Google and France reach agreement on a scheme to compensate media while the company threatens to pull its search engine from Australia.
Not long after Google reached agreement with French media on how to compensate them under France’s law to implement a European Union (EU) Directive, the company threatened to pull its search engine from Australia for legislation introduced last month to make payment to that country’s media mandatory.
Last week, Google and the Alliance de la Presse d’Information Générale (APIG) announced agreement “about neighboring rights under French law…a major step forward: it is the culmination of months of negotiations within the framework set by the French Competition Authority.” APIG and Google explained:
This agreement establishes a framework within which Google will negotiate individual licensing agreements with IPG certified publishers within APIG’s membership, while reflecting the principles of the law. These agreements will cover publishers’ neighboring rights, and allow for participation in News Showcase, a new licencing program recently launched by Google to provide readers access to enriched content.
The remuneration that is included in these licensing agreements is based on criteria such as the publisher’s contribution to political and general information (IPG certified publishers), the daily volume of publications, and its monthly internet traffic.
In April 2020, France’s Competition Authority found that Google had indeed violated French and EU law and must compensate French news media for use of their content. Google appealed, lost, and then agreed to negotiate.
In the weeks before the French appeals court ruled against Google, Google and Alphabet CEO Sundar Pichai announced the company will pay some media outlets up to $1 billion over the next three years “to create and curate high-quality content for a different kind of online news experience” for its new product, Google News Showcase. Pichai claimed:
This approach is distinct from our other news products because it leans on the editorial choices individual publishers make about which stories to show readers and how to present them. It will start rolling out today to readers in Brazil and Germany, and will expand to other countries in the coming months where local frameworks support these partnerships.
In response, the European Publishers Council (EPC) noted
The French Competition Authority decision from April considered that Google’s practices were likely to constitute an abuse of a dominant position and brought serious and immediate damage to the press sector. It calls on Google, within three months, to conduct negotiations in good faith with publishers and press agencies on the remuneration for their protected content. Google’s appeal in July seeks to get some legal clarity on parts of the decision.
Moreover, the EU Directive on Copyright in the Digital Single Market is being implemented in EU member states and would allow them to require compensation from platforms like Facebook and Google. The EPC claimed:
Many are quite cynical about Google’s perceived strategy. By launching their own product, they can dictate terms and conditions, undermine legislation designed to create conditions for a fair negotiation, while claiming they are helping to fund news production.
This Directive lays down rules which aim to harmonise further Union law applicable to copyright and related rights in the framework of the internal market, taking into account, in particular, digital and cross-border uses of protected content. It also lays down rules on exceptions and limitations to copyright and related rights, on the facilitation of licences, as well as rules which aim to ensure a well-functioning marketplace for the exploitation of works and other subject matter.
Matters in Australia stand on different ground. In testimony before the Australian Senate Economics Legislation Committee, the Managing Director of Google Australia and New Zealand Melanie Silva said “[i]f this version of the code were to become law, it would give us no real choice but to stop making Google Search available in Australia.” She added “[i]t’s not a threat…[i]t’s a reality.” Silva was testifying on a recently released bill that would require Google, Facebook, and others to pay Australian news media for use of their content. Both tech giants have been fighting this initiative since it was launched in early 2020. Silva added the new law “would set an untenable precedent” and pose “unmanageable financial and operational risk.” Silva later posted a video on Twitter, making the case against the legislation. Additionally, Facebook threatