Further Reading, Other Developments, and Coming Events (8 October)

Coming Events

  • The European Union Agency for Cybersecurity (ENISA), Europol’s European Cybercrime Centre (EC3) and the Computer Emergency Response Team for the EU Institutions, Bodies and Agencies (CERT-EU) will hold the 4th annual IoT Security Conference series “to raise awareness on the security challenges facing the Internet of Things (IoT) ecosystem across the European Union:”
    • Artificial Intelligence – 14 October at 15:00 to 16:30 CET
    • Supply Chain for IoT – 21 October at 15:00 to 16:30 CET
  • The Federal Communications Commission (FCC) will hold an open commission meeting on 27 October, and the agency has released a tentative agenda:
    • Restoring Internet Freedom Order Remand – The Commission will consider an Order on Remand that would respond to the remand from the U.S. Court of Appeals for the D.C. Circuit and conclude that the Restoring Internet Freedom Order promotes public safety, facilitates broadband infrastructure deployment, and allows the Commission to continue to provide Lifeline support for broadband Internet access service. (WC Docket Nos. 17-108, 17-287, 11-42)
    • Establishing a 5G Fund for Rural America – The Commission will consider a Report and Order that would establish the 5G Fund for Rural America to ensure that all Americans have access to the next generation of wireless connectivity. (GN Docket No. 20-32)
    • Increasing Unlicensed Wireless Opportunities in TV White Spaces – The Commission will consider a Report and Order that would increase opportunities for unlicensed white space devices to operate on broadcast television channels 2-35 and expand wireless broadband connectivity in rural and underserved areas. (ET Docket No. 20-36)
    • Streamlining State and Local Approval of Certain Wireless Structure Modifications – The Commission will consider a Report and Order that would further accelerate the deployment of 5G by providing that modifications to existing towers involving limited ground excavation or deployment would be subject to streamlined state and local review pursuant to section 6409(a) of the Spectrum Act of 2012. (WT Docket No. 19-250; RM-11849)
    • Revitalizing AM Radio Service with All-Digital Broadcast Option – The Commission will consider a Report and Order that would authorize AM stations to transition to an all-digital signal on a voluntary basis and would also adopt technical specifications for such stations. (MB Docket Nos. 13-249, 19-311)
    • Expanding Audio Description of Video Content to More TV Markets – The Commission will consider a Report and Order that would expand audio description requirements to 40 additional television markets over the next four years in order to increase the amount of video programming that is accessible to blind and visually impaired Americans. (MB Docket No. 11-43)
    • Modernizing Unbundling and Resale Requirements – The Commission will consider a Report and Order to modernize the Commission’s unbundling and resale regulations, eliminating requirements where they stifle broadband deployment and the transition to next-generation networks, but preserving them where they are still necessary to promote robust intermodal competition. (WC Docket No. 19-308)
    • Enforcement Bureau Action – The Commission will consider an enforcement action.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”

Other Developments

  • Harvard University’s Berkman Klein Center for Internet & Society published a study, “Mail-In Voter Fraud: Anatomy of a Disinformation Campaign,” which found a concerted, almost certainly coordinated campaign led by President Donald Trump, the Republican Party, and conservative media outlets to claim against all evidence that mail voting is rife with fraud. The study points to structural issues in the United States (U.S.) and the broader media that allow parties to disseminate disinformation and propaganda. The authors found the traditional print and television media more effective and complicit in spreading lies and disinformation than social media platforms like Facebook and Twitter. The Berkman Klein Center explained:
    • The claim that election fraud is a major concern with mail-in ballots has become the central threat to election participation during the Covid-19 pandemic and to the legitimacy of the outcome of the election across the political spectrum. President Trump has repeatedly cited his concerns over voter fraud associated with mail-in ballots as a reason that he may not abide by an adverse electoral outcome. Polling conducted in September 2020 suggests that nearly half of Republicans agree with the president that election fraud is a major concern associated with expanded mail-in voting during the pandemic. Few Democrats share that belief. Despite the consensus among independent academic and journalistic investigations that voter fraud is rare and extremely unlikely to determine a national election, tens of millions of Americans believe the opposite. This is a study of the disinformation campaign that led to widespread acceptance of this apparently false belief and to its partisan distribution pattern. Contrary to the focus of most contemporary work on disinformation, our findings suggest that this highly effective disinformation campaign, with potentially profound effects for both participation in and the legitimacy of the 2020 election, was an elite-driven, mass-media led process. Social media played only a secondary and supportive role.
    • Our results are based on analyzing over fifty-five thousand online media stories, five million tweets, and seventy-five thousand posts on public Facebook pages garnering millions of engagements. They are consistent with our findings about the American political media ecosystem from 2015-2018, published in Network Propaganda, in which we found that Fox News and Donald Trump’s own campaign were far more influential in spreading false beliefs than Russian trolls or Facebook clickbait artists. This dynamic appears to be even more pronounced in this election cycle, likely because Donald Trump’s position as president and his leadership of the Republican Party allow him to operate directly through political and media elites, rather than relying on online media as he did when he sought to advance his then-still-insurgent positions in 2015 and the first half of 2016.
    • Our findings here suggest that Donald Trump has perfected the art of harnessing mass media to disseminate and at times reinforce his disinformation campaign by using three core standard practices of professional journalism. These three are: elite institutional focus (if the President says it, it’s news); headline seeking (if it bleeds, it leads); and balance, neutrality, or the avoidance of the appearance of taking a side. He uses the first two in combination to summon coverage at will, and has used them continuously to set the agenda surrounding mail-in voting through a combination of tweets, press conferences, and television interviews on Fox News. He relies on the latter professional practice to keep audiences that are not politically pre-committed and have relatively low political knowledge confused, because it limits the degree to which professional journalists in mass media organizations are willing or able to directly call the voter fraud frame disinformation. The president is, however, not acting alone. Throughout the first six months of the disinformation campaign, the Republican National Committee (RNC) and staff from the Trump campaign appear repeatedly and consistently on message at the same moments, suggesting an institutionalized rather than individual disinformation campaign. The efforts of the president and the Republican Party are supported by the right-wing media ecosystem, primarily Fox News and talk radio functioning in effect as a party press. These reinforce the message, provide the president a platform, and marginalize or attack those Republican leaders or any conservative media personalities who insist that there is no evidence of widespread voter fraud associated with mail-in voting.
    • The primary cure for the elite-driven, mass media communicated information disorder we observe here is unlikely to be more fact checking on Facebook. Instead, it is likely to require more aggressive policing by traditional professional media, the Associated Press, the television networks, and local TV news editors of whether and how they cover Trump’s propaganda efforts, and how they educate their audiences about the disinformation campaign the president and the Republican Party have waged.
  • The Senate Minority Leader and the top Democrats on three committees sent a letter to the acting Secretary of Homeland Security asking him to “release a document that shows President Donald Trump’s attacks on American Elections are consistent with a foreign influence campaign.” Senate Minority Leader Chuck Schumer (D-NY), Senate Intelligence Committee Ranking Member Mark Warner (D-VA), Senate Rules Committee Ranking Member Amy Klobuchar (D-MN), Senate Homeland Security and Governmental Affairs Committee Ranking Member Gary Peters (D-MI), and Senator Ron Wyden (D-OR) wrote to acting Secretary of Homeland Security Chad Wolf:
    • We write to urge you to immediately release to the public a September 3, 2020, analysis produced by the Department’s Office of Intelligence and Analysis.  This document demonstrates that a foreign actor is attempting to undermine faith in the US electoral system, particularly vote-by-mail systems, in a manner that is consistent with the rhetoric being used by President Trump, Attorney General Barr, and others.
    • The document has been marked ‘Unclassified/For Official Use Only,’ meaning that its release would not pose a risk to sources and methods and that it has already been widely distributed around the country through unclassified channels. It is now critical and urgent that the American people have access to this document so that they can understand the context of Trump’s statements and actions.
  • Representatives Abigail Spanberger (D-VA) and John Katko (R-NY) introduced the “Foreign Agent Disclaimer Enhancement (FADE) Act” “to protect against the influence of foreign nations that seek to weaken the U.S. electoral system and sow division through online disinformation campaigns.” This bill would close a loophole in the Foreign Agents Registration Act (FARA) that does not require foreign agents to disclose social media posts intended to persuade Americans as they must for other forms of communication. They provided the context for the legislation:
    • This week, the Federal Bureau of Investigation alerted Twitter that accounts likely based in Iran attempted to spread disinformation during the U.S. presidential debate.
    • An April 2020 State Department report warned that China, Iran, and Russia are using the COVID-19 crisis to launch a propaganda and disinformation onslaught against the United States.
    • Spanberger and Katko summarized the bill in their press release:
      • The Foreign Agent Disclaimer Enhancement (FADE) Act would increase transparency by requiring disclaimers attributing political content to a foreign principal be embedded on the face of a social media post itself. With this new requirement, disclaimers would remain with a post whenever the post is subsequently shared. The FADE Act would also clarify that these disclaimer requirements apply to the internet and apply to any political communications directed at the United States — regardless of the foreign agent’s location around the world.
      • To ensure enforcement of these new transparency measures, the FADE Act would require the Department of Justice (DOJ) to notify online platforms if a foreign agent does not meet disclaimer requirements for posts on their platforms, and in these cases, require the platform to remove the materials and use reasonable efforts to inform recipients of the materials that the information they saw was disseminated by a foreign agent. Additionally, the bipartisan bill would require DOJ to prepare a report to Congress on enforcement challenges.
  • Europol issued its annual “Internet Organised Crime Threat Assessment (IOCTA) 2020” that “provides a unique law enforcement-focused assessment of emerging challenges and key developments in the area of cybercrime” in the European Union (EU).
  • Europol highlighted its findings:
    • Cross-Cutting Crime Facilitators And Challenges To Criminal Investigations
      • Social engineering remains a top threat to facilitate other types of cybercrime.
      • Cryptocurrencies continue to facilitate payments for various forms of cybercrime, as developments evolve with respect to privacy-oriented crypto coins and services.
      • Challenges with reporting hinder the ability to create an accurate overview of crime prevalence across the EU.
    • Cyber-Dependent Crime
      • Ransomware remains the most dominant threat as criminals increase pressure by threatening publication of data if victims do not pay.
      • Ransomware on third-party providers also creates potential significant damage for other organisations in the supply chain and critical infrastructure.
      • Emotet is omnipresent given its versatile use and leads the way as the benchmark of modern malware.
      • The threat potential of Distributed Denial of Service (DDoS) attacks is higher than its current impact in the EU.
    • Child Sexual Exploitation Online
      • The amount of online Child sexual abuse material (CSAM) detected continues to increase, further exacerbated by the COVID-19 crisis, which has serious consequences for the capacity of law enforcement authorities.
      • The use of encrypted chat apps and industry proposals to expand this market pose a substantial risk for abuse and make it more difficult for law enforcement to detect and investigate online Child sexual exploitation (CSE) activities.
      • Online offender communities exhibit considerable resilience and are continuously evolving.
      • Livestreaming of child sexual abuse continues to increase and became even more prevalent during the COVID-19 crisis.
      • The commercialisation of online CSE is becoming a more widespread issue, with individuals uploading material to hosting sites and subsequently acquiring credit on the basis of the number of downloads.
    • Payment Fraud
      • SIM swapping is a key trend that allows perpetrators to take over accounts and has demonstrated a steep rise over the last year.
      • Business email compromise (BEC) remains an area of concern as it has increased, grown in sophistication, and become more targeted.
      • Online investment fraud is one of the fastest growing crimes, generating millions in losses and affecting thousands of victims.
      • Card-not-present (CNP) fraud continues to increase as criminals diversify in terms of target sectors and electronic skimming (e-skimming) modi operandi.
    • The Criminal Abuse Of The Darkweb
      • The Darkweb environment has remained volatile, lifecycles of Darkweb market places have shortened, and no clear dominant market has risen over the past year compared to previous years to fill the vacuum left by the takedowns in 2019.
      • The nature of the Darkweb community at administrator-level shows how adaptive it is under challenging times, including more effective cooperation in the search for better security solutions and safe Darkweb interaction.
      • There has been an increase in the use of privacy-enhanced cryptocurrencies and an emergence of privacy-enhanced coinjoin concepts, such as Wasabi and Samurai.
      • Surface web e-commerce sites and encrypted communication platforms offer an additional dimension to Darkweb trading to enhance the overall business model.
  • “43 center-right organizations, think tanks, and policy experts” wrote Senate Majority Whip John Thune (R-SD) “for his leadership and support for the American competitive approach to 5G deployment.” Last week, Thune and 18 Republican colleagues sent President Donald Trump a letter “to express our concerns about a Request For Information (RFI) released by the Department of Defense (DOD) that contradicts the successful free-market strategy you have embraced for 5G.” Late last month, the United States Department of Defense (DOD) released an RFI on the possibility of the agency sharing its prized portions of electromagnetic spectrum with commercial providers to speed the development and adoption of 5G in the United States.
    • The 43 groups argued:
      • We too are concerned with the Department of Defense Request for Information on a government-managed process for 5G development and are alarmed with how quickly it is proceeding.  Even more disturbing are the rumors that the RFI was only for show and that the DoD already has an RFP it plans to greenlight. 
      • A government-run 5G backbone, wholesale network, or whatever name it goes by, is nationalization of private business. Spectrum sharing is something that must be considered as the nation moves forward with private networks, but it is not a reason for a government takeover. For a government-run network to happen, the federal government would have to either renege on licenses granted to private users or hoard spectrum at the expense of private industry. Either approach would upend well-established licensure policies at the FCC that establish certainty in operating and maintaining complex networks and create massive unnecessary delays to launching 5G networks. Moreover, the government should not be in the business of “competing” with private industry. That’s the business model of China and Russia, not the United States. 
  • The top Democrat on the Senate Intelligence Committee wrote Facebook, Twitter, and Google, urging the companies “to implement robust accountability and transparency standards ahead of the November election, including requirements outlined in the Honest Ads Act…to help prevent foreign interference in elections and improve the transparency of online political advertisements” according to his press release. Senator Mark Warner (D-VA) asserted that “[i]n individual letters to Facebook, Google, and Twitter, [he] detailed the various ways in which each company continues to contribute to the spread of disinformation, viral misinformation, and voter suppression efforts.” Warner “also warned about the imminent risk of bad actors once again weaponizing American-bred social media tools to undermine democracy ahead of the November election, and urged each company to take proactive measures to safeguard against these efforts.” Warner specified:
    • In his letter to Facebook, [he] criticized the platform’s efforts to label manipulated or synthetic content, describing these as “wholly inadequate.” He also raised alarm with instances of Facebook’s amplification of harmful content.
    • Similarly, in a letter to Google, [he] raised concern with the company’s efforts to combat harmful misinformation – particularly disinformation about voting, spread by right-leaning YouTube channels. He also criticized the comprehensiveness of Google’s ad archive, which presently excludes issue ads.
    • In his letter to Twitter, which has banned paid political content and placed restrictions on cause-based advertising, [he] noted that doctored political content continues to spread organically without adequate labeling that slows its spread or contextualizes it for users.
  • Representative Lauren Underwood (D-IL), the new Chair of the House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Innovation Subcommittee, wrote Facebook, Twitter, and YouTube, urging them “to address ongoing reports of election-related disinformation targeting Black voters on their platforms” per her press release. She argued “[d]uring the 2016 election, social media platforms were used by malicious actors attempting to silence Black voters and sow racial division…[and] [f]our years later, social media companies have made too little progress toward containing this growing threat.” Underwood “requested information on the steps the companies are taking to prevent voter suppression, interference, and disinformation targeting Black voters.”

