ePrivacy Exception Proposed

A broad exception to the EU’s privacy rules has been proposed, but it has not yet been enacted.

My apologies. The first version of this post erroneously asserted the derogation to the ePrivacy Directive had been enacted. It has not, and this post has been re-titled and updated to reflect this fact.

As the European Union (EU) continues to work on replacing the ePrivacy Directive (Directive 2002/58/EC) with a modernized instrument to complement the General Data Protection Regulation (GDPR), the European Commission proposed a temporary exemption to manage a change in another EU law, the European Electronic Communications Code (EECC), that sweeps “number-independent interpersonal communications services” into the existing regulatory structure for electronic communications. The policy justification for allowing a categorical exemption to the ePrivacy Directive is combatting child sexual abuse online. This derogation from EU law is limited to at most five years, and quite possibly less if the EU can enact a successor to the ePrivacy Directive, the ePrivacy Regulation, sooner. However, it is unclear when this derogation will be agreed upon and enacted.

In September 2020, the European Commission (EC) issued “a Proposal for a Regulation on a temporary derogation from certain provisions of the ePrivacy Directive 2002/58/EC as regards the use of technologies by number-independent interpersonal communications service providers for the processing of personal and other data for the purpose of combatting child sexual abuse online.” The proposal was intended to be in place by 21 December 2020, when the EECC’s broader definition of electronic communications services took effect, but it has not yet been adopted. Separately, a compromise draft of the ePrivacy Regulation, the product of extensive negotiations, has also been circulated. The GDPR was enacted with an update of the ePrivacy Directive in mind.

In early December, a European Parliament committee approved the proposed derogation, but the full Parliament has not yet acted on the measure. The Parliament must then reach agreement with the Presidency of the Council and the European Commission. In its press release, the Committee on Civil Liberties, Justice and Home Affairs (LIBE) explained:

The proposed regulation will provide for limited and temporary changes to the rules governing the privacy of electronic communications so that over the top (“OTT”) communication interpersonal services, such as web messaging, voice over Internet Protocol (VoIP), chat and web-based email services, can continue to detect, report and remove child sexual abuse online on a voluntary basis.

Article 1 sets out the scope and aim of the temporary regulation:

This Regulation lays down temporary and strictly limited rules derogating from certain obligations laid down in Directive 2002/58/EC, with the sole objective of enabling providers of number-independent interpersonal communications services to continue the use of technologies for the processing of personal and other data to the extent necessary to detect and report child sexual abuse online and remove child sexual abuse material on their services.

The EC explained the legal and policy background for the exemption to the ePrivacy Directive:

  • On 21 December 2020, with the entry into application of the European Electronic Communications Code (EECC), the definition of electronic communications services will be replaced by a new definition, which includes number-independent interpersonal communications services. From that date on, these services will, therefore, be covered by the ePrivacy Directive, which relies on the definition of the EECC. This change concerns communications services like webmail messaging services and internet telephony.
  • Certain providers of number-independent interpersonal communications services are already using specific technologies to detect child sexual abuse on their services and report it to law enforcement authorities and to organisations acting in the public interest against child sexual abuse, and/or to remove child sexual abuse material. These organisations refer to national hotlines for reporting child sexual abuse material, as well as organisations whose purpose is to reduce child sexual exploitation, and prevent child victimisation, located both within the EU and in third countries.
  • Child sexual abuse is a particularly serious crime that has wide-ranging and serious life-long consequences for victims. In hurting children, these crimes also cause significant and long-term social harm. The fight against child sexual abuse is a priority for the EU. On 24 July 2020, the European Commission adopted an EU strategy for a more effective fight against child sexual abuse, which aims to provide an effective response, at EU level, to the crime of child sexual abuse. The Commission announced that it will propose the necessary legislation to tackle child sexual abuse online effectively including by requiring relevant online services providers to detect known child sexual abuse material and oblige them to report that material to public authorities by the second quarter of 2021. The announced legislation will be intended to replace this Regulation, by putting in place mandatory measures to detect and report child sexual abuse, in order to bring more clarity and certainty to the work of both law enforcement and relevant actors in the private sector to tackle online abuse, while ensuring respect of the fundamental rights of the users, including in particular the right to freedom of expression and opinion, protection of personal data and privacy, and providing for mechanisms to ensure accountability and transparency.

The EC baldly asserts the problem of child online sexual abuse justifies a loophole to the broad prohibition on violating the privacy of EU persons. The EC did note that the fight against this sort of crime is a political priority for the EC, one that ostensibly puts the EU close to the views of the Five Eyes nations that have been pressuring technology companies to end the practice of making apps and hardware encrypted by default.

The EC explained:

The present proposal therefore presents a narrow and targeted legislative interim solution with the sole objective of creating a temporary and strictly limited derogation from the applicability of Articles 5(1) and 6 of the ePrivacy Directive, which protect the confidentiality of communications and traffic data. This proposal respects the fundamental rights, including the rights to privacy and protection of personal data, while enabling providers of number-independent interpersonal communications services to continue using specific technologies and continue their current activities to the extent necessary to detect and report child sexual abuse online and remove child sexual abuse material on their services, pending the adoption of the announced long-term legislation. Voluntary efforts to detect solicitation of children for sexual purposes (“grooming”) also must be limited to the use of existing, state-of-the-art technology that corresponds to the safeguards set out. This Regulation should cease to apply in December 2025.

The EC added “[i]n case the announced long-term legislation is adopted and enters into force prior to this date, that legislation should repeal the present Regulation.”

In November, the European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski published his opinion on the temporary, limited derogation from the EU’s rules on electronic communications and privacy. Wiewiórowski cautioned that a short-term exception, however well-intended, would set a precedent for future loopholes that would ultimately undermine the purpose of the legislation. Moreover, Wiewiórowski found that the derogation lacked sufficiently specific guidance and safeguards and was not proportionate. Wiewiórowski argued:

  • In particular, he notes that the measures envisaged by the Proposal would constitute an interference with the fundamental rights to respect for private life and data protection of all users of very popular electronic communications services, such as instant messaging platforms and applications. Confidentiality of communications is a cornerstone of the fundamental rights to respect for private and family life. Even voluntary measures by private companies constitute an interference with these rights when the measures involve the monitoring and analysis of the content of communications and processing of personal data.
  • The EDPS wishes to underline that the issues at stake are not specific to the fight against child abuse but to any initiative aiming at collaboration of the private sector for law enforcement purposes. If adopted, the Proposal will inevitably serve as a precedent for future legislation in this field. The EDPS therefore considers it essential that the Proposal is not adopted, even in the form of a temporary derogation, until all the necessary safeguards set out in this Opinion are integrated.
  • In particular, in the interest of legal certainty, the EDPS considers that it is necessary to clarify whether the Proposal itself is intended to provide a legal basis for the processing within the meaning of the GDPR, or not. If not, the EDPS recommends clarifying explicitly in the Proposal which legal basis under the GDPR would be applicable in this particular case.
  • In this regard, the EDPS stresses that guidance by data protection authorities cannot substitute compliance with the requirement of legality. It is insufficient to provide that the temporary derogation is “without prejudice” to the GDPR and to mandate prior consultation of data protection authorities. The co-legislature must take its responsibility and ensure that the proposed derogation complies with the requirements of Article 15(1), as interpreted by the CJEU.
  • In order to satisfy the requirement of proportionality, the legislation must lay down clear and precise rules governing the scope and application of the measures in question and imposing minimum safeguards, so that the persons whose personal data is affected have sufficient guarantees that data will be effectively protected against the risk of abuse.
  • Finally, the EDPS is of the view that the five-year period as proposed does not appear proportional given the absence of (a) a prior demonstration of the proportionality of the envisaged measure and (b) the inclusion of sufficient safeguards within the text of the legislation. He considers that the validity of any transitional measure should not exceed 2 years.

The Five Eyes nations (Australia, Canada, New Zealand, the United Kingdom, and the United States) issued a joint statement in which their ministers called for quick action.

In this statement, we highlight how from 21 December 2020, the ePrivacy Directive, applied without derogation, will make it easier for children to be sexually exploited and abused without detection – and how the ePrivacy Directive could make it impossible both for providers of internet communications services, and for law enforcement, to investigate and prevent such exploitation and abuse. It is accordingly essential that the European Union adopt urgently the derogation to the ePrivacy Directive as proposed by the European Commission in order for the essential work carried out by service providers to shield endangered children in Europe and around the world to continue.

Without decisive action, from 21 December 2020 internet-based messaging services and e-mail services captured by the European Electronic Communications Code’s (EECC) new, broader definition of ‘electronic communications services’ are covered by the ePrivacy Directive. The providers of electronic communications services must comply with the obligation to respect the confidentiality of communications and the conditions for processing communications data in accordance with the ePrivacy Directive. In the absence of any relevant national measures made under Article 15 of that Directive, this will have the effect of making it illegal for service providers operating within the EU to use their current tools to protect children, with the impact on victims felt worldwide.

As mentioned, this derogation comes at a time when the EC and the EU nations are trying to finalize and enact an ePrivacy Regulation. In the original 2017 proposal, the EC stated:

The ePrivacy Directive ensures the protection of fundamental rights and freedoms, in particular the respect for private life, confidentiality of communications and the protection of personal data in the electronic communications sector. It also guarantees the free movement of electronic communications data, equipment and services in the Union.

The ePrivacy Regulation is intended to work in concert with the GDPR, and the draft 2020 regulation contains the following passages explaining the intended interplay of the two regulatory schemes:

  • Regulation (EU) 2016/679 regulates the protection of personal data. This Regulation protects in addition the respect for private life and communications. The provisions of this Regulation particularise and complement the general rules on the protection of personal data laid down in Regulation (EU) 2016/679. This Regulation therefore does not lower the level of protection enjoyed by natural persons under Regulation (EU) 2016/679. The provisions particularise Regulation (EU) 2016/679 as regards personal data by translating its principles into specific rules. If no specific rules are established in this Regulation, Regulation (EU) 2016/679 should apply to any processing of data that qualify as personal data. The provisions complement Regulation (EU) 2016/679 by setting forth rules regarding subject matters that are not within the scope of Regulation (EU) 2016/679, such as the protection of the rights of end-users who are legal persons. Processing of electronic communications data by providers of electronic communications services and networks should only be permitted in accordance with this Regulation. This Regulation does not impose any obligations on the end-user. End-users who are legal persons may have rights conferred by Regulation (EU) 2016/679 to the extent specifically required by this Regulation.
  • While the principles and main provisions of Directive 2002/58/EC of the European Parliament and of the Council remain generally sound, that Directive has not fully kept pace with the evolution of technological and market reality, resulting in an inconsistent or insufficiently effective protection of privacy and confidentiality in relation to electronic communications. Those developments include the entrance on the market of electronic communications services that from a consumer perspective are substitutable to traditional services, but do not have to comply with the same set of rules. Another development concerns new techniques that allow for tracking of online behaviour of end-users, which are not covered by Directive 2002/58/EC. Directive 2002/58/EC should therefore be repealed and replaced by this Regulation.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Guillaume Périgois on Unsplash

Further Reading, Other Developments, and Coming Events (27 October)

Further Reading

  • “The Police Can Probably Break Into Your Phone” By Jack Nicas — The New York Times. So, about “Going Dark.” It turns out nations and law enforcement officials have either oversold the barrier that default end-to-end encryption on phones creates or did not understand the access that police were already getting to many encrypted phones. This piece is based in large part on the Upturn report showing that United States (U.S.) law enforcement agencies have multiple means of breaking into encrypted or protected smartphones. The point is made that the real issue is that encryption makes getting into phones harder and considerably more expensive, not impossible. If an iPhone or Android user stores data in the cloud, then getting access is not a problem; data encrypted on the phone itself requires serious technological means to access. But this article also points to another facet of the Upturn report: police have very little in the way of policy or guidance on how to handle extracted data in ways that respect privacy and possibly even the laws of their jurisdictions.
  • “Pornhub Doesn’t Care” By Samantha Cole and Emanuel Maiberg — Vice. One of the world’s biggest pornography sites seems to have a poor track record at taking down non-consensual pornography. A number of women were duped into filming pornography they were told would not be distributed online, or only in certain jurisdictions. The proprietor lied, and now many of them are faced with having these clips turn up again and again on Pornhub and other sites even when digital fingerprinting of the videos is used, since these screening methods can be easily defeated. Worse still, Pornhub and its parent company, Mindgeek, did not start responding to requests from these women to have their videos taken down until the women began litigating against the man who had masterminded the filming of the non-consensual videos.
  • “‘Machines set loose to slaughter’: the dangerous rise of military AI” By Frank Pasquale — The Guardian. This long read lays out some of the possibilities that may come to pass if artificial intelligence is used to create autonomous weapons or robots. Most of the outcomes sound like science fiction, but then who could have foreseen a fleet of drones in the Middle East operated by the United States.
  • “How The Epoch Times Created a Giant Influence Machine” By Kevin Roose — The New York Times. An interesting tale of how a fringe publication may be on its way to being one of the biggest purveyors of right wing material online.
  • “Schools Clamored for Seesaw’s App. That Was Good News, and Bad News.” By Stephanie Clifford — The New York Times. The pandemic has led to the rise of another educational app.