Further Reading

  • “Judge Orders Twitter To Unmask FBI Impersonator Who Set Off Seth Rich Conspiracy” By Bobby Allyn — NPR. A magistrate judge in California denied Twitter’s motion to quash a subpoena in order to not reveal the account information of an anonymous user who spread lies about deceased Democratic National Committee staffer Seth Rich and his family regarding the Russian Federation’s interference in the 2016 election.
  • “Justices wary of upending tech industry in Google v. Oracle Supreme Court fight” By Tucker Higgins — CNBC. This week, the Supreme Court of the United States heard oral arguments in the decade-long legal war between Google and Oracle arising from the latter’s claim that the former infringed its ownership rights by using roughly 11,500 lines of code to create its Android operating system from an application programming interface developed by Sun Microsystems, a company bought by Oracle. This case could have huge ramifications for the technology industry if Oracle wins because it could make the development of new products and services much harder.
  • “Facebook to temporarily halt political ads in U.S. after polls close Nov. 3, broadening earlier restrictions” By Elizabeth Dwoskin — The Washington Post. In its newest announcement, Facebook said it will not accept political or issues advertising in the week after election day. This effort is the latest measure the platform has announced to address misinformation and disinformation. Facebook will also label efforts of candidates to claim an election has been decided if it, in fact, has not been. The platform will also remove posts that aim to intimidate voters or suppress the voting turnout.
  • “Leaked: Confidential Amazon memo reveals new software to track unions” By Jason Del Rey and Shirin Ghaffary — recode. The tech giant is turning its data collection and analysis capabilities on its workforce in an effort to prevent unionizing at the United States’ (U.S.) second largest employer.
  • “QAnon High Priest Was Just Trolling Away as a Citigroup Tech Executive” By William Turton and Joshua Brustein — Bloomberg. The fascinating if not horrifying story of how a seemingly well-to-do, mild-mannered tech specialist became one of the key figures in the QAnon conspiracy.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (7 October)

Other Developments

  • Consumer Reports released a study of the “California Consumer Privacy Act” (CCPA) (AB 375), specifically of the Do-Not-Sell right California residents were given under the newly effective privacy statute. For those people (like me) who expected a significant number of businesses to make it hard for people to exercise their rights, this study confirms this suspicion. Consumer Reports noted more than 40% of data brokers had hard-to-find links or extra, complicated steps for people to tell them not to sell their personal information.
    • In “CCPA: Are Consumers Digital Rights Protected?,” Consumer Reports used this methodology:
    • Consumer Reports’ Digital Lab conducted a mixed methods study to examine whether the new CCPA is working for consumers. This study focused on the Do-Not-Sell (DNS) provision in the CCPA, which gives consumers the right to opt out of the sale of their personal information to third parties through a “clear and conspicuous link” on the company’s homepage. As part of the study, 543 California residents made DNS requests to 214 data brokers listed in the California Attorney General’s data broker registry. Participants reported their experiences via survey.
    • Consumer Reports found:
      • Consumers struggled to locate the required links to opt out of the sale of their information. For 42.5% of sites tested, at least one of three testers was unable to find a DNS link. All three testers failed to find a “Do Not Sell” link on 12.6% of sites, and in several other cases one or two of three testers were unable to locate a link.
        • Follow-up research focused on the sites in which all three testers did not find the link revealed that at least 24 companies on the data broker registry do not have the required DNS link on their homepage.
        • All three testers were unable to find the DNS links for five additional companies, though follow-up research revealed that the companies did have DNS links on their homepages. This also raises concerns about compliance, since companies are required to post the link in a “clear and conspicuous” manner.
      • Many data brokers’ opt-out processes are so onerous that they have substantially impaired consumers’ ability to opt out, highlighting serious flaws in the CCPA’s opt-out model.
        • Some DNS processes involved multiple, complicated steps to opt out, including downloading third-party software.
        • Some data brokers asked consumers to submit information or documents that they were reluctant to provide, such as a government ID number, a photo of their government ID, or a selfie.
        • Some data brokers confused consumers by requiring them to accept cookies just to access the site.
        • Consumers were often forced to wade through confusing and intimidating disclosures to opt out.
        • Some consumers spent an hour or more on a request.
        • At least 14% of the time, burdensome or broken DNS processes prevented consumers from exercising their rights under the CCPA.
      • At least one data broker used information provided for a DNS request to add the user to a marketing list, in violation of the CCPA.
      • At least one data broker required the user to set up an account to opt out, in violation of the CCPA.
      • Consumers often didn’t know if their opt-out request was successful. Neither the CCPA nor the CCPA regulations require companies to notify consumers when their request has been honored. About 46% of the time, consumers were left waiting or unsure about the status of their DNS request.
      • About 52% of the time, the tester was “somewhat dissatisfied” or “very dissatisfied” with the opt-out processes.
      • On the other hand, some consumers reported that it was quick and easy to opt out, showing that companies can make it easier for consumers to exercise their rights under the CCPA. About 47% of the time, the tester was “somewhat satisfied” or “very satisfied” with the opt-out process.
    • Consumer Reports recommended:
      • The Attorney General should vigorously enforce the CCPA to address noncompliance.
      • To make it easier to exercise privacy preferences, consumers should have access to browser privacy signals that allow them to opt out of all data sales in one step.
      • The AG should more clearly prohibit dark patterns, which are user interfaces that subvert consumer intent, and design a uniform opt-out button. This will make it easier for consumers to locate the DNS link on individual sites.
      • The AG should require companies to notify consumers when their opt-out requests have been completed, so that consumers can know that their information is no longer being sold.
      • The legislature or AG should clarify the CCPA’s definitions of “sale” and “service provider” to more clearly cover data broker information sharing.
      • Privacy should be protected by default. Rather than place the burden on consumers to exercise privacy rights, the law should require reasonable data minimization, which limits the collection, sharing, retention, and use to what is reasonably necessary to operate the service.
  • Two agencies of the Department of the Treasury have issued guidance regarding the advisability and legality of paying ransoms to individuals or entities under United States (U.S.) sanction at a time when ransomware attacks are on the rise. It bears note that a person or entity in the U.S. may face criminal and civil liability for paying a sanctioned ransomware entity even if they did not know it was sanctioned. One of the agencies reasoned that paying ransoms to such parties is contrary to U.S. national security policy and only encourages more ransomware attacks.
    • The Office of Foreign Assets Control (OFAC) issued an “advisory to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.” OFAC added:
      • Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business. Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations. This advisory describes these sanctions risks and provides information for contacting relevant U.S. government agencies, including OFAC, if there is a reason to believe the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.
    • Financial Crimes Enforcement Network (FinCEN) published its “advisory to alert financial institutions to predominant trends, typologies, and potential indicators of ransomware and associated money laundering activities. This advisory provides information on:
      • (1) the role of financial intermediaries in the processing of ransomware payments;
      • (2) trends and typologies of ransomware and associated payments;
      • (4) reporting and sharing information related to ransomware attacks.
  • The Government Accountability Office (GAO) found uneven implementation at seven federal agencies in meeting the Office of Management and Budget’s (OMB) requirements in using the category management initiative for buying information technology (IT). This report follows in a long line of assessments of how the federal government is not spending its billions of dollars invested in IT to maximum effect. The category management initiative was launched two Administrations ago as a means of driving greater efficiency and savings for the nearly $350 billion the U.S. government spends annually in services and goods, much of which could be bought in large quantities instead of piecemeal by agency as is now the case.
    • The chair and ranking member of the House Oversight Committee and other Members had asked the GAO “to conduct a review of federal efforts to reduce IT contract duplication and/or waste” specifically “to determine the extent to which (1) selected agencies’ efforts to prevent, identify, and reduce duplicative or wasteful IT contracts were consistent with OMB’s category management initiative; and (2) these efforts were informed by spend analyses.” The GAO ended up looking at the Departments of Agriculture (USDA), Defense (DOD), Health and Human Services (HHS), Homeland Security (DHS), Justice (DOJ), State (State), and Veterans Affairs (VA).
    • The GAO found:
      • The seven agencies in our review varied in their implementation of OMB’s category management activities that contribute to identifying, preventing, and reducing duplicative IT contracts. Specifically, most of the agencies fully implemented the two activities to identify a Senior Accountable Official and develop processes and policies for implementing category management efforts, and to engage their workforces in category management training. However, only about half the agencies fully implemented the activities to reduce unaligned IT spending, including increasing the use of Best in Class contract solutions, and share prices paid, terms, and conditions for purchased IT goods and services. Agencies cited several reasons for their varied implementation, including that they were still working to define how to best integrate category management into the agency.
      • Most of the agencies used spend analyses to inform their efforts to identify and reduce duplication, and had developed and implemented strategies to address the identified duplication, which, agency officials reported resulted in millions in actual and anticipated future savings. However, two of these agencies did not make regular use of the spend analyses.
      • Until agencies fully implement the activities in OMB’s category management initiative, and make greater use of spend analyses to inform their efforts to identify and reduce duplicative contracts, they will be at increased risk of wasteful spending. Further, agencies will miss opportunities to identify and realize savings of potentially hundreds of millions of dollars.
  • The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) provided “specific Chinese government and affiliated cyber threat actor tactics, techniques, and procedures (TTPs) and recommended mitigations to the cybersecurity community to assist in the protection of our Nation’s critical infrastructure.” CISA took this action “[i]n light of heightened tensions between the United States and China.”