Other Developments

  • The United Kingdom’s (UK) Parliamentary Business, Energy and Industrial Strategy (BEIS) Committee wrote to a number of companies, including technology firms, “to seek answers in relation to the Committee’s inquiry exploring the extent to which businesses in the UK are exploiting the forced labour of Uyghur in the Xinjiang region of China” according to the committee’s press release. The committee wrote to Amazon and TikTok because, as the chair of the committee, Member of Parliament (MP) Nusrat Ghani, asserted:
    • The Australian Strategic Policy Institute’s (ASPI) ‘Uyghurs for Sale’ report names 82 foreign and Chinese companies directly or indirectly benefiting from the exploitation of Uyghur workers in Xinjiang. The companies listed in the Australian Strategic Policy Institute’s report span industries including the fashion, retail and information technology sectors. On the BEIS Committee, we are determined to ask prominent businesses operating in Britain in these sectors what they are doing to ensure their profits are not on the back of forced labour in China. These businesses are trusted by many British consumers and I hope they will repay this faith by coming forward to answer these questions and also take up the opportunity to give evidence to the Business Committee in public.
    • In its March report, the ASPI argued:
      • The Chinese government has facilitated the mass transfer of Uyghur and other ethnic minority citizens from the far west region of Xinjiang to factories across the country. Under conditions that strongly suggest forced labour, Uyghurs are working in factories that are in the supply chains of at least 82 well-known global brands in the technology, clothing and automotive sectors, including Apple, BMW, Gap, Huawei, Nike, Samsung, Sony and Volkswagen.
      • This report estimates that more than 80,000 Uyghurs were transferred out of Xinjiang to work in factories across China between 2017 and 2019, and some of them were sent directly from detention camps. The estimated figure is conservative and the actual figure is likely to be far higher. In factories far away from home, they typically live in segregated dormitories, undergo organised Mandarin and ideological training outside working hours, are subject to constant surveillance, and are forbidden from participating in religious observances. Numerous sources, including government documents, show that transferred workers are assigned minders and have limited freedom of movement.
      • China has attracted international condemnation for its network of extrajudicial ‘re-education camps’ in Xinjiang. This report exposes a new phase in China’s social re-engineering campaign targeting minority citizens, revealing new evidence that some factories across China are using forced Uyghur labour under a state-sponsored labour transfer scheme that is tainting the global supply chain.
  • A group of nations worked together to find and apprehend individuals accused of laundering ill-gotten funds for cyber criminals. The United States (U.S.) indicted the accused. Europol explained:
    • An unprecedented international law enforcement operation involving 16 countries has resulted in the arrest of 20 individuals suspected of belonging to the QQAAZZ criminal network which attempted to launder tens of millions of euros on behalf of the world’s foremost cybercriminals. 
    • Some 40 house searches were carried out in Latvia, Bulgaria, the United Kingdom, Spain and Italy, with criminal proceedings initiated against those arrested by the United States, Portugal, the United Kingdom and Spain. The largest number of searches in the case were carried out in Latvia in operations led by the Latvian State Police (Latvijas Valsts Policija). Bitcoin mining equipment was also seized in Bulgaria.
    • This international sweep follows a complex investigation led by the Portuguese Judicial Police (Polícia Judiciária) together with the United States Attorney Office for the Western District of Pennsylvania and the FBI’s Pittsburgh Field Office, alongside the Spanish National Police (Policia Nacional) and the regional Catalan police (Mossos D’esquadra) and law enforcement authorities from the United Kingdom, Latvia, Bulgaria, Georgia, Italy, Germany, Switzerland, Poland, Czech Republic, Australia, Sweden, Austria and Belgium with coordination efforts led by Europol. 
    • The U.S. Department of Justice (DOJ) claimed:
      • Comprised of several layers of members from Latvia, Georgia, Bulgaria, Romania, and Belgium, among other countries, the QQAAZZ network opened and maintained hundreds of corporate and personal bank accounts at financial institutions throughout the world to receive money from cybercriminals who stole it from bank accounts of victims.  The funds were then transferred to other QQAAZZ-controlled bank accounts and sometimes converted to cryptocurrency using “tumbling” services designed to hide the original source of the funds.  After taking a fee of up to 40 to 50 percent, QQAAZZ returned the balance of the stolen funds to their cybercriminal clientele.  
      • The QQAAZZ members secured these bank accounts by using both legitimate and fraudulent Polish and Bulgarian identification documents to create and register dozens of shell companies which conducted no legitimate business activity. Using these registration documents, the QQAAZZ members then opened corporate bank accounts in the names of the shell companies at numerous financial institutions around the world, thereby generating hundreds of QQAAZZ-controlled bank accounts available to receive stolen funds from cyber thieves.
      • QQAAZZ advertised its services as a “global, complicit bank drops service” on Russian-speaking online cybercriminal forums where cybercriminals gather to offer or seek specialized skills or services needed to engage in a variety of cybercriminal activities. The criminal gangs behind some of the world’s most harmful malware families (e.g.: Dridex, Trickbot, GozNym, etc.) are among those cybercriminal groups that benefited from the services provided by QQAAZZ. 
  • Representatives Anna Eshoo (D-CA) and Bobby L. Rush (D-IL), and Senator Ron Wyden (D-OR) wrote the Privacy and Civil Liberties Oversight Board (PCLOB) asking that the privacy watchdog “investigate the federal government’s surveillance of recent protests, the legal authorities for that surveillance, the government’s adherence to required procedures in using surveillance equipment, and the chilling effect that federal government surveillance has had on protesters.”
    • They argued:
      • Many agencies have or may have surveilled protesters, according to press reports and agency documents.
        • The Customs and Border Protection (CBP) deployed various aircraft –including AS350 helicopters, a Cessna single-engine airplane, and Predator drones –that logged 270 hours of aerial surveillance footage over 15 cities, including Minneapolis, New York City, Buffalo, Philadelphia, Detroit, and Washington, D.C.
        • The FBI flew Cessna 560 aircraft over protests in Washington, D.C., in June, and reporting shows that the FBI has previously equipped such aircraft with ‘dirt boxes,’ equipment that can collect cell phone location data, along with sophisticated cameras for long-range, persistent video surveillance.
        • In addition to specific allegations of protester surveillance, the Drug Enforcement Agency (DEA) was granted broad authority to “conduct covert surveillance” over protesters responding to the murder of Mr. Floyd.
    • Eshoo, Rush, and Wyden claimed:
      • Recent surveillance of protests involves serious threats to liberty and requires a thorough investigation. We ask that PCLOB thoroughly investigate, including by holding public hearings, the following issues and issue a public report about its findings:
        • (1) Whether and to what extent federal government agencies surveilled protests by collecting or processing personal information of protesters.
        • (2) What legal authorities agencies are using as the basis for surveillance, an unclassified enumeration of claimed statutory or other authorities, and whether agencies followed required procedures for using surveillance equipment, acquiring and processing personal data, receiving appropriate approvals, and providing needed transparency.
        • (3) To what extent the threat of surveillance has a chilling effect on protests.
  • Ireland’s Data Protection Commission (DPC) has opened two inquiries into Facebook and Instagram for potential violations of the General Data Protection Regulation (GDPR) and Ireland’s Data Protection Act 2018. This is not the only regulatory action the DPC has pending against Facebook, whose European headquarters is in Dublin. The DPC is reportedly trying to stop Facebook from transferring personal data out of the European Union (EU) to the United States (U.S.) under standard contractual clauses (SCC) in light of the EU-U.S. Privacy Shield being struck down. The DPC stated “Instagram is a social media platform which is used widely by children in Ireland and across Europe…[and] [t]he DPC has been actively monitoring complaints received from individuals in this area and has identified potential concerns in relation to the processing of children’s personal data on Instagram which require further examination.”
    • The DPC explained the two inquiries:
      • This Inquiry will assess Facebook’s reliance on certain legal bases for its processing of children’s personal data on the Instagram platform. The DPC will set out to establish whether Facebook has a legal basis for the ongoing processing of children’s personal data and if it employs adequate protections and or restrictions on the Instagram platform for such children. This Inquiry will also consider whether Facebook meets its obligations as a data controller with regard to transparency requirements in its provision of Instagram to children.
      • This Inquiry will focus on Instagram profile and account settings and the appropriateness of these settings for children. Amongst other matters, this Inquiry will explore Facebook’s adherence with the requirements in the GDPR in respect to Data Protection by Design and Default and specifically in relation to Facebook’s responsibility to protect the data protection rights of children as vulnerable persons.
  • The United States’ National Institute of Standards and Technology (NIST) issued a draft version of the Cybersecurity Profile for the Responsible Use of Positioning, Navigation and Timing (PNT) Services (NISTIR 8323). Comments are due by 23 November.
    • NIST explained:
      • NIST has developed this PNT cybersecurity profile to help organizations identify systems, networks, and assets dependent on PNT services; identify appropriate PNT services; detect the disruption and manipulation of PNT services; and manage the associated risks to the systems, networks, and assets dependent on PNT services. This profile will help organizations make deliberate, risk-informed decisions on their use of PNT services.
    • In its June request for information (RFI), NIST explained “Executive Order 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services, was issued on February 12, 2020 and seeks to protect the national and economic security of the United States from disruptions to PNT services that are vital to the functioning of technology and infrastructure, including the electrical power grid, communications infrastructure and mobile devices, all modes of transportation, precision agriculture, weather forecasting, and emergency response.” The EO directed NIST “to develop and make available, to at least the appropriate agencies and private sector users, PNT profiles.”

Coming Events

  • The Senate Commerce, Science, and Transportation Committee will hold a hearing on 28 October regarding 47 U.S.C. 230 titled “Does Section 230’s Sweeping Immunity Enable Big Tech Bad Behavior?” with testimony from:
    • Jack Dorsey, Chief Executive Officer of Twitter;
    • Sundar Pichai, Chief Executive Officer of Alphabet Inc. and its subsidiary, Google; and 
    • Mark Zuckerberg, Chief Executive Officer of Facebook.
  • On 29 October, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”
  • On 10 November, the Senate Commerce, Science, and Transportation Committee will hold a hearing to consider nominations, including Nathan Simington’s to be a Member of the Federal Communications Commission.


“How Encryption Works” by Afsal CMK is licensed under CC BY 4.0

Five Eyes Again Lean On Tech About Encryption

In the latest demand, the usual suspects are joined by two new nations in urging tech to stop using default encryption and to essentially build backdoors.

The Five Eyes (FVEY) intelligence alliance plus two Asian nations have released an “International Statement: End-To-End Encryption and Public Safety,” which represents the latest FVEY salvo in their campaign against technology companies using default end-to-end encryption. Again, the FVEY nations are casting the issues presented by encryption through the prism of child sexual abuse, terrorism, and other horrible crimes in order to keep technology companies on their proverbial policy backfoot. For, after all, how can the reasonable tech CEO argue for encryption when it is being used to commit and cover up unspeakable crimes.

However, in a sign that technology companies may be facing a growing number of governments aligned on this issue, India and Japan joined the FVEY in this statement; whether this is a result of the recent Quadrilateral Security Dialogue is unclear, but it seems a fair assumption given that two of the FVEY nations, the United States and Australia, make up the other two members of the Quad. And, of course, the United Kingdom, Canada, and New Zealand are the three other members of the FVEY.

In the body of the statement, FVEY, Japan, and India asserted:

  • We, the undersigned, support strong encryption, which plays a crucial role in protecting personal data, privacy, intellectual property, trade secrets and cyber security.  It also serves a vital purpose in repressive states to protect journalists, human rights defenders and other vulnerable people, as stated in the 2017 resolution of the UN Human Rights Council.  Encryption is an existential anchor of trust in the digital world and we do not support counter-productive and dangerous approaches that would materially weaken or limit security systems. 
  • Particular implementations of encryption technology, however, pose significant challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children. We urge industry to address our serious concerns where encryption is applied in a way that wholly precludes any legal access to content.  We call on technology companies to work with governments to take the following steps, focused on reasonable, technically feasible solutions:
    • Embed the safety of the public in system designs, thereby enabling companies to act against illegal content and activity effectively with no reduction to safety, and facilitating the investigation and prosecution of offences and safeguarding the vulnerable;
    • Enable law enforcement access to content in a readable and usable format where an authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight; and
    • Engage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.

So, on the one hand, these nations recognize the indispensable role encryption plays in modern communications and in the fight against authoritarian regimes and “do not support counter-productive and dangerous approaches that would materially weaken or limit security systems.” But, on the other hand, “[p]articular implementations of encryption technology” are putting children at risk and letting terrorism thrive. Elsewhere in the statement we learn that the implementation in question is “[e]nd-to-end encryption that precludes lawful access to the content of communications in any circumstances.”

And so these nations want companies like Facebook, Apple, Google, and others to take certain steps that would presumably maintain strong encryption but would allow access to certain communications for law enforcement purposes. These nations propose “[e]mbed[ding] the safety of the public in system designs,” which is a nice phrase and wonderful rhetoric, but what does this mean practically? Companies should not use default encryption? Perhaps. But let’s be honest about the second order effects if American tech companies dispensed with default encryption. Sophisticated criminals and terrorists understand encryption and will still choose to encrypt their devices, apps, and communications; the difference in this scenario is that devices and apps would no longer be encrypted by default, so people would have to go to the time and trouble of figuring out how to do this themselves. To be fair, neophyte and careless criminals and terrorists may not know to do so, and their communications would be fairly easy to acquire.

Another likely second order effect is that apps and software offering very hard to break encryption will no longer be made or legally offered in FVEY nations. Consequently, the enterprising individual interested in encryption that cannot be broken or tapped by governments will seek, and likely find, such technology produced in other countries through a variety of means. It is unlikely encryption will be put back in the bottle because the FVEY and friends want it so.

Moreover, given the current technological landscape, the larger point here is that building backdoors into encryption or weakening encryption puts legitimate, desirable communications, activities, and transactions at greater risk of being intercepted. Why would this be so? Because it would take less effort and computing power to crack a weaker encryption key.

But, sure, a world in which my midnight snacking does not lead to weight gain would be amazing. And so it is with the FVEY’s call for strong encryption they could essentially defeat as needed. Eventually, the keys, technology, or means would be leaked or stolen as has happened time and time again. Most recently, there was a massive exfiltration of the Central Intelligence Agency’s (CIA) Vault 7 hacking tools and sources and methods. It would only be a matter of time before the tools to defeat encryption were stolen or compromised.

Perhaps there is a conceptual framework or technology that would achieve the FVEY’s goal, but, at present, it will entail tradeoffs that will make people less secure in their online communications. And, in the defense of the FVEY, they are proposing to “[e]ngage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.” Again, very nice phraseology that does not tell us much.

Of course, the FVEY nations are calling for access under proper authorization. However, in the U.S. that might not even entail an adversarial process in a court, for under the Foreign Intelligence Surveillance Act (FISA) there is no such process in the secret proceedings. In the same vein, the phrase “subject to strong safeguards and oversight” is downright comical if the U.S. system is to be the template, given the range of shortcomings and failures of national security agencies in meeting U.S. law relating to surveillance.

The FVEY, Japan, and India conclude with:

We are committed to working with industry to develop reasonable proposals that will allow technology companies and governments to protect the public and their privacy, defend cyber security and human rights and support technological innovation.  While this statement focuses on the challenges posed by end-to-end encryption, that commitment applies across the range of encrypted services available, including device encryption, custom encrypted applications and encryption across integrated platforms.  We reiterate that data protection, respect for privacy and the importance of encryption as technology changes and global Internet standards are developed remain at the forefront of each state’s legal framework.  However, we challenge the assertion that public safety cannot be protected without compromising privacy or cyber security.  We strongly believe that approaches protecting each of these important values are possible and strive to work with industry to collaborate on mutually agreeable solutions.

More having one’s cake and eating it, too. They think strong encryption is possible alongside a means of accessing encrypted communications related to crimes. This seems to be contrary to expert opinion on the matter.

As mentioned, this is not the FVEY’s first attempt to press technology companies. In October 2019, the U.S., the UK, and Australia sent a letter to Facebook CEO Mark Zuckerberg “to request that Facebook does not proceed with its plan to implement end-to-end encryption across its messaging services without ensuring that there is no reduction to user safety and without including a means for lawful access to the content of communications to protect our citizens.” These governments claimed “[w]e support strong encryption…[and] respect promises made by technology companies to protect users’ data…[but] [w]e must find a way to balance the need to secure data with public safety and the need for law enforcement to access the information they need to safeguard the public, investigate crimes, and prevent future criminal activity.” The officials asserted that “[c]ompanies should not deliberately design their systems to preclude any form of access to content, even for preventing or investigating the most serious crimes.”

In summer 2019 the FVEY issued a communique in which it urged technology companies “to include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format.” Interestingly, at that time, these nations lauded Facebook for “approaches like Mark Zuckerberg’s public commitment to consulting Governments on Facebook’s recent proposals to apply end-to-end encryption to its messaging services…[and] [t]hese engagements must be substantive and genuinely influence design decisions.” It raises the question of what, if anything, changed between this communique and the recent letter to Zuckerberg. In any event, this communique followed the Five Eyes 2018 “Statement of Principles on Access to Evidence and Encryption,” which articulated these nations’ commitment to working with technology companies to address encryption and the need for law enforcement agencies to meet their public safety and protection obligations.

In Facebook’s December 2019 response, Facebook Vice President and WhatsApp Head Will Cathcart and Facebook Vice President and Messenger Head Stan Chudnovsky stated “[c]ybersecurity experts have repeatedly proven that when you weaken any part of an encrypted system, you weaken it for everyone, everywhere…[and] [t]he ‘backdoor’ access you are demanding for law enforcement would be a gift to criminals, hackers and repressive regimes, creating a way for them to enter our systems and leaving every person on our platforms more vulnerable to real-life harm.”

Moreover, one of the FVEY nations has enacted a law that could result in orders to technology companies to decrypt encrypted communications. In December 2018, Australia enacted the “Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018” (TOLA). As the Office of the Australian Information Commissioner (OAIC) wrote of TOLA, “[t]he powers permitted under the Act have the potential to significantly weaken important privacy rights and protections under the Privacy Act…[and] [t]he encryption technology that can obscure criminal communications and pose a threat to national security is the same technology used by ordinary citizens to exercise their legitimate rights to privacy.”

This past summer, Australia’s Independent National Security Legislation Monitor (INSLM) issued its report on the “Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018” (TOLA). The Parliamentary Joint Committee on Intelligence and Security had requested that the INSLM review the statute, and so the INSLM engaged in a lengthy review, including input from the public. As explained in the report’s preface, the “INSLM independently reviews the operation, effectiveness and implications of national security and counter-terrorism laws; and considers whether the laws contain appropriate protections for individual rights, remain proportionate to terrorism or national security threats, and remain necessary.”

The INSLM claimed:

In this report I reject the notion that there is a binary choice that must be made between the effectiveness of agencies’ surveillance powers in the digital age on the one hand and the security of the internet on the other. Rather, I conclude that what is necessary is a law which allows agencies to meet technological challenges, such as those caused by encryption, but in a proportionate way and with proper rights protection. Essentially this can be done by updating traditional safeguards to meet those same technological challenges – notably, those who are trusted to authorise intrusive search and surveillance powers must be able to understand the technological context in which those powers operate, and their consequences. If, but only if, the key recommendations I set out in this report in this regard are adopted, TOLA will be such a law.

The European Union may have a different view, however. In a response to a Member of the European Parliament’s letter, the European Data Protection Board (EDPB) articulated its view that any nation that implements an “encryption ban” would endanger its compliance with the General Data Protection Regulation (GDPR) and possibly result in companies domiciled in those countries not being able to transfer and process the personal data of EU citizens. However, as always, it bears noting that the EDPB’s view may not carry the day with the European Commission, Parliament, and courts.

The EDPB stated:

Any ban on encryption or provisions weakening encryption would undermine the GDPR obligations on the concerned controllers and processors for an effective implementation of both data protection principles and the appropriate technical and organisational measures. Similar considerations apply to transfers to controllers or processors in any third countries adopting such bans or provisions. Security measures are therefore specifically mentioned among the elements the European Commission must take into account when assessing the adequacy of the level of protection in a third country. In the absence of such a decision, transfers are subject to appropriate safeguards or may be based on derogations; in any case the security of the personal data has to be ensured at all times.

The EDPB opined “that any encryption ban would seriously undermine compliance with the GDPR.” The EDPB continued, “[m]ore specifically, whatever the instrument used, it would represent a major obstacle in recognising a level of protection essentially equivalent to that ensured by the applicable data protection law in the EU, and would seriously question the ability of the concerned controllers and processors to comply with the security obligation of the regulation.”

Image by OpenClipart-Vectors from Pixabay

Further Reading, Other Developments, and Coming Events (22 September)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The Senate Judiciary Committee’s Intellectual Property Subcommittee will hold a hearing on 23 September titled “Examining Threats to American Intellectual Property: Cyber-attacks and Counterfeits During the COVID-19 Pandemic” with these witnesses:
    • Adam Hickey, Deputy Assistant Attorney General National Security Division, Department of Justice
    • Clyde Wallace, Deputy Assistant Director Cyber Division, Federal Bureau of Investigation
    • Steve Francis, Assistant Director, HSI Global Trade Investigations Division Director, National Intellectual Property Rights Center, U.S. Immigration and Customs Enforcement, Department of Homeland Security
    • Bryan S. Ware, Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency, Department of Homeland Security
  • On 23 September, the Commerce, Science, and Transportation Committee will hold a hearing titled “Revisiting the Need for Federal Data Privacy Legislation,” with these witnesses:
    • The Honorable Julie Brill, Former Commissioner, Federal Trade Commission
    • The Honorable William Kovacic, Former Chairman and Commissioner, Federal Trade Commission
    • The Honorable Jon Leibowitz, Former Chairman and Commissioner, Federal Trade Commission
    • The Honorable Maureen Ohlhausen, Former Commissioner and Acting Chairman, Federal Trade Commission
    • Mr. Xavier Becerra, Attorney General, State of California
  • The House Energy and Commerce Committee’s Consumer Protection and Commerce Subcommittee will hold a virtual hearing “Mainstreaming Extremism: Social Media’s Role in Radicalizing America” on 23 September with these witnesses:
    • Marc Ginsburg, President, Coalition for a Safer Web
    • Tim Kendall, Chief Executive Officer, Moment
    • Taylor Dumpson, Hate Crime Survivor and Cyber-Harassment Target
    • John Donahue, Fellow, Rutgers University Miller Center for Community Protection and Resiliency, Former Chief of Strategic Initiatives, New York City Police Department
  • On 23 September, the Senate Homeland Security and Governmental Affairs will hold a hearing to consider the nomination of Chad Wolf to be the Secretary of Homeland Security.
  • The Senate Armed Services Committee will hold a closed briefing on 24 September “on Department of Defense Cyber Operations in Support of Efforts to Protect the Integrity of U.S. National Elections from Malign Actors” with:
    • Kenneth P. Rapuano, Assistant Secretary of Defense for Homeland Defense and Global Security
    • General Paul M. Nakasone, Commander, U.S. Cyber Command and Director, National Security Agency/Chief, Central Security Service
  • On 24 September, the Homeland Security and Governmental Affairs will hold a hearing on “Threats to the Homeland” with:
    • Christopher A. Wray, Director, Federal Bureau of Investigation
    • Christopher Miller, Director, National Counterterrorism Center
    • Kenneth Cuccinelli, Senior Official Performing the Duties of the Deputy Secretary of Homeland Security
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September and has made available its agenda with these items:
    • Facilitating Shared Use in the 3.1-3.55 GHz Band. The Commission will consider a Report and Order that would remove the existing non-federal allocations from the 3.3-3.55 GHz band as an important step toward making 100 megahertz of spectrum in the 3.45-3.55 GHz band available for commercial use, including 5G, throughout the contiguous United States. The Commission will also consider a Further Notice of Proposed Rulemaking that would propose to add a co-primary, non-federal fixed and mobile (except aeronautical mobile) allocation to the 3.45-3.55 GHz band as well as service, technical, and competitive bidding rules for flexible-use licenses in the band. (WT Docket No. 19-348)
    • Expanding Access to and Investment in the 4.9 GHz Band. The Commission will consider a Sixth Report and Order that would expand access to and investment in the 4.9 GHz (4940-4990 MHz) band by providing states the opportunity to lease this spectrum to commercial entities, electric utilities, and others for both public safety and non-public safety purposes. The Commission also will consider a Seventh Further Notice of Proposed Rulemaking that would propose a new set of licensing rules and seek comment on ways to further facilitate access to and investment in the band. (WP Docket No. 07-100)
    • Improving Transparency and Timeliness of Foreign Ownership Review Process. The Commission will consider a Report and Order that would improve the timeliness and transparency of the process by which it seeks the views of Executive Branch agencies on any national security, law enforcement, foreign policy, and trade policy concerns related to certain applications filed with the Commission. (IB Docket No. 16-155)
    • Promoting Caller ID Authentication to Combat Spoofed Robocalls. The Commission will consider a Report and Order that would continue its work to implement the TRACED Act and promote the deployment of caller ID authentication technology to combat spoofed robocalls. (WC Docket No. 17-97)
    • Combating 911 Fee Diversion. The Commission will consider a Notice of Inquiry that would seek comment on ways to dissuade states and territories from diverting fees collected for 911 to other purposes. (PS Docket Nos. 20-291, 09-14)
    • Modernizing Cable Service Change Notifications. The Commission will consider a Report and Order that would modernize requirements for notices cable operators must provide subscribers and local franchising authorities. (MB Docket Nos. 19-347, 17-105)
    • Eliminating Records Requirements for Cable Operator Interests in Video Programming. The Commission will consider a Report and Order that would eliminate the requirement that cable operators maintain records in their online public inspection files regarding the nature and extent of their attributable interests in video programming services. (MB Docket No. 20-35, 17-105)
    • Reforming IP Captioned Telephone Service Rates and Service Standards. The Commission will consider a Report and Order, Order on Reconsideration, and Further Notice of Proposed Rulemaking that would set compensation rates for Internet Protocol Captioned Telephone Service (IP CTS), deny reconsideration of previously set IP CTS compensation rates, and propose service quality and performance measurement standards for captioned telephone services. (CG Docket Nos. 13-24, 03-123)
    • Enforcement Item. The Commission will consider an enforcement action.