    • CISA asserted
      • According to open-source reporting, offensive cyber operations attributed to the Chinese government targeted, and continue to target, a variety of industries and organizations in the United States, including healthcare, financial services, defense industrial base, energy, government facilities, chemical, critical manufacturing (including automotive and aerospace), communications, IT, international trade, education, videogaming, faith-based organizations, and law firms.
    • CISA recommends organizations take the following actions:
      • Adopt a state of heightened awareness. Minimize gaps in personnel availability, consistently consume relevant threat intelligence, and update emergency call trees.
      • Increase organizational vigilance. Ensure security personnel monitor key internal security capabilities and can identify anomalous behavior. Flag any known Chinese indicators of compromise (IOCs) and TTPs for immediate response.
      • Confirm reporting processes. Ensure personnel know how and when to report an incident. The well-being of an organization’s workforce and cyber infrastructure depends on awareness of threat activity. Consider reporting incidents to CISA to help serve as part of CISA’s early warning system (see the Contact Information section below).
      • Exercise organizational incident response plans. Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.
  • The Supreme Court of the United States (SCOTUS) declined to hear a case on an Illinois revenge porn law that the Illinois State Supreme Court upheld, finding it did not impinge on a woman’s First Amendment rights. Bethany Austin was charged with a felony under an Illinois law barring the nonconsensual dissemination of private sexual pictures when she printed and distributed pictures of her ex-fiancé’s lover. Because SCOTUS decided not to hear this case, the Illinois case and others like it remain Constitutional.
    • The Illinois State Supreme Court explained the facts of the case:
      • Defendant (aka Bethany Austin) was engaged to be married to Matthew, after the two had dated for more than seven years. Defendant and Matthew lived together along with her three children. Defendant shared an iCloud account with Matthew, and all data sent to or from Matthew’s iPhone went to their shared iCloud account, which was connected to defendant’s iPad. As a result, all text messages sent by or to Matthew’s iPhone automatically were received on defendant’s iPad. Matthew was aware of this data sharing arrangement but took no action to disable it.
      • While Matthew and defendant were engaged and living together, text messages between Matthew and the victim, who was a neighbor, appeared on defendant’s iPad. Some of the text messages included nude photographs of the victim. Both Matthew and the victim were aware that defendant had received the pictures and text messages on her iPad. Three days later, Matthew and the victim again exchanged several text messages. The victim inquired, “Is this where you don’t want to message [because] of her?” Matthew responded, “no, I’m fine. [S]omeone wants to sit and just keep watching want [sic] I’m doing I really do not care. I don’t know why someone would wanna put themselves through that.” The victim replied by texting, “I don’t either. Soooooo baby ….”
      • Defendant and Matthew cancelled their wedding plans and subsequently broke up. Thereafter, Matthew began telling family and friends that their relationship had ended because defendant was crazy and no longer cooked or did household chores.
      • In response, defendant wrote a letter detailing her version of events. As support, she attached to the letter four of the naked pictures of the victim and copies of the text messages between the victim and Matthew. When Matthew’s cousin received the letter along with the text messages and pictures, he informed Matthew.
      • Upon learning of the letter and its enclosures, Matthew contacted the police. The victim was interviewed during the ensuing investigation and stated that the pictures were private and only intended for Matthew to see. The victim acknowledged that she was aware that Matthew had shared an iCloud account with defendant, but she thought it had been deactivated when she sent him the nude photographs.
    • In her petition for SCOTUS to hear her case, Austin asserted:
      • Petitioner Bethany Austin is being prosecuted under Illinois’ revenge porn law even though she is far from the type of person such laws were intended to punish. These laws proliferated rapidly in recent years because of certain reprehensible practices, such as ex-lovers widely posting images of their former mates to inflict pain for a bad breakup, malicious stalkers seeking to damage an innocent person’s reputation, or extortionists using intimate photos to collect ransom. Austin did none of those things, yet is facing felony charges because she tried to protect her reputation from her former fiancé’s lies about the reason their relationship ended.
      • The Illinois Supreme Court rejected Petitioner’s constitutional challenge to the state revenge porn law only because it ignored well-established First Amendment rules: It subjected the law only to intermediate, rather than strict scrutiny, because it incorrectly classified a statute that applies only to sexual images as content neutral; it applied diminished scrutiny because the speech at issue was deemed not to be a matter of public concern; and it held the law need not require a showing of malicious intent to justify criminal penalties, reasoning that such intent can be inferred from the mere fact that the specified images were shared. Each of these conclusions contradicts First Amendment principles recently articulated by this Court, and also is inconsistent with decisions of various state courts, including the Vermont Supreme Court.
    • Illinois argued in its brief to SCOTUS:
      • The nonconsensual dissemination of private sexual images exposes victims to a wide variety of serious harms that affect nearly every aspect of their lives. The physical, emotional, and economic harms associated with such conduct are well-documented: many victims are exposed to physical violence, stalking, and harassment; suffer from emotional and psychological harm; and face limited professional prospects and lowered income, among other repercussions. To address this growing problem and protect its residents from these harms, Illinois enacted section 11-23.5, 720 ILCS 5/11-23.5. Petitioner—who was charged with violating section 11-23.5 after she disseminated nude photos of her fiancé’s paramour without consent—asks this Court to review the Illinois Supreme Court’s decision rejecting her First Amendment challenge.
  • Six U.S. Agency for Global Media (USAGM) whistleblowers have filed a complaint concerning “retaliatory actions” with the Office of the Inspector General (OIG) at the Department of State and the Office of Special Counsel, arguing the newly installed head of USAGM punished them for making complaints through proper channels about his actions. This is the latest development at the agency. The United States Court of Appeals for the District of Columbia enjoined USAGM from “taking any action to remove or replace any officers or directors of the OTF,” pending the outcome of the suit, which is being expedited.
  • Additionally, USAGM CEO and Chair of the Board Michael Pack is being accused in two different letters of seeking to compromise the integrity and independence of two organizations he oversees. There have been media accounts of the Trump Administration’s remaking of USAGM in ways critics contend are threatening the mission and effectiveness of the Open Technology Fund (OTF), a U.S. government non-profit designed to help dissidents and endangered populations throughout the world. The head of the OTF has been removed, evoking the ire of Members of Congress, and other changes have been implemented that are counter to the organization’s mission. Likewise, there are allegations that politically-motivated policy changes seek to remake the Voice of America (VOA) into a less independent entity.
  • The whistleblowers claimed in their complaint:
    • Each of the Complainants made protected disclosures – whether in the form of OIG complaints, communications with USAGM leadership, and/or communications with appropriate Congressional committees – regarding their concerns about official actions primarily taken by Michael Pack, who has been serving as the Chief Executive Officer for USAGM since June 4, 2020. The Complainants’ concerns involve allegations that Mr. Pack has engaged in conduct that violates federal law and/or USAGM regulations, and that constitutes an abuse of authority and gross mismanagement. Moreover, each of the Complainants was targeted for retaliatory action by Mr. Pack because of his belief that they held political views opposed to his, which is a violation of the Hatch Act.
    • Each of the Complainants was informed by letter, dated August 12, 2020, that their respective accesses to classified information had been suspended pending further investigation. Moreover, they were all concurrently placed on administrative leave. In each of the letters to the Complainants, USAGM claimed that the Complainants had been improperly granted security clearances, and that the Complainants failed to take remedial actions to address personnel and security concerns prior to permitting other USAGM employees to receive security clearances. In addition, many or all of the Complainants were earlier subject to retaliatory adverse personnel actions in the form of substantial limitations on their ability to carry out their work responsibilities (i.e. a significant change in duties and responsibilities), which limitations were imposed without following appropriate personnel procedures.

Further Reading

  • “Big Tech Was Their Enemy, Until Partisanship Fractured the Battle Plans” By Cecilia Kang and David McCabe — The New York Times. There’s a bit of court intrigue in this piece about how Republicans declined to join Democrats on the antitrust report released this week, sapping the recommendations on how to address Big Tech of power.
  • “Facebook Keeps Data Secret, Letting Conservative Bias Claims Persist” By Bobby Allyn — NPR. Still no evidence of an anti-conservative bias at Facebook, according to experts, and the incomplete data available seem to indicate conservative content may be more favored by users than liberal content. Facebook does not release data that settle the question, however, and there are all sorts of definitional questions that need answers before this issue could be definitely settled. And yet, some food for thought: a significant percentage of link sharing may be driven by bots and not humans.
  • “News Corp. changes its tune on Big Tech” By Sara Fischer — Axios. After beating the drum for years about the effect of Big Tech on journalism, the parent company of the Wall Street Journal and other media outlets is much more conciliatory these days. It may have something to do with all the cash the Googles and Facebooks of the world are proposing to throw at some media outlets for their content. It remains to be seen how this change in tune will affect the Australian Competition and Consumer Commission’s (ACCC) proposal to ensure that media companies are compensated for articles and content online platforms use. In late July the ACCC released for public consultation a draft of “a mandatory code of conduct to address bargaining power imbalances between Australian news media businesses and digital platforms, specifically Google and Facebook.”
  • “Silicon Valley Opens Its Wallet for Joe Biden” By Daniel Oberhaus — WIRED. In what will undoubtedly be adduced as evidence that Silicon Valley is a liberal haven, this article claims that, according to federal elections data for this election cycle, Alphabet, Amazon, Apple, Facebook, Microsoft, and Oracle employees have contributed $4,787,752 to former Vice President Joe Biden and $239,527 to President Donald Trump. This is only for contributions of $200 and higher, so it is likely these data are not complete.
  • “Facebook bans QAnon across its platforms” By Ben Collins and Brandy Zadrozny — NBC News. The social media giant has escalated and will remove all content related to the conspiracy group and theory known as QAnon. However, believers have been adaptable and agile in dropping certain terms and using methods to evade detection. Some experts say Facebook’s actions are too little, too late as these beliefs are widespread and are fueling a significant amount of violence and unrest in the real world.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


Further Reading, Other Developments, and Coming Events (15 August)