Other Developments

  • The United States (U.S.) Department of Justice (DOJ) has indicted two Iranian nationals for allegedly hacking into systems in the U.S., Europe, and the Middle East dating back to 2013 to engage in espionage and sometimes theft.
    • The DOJ claimed in its press release:
      • According to a 10-count indictment returned on Sept. 15, 2020, Hooman Heidarian, a/k/a “neo,” 30, and Mehdi Farhadi, a/k/a “Mehdi Mahdavi” and “Mohammad Mehdi Farhadi Ramin,” 34, both of Hamedan, Iran, stole hundreds of terabytes of data, which typically included confidential communications pertaining to national security, foreign policy intelligence, non-military nuclear information, aerospace data, human rights activist information, victim financial information and personally identifiable information, and intellectual property, including unpublished scientific research.  In some instances, the defendants’ hacks were politically motivated or at the behest of Iran, including instances where they obtained information regarding dissidents, human rights activists, and opposition leaders.  In other instances, the defendants sold the hacked data and information on the black market for private financial gain.
      • The victims included several American and foreign universities, a Washington, D.C.-based think tank, a defense contractor, an aerospace company, a foreign policy organization, non-governmental organizations (NGOs), non-profits, and foreign government and other entities the defendants identified as rivals or adversaries to Iran.  In addition to the theft of highly protected and sensitive data, the defendants also vandalized websites, often under the pseudonym “Sejeal” and posted messages that appeared to signal the demise of Iran’s internal opposition, foreign adversaries, and countries identified as rivals to Iran, including Israel and Saudi Arabia.
  • Two United States (U.S.) agencies took coordinated action against an alleged cyber threat group and a front company for “a years-long malware campaign that targeted Iranian dissidents, journalists, and international companies in the travel sector.” The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) “imposed sanctions on Iranian cyber threat group Advanced Persistent Threat 39 (APT39), 45 associated individuals, and one front company…Rana Intelligence Computing Company (Rana)” per the agency’s press release. Treasury further claimed:
    • Rana advances Iranian national security objectives and the strategic goals of Iran’s Ministry of Intelligence and Security (MOIS) by conducting computer intrusions and malware campaigns against perceived adversaries, including foreign governments and other individuals the MOIS considers a threat. APT39 is being designated pursuant to E.O. 13553 for being owned or controlled by the MOIS, which was previously designated on February 16, 2012 pursuant to Executive Orders 13224, 13553, and 13572, which target terrorists and those responsible for human rights abuses in Iran and Syria, respectively.
    • The Federal Bureau of Investigation (FBI) provided “information on numerous malware variants and indicators of compromise (IOCs) associated with Rana to assist organizations and individuals in determining whether they may have been targeted.”
  • The United States (U.S.) Department of Justice (DOJ) also released grand jury indictments against five nationals of the People’s Republic of China and two Malaysians for extensive hacking and exfiltration of commercial and business information with an eye towards profiting from these crimes. The DOJ asserted in its press release:
    • In August 2019 and August 2020, a federal grand jury in Washington, D.C., returned two separate indictments (available here and here) charging five computer hackers, all of whom were residents and nationals of the People’s Republic of China (PRC), with computer intrusions affecting over 100 victim companies in the United States and abroad, including software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks, and foreign governments, as well as pro-democracy politicians and activists in Hong Kong.
    • The intrusions, which security researchers have tracked using the threat labels “APT41,” “Barium,” “Winnti,” “Wicked Panda,” and “Wicked Spider,” facilitated the theft of source code, software code signing certificates, customer account data, and valuable business information.  These intrusions also facilitated the defendants’ other criminal schemes, including ransomware and “crypto-jacking” schemes, the latter of which refers to the group’s unauthorized use of victim computers to “mine” cryptocurrency.
    • Also in August 2020, the same federal grand jury returned a third indictment charging two Malaysian businessmen who conspired with two of the Chinese hackers to profit from computer intrusions targeting the video game industry in the United States and abroad.  Shortly thereafter, the U.S. District Court for the District of Columbia issued arrest warrants for the two businessmen.  On Sept. 14, 2020, pursuant to a provisional arrest request from the United States with a view to their extradition, Malaysian authorities arrested them in Sitiawan.
  • On 21 September, the House of Representatives took up and passed the following bills, according to summaries provided by the House Majority Whip’s office:
    • The “Effective Assistance in the Digital Era” (H.R. 5546) (Rep. Jeffries – Judiciary) This bill requires the Federal Bureau of Prisons to establish a system to exempt from monitoring any privileged electronic communications between incarcerated individuals and their attorneys or legal representatives.
    • The “Defending the Integrity of Voting Systems Act (S. 1321) This bill broadens the definition of “protected computer” for purposes of computer fraud and abuse offenses under current law to include a computer that is part of a voting system.
    • The “Promoting Secure 5G Act of 2020” (H.R. 5698) This bill will establish as a U.S. policy within the IFIs to only finance 5G projects and other wireless technologies that include adequate security measures in furtherance of national security aims to protect wireless networks from bad actors and foreign governments.
    • The “MEDIA Diversity Act of 2020” (H.R. 5567) This bill requires the FCC to consider market entry barriers for socially disadvantaged individuals in the communications marketplace.
    • The “Don’t Break Up the T-Band Act of 2020” as amended (H.R. 451) This bill repeals the requirement on the FCC to reallocate and auction the T-Band.  H.R. 451 also requires the FCC to adopt rules limiting the use of 9-1-1 fees by States or other taxing jurisdictions to (1) the support and implementation of 9-1-1 services and (2) operational expenses of public safety answering points.
    • It bears noting that S. 1321 has already passed the Senate, and so it is off to the White House as the only election security bill that has made it through both houses of Congress.

Further Reading

  • “Justice Department expected to brief state attorneys general this week on imminent Google antitrust lawsuit” By Tony Romm — The Washington Post; “Justice Dept. Case Against Google Is Said to Focus on Search Dominance” By Cecilia Kang, Katie Benner, Steve Lohr and Daisuke Wakabayashi — The New York Times; “Justice Department, states to meet in possible prelude to Google antitrust suit” By Leah Nylen — Politico. Tomorrow, the United States Department of Justice (DOJ) will outline its proposed antitrust case against Google with state attorneys general, almost all of whom are investigating Google on the same grounds. Reportedly, the DOJ case is focused on the company’s dominance of online searches, notably its arrangement to make Google the default search engine on iPhones and Androids, and not on its advertising practices. If the DOJ goes this road, then it will be similar to the European Union’s (EU) 2018 case against Google for the same, which resulted in EU residents being offered a choice on search engines on Android devices and a €4.34 billion fine. This development comes after articles earlier this month that Attorney General William Barr has been pushing the DOJ attorneys and investigators against the wishes of many to wrap up the investigation in time for a pre-election filing that would allow President Donald Trump to claim he is being tough on big technology companies. However, if this comes to pass, Democratic attorneys general may decline to join the suit and may bring their own action also alleging violations in the online advertising realm that Google dominates. In this vein, Texas Attorney General Ken Paxton has been leading the state effort to investigate Google’s advertising business, which critics argue is anti-competitive. Also, according to DOJ attorneys who oppose what they see as Barr rushing the suit, this could lead to a weaker case Google may be able to defeat in court. Of course, this news comes shortly after word leaked from the Federal Trade Commission (FTC) that its case against Facebook could be filed regarding its purchase of rivals WhatsApp and Instagram.
  • “Why Japan wants to join the Five Eyes intelligence network” By Alan Weedon — ABC News. This piece makes the case as to why the United States, United Kingdom, Canada, Australia, and New Zealand may admit a new member to the Five Eyes soon: Japan. The case for the first Asian country is that it is a stable, western democracy, a key ally in the Pacific, and a bulwark against the influence of the People’s Republic of China (PRC). It is really this latter point that could carry the day, for the Five Eyes may need Japan’s expertise with the PRC and its technology to counter the former’s growing ambitions.
  • “The next Supreme Court justice could play a major role in cybersecurity and privacy decisions” By Joseph Marks — The Washington Post. There are a range of cybersecurity and technology cases that the Supreme Court will decide in the near future, and so whether President Donald Trump gets to appoint Justice Ruth Bader Ginsburg’s successor will be very consequential for policy in these areas. For example, the court could rule on the Computer Fraud and Abuse Act for the first time regarding whether researchers are violating the law by probing for weak spots in systems. There are also Fourth Amendment and Fifth Amendment cases pending with technology implications, as the former pertains to searches of devices by border guards and the latter to self-incrimination vis-à-vis suspects being required to unlock devices.
  • “Facebook Says it Will Stop Operating in Europe If Regulators Don’t Back Down” By David Gilbert — VICE. In a filing in its case against Ireland’s Data Protection Commission (DPC), Facebook made veiled threats that if the company is forced to stop transferring personal data to the United States, it may stop operating in the European Union altogether. Recently, the DPC informed Facebook that because Privacy Shield was struck down, it would need to stop transfers even though the company has been using standard contractual clauses, another method permitted in some cases under the General Data Protection Regulation. Despite Facebook’s representation, it seems a bit much that the company would leave the EU to any competitors looking to fill its shoes.
  • “As U.S. Increases Pressure, Iran Adheres to Toned-Down Approach” By Julian E. Barnes, David E. Sanger, Ronen Bergman and Lara Jakes — The New York Times. The Islamic Republic of Iran is showing remarkable restraint in its interactions with the United States in the face of continued, punitive actions against Tehran. And this is true also of its cyber operations. The country has made the calculus that any response could be used by President Donald Trump to great effect in closing the gap against front runner former Vice President Joe Biden. The same has been true of its cyber operations against Israel, which has reportedly conducted extensive operations inside Iran with considerable damage.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (4 September)

Here is today’s Further Reading, Other Developments, and Coming Events.