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 18 August, the National Institute of Standards and Technology (NIST) will host the “Bias in AI Workshop, a virtual event to develop a shared understanding of bias in AI, what it is, and how to measure it.”
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” By 21 August, the FTC “is seeking comment on a range of issues including:
    • How are companies currently implementing data portability? What are the different contexts in which data portability has been implemented?
    • What have been the benefits and costs of data portability? What are the benefits and costs of achieving data portability through regulation?
    • To what extent has data portability increased or decreased competition?
    • Are there research studies, surveys, or other information on the impact of data portability on consumer autonomy and trust?
    • Does data portability work better in some contexts than others (e.g., banking, health, social media)? Does it work better for particular types of information over others (e.g., information the consumer provides to the business vs. all information the business has about the consumer, information about the consumer alone vs. information that implicates others such as photos of multiple people, comment threads)?
    • Who should be responsible for the security of personal data in transit between businesses? Should there be data security standards for transmitting personal data between businesses? Who should develop these standards?
    • How do companies verify the identity of the requesting consumer before transmitting their information to another company?
    • How can interoperability among services best be achieved? What are the costs of interoperability? Who should be responsible for achieving interoperability?
    • What lessons and best practices can be learned from the implementation of the data portability requirements in the GDPR and CCPA? Has the implementation of these requirements affected competition and, if so, in what ways?”
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • The Global Engagement Center (GEC) at the U.S. Department of State published the “GEC Special Report: Pillars of Russia’s Disinformation and Propaganda Ecosystem.” The GEC drew “on publicly available reporting to provide an overview of Russia’s disinformation and propaganda ecosystem.” The GEC identified the five pillars of Russia’s Disinformation and Propaganda Ecosystem:
    • official government communications;
    • state-funded global messaging;
    • cultivation of proxy sources;
    • weaponization of social media; and
    • cyber-enabled disinformation.
    • The GEC stated
      • This report provides a visual representation of the ecosystem described above, as well as an example of the media multiplier effect it enables. This serves to demonstrate how the different pillars of the ecosystem play distinct roles and feed off of and bolster each other. The report also includes brief profiles of select proxy sites and organizations that occupy an intermediate role between the pillars of the ecosystem with clear links to Russia and those that are meant to be fully deniable. The emphasis on these proxy sites is meant to highlight the important role they play, which can be overlooked given the attention paid to official Russian voices on one end of the spectrum, and the social media manipulation and cyber-enabled threats on the other.
  • The United States (U.S.) Department of Veterans Affairs (VA) has restarted its process for rolling out its new electronic health record (EHR) and announced it has “revised its previous schedule to convert facilities to its new EHR capabilities with updated timelines for deployments in August in Columbus, Ohio, and October in Spokane, Washington.” The VA opted to replace its Veterans Health Information Systems and Technology Architecture (VistA) with a commercial off-the-shelf system the U.S. Department of Defense has chosen, Cerner Millennium. However, this $16 billion acquisition has encountered numerous difficulties and delays, which have caught the continued attention of Congress.
    • The VA claimed “The new timeline will preserve the 10-year implementation schedule and the overall cost estimates of VA’s EHR modernization program…[and] [a]fter the conversion at these sites, VA will bring other select facilities forward in the timeline.”
    • In June 2020, the U.S. Government Accountability Office (GAO) found:
      • VA met its schedule for making the needed system configuration decisions that would enable the department to implement its new EHR system at the first VA medical facility, which was planned for July 2020. In addition, VA has formulated a schedule for making the remaining EHR system configuration decisions before implementing the system at additional facilities planned for fall 2020.
      • VA’s Electronic Health Record Modernization (EHRM) program was generally effective in establishing decision-making procedures that were consistent with applicable federal standards for internal control. However, VA did not always ensure the involvement of relevant stakeholders, including medical facility clinicians and staff, in the system configuration decisions. Specifically, VA did not always clarify terminology and include adequate detail in descriptions of local workshop sessions to medical facility clinicians and staff to ensure relevant representation at local workshop meetings. Participation of such stakeholders is critical to ensuring that the EHR system is configured to meet the needs of clinicians and support the delivery of clinical care.
  • The United States (U.S.) Government Accountability Office (GAO) studied and reported on privacy and accuracy issues related to the use of facial recognition technology requested by the chairs of the House Judiciary and Oversight and Reform Committees. This report updates a 2015 report on the same issues and renews the agency’s call first made in 2013 that Congress “strengthen[] the current consumer privacy framework to reflect the effects of changes in technology and the marketplace—particularly in relation to consumer data used for marketing purposes—while also ensuring that any limitations on data collection and sharing do not unduly inhibit the economic and other benefits to industry and consumers that data sharing can accord.”
    • In the new report, the GAO explained that “[s]takeholders we interviewed identified additional activities that companies could improve the use of facial recognition technology. These activities include
      • defining the purpose for the technology’s use and clearly notifying consumers how companies are using the technology—such as surveillance or marketing;
      • identifying risks and limitations associated with using the technology and prohibiting certain uses (e.g., those with discriminatory purposes); and
      • providing guidance or training related to these issues.
    • The GAO asserted
      • However, these voluntary privacy frameworks and suggested activities that could help address privacy concerns or improve the use of facial recognition technology are not mandatory. Furthermore, as discussed earlier, in most contexts facial recognition technology is not currently covered by federal privacy law. Accordingly, we reiterate our 2013 suggestion that Congress strengthen the current consumer privacy framework to reflect the effects of changes in technology and the marketplace.
  • The United States Department of Justice (DOJ) “announced the dismantling of three terrorist financing cyber-enabled campaigns, involving the al-Qassam Brigades, Hamas’s military wing, al-Qaeda, and Islamic State of Iraq and the Levant (ISIS)…the government’s largest-ever seizure of cryptocurrency in the terrorism context.”
    • The DOJ claimed
      • These three terror finance campaigns all relied on sophisticated cyber-tools, including the solicitation of cryptocurrency donations from around the world.  The action demonstrates how different terrorist groups have similarly adapted their terror finance activities to the cyber age.  Each group used cryptocurrency and social media to garner attention and raise funds for their terror campaigns.  Pursuant to judicially-authorized warrants, U.S. authorities seized millions of dollars, over 300 cryptocurrency accounts, four websites, and four Facebook pages all related to the criminal enterprise.
  • The United States (U.S.) National Counterintelligence and Security Center (NCSC) revealed it “has been providing classified briefings and other assistance to federal procurement executives, chief information officers and chief information security officers from across the U.S. Government on supply chain threats and risks stemming from contracting with five Chinese companies.” The NCSC explained the “supply chain security briefings are designed to assist federal agencies implement” Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232).
    • The NCSC stated:
      • One provision of the NDAA prohibits the U.S. Government from directly using goods and services from five specified Chinese companies — Huawei, ZTE Corporation, Hytera Communications, Hangzhou Hikvision and Dahua Technology Company.
      • Another, broader, provision of Section 889 prohibits federal agencies from contracting with any company that uses goods and services from these five Chinese firms. This particular prohibition takes effect on August 13, 2020, unless a federal agency authorizes a waiver for a specific company, which can only be granted by the agency head after receiving NCSC supply chain security guidance.
  • The Federal Communications Commission (FCC) denied two petitions to stay an April 2020 rulemaking that would make the 6 GHz band of spectrum available to users other than the incumbents. The FCC noted “[t]wo parties—Edison Electric Institute (EEI) and Association of Public-Safety Communications Officials-International, Inc. (APCO)—petitioned to stay the Order:
    • EEI, a trade association representing investor-owned electric utilities, seeks only to stay the effectiveness of the rules that apply to low-power indoor devices. 
    • APCO, a non-profit association of persons who manage and operate public-safety communications systems, seeks to stay the rules for both standard-power and low-power indoor operations.
    • In the rule and order, the FCC explained
      • We authorize two different types of unlicensed operations—standard-power and indoor low-power operations. We authorize standard-power access points using an automated frequency coordination (AFC) system. These access points can be deployed anywhere as part of hotspot networks, rural broadband deployments, or network capacity upgrades where needed. We also authorize indoor low-power access points across the entire 6 GHz band. These access points will be ideal for connecting devices in homes and businesses such as smartphones, tablet devices, laptops, and Internet-of-things (IoT) devices to the Internet. As has occurred with Wi-Fi in the 2.4 GHz and 5 GHz bands, we expect that 6 GHz unlicensed devices will become a part of most peoples’ everyday lives. The rules we are adopting will also play a role in the growth of the IoT; connecting appliances, machines, meters, wearables, and other consumer electronics as well as industrial sensors for manufacturing.
  • In a speech, the Australian Competition and Consumer Commission (ACCC) Chair Rod Sims laid out the status of his agency’s actions against Google, Facebook, and other large technology platforms flowing from its final report in its “Digital Platforms Inquiry” that “proposes specific recommendations aimed at addressing some of the actual and potential negative impacts of digital platforms in the media and advertising markets, and also more broadly on consumers,” including:
    • The ACCC recently launched an action against Google regarding misleading representations it made to consumers to obtain their consent to expand the scope of personal information it collected and used about its users’ online activities.
    • In another case, which we brought against Google last year, we allege that Google misled consumers into sharing location data with Google. We contend Google did not clearly inform consumers using Android mobile devices that a particular account setting allowed Google to collect location data. We assert that many consumers may have unknowingly provided more of their personal location data to Google than they intended. Google then used consumers’ location data to enhance the value of its advertising services to prospective advertisers. This case is currently in Court with a hearing scheduled in late November.
    • Currently the ACCC is considering the acquisition by Google and Facebook of Fitbit and Giphy, respectively. We are considering questions such as whether they have the ability to give themselves advantages by favouring their own products, or whether these acquisitions are raising barriers to entry for other competitors.
    • In April 2020 the Federal Government directed the ACCC to develop a mandatory code of conduct to address bargaining power imbalances between Australian news media businesses and digital platforms. We recently published the draft legislation for the code.
  • A British appeals court overturned a decision that had found a police force’s use of facial recognition technology, in a pilot program that utilized live footage, to be legal. The appeals court found the use of this technology by the South Wales Police Force a violation of “the right to respect for private life under Article 8 of the European Convention on Human Rights, data protection legislation, and the Public Sector Equality Duty (“PSED”) under section 149 of the Equality Act 2010.”