Coming Events

  • The United States-China Economic and Security Review Commission will hold a hearing on 9 September on “U.S.-China Relations in 2020: Enduring Problems and Emerging Challenges” to “evaluate key developments in China’s economy, military capabilities, and foreign relations, during 2020.”
  • On 10 September, the General Services Administration (GSA) will have a webinar to discuss implementation of Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that bars the federal government and its contractors from buying the equipment and services from Huawei, ZTE, and other companies from the People’s Republic of China.
  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • The United States (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Election Assistance Commission (EAC) “released the Election Risk Profile Tool, a user-friendly assessment tool to equip election officials and federal agencies in prioritizing and managing cybersecurity risks to the Election Infrastructure Subsector.” The agencies stated “[t]he new tool is designed to help state and local election officials understand the range of risks they face and how to prioritize mitigation efforts…[and] also addresses areas of greatest risk, ensures technical cybersecurity assessments and services are meeting critical needs, and provides a sound analytic foundation for managing election security risk with partners at the federal, state and local level.”
    • CISA and the EAC explained “[t]he Election Risk Profile Tool:
      • Is a user-friendly assessment tool for state and local election officials to develop a high-level risk profile across a jurisdiction’s specific infrastructure components;
      • Provides election officials a method to gain insights into their cybersecurity risk and prioritize mitigations;
      • Accepts inputs of a jurisdiction’s specific election infrastructure configuration; and
      • Outputs a tailored risk profile for jurisdictions, which identifies specific areas of highest risk and recommends associated mitigation measures that the jurisdiction could implement to address the risk areas.
  • The cybersecurity agencies of the Five Eyes nations have released a Joint Cybersecurity Advisory: Technical Approaches to Uncovering and Remediating Malicious Activity that “highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices.” The agencies asserted “[t]he purpose of this report is to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.”
    • The Australian Cyber Security Centre, Canada’s Communications Security Establishment, the United States’ Cybersecurity and Infrastructure Security Agency, the United Kingdom’s National Cyber Security Centre, and New Zealand’s National Cyber Security Centre and Computer Emergency Response Team summarized the key takeaways from the Joint Advisory:
      • When addressing potential incidents and applying best practice incident response procedures:
      • First, collect and remove for further analysis:
        • Relevant artifacts,
        • Logs, and
        • Data.
      • Next, implement mitigation steps that avoid tipping off the adversary that their presence in the network has been discovered.
      • Finally, consider soliciting incident response support from a third-party IT security organization to:
        • Provide subject matter expertise and technical support to the incident response,
        • Ensure that the actor is eradicated from the network, and
        • Avoid residual issues that could result in follow-up compromises once the incident is closed.
  • The United States’ (U.S.) Department of Justice (DOJ) and Federal Trade Commission (FTC) signed an Antitrust Cooperation Framework with their counterpart agencies from Australia, Canada, New Zealand, and the United Kingdom. The Multilateral Mutual Assistance and Cooperation Framework for Competition Authorities (Framework) “aims to strengthen cooperation between the signatories, and provides the basis for a series of bilateral agreements among them focused on investigative assistance, including sharing confidential information and cross-border evidence gathering.” Given that a number of large technology companies are under investigation in the U.S., the European Union (EU) and elsewhere, signaling a shift in how technology multinationals are being viewed, this agreement may enable cross-border efforts to collectively address alleged abuses. However, the Framework “is not intended to be legally binding and does not give rise to legal rights or obligations under domestic or international law.” The Framework provides:
    • Recognising that the Participants can benefit by sharing their experience in developing, applying, and enforcing Competition Laws and competition policies, the Participants intend to cooperate and provide assistance, including by:
      • a) exchanging information on the development of competition issues, policies and laws;
      • b) exchanging experience on competition advocacy and outreach, including to consumers, industry, and government;
      • c) developing agency capacity and effectiveness by providing advice or training in areas of mutual interest, including through the exchange of officials and through experience-sharing events;
      • d) sharing best practices by exchanging information and experiences on matters of mutual interest, including enforcement methods and priorities; and
      • e) collaborating on projects of mutual interest, including via establishing working groups to consider specific issues.
  • Dynasplint Systems alerted the United States Department of Health and Human Services (HHS) that it suffered a breach affecting more than 100,000 people earlier this year. HHS’ Office of Civil Rights (OCR) is investigating possible violations of Health Insurance Portability and Accountability Act regulations regarding the safeguarding of patients’ health information. If Dynasplint failed to properly secure patient information or its systems, OCR could levy a multimillion dollar fine for a breach of this size. For example, in late July, OCR fined a company over $1 million for the theft of an unencrypted laptop that exposed the personal information of a little more than 20,000 people.
    • Dynasplint, a Maryland manufacturer of range of motion splints, explained:
      • On June 4, 2020, the investigation determined that certain information was accessed without authorization during the incident.
      • The information may have included names, addresses, dates of birth, Social Security numbers, and medical information.
      • Dynasplint Systems reported this matter to the FBI and will provide whatever cooperation is necessary to hold perpetrators accountable.
  • The California Legislature has sent two bills to Governor Gavin Newsom (D) that would change how technology is regulated in the state, including one that would alter the “California Consumer Privacy Act” (AB 375) (CCPA) if the “California Privacy Rights Act” (CPRA) (Ballot Initiative 24) is not enacted by voters in the November election. The two bills are:
    • AB 1138 would amend the recently effective “Parent’s Accountability and Child Protection Act” to bar those under the age of 13 from opening a social media account unless the platform got the explicit consent of their parents. Moreover, “[t]he bill would deem a business to have actual knowledge of a consumer’s age if it willfully disregards the consumer’s age.”
    • AB 1281 would extend the carveout for employers to comply with the CCPA from 1 January 2021 to 1 January 2022. The CCPA “exempts from its provisions certain information collected by a business about a natural person in the course of the natural person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor, as specified…[and also] exempts from specified provisions personal information reflecting a written or verbal communication or a transaction between the business and the consumer, if the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from that company, partnership, sole proprietorship, nonprofit, or government agency.” AB 1281 “shall become operative only” if the CPRA is not approved by voters.
  • Senators Shelley Moore Capito (R-WV), Amy Klobuchar (D-MN) and Jerry Moran (R-KS) have written “a letter to Federal Trade Commission (FTC) Chairman Joseph Simons urging the FTC to take action to address the troubling data collection and sharing practices of the mobile application (app) Premom” and “to request information on the steps that the FTC plans to take to address this issue.” They asserted:
    • A recent investigation from the International Digital Accountability Council (IDAC) indicated that Premom may have engaged in deceptive consumer data collection and processing, and that there may be material differences between Premom’s stated privacy policies and its actual data-sharing practices. Most troubling, the investigation found that Premom shared its users’ data without their consent.
    • Moore Capito, Klobuchar, and Moran stated “[i]n light of these concerning reports, and given the critical role that the FTC plays in enforcing federal laws that protect consumer privacy and data under Section 5 of the Federal Trade Commission Act and other sector specific laws, we respectfully ask that you respond to the following questions:
      • 1. Does the FTC treat persistent identifiers, such as the non-resettable device hardware identifiers discussed in the IDAC report, as personally identifiable information in relation to its general consumer data security and privacy enforcement authorities under Section 5 of the FTC Act?  
      • 2. Is the FTC currently investigating or does it plan to investigate Premom’s consumer data collection, transmission, and processing conduct described in the IDAC report to determine if the company has engaged in deceptive practices?
      • 3. Does the FTC plan to take any steps to educate users of the Premom app that the app may still be sharing their personal data without their permission if they have not updated the app? If not, does the FTC plan to require Premom to conduct such outreach?
      • 4. Please describe any unique or practically uncommon uses of encryption by the involved third-party companies receiving information from Premom that could be functionally interpreted to obfuscate oversight of the involved data transmissions.
      • 5. How can the FTC use its Section 5 authority to ensure that mobile apps are not deceiving consumers about their data collection and sharing practices and to preempt future potentially deceptive practices like those Premom may have engaged in?

Further Reading

  • “Justice Dept. Plans to File Antitrust Charges Against Google in Coming Weeks” By Katie Benner and Cecilia Kang – The New York Times; “The Justice Department could file a lawsuit against Google this month, overriding skepticism from its own top lawyers” By Tony Romm – The Washington Post; “There’s a partisan schism over the timing of a Google antitrust lawsuit” By Timothy B. Lee – Ars Technica. The New York Times explains in its deeply sourced article that United States Department of Justice (DOJ) attorneys want more time to build a better case against Google, but that Attorney General William Barr is pressing for the filing of a suit as early as the end of this month in order for the Trump Administration to show voters it is taking on big tech. Additionally, a case against a tech company would help shore up the President’s right flank as he and other prominent conservatives continue to insist, in the absence of evidence, that technology companies are biased against the right. The team of DOJ attorneys has shrunk from 40 to about 20 as numerous lawyers asked off the case once it was clear what the Attorney General wanted. These articles also throw light on the split between Republican and Democratic state attorneys general in the case they have been working on, with the former accusing the latter of stalling for time in the hopes a Biden DOJ will be harsher on the company, and the latter accusing the former of trying to file a narrow case while Donald Trump is still President that would impair efforts to address the range of Google’s alleged antitrust abuses.
  • “Facebook Moves to Limit Election Chaos in November” By Mike Isaac – The New York Times. The social network giant unveiled measures to fight misinformation the week before the United States election and afterwards should people try to make factually inaccurate claims about the results. Notably, political advertisements will be banned a week before the 3 November election, but this seems like pretty weak tea considering it will be business as usual until late October. Even though the company frames these moves as “additional steps we’re taking to help secure the integrity of the U.S. elections by encouraging voting, connecting people to authoritative information, and reducing the risks of post-election confusion,” the effect of misinformation, disinformation, and lies that proliferate on Facebook will have likely already taken root by late October. It is possible the company still wants the advertising revenue it would forgo if it immediately banned political advertising. Another proposed change is to provide accurate information about voting generally and COVID-19 and voting. In fact, the platform corrected a post of President Donald Trump’s that expressed doubts about mail-in voting.
  • “Washington firm ran fake Facebook accounts in Venezuela, Bolivia and Mexico, report finds” By Craig Timberg and Elizabeth Dwoskin – The Washington Post. In tandem with taking down fake content posted by the Internet Research Agency, Facebook also removed accounts traced back to a Washington, D.C. public relations firm, CLS Strategies, that was running multiple accounts to support the government in Bolivia and the opposition party in Venezuela, both of which are right wing. Using information provided by Facebook, Stanford University’s Internet Observatory released a report stating that “Facebook removed a network of 55 Facebook accounts, 42 Pages and 36 Instagram accounts attributed to the US-based strategic communications firm CLS Strategies for engaging in coordinated inauthentic behavior (CIB).” Stanford asserted these key takeaways:
    • 11 Facebook pages related to Bolivia mainly supported Bolivia’s Interim President Jeanine Áñez and disparaged Bolivia’s former president Evo Morales. All had similar creation dates and manager location settings.
    • Venezuela-focused assets supported and promoted Venezuelan opposition leaders but changed in tone in 2020, reflecting factional divides in the opposition and a turn away from Juan Guaidó.
    • In addition to fake accounts, removed Facebook accounts include six profiles that match the names and photos of CLS Strategies employees listed publicly on their website and appear to be their real accounts.
    • CLS Strategies has a disclosed contract with the Bolivian government to provide strategic communications counsel for Bolivia’s 2020 elections and to strengthen democracy and human rights in Bolivia.
    • Coordinated inauthentic behavior reports from Facebook and Twitter have increasingly included assets linked to marketing and PR firms originating and acting around the world. The firms’ actions violate the platforms’ terms by operating internationally and failing to identify their origins and motivations to users.
    • In its release on the issue, Facebook explained:
      • In August, we removed three networks of accounts, Pages and Groups. Two of them — from Russia and the US — targeted people outside of their country, and another from Pakistan focused on both domestic audiences in Pakistan and also in India. We have shared information about our findings with law enforcement, policymakers and industry partners.
  • “Belarusian Officials Shut Down Internet With Technology Made by U.S. Firm” By Ryan Gallagher – Bloomberg. A United States firm, Sandvine, sold deep packet inspection technology to the government in Belarus through a Russian intermediary. The technology was ostensibly to be used by the government to fend off dangers to the nation’s networks but was instead deployed to shut down numerous social media and news sites on the internet the day of the election. However, Belarusian activists quickly determined how to use workarounds, launching the current unrest that threatens to topple the regime. The same company’s technology has been used elsewhere in the world to cut off access to the internet as detailed by the University of Toronto’s Citizen Lab in 2018.
  • “Canada has effectively moved to block China’s Huawei from 5G, but can’t say so” – Reuters. In a move reminiscent of how the People’s Republic of China (PRC) tanked Qualcomm’s proposed purchase of NXP Semiconductors in 2018, Canada has effectively barred Huawei from its 5G networks by not deciding, which eventually sent a signal to its telecommunications companies to use Ericsson and Nokia instead. This way, there is no public announcement or policy statement the PRC can object to, and the country toes the line with its other Five Eyes partners that have banned Huawei in varying degrees. Additionally, given that two Canadian nationals are being held because Huawei Chief Financial Officer Meng Wanzhou is being detained in Canada awaiting extradition to the United States to face criminal charges, Ottawa needs to manage its relations with the PRC gingerly.



Australia Cybersecurity Strategy/White Paper

Canberra is trying to recalibrate its cybersecurity strategy in the face of increased PRC hacking.

Australia has issued a new Cyber Security Strategy that replaces its 2016 strategy and proposes to change incrementally how the nation would approach cybersecurity and data protection, paired with more funding for these activities. Notably, the government of Prime Minister Scott Morrison seems to be proposing a set of binding cybersecurity standards on certain sectors of critical infrastructure and a program of offensive cyber operations as a means of fending off threats from malicious nation-state and criminal actors. The government in Canberra is also floating a voluntary code of conduct for the manufacturers and developers of Internet of Things (IoT) devices and a rewrite of privacy and data protection laws. In preparation for this strategy, Australia released a call for views in September 2019 on a discussion paper and received more than 200 comments.

Cybersecurity has been much on the minds of the government in Australia. Last fall, the Australian government leaked word that People’s Republic of China (PRC) hackers had penetrated the Parliament’s systems in Canberra even though the Morrison government declined to publicly accuse the PRC. According to media accounts, the Australian Signals Directorate determined that the PRC’s Ministry of State Security attacked Australia’s Parliament and hacked into both parties. In June 2020, Morrison told reporters “Australian organizations are currently being targeted by a sophisticated state-based cyber actor.” He contended “[t]his activity is targeting Australian organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure.” In concert with Morrison’s statement, the Australian Cyber Security Centre (ACSC) and the Department of Home Affairs issued an advisory describing “the tactics, techniques and procedures (TTPs) identified during the ACSC’s investigation of a cyber campaign targeting Australian networks.” Some experts are saying it must be the PRC, especially after Canberra all but publicly named the PRC as the entity that hacked into Parliament.

The Department of Home Affairs (Department) stated that “[t]his Strategy will invest $1.67 billion AUD over 10 years to achieve our vision…[and] [t]his includes:

  • Protecting and actively defending the critical infrastructure that all Australians rely on, including cyber security obligations for owners and operators.
  • New ways to investigate and shut down cyber crime, including on the dark web.
  • Stronger defences for Government networks and data.
  • Greater collaboration to build Australia’s cyber skills pipeline.
  • Increased situational awareness and improved sharing of threat information.
  • Stronger partnerships with industry through the Joint Cyber Security Centre program.
  • Advice for small and medium enterprises to increase their cyber resilience.
  • Clear guidance for businesses and consumers about securing Internet of Things devices.
  • 24/7 cyber security advice hotline for SMEs and families.
  • Improved community awareness of cyber security threats.

The Department addressed encryption at a high level even though Australia’s 2018 legislation, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act, creates the first process for potentially ordering technology companies to decrypt encrypted systems and communications. The Department continued to emphasize the threats created by criminals using encrypted communications, particularly in crimes against children or sex crimes. The Five Eyes nations have increasingly turned to this tactic with the United States government hitting this theme hard whenever encryption policy is discussed. The Department claimed

  • Encryption is an important way of protecting consumer and business data, but the increasing use of the dark web and encryption technologies that allow people to remain anonymous online is challenging law enforcement agencies’ ability to protect our community. The dark web enables cyber criminals to broadcast child sexual exploitation and abuse, trade in stolen identities, traffic drugs and firearms, and plan terror attacks. These platforms make committing serious crimes at volume, and across borders, easier than ever before.
  • The Telecommunications and Other Legislation Amendment (Assistance and Access) Act introduced in 2018 has helped Australia’s law enforcement and security agencies, working with industry, tackle online criminal and terrorist threats. Through this Strategy, the Australian Government will ensure law enforcement agencies have appropriate legislative powers and technical capabilities to deter, disrupt and defeat the criminal exploitation of anonymising technology and the dark web.

The Department explained generally the legislative changes that may result in greater regulation of certain critical infrastructure owners and operators:

The Australian Government will also work with businesses to consider legislative changes that set a minimum cyber security baseline across the economy. This consultation will consider multiple reform options, including:

  • the role of privacy, consumer and data protection laws
  • duties for company directors and other business entities
  • obligations on manufacturers of internet connected devices.

This consultation will examine ways to simplify and reduce the cost of meeting any future minimum baseline.

The Department stated “Australia’s enhanced critical infrastructure security regulatory framework will clarify what infrastructure owners need to do to meet our minimum expectations of cyber security,” including:

  • an enforceable positive security obligation for designated critical infrastructure entities;
  • enhanced cyber security obligations for those entities most important to the nation
  • Australian Government assistance for businesses in response to the most significant cyber attacks to Australian systems
  • voluntary measures to strengthen engagement with businesses in relation to risk, and support an entity’s security uplift.

The Department added that “[t]his enhanced regulatory framework will be delivered through amendments to the Security of Critical Infrastructure Act 2018.”

As mentioned, the Department touched on how Canberra would address the cybersecurity of IoT:

  • To support businesses in taking action to protect themselves and their customers, the Australian Government will release the voluntary Code of Practice: Securing the Internet of Things for Consumers, to inform businesses about the cyber security features expected of internet-connected devices available in Australia. The 13 principles in the voluntary Code of Practice will signal to manufacturers the importance of protecting consumers. Adoption of the Code of Practice, together with associated guidance material produced by the ACSC, will benefit Australians and SMEs by increasing the number of secure products available for purchase. The Australian Government will provide consumers with information about what to take into consideration when purchasing Internet of Things devices.
  • Similar to steps taken in the United Kingdom, the Australian Government will co-design supply chain principles for decision makers and suppliers, to encourage security-by-design; transparency; and autonomy and integrity in investment, procurement and security. The Australian Government will build these principles into decision-making practices, supporting competition and diversity in the market. To keep guidance up to date as technology and threats continue to evolve, the Australian Government will continue to monitor and build on existing government initiatives that promote innovation in sovereign cyber security research and development. AustCyber is well placed to assure continued commercialisation and scaling of cyber security capabilities that support our nation’s needs.

The Department is accepting comment on its Protecting Critical Infrastructure and Systems of National Significance Consultation Paper and explained

  • We want to explore with you how Australia can position itself to meet cyber threats, now and into the future. In forming a view, we will need to consider whether responsibilities are appropriately assigned in keeping everyone safe. This will require a thoughtful discussion about how Government, businesses and individuals can share responsibility for cyber security in the future to get the best outcome for everyone.
  • For the Strategy to be successful, we need to develop and deliver it in partnership with the Australian community. This discussion paper seeks views from all Australians about how to grow Australia’s cyber security and future prosperity. Cyber security affects us all and we are seeking views from small, medium and large businesses, industry bodies, academia, advocacy groups, not for profits, government agencies, community groups and members of the public. We have posed a series of questions you may wish to answer as you offer your thoughts.
  • By working together, governments, academia, industry and the community can strengthen our nation’s cyber resilience across the economy to ensure we prosper as a nation and protect our interests online.

Last month, Australia’s 2020 Cyber Security Strategy Industry Advisory Panel issued its report and recommendations “to provide strategic advice to support the development of Australia’s 2020 Cyber Security Strategy.” The body was convened by the Minister for Home Affairs. The panel “recommendations are structured around a framework of five key pillars:

  • Deterrence: The Government should establish clear consequences for those targeting businesses and Australians. A key priority is increasing transparency on Government investigative activity, more frequent attribution and consequences applied where appropriate, and strengthening the Australian Cyber Security Centre’s (ACSC’s) ability to disrupt cyber criminals by targeting the proceeds of cybercrime.
  • Prevention: Prevention is vital and should include initiatives to help businesses and Australians remain safer online. Industry should increase its cyber security capabilities and be increasingly responsible for ensuring their digital products and services are cyber safe and secure, protecting their customers from foreseeable cyber security harm. While Australians have access to trusted goods and services, they also need to be supported with advice on how to practice safe behaviours at home and work. A clear definition is required for what constitutes critical infrastructure and systems of national significance across the public and private sectors. This should be developed with consistent, principles-based regulatory requirements to implement reasonable protection against cyber threats for both the public and private sectors.
  • Detection: There is clear need for the development of a mechanism between industry and Government for real-time sharing of threat information, beginning with critical infrastructure operators. The Government should also empower industry to automatically detect and block a greater proportion of known cyber security threats in real-time including initiatives such as ‘cleaner pipes’.
  • Resilience: We know malicious cyber activity is hitting Australians hard. The tactics and techniques used by malicious cyber actors are evolving so quickly that individuals, businesses and critical infrastructure operators in Australia are not fully able to protect themselves and their assets against every cyber security threat. As a result, it is recommended that the Government should strengthen the incident response and victim support options already in place. This should include conducting cyber security exercises in partnership with the private sector. Speed is key when it comes to recovering from cyber incidents, it is therefore proposed that critical infrastructure operators should collaborate more closely to increase preparedness for major cyber incidents.
  • Investment: The Joint Cyber Security Centre (JCSC) program is a highly valuable asset to form a key delivery mechanism for the initiatives under the 2020 Cyber Security Strategy should be strengthened. This should include increased resources and the establishment of a national board in partnership with industry, states and territories with an integrated governance structure underpinned by a charter outlining scope and deliverables.

Additionally, the Ministry of Defence issued its 2020 Force Structure Plan that promised even more investment in cybersecurity in the military realm. The planning document discussed the “Information and Cyber Domain” first among the traditional domains (e.g. Maritime), placing greater emphasis on the importance of cyberspace operations to the Australian government. The Ministry offered this summary of its plans:

  • 3.1 Defence is becoming more reliant on fast, reliable and secure internet-based communications. But the threat to this connectivity from malicious actors is also growing. There has been a marked increase in cyber-attacks against Australia by foreign actors and criminals.
  • 3.2 Secure and resilient information systems are essential to Defence’s ability to conduct operations. The Government’s plans for investments in Defence’s information warfare capabilities in the Information and Cyber domain are critical to ensure information can be securely and reliably shared across Defence, with other Government agencies, and with international partners. Future planned investments will protect Defence in cyberspace and enable operations against adversary systems. These plans include investments in offensive cyber and operational cyberspace capabilities for deployed forces.
  • 3.3 In addition to cyber capabilities, the Government plans to make additional investments in enhanced information and electronic warfare systems, and in improved joint command, control and communications systems to strengthen Defence’s warfighting capability. Proposed investments would improve network security and resilience, and the capacity to share information with international partners. Furthermore, Defence intelligence capability will be bolstered with funding to integrate intelligence, surveillance and reconnaissance programs and data, and continued investment in signals intelligence capabilities. Funding will be set aside to ensure Defence remains competitive in the future as emerging technologies, such as artificial intelligence, arise in this domain.
  • 3.4 The total program of investment in strengthened Information and Cyber domain capabilities is expected to comprise approximately $15 billion over the next decade.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


Further Reading, Other Developments, and Coming Events (31 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 31 July, the House Intelligence Committee will mark up its Intelligence Authorization Act.
  • On 31 July the Select Committee on the Modernization of Congress will hold a business meeting “to consider proposed recommendations.”
  • On 3 August the House Oversight and Reform Committee will hold a hearing on the tenth “Federal Information Technology Acquisition Reform Act” (FITARA) scorecard on federal information technology.
  • On 4 August, the Senate Armed Services Committee will hold a hearing titled “Findings and Recommendations of the Cyberspace Solarium Commission” with these witnesses:
    • Senator Angus S. King, Jr. (I-ME), Co-Chair, Cyberspace Solarium Commission
    • Representative Michael J. Gallagher (R-WI), Co-Chair, Cyberspace Solarium Commission
    • Brigadier General John C. Inglis, ANG (Ret.), Commissioner, Cyberspace Solarium Commission
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures. The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules. The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310, 17-105)
    • Common Antenna Siting Rules. The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service. The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)
  • The National Institute of Standards and Technology (NIST) will hold the “Exploring Artificial Intelligence (AI) Trustworthiness: Workshop Series Kickoff Webinar,” “a NIST initiative involving private and public sector organizations and individuals in discussions about building blocks for trustworthy AI systems and the associated measurements, methods, standards, and tools to implement those building blocks when developing, using, and testing AI systems” on 6 August.
  • On 18 August, the National Institute of Standards and Technology (NIST) will host the “Bias in AI Workshop, a virtual event to develop a shared understanding of bias in AI, what it is, and how to measure it.”

Other Developments

  • The European Commission (EC) released a report on the status of efforts across the European Union (EU) to implement the EU Toolbox on 5G Cybersecurity, the bloc’s approach to navigating security issues presented by equipment and services offered by companies from the People’s Republic of China such as Huawei. The EC concluded
    • All Member States reported that concrete steps have been taken to implement the Toolbox. Most Member States carried out a gap analysis and launched a process to review and upgrade existing security measures and enforcement mechanisms. Many Member States have already adopted or are well advanced in the preparation of more advanced security measures on 5G cybersecurity.
    • However, work is still ongoing in many Member States on defining the content and scope of the measures and in some cases, political decisions still need to be made in this regard. In addition, even where measures are in progress or being planned, not all Member States have shared detailed information about every measure, due to diverse stages in the national implementation process or for national security reasons. Nevertheless, a number of findings can be formulated based on the analysis presented in this report as regards the implementation of the Toolbox and areas where specific attention is needed in the next phases of the implementation of the Toolbox at national and/or EU level.
  • The United States (US) and Australia released this joint statement following this week’s Australia-United States Ministerial Consultations (AUSMIN), at which the heads of their defense and foreign ministries met in Washington DC. The two countries listed a number of steps and initiatives designed to counter the People’s Republic of China (PRC). Among other developments:
    • The US and Australia signed a classified Statement of Principles on Alliance Defense Cooperation and Force Posture Priorities in the Indo-Pacific.
    • The two nations “plan to continue to counter these threats vigorously, including through collaboration with international partners, and through a new working group between the Department of Foreign Affairs and Trade and the Department of State, which will monitor and respond to disinformation efforts.”
    • The US and Australia “expressed deep concern that the targeting of intellectual property and sensitive business information, including information relating to the development of vaccines and treatments for pandemic response, presents an increasing threat to the global economy, and they committed to holding malicious actors accountable.”
    • The countries “noted the role of 5G network security best practices, such as the Prague Proposals, and expressed their intent to work with like-minded partners to develop end-to-end technical solutions for 5G that use trusted vendors….[and] [a]cknowledging that 5G is only the starting point, the two nations also reaffirm their commitment to lifting the security of critical and emerging technologies that will be vital to our nations’ prosperity.”
    • The US and Australia “welcomed the announcement that Lynas has signed a Phase 1 contract with the U.S. Department of Defense for an engineering and market feasibility study for the design of a heavy rare earth separation facility in the United States” and “the continued development of a U.S.-Australia Critical Minerals Plan of Action to improve the security of critical minerals in the United States and Australia.” 
  • The United Kingdom’s National Cyber Security Centre (NCSC) has issued a report titled “The Cyber Threat to Sports Organisations” “to demystify the cyber threat to sports organisations by highlighting the cyber security issues that affect the sector on a daily basis: business email compromise, digital fraud, and venue security.” The NCSC asserted
    • cyber attacks against sports organisations are very common, with 70% of those surveyed experiencing at least one attack per annum. This is significantly higher than the average across UK business.
    • The primary cyber threat comes from cyber criminals with a financial motive. Criminal attacks typically take advantage of poor implementation of technical controls and normal human traits such as trust and ineffective password policies.
    • There have been a small number of Hostile Nation-state attacks against sports organisations; typically, these attacks have exploited the same vulnerabilities used by criminals.
    • The most common outcome of cyber attacks is unauthorised access to email accounts (Business Email Compromise) leading to fraud. Ransomware is also a significant issue in the sector.
  • Top Republicans on one of the committees with jurisdiction over technology have written Google and Apple regarding their “app store and the policies you have in place to ensure apps are appropriately vetted, particularly those with close ties to China and the Chinese Communist Party (CCP).” House Energy and Commerce Committee Ranking Member Greg Walden (R-OR) and Consumer Protection and Commerce Subcommittee Ranking Member Cathy McMorris Rodgers (R-WA) are asking the companies to respond by 12 August to a series of questions. They asserted
    • As with any crisis, there are those that seek to exploit opportunities for their own malicious intent. We believe that bad actors may be taking advantage of the American people’s trust in your brand, which likely extends to apps available through your store. While we want an open and transparent marketplace that does not limit innovators outside your company, we know there are those that seek to use apps as a means to push through pop-up ads or hijack devices to make it a tool for eavesdropping.
    • The level of permissions that these apps require may include access to camera, microphone, and contacts, as well as functionality to load other malware for bad actors to control a device even after the original app has been removed. This is especially alarming when it comes from companies with direct or indirect links to the CCP.
  • A Washington DC think tank published a report written in part with Representatives Robin Kelly (D-IL) and Will Hurd (R-TX) titled “AI and the Workforce.” The Bipartisan Policy Center explained that “[b]ased on our discussions with stakeholders, we have identified the following key principles:
    • 1. The United States should embrace and take a leadership role in the AI-driven economy by filling the AI talent gap and preparing the rest of the workforce for the jobs of the future. However, in doing so, policymakers should make inclusivity and equal opportunity a priority.
    • 2. Closing the AI talent gap requires a targeted approach to training, recruiting, and retaining skilled workers. This AI talent should ideally have a multi-disciplinary skill set that includes ethics.
    • 3. The AI talent gap is not the only challenge of the AI-driven economy, so the federal government should focus more broadly on the jobs of the future and skills that are complemented by AI technology. Additionally, encouraging workers to develop basic AI and technological literacy can help them better determine how to complement AI systems.
    • 4. The educational system from kindergarten through post-college is not yet designed for the AI-driven economy and should be modernized.
    • 5. The skills that will be in demand in the future will continuously change, so lifelong learning and ways to help displaced and mid-career workers transition into new jobs is critical for the workforce of the future.
    • In September 2018, Kelly and Hurd released a white paper detailing the “lessons learned from the Subcommittee’s oversight and hearings on AI and sets forth recommendations for moving forward.” 
  • The National Cyber Security Centre (NCSC) updated its “Mobile Device Guidance” regarding “Windows 10, Android and VPNs.” The NCSC stated “[o]ver the next few months, we’ll be bringing our Chrome OS and Ubuntu Linux guidance up to date and into the new format.”
  • Cybersecurity company FireEye released a report on a new type of Russian disinformation campaign where hackers are gaining access to legitimate news sources and planting fake stories that are subsequently amplified on social media.
    • FireEye explained it
      • has tied together several information operations that we assess with moderate confidence comprise part of a broader influence campaign, ongoing since at least March 2017, aligned with Russian security interests. The operations have primarily targeted audiences in Lithuania, Latvia, and Poland with narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe, occasionally leveraging other themes such as anti-U.S. and COVID-19-related narratives as part of this broader anti-NATO agenda. We have dubbed this campaign “Ghostwriter.”
    • FireEye added
      • Many, though not all, of the incidents we suspect to be part of the Ghostwriter campaign appear to have leveraged website compromises or spoofed email accounts to disseminate fabricated content, including falsified news articles, quotes, correspondence and other documents designed to appear as coming from military officials and political figures in the target countries. This falsified content has been referenced as source material in articles and op-eds authored by at least 14 inauthentic personas posing as locals, journalists, and analysts within those countries.