Further Reading

  • “North Korean Hacking Group Attacks Israeli Defense Industry” by Ronen Bergman and Nicole Perlroth – The New York Times. Israel is denying the claims of a cybersecurity firm that hackers from the Democratic People’s Republic of Korea (DPRK) deeply penetrated its defense industry. Through the use of sophisticated phishing, including fake LinkedIn accounts and fluent English speakers, employees at Israeli defense companies were tricked into installing spyware on their personal computers, and the hackers allegedly then accessed classified Israeli networks. The attacks show growing sophistication from DPRK hackers and that those looking to penetrate networks will always seek out weak spots.
  • “Pentagon Requests More Time to Review JEDI Cloud Contract Bids” by Frank Konkel – Nextgov. The United States Department of Defense (DOD) has asked for yet more time to resolve who will win the second round of the Joint Enterprise Defense Infrastructure (JEDI) cloud contract that may prove worth more than $10 billion to the winner. The Pentagon had told the court it was on schedule to make an award on the rebid of the contract that Microsoft had won over Amazon. The latter claimed political interference from the White House violated federal contract law, among other claims, resulting in this lawsuit.
  • “Google rival’s study urges letting mobile users pick search defaults” by Ashley Gold – Axios. DuckDuckGo, a search engine, claims in newly released research that permitting Android users to choose their search engine would decrease Google’s market share by 20%. This could be relevant to the United States (U.S.) Department of Justice’s (DOJ) antitrust investigation. As a point of reference, in the U.S., the United Kingdom, and Australia, Google’s share of the mobile search engine market is 95%, 98% and 98%. DOJ may seriously look at this remedy as the European Commission (EC) imposed this as part of its antitrust case against Google, resulting in a record €4.34 billion fine.
  • “Facial Recognition Start-Up Mounts a First Amendment Defense” by Kashmir Hill – The New York Times. Clearview AI has retained legendary First Amendment lawyer Floyd Abrams to make the argument that its collection, use, and dissemination of public photos scraped from the internet is protected as free speech. Abrams is quoted as saying that while privacy is, of course, an important right, the First Amendment to the United States Constitution would trump any such rights. It is expected that this argument will be employed in the myriad suits against the facial recognition technology firm.
  • “An advanced group specializing in corporate espionage is on a hacking spree” by Jeff Stone – cyberscoop. A new hacking group, RedCurl, has gone on a worldwide hacking campaign that broke into businesses in the United Kingdom, Canada, and other places. The hackers phished a number of businesses successfully by impersonating someone from human resources in the organization.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Federal Court Rules Against Suspicionless Searches At Border and In Airports

A U.S. District Court held that U.S. Customs and Border Protection (CBP) and U.S. Immigration and Customs Enforcement’s (ICE) current practices for searches of smartphones and computers at the U.S. border are unconstitutional and that the agencies must have reasonable suspicion before conducting such a search. However, the Court declined the plaintiffs’ request that the information taken off of their devices be expunged by the agencies. This ruling follows a Department of Homeland Security Office of the Inspector General (OIG) report that found CBP “did not always conduct searches of electronic devices at U.S. ports of entry according to its Standard Operating Procedures” and asserted that “[t]hese deficiencies in supervision, guidance, and equipment management, combined with a lack of performance measures, limit [CBP’s] ability to detect and deter illegal activities related to terrorism; national security; human, drug, and bulk cash smuggling; and child pornography.”

In terms of a legal backdrop, the United States Supreme Court has found that searches and seizures of electronic devices at borders and airports are subject to lesser legal standards than those conducted elsewhere in the U.S. under most circumstances. Generally, the government’s interest in securing the border against the flow of contraband and people not allowed to enter allows considerable leeway from the warrant requirements that apply to many other types of searches. However, in recent years two federal appeals courts (the Fourth and Ninth Circuits) have held that searches of electronic devices require suspicion on the part of government agents while another appeals court (the Eleventh Circuit) held differently. Consequently, there is not a uniform legal standard for these searches.

The case was brought by the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) on behalf of 10 U.S. citizens and one legal permanent resident who had had their phones and computers searched by CBP or ICE agents upon entering the U.S., typically at airports. The ACLU argued these searches violated the Fourth Amendment because the agents did not obtain search warrants before conducting the searches of the devices for contraband. The plaintiffs further alleged the searches violated the First Amendment because “warrantless searches of travelers’ electronic devices unconstitutionally chill the exercise of speech and associational rights” according to their complaint. The agencies claimed that such searches require neither a warrant nor probable cause and that the First Amendment claim held no water, a position a number of federal appeals courts have held.

The Court noted that

In January 2018, CBP updated its policy to distinguish between two different types of searches, “basic” and “advanced,” and to require reasonable suspicion or a national security concern for any advanced search, but no showing of cause for a basic search. Under this policy, an advanced search is defined as “any search in which an officer connects external equipment, through a wired or wireless connection, to an electronic device, not merely to gain access to the device, but to review, copy and/or analyze its contents.” The parameters of an advanced search are clearer given this definition than that adopted for a basic search, which is merely defined as “any border search that is not an advanced search.” CBP and ICE use the same definitions of basic and advanced searches and ICE policy also requires reasonable suspicion to perform an advanced search.

The Court stated that

Although the border search exception and the search incident to arrest exception are similar, narrow exceptions to the search warrant requirement, the Court recognizes the governmental interests are different at the border and holds that reasonable suspicion and not the heightened warrant requirement supported by probable cause that Plaintiffs seek here and as applied to the search in Riley is warranted here.

The Court added that

Moreover, the reasonable suspicion that is required for the currently defined basic search and advanced search is a showing of specific and articulable facts, considered with reasonable inferences drawn from those facts, that the electronic devices contains contraband. Although this may be “a close question” on which at least two Circuits disagree…the Court agrees that this formulation is consistent with the government’s interest in stopping contraband at the border and the long-standing distinction that the Supreme Court has made between the search for contraband, a paramount interest at the border, and the search of evidence of past or future crimes at the border, which is a general law enforcement interest not unique to the border.

The Court explained the relief the plaintiffs sought:

  • declaration that CBP and ICE’s policies violate the First and Fourth Amendment facially and have violated Plaintiffs’ First and Fourth Amendment rights by authorizing and conducting searches of electronic devices absent a warrant supported by probable cause, and
  • declarations that CBP and ICE’s policies violate the Fourth Amendment facially and have violated Plaintiffs’ Fourth Amendment rights by authorizing and conducting the confiscation of electronic devices absent probable cause

The Court stated that this relief is granted to the extent that it is declaring “that the CBP and ICE policies for “basic” and “advanced” searches, as presently defined, violate the Fourth Amendment to the extent that the policies do not require reasonable suspicion that the devices contain contraband for both such classes of non-cursory searches and/or seizure of electronic devices; and that the non-cursory searches and/or seizures of Plaintiffs’ electronic devices, without such reasonable suspicion, violated the Fourth Amendment.”

However, the Court declined to institute a nationwide injunction preventing [CBP and ICE] from “searching electronic devices absent a warrant supported by probable cause that the devices contain contraband or evidence of a violation of immigration or customs laws,”…and “b) an injunction preventing Defendants from confiscating electronic devices, with the intent to search the devices after the travelers leave the border, without probable cause and without promptly seeking a warrant for the search.” The Court asserted that briefing on the issues would be needed before such relief could be granted.