Further Reading

  • “Rite Aid deployed facial recognition systems in hundreds of U.S. stores” by Jeffrey Dastin – Reuters. A major United States retailer was using facial recognition technology, mostly at stores in poorer, more ethnically diverse areas, that seems connected to a company in the People’s Republic of China. Rite Aid has ceased use of this system, which was implemented to address shoplifting and other crime; guards and other personnel were supposed to act when the system turned up a hit on a person in the store who had committed a crime or made trouble in another location. Given the limited accuracy of this sort of technology, there were a range of false positives. Additionally, locations in New York City that had similar crime profiles in majority white, affluent areas were much less likely to have this system. The company providing the technology, DeepCam LLC, appears intimately connected to a Chinese firm, Shenzhen Shenmu, that appears funded by a Beijing-run venture capital/investment fund.
  • “Facebook Wins Temporary Halt to EU Antitrust Data Demands” by Stephanie Bodoni – Bloomberg. In a setback for the European Commission’s (EC) investigation, the European Union General Court has temporarily blocked data and document requests in a pair of rulings. The court ruled for Facebook in finding the EC’s request “may unavoidably include personal information” and so “it is important to ensure that confidential treatment of such information is safeguarded, especially when the information does, at first sight, not appear to have any link with the subject matter of the commission’s investigation.” A Facebook attorney claimed the requests were going to net “highly sensitive personal information such as employees’ medical information, personal financial documents, and private information about family members of employees.” The court is expected to issue a final decision on the data requests, which has obvious implications for the EC’s investigation of Facebook.
  • “Google’s Top Search Result? Surprise! It’s Google” by Adrianne Jeffries and Leon Yin – The Markup. Google’s search results have changed tremendously over the last 15 years, from showing the top organic results to now reserving 50% of the page for Google results and products. As a result, a number of online businesses that compete with Google products have withered and some have died. Google denies abusing its market power, but competitors and possibly some regulators think otherwise, possibly foreshadowing future anti-competitive enforcement actions.
  • “Five Eyes alliance could expand in scope to counteract China” by Patrick Wintour – The Guardian. The United States, United Kingdom, Canada, New Zealand, and Australia may expand both the scope of their Five Eyes arrangement and its membership as a means of pushing back on Chinese policies and actions. Japan could possibly join the alliance, and perhaps it serves as the basis for a trade agreement to address Beijing.
  • “Huawei to double down on HSBC as legal battle over extradition of Meng Wanzhou intensifies” by Zhou Xin – South China Morning Post. As the daughter of Huawei’s founder continues to be held in Canada facing possible extradition to the United States (US) to be tried on charges of violating US sanctions on Iran, Meng Wanzhou’s lawyers are focusing on the evidence provided by Hong Kong based bank HSBC to the US Department of Justice as being deficient in a number of ways. The People’s Republic of China is still holding two Canadians incommunicado who were arrested and charged with espionage after Meng was detained in British Columbia.


EDPB Opines Encryption Ban Would Endanger A Nation’s Compliance with GDPR

As the US and others call on technology companies to develop the means to crack encrypted communications, an EU entity argues any nation with such a law would likely not meet the GDPR’s requirements.


In a response to a Minister of the European Parliament’s letter, the European Data Protection Board (EDPB) articulated its view that any nation that implements an “encryption ban” would endanger its compliance with the General Data Protection Regulation (GDPR) and possibly result in companies domiciled in those countries not being able to transfer and process the personal data of EU citizens. However, as always, it bears note the EDPB’s view may not carry the day with the European Commission, Parliament, and courts.

The EDPB’s letter comes amidst another push by the Trump Administration, Republican allies in Congress, and other nations to have technology companies develop workarounds or backdoors to its end-to-end encrypted devices, apps, and systems. The proponents of this change claim online child sexual predators, terrorists, and other criminals are using products and services like WhatsApp, Telegram, and iPhones to defeat legitimate, targeted government surveillance and enforcement. They reason that unless technology companies abandon their unnecessarily absolutist position and work towards a technological solution, the number of bad actors communicating in ways that cannot be broken (aka “going dark”) will increase, allowing for greater crime and wrongdoing.

On the other side of the issue, technology companies, civil liberties and privacy experts, and computer scientists argue that any weakening of or backdoors to encryption will eventually be stolen and exposed, making it easier for criminals to hack, steal, and exfiltrate. They assert the internet and digital age are built on secure communications and threatening this central feature would wreak havoc beyond the crimes the US and other governments are seeking to prevent.

The EDPB stated

Any ban on encryption or provisions weakening encryption would undermine the GDPR obligations on the concerned controllers and processors for an effective implementation of both data protection principles and the appropriate technical and organisational measures. Similar considerations apply to transfers to controllers or processors in any third countries adopting such bans or provisions. Security measures are therefore specifically mentioned among the elements the European Commission must take into account when assessing the adequacy of the level of protection in a third country. In the absence of such a decision, transfers are subject to appropriate safeguards or may be based on derogations; in any case the security of the personal data has to be ensured at all times.

The EDPB opined “that any encryption ban would seriously undermine compliance with the GDPR.” The EDPB continued, “[m]ore specifically, whatever the instrument used, it would represent a major obstacle in recognising a level of protection essentially equivalent to that ensured by the applicable data protection law in the EU, and would seriously question the ability of the concerned controllers and processors to comply with the security obligation of the regulation.”

The EDPB’s view is being articulated at a time when, as noted, a number of nations led by the United States (US) continue to press technology companies to allow them access to communications, apps, platforms, and devices that are encrypted. Last year, the US, United Kingdom, Australia, New Zealand, and Canada (the so-called Five Eyes nations) met, and in one of the resulting communiques the Five Eyes ministers asserted that

We are concerned where companies deliberately design their systems in a way that precludes any form of access to content, even in cases of the most serious crimes. This approach puts citizens and society at risk by severely eroding a company’s ability to identify and respond to the most harmful illegal content, such as child sexual exploitation and abuse, terrorist and extremist material and foreign adversaries’ attempts to undermine democratic values and institutions, as well as law enforcement agencies’ ability to investigate serious crime.

The five nations contended that “[t]ech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format.” The Five Eyes also claimed that “[t]hose companies should also embed the safety of their users in their system designs, enabling them to take action against illegal content…[and] [a]s part of this, companies and Governments must work together to ensure that the implications of changes to their services are well understood and that those changes do not compromise public safety.”

The Five Eyes applauded “approaches like Mark Zuckerberg’s public commitment to consulting Governments on Facebook’s recent proposals to apply end-to-end encryption to its messaging services…[and] [t]hese engagements must be substantive and genuinely influence design decisions.”

The Five Eyes added

We share concerns raised internationally, inside and outside of government, about the impact these changes could have on protecting our most vulnerable citizens, including children, from harm. More broadly, we call for detailed engagement between governments, tech companies, and other stakeholders to examine how proposals of this type can be implemented without negatively impacting user safety, while protecting cyber security and user privacy, including the privacy of victims.

In October 2019, in an open letter to Facebook CEO Mark Zuckerberg, US Attorney General William P. Barr, United Kingdom Home Secretary Priti Patel, Australia’s Minister for Home Affairs Peter Dutton, and then acting US Homeland Security Secretary Kevin McAleenan asked “that Facebook does not proceed with its plan to implement end-to-end encryption across its messaging services without ensuring that there is no reduction to user safety and without including a means for lawful access to the content of communications to protect our citizens.” In Facebook’s December 2019 response, Facebook Vice President and WhatsApp Head Will Cathcart and Facebook Vice President and Messenger Head Stan Chudnovsky stated “[c]ybersecurity experts have repeatedly proven that when you weaken any part of an encrypted system, you weaken it for everyone, everywhere…[and] [t]he ‘backdoor’ access you are demanding for law enforcement would be a gift to criminals, hackers and repressive regimes, creating a way for them to enter our systems and leaving every person on our platforms more vulnerable to real-life harm.”

However, one of the Five Eyes nations has already taken legislative action to force technology companies and individuals to cooperate with law enforcement investigations in ways that could threaten encryption. In December 2018, Australia enacted the “Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018” (TOLA). As the Office of Australia’s Information Commissioner (OAIC) wrote of TOLA, “[t]he powers permitted under the Act have the potential to significantly weaken important privacy rights and protections under the Privacy Act…[and] [t]he encryption technology that can obscure criminal communications and pose a threat to national security is the same technology used by ordinary citizens to exercise their legitimate rights to privacy.”

In a related development, this week, Australia’s Independent National Security Legislation Monitor (INSLM) issued its report on the “Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018” (TOLA). The Parliamentary Joint Committee on Intelligence and Security had requested that the INSLM review the statute, and so INSLM engaged in a lengthy review, including input from the public. As explained in the report’s preface, the “INSLM independently reviews the operation, effectiveness and implications of national security and counter-terrorism laws; and considers whether the laws contain appropriate protections for individual rights, remain proportionate to terrorism or national security threats, and remain necessary.”

INSLM claimed

In this report I reject the notion that there is a binary choice that must be made between the effectiveness of agencies’ surveillance powers in the digital age on the one hand and the security of the internet on the other. Rather, I conclude that what is necessary is a law which allows agencies to meet technological challenges, such as those caused by encryption, but in a proportionate way and with proper rights protection. Essentially this can be done by updating traditional safeguards to meet those same technological challenges – notably, those who are trusted to authorise intrusive search and surveillance powers must be able to understand the technological context in which those powers operate, and their consequences. If, but only if, the key recommendations I set out in this report in this regard are adopted, TOLA will be such a law.

INSLM stated “[t]he essential effects of TOLA are as follows:

a. Schedule 1 gives police and intelligence agencies new powers to agree or require significant industry assistance from communications providers.

b. Schedules 2, 3 and 4 update existing powers and, in some cases, extend them to new agencies.

c. Schedule 5 gives the Australian Security Intelligence Organisation (ASIO) significant new powers to seek and receive both voluntary and compulsory assistance.”

INSLM found

  • In relation to Schedule 1, for the reasons set out in greater detail in the report, Technical Assistance Notices (TANs) and Technical Capability Notices (TCNs) should be authorised by a body which is independent of the issuing agency or government. These are powers designed to compel a Designated Communications Provider (DCP) to reveal private information or data of its customers and therefore the usual practice of independent authorisation should apply.
  • I am satisfied that the computer access warrant and associated powers conferred by Schedule 2 are both necessary and proportionate, subject to some amendments.
  • I am generally satisfied that the powers conferred by Schedules 3 and 4 are both necessary and proportionate, but there are some matters that should be addressed and further monitored.
  • I have concluded that Schedule 5 should be amended to limit its breadth and clarify its scope.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

EARN IT Act Finally Introduced; Five Eyes Announce Voluntary Principles to Counter Online Child Sexual Exploitation and Abuse; Senate Judiciary Holds Hearing

Senate Judiciary Committee Chair Lindsey Graham (R-SC), Ranking Member Dianne Feinstein (D-CA), and Senators Richard Blumenthal (D-CT) and Josh Hawley (R-MO) formally introduced legislation they floated earlier this year that could result in technology companies losing the liability shield they currently enjoy. Critics claim the legislation is an attempt to force technology companies either to give up end-to-end encryption or to build backdoors into their encryption, backdoors that will ultimately be compromised. If enacted, the EARN IT Act would be the second piece of legislation in two years to change Section 230 of the Communications Decency Act, following the enactment of the “Allow States and Victims to Fight Online Sex Trafficking Act of 2017” (P.L. 115-164).

The “Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020” (EARN IT Act of 2020) (S.3398) would establish a National Commission on Online Child Sexual Exploitation Prevention (Commission) that would design and recommend voluntary “best practices” applicable to technology companies such as Google, Facebook, and many others to address “the online sexual exploitation of children.” The Department of Justice (DOJ) would name the chair of the Commission, the Department of Homeland Security (DHS) and Federal Trade Commission (FTC) would each name one member, and the Speaker of the House, House Minority Leader, Senate Majority Leader, and Senate Minority Leader would each appoint four members. The Commission would submit its best practices to the Attorney General within 18 months of being convened, and if approved by DOJ, with the concurrence of DHS and the FTC, these voluntary standards would be published. Moreover, the EARN IT Act contains fast-track procedures under which Congress could codify these practices, after which technology companies subject to the standards would need to submit annual certifications that the company “has a reasonable basis to conclude that review does not reveal any material non-compliance with the requirements of the best practices.” If a technology company knowingly submits a false certification, the company and the responsible executives and employees would face criminal liability, including fines and imprisonment. The bill would remove the Section 230 liability shield with respect to state child exploitation laws unless a company either certifies compliance with the best practices (the Commission’s, or those enacted by Congress) or shows that it has implemented alternative reasonable measures.

In their press release, Graham, Feinstein, Blumenthal, and Hawley asserted:

The EARN IT Act is supported by more than 70 groups, survivors and stakeholders, including the National Center for Missing & Exploited Children (NCMEC), Rights4Girls, and the National Center on Sexual Exploitation.

Background on the EARN IT Act:

  • In July 2019, the Senate Judiciary Committee held a hearing titled, “Protecting Innocence in a Digital World”.
  • Later in 2019, the New York Times published a series of investigative reports, describing the rapid increase of child sexual abuse material on prominent online platforms. This is a threat that has not received a consistent and forceful response from the tech industry.
    • Reports of suspected child sexual abuse material to the NCMEC CyberTipline have exploded since its inception. For example, over the past five years, reports increased from 1.1 million in 2014 to 16.9 million covering 69.1 million photos, videos, and files in 2019.
  • Section 230 of the Communications Decency Act gives “interactive computer services” significant immunity from civil liability, as well as state criminal liability for third party content on their platforms. Sadly, given this limited liability, many companies do not aggressively go after online child sexual exploitation.

Among those opposed to the bill are:

  • Johns Hopkins University Associate Professor Matthew Green argued the EARN IT Act “represents a sophisticated and direct governmental attack on the right of Americans to communicate privately…[and] I can’t stress how dangerous this bill is, though others have tried.”
  • The Electronic Frontier Foundation (EFF) asserted of the bill that “its supporters’ strategy is clear. Because they didn’t put the word ‘encryption’ in the bill, they’re going to insist it doesn’t affect encryption….It’s true that the bill’s authors avoided using that word. But they did propose legislation that enables an all-out assault on encryption.”
  • The Center for Internet and Society at Stanford Law School claimed the EARN IT Act “aims to kneecap encryption under the guise of protecting children online, while capitalizing on the techlash and the current unpopularity of Section 230 of the Communications Decency Act.”

The EARN IT Act was introduced the same day the Departments of Justice (DOJ) and Homeland Security (DHS) announced the release of the Voluntary Principles to Counter Online Child Sexual Exploitation and Abuse developed in conjunction with the governments of Australia, Canada, New Zealand, and the United Kingdom. DOJ and DHS claimed in their press release that

The voluntary principles provide a common and consistent framework to guide the digital industry in its efforts to combat the proliferation of online child exploitation. The voluntary principles cover the following themes:

  • Prevent child sexual abuse material;
  • Target online grooming and preparatory behavior;
  • Target livestreaming;
  • Prevent searches of child sexual abuse material from surfacing;
  • Adopt a specialized approach for children;
  • Consider victim/survivor-led mechanisms; and
  • Collaborate and respond to evolving threats.

DOJ and DHS added

  • These voluntary principles are built on existing industry efforts to combat these crimes. Some leading companies have dedicated significant resources to develop and deploy tools in the fight to protect children online and to detect, disrupt and identify offenders. Although significant progress has been made, there is much more to be done to strengthen existing efforts and enhance collective action.
  • These principles are intended to have sufficient flexibility to ensure effective implementation by industry actors. Some companies have already implemented measures similar to those outlined in these principles. Regardless of whether or not a company chooses to adopt these principles, existing laws and regulations in relevant jurisdictions continue to apply to all companies. Nothing in these principles overrides or is contrary to the need for companies to comply with the law.

These voluntary principles on online child abuse and exploitation are of a piece with previous efforts by the DOJ and Attorney General William Barr to pressure technology companies to provide greater technical assistance to defeat end-to-end encryption.

A week later, at a hearing, the Senate Judiciary Committee examined the EARN IT Act, with Graham and Blumenthal making opening statements on their bill. Many of the Members expressed support for the legislation or its goals and argued that large technology companies have simply not been doing enough to combat online child exploitation.

National Center for Missing & Exploited Children (NCMEC) Vice President John Shehan stated

The EARN It Act is a child protection bill that addresses many of the gaps identified by NCMEC in this written testimony regarding current efforts to combat the proliferation of child sexual abuse and exploitative material online, including:

(1) lack of adoption of consistent practices and technology across the tech industry to combat the problem;

(2) failure of companies to implement best practices across all of their platforms and services;

(3) reliance on wholly voluntary measures to protect children from being enticed/groomed online for sexual abuse and to prevent images of their rape and sexual abuse from circulating online;

(4) absence of incentives for ESPs to invest and engage in best practices to keep children safer online; and

(5) denial of a child victim’s right to his or her day in court against all parties, including tech companies, that have recklessly contributed to the child’s revictimization when sexually abusive images are recirculated online.

The EARN It Act addresses each of these gaps, shortcomings, and inconsistencies.

Match Group Chief Legal Officer & Secretary Jared Sine explained

  • Match Group takes the privacy of our users seriously, which is why we have developed a privacy framework that meets the standards of the GDPR—and all our brands are required to meet or exceed these standards. Like all internet companies, we grapple with the same inherent tensions that exist between privacy and security.
  • We believe that these issues are not mutually exclusive, especially when it comes to our support of the EARN IT Act. There are technological solutions to balance safety for our children and privacy, and we need to work to enable the Commission and develop those solutions. That is the point of the Commission—its ability to collaborate to solve these issues, taking into account the ecosystem, its needs, and the rights of its users and providers to drive a solution that works for everyone.
  • We also believe that Section 230 has been a critical part of the internet’s rise and success and must be kept strong and vibrant. However, we do not believe that companies who do nothing to stop child exploitation should receive the benefit and trust that Section 230 has long granted them.
  • This legislation acknowledges the importance of Section 230 to privacy, free speech, and so many other rights that we hold dear, while rightfully recognizing that online platforms must do more. The bill also creates a collaborative framework for setting standards across the internet ecosystem that will help tech companies fulfil their moral and societal obligation to protect our kids online.
  • We do not take our support for this proposal lightly. We recognize how important it is to strike the right balance between privacy and security. But we believe the proposed legislation has the ability to do just that: by balancing those needs of safety and privacy through collaboration. As part of the standard setting process, the Commission established by the EARN IT Act must be empowered and instructed to take these tensions into account.
  • Match Group strongly supports the Commission included in this proposal for the very reason that it provides a forum for bringing law enforcement, industry, and technical experts together to create commonsense rules of the road that will not just level the playing field for technology companies but also incentivize investing in—and enforcing—online safety. Not only do we support this legislation, but we’d also like to offer suggestions to make it even stronger. We share your goal of making sure this is done in a way that does not stifle innovation but still has teeth, a topic I know Sen. Graham and others have talked about already.

The Catholic University of America Professor of Law Mary G. Leary explained that

  • As Congress contemplates the appropriate limits of Section 230 in the space of child sexual abuse material (CSAM) more generally, particular attention should be paid to this issue and its history. In the current form of the EARN It Act, an interactive computer service can claim a safe harbor from both state enforcement of its criminal laws and civil action through two fairly easily attainable paths. First, it obtains broad immunity if an officer certifies that the provider conducted a thorough review of the implementation and operation of the best practices and he has a “reasonable basis to conclude that review does not reveal any material non-compliance” with the best practices. This should be understood to be a relatively low standard not establishing actual compliance with best practices. This is particularly true given that the best practices will be generated by a commission whose membership largely comes from the tech community or its allies. Such a certification – which notably does not certify the entity is, in fact, in compliance with the practices – will provide the entity immunity from civil suit or state level prosecution. This exclusive protection is sweeping, and yet available to it for a very qualified certification. While the provider does risk prosecution, such a risk is remote as prosecution can only occur if it can be established that the provider knowingly submitted a false certification. The variance between the mens rea necessary for certification (reasonable basis to not believe there is material non-compliance) and that necessary for prosecution (knowingly submitting a false statement) is significant.
  • The second path to immunity is a provider establishing that it has implemented “reasonable measures” to prevent it from being used for the exploitation of minors. This will require a trial court, possibly at a motion to dismiss stage, to determine if the provider was reasonable in its measures. Such an approach risks a similar outcome as with the aforementioned Section 230 sex trafficking caselaw in which courts, unfamiliar with the technology and relying on outdated precedent, arguably expanded Section 230 immunity further than congressionally intended.
  • In such a regime, a victim survivor can attempt to hold a provider responsible for its actions and file a suit with facts and a good faith belief that the provider violated the law, was not in compliance with the practices, and, in fact, did not make a certification in good faith. Yet, by Section 230 immunity being awarded to the provider at such a low standard, the risk exists that the case will be dismissed prior to discovery. Thus, the legal landscape that led to Backpage successfully avoiding liability for several years could be repeated. That is to say an actor could be engaged in activity for which liability is appropriate, but a victim survivor is precluded from proving that case due to the sweeping scope of such immunity available to providers merely by arguing they are reasonable or that they had no reason to believe a material non-compliance occurred.

Internet Association (IA) Deputy General Counsel Elizabeth Banker contended that

IA is concerned that the EARN IT Act would burden, discourage, or even prevent, ongoing efforts by internet companies to keep their platforms safe and to identify and remove abusive content. It also would undermine the efforts of law enforcement, and nongovernmental organizations like NCMEC, to hold bad actors to account and combat child sexual abuse material (CSAM) online.

1. The bill would be vulnerable to Fourth Amendment challenges that could render evidence from platforms’ screening efforts inadmissible, therefore hampering efforts to combat CSAM. Criminal defendants across the United States have filed motions to suppress evidence of child sexual exploitation crimes in the hopes of avoiding conviction. The argument that many of these criminal defendants make is that providers, including IA member companies, who proactively detect CSAM and who report it to NCMEC’s CyberTipline, act as “agents of the government” for Fourth Amendment purposes. Under Fourth Amendment jurisprudence, a search performed by an agent of the government is subject to the same requirements as if the government performed the search directly. If a criminal defendant is able to show that the search violated the Fourth Amendment, the exclusionary rule may require that the evidence obtained through the illegal search, and any fruits of the poisonous tree, be excluded at trial.

2. The bill would delegate authority to set important standards to an administrative body. The EARN IT Act would delegate important decisions concerning security, privacy, and free speech on the internet—weighty and complex matters that directly impact hundreds of millions of consumers—to an administrative body that would be composed of members who are not elected representatives and that would operate with little transparency. These critical decisions should not be made through an opaque process; rather, they should be made by Congress directly.

3. The bill would be vulnerable to First Amendment challenges. If the EARN IT Act became law, it would be vulnerable to various First Amendment challenges. IA is concerned that such vulnerabilities create legal jeopardy, significant delays, and other costs and impediments that would inevitably slow the achievement of the goals that everyone engaged in the fight against CSAM is trying to attain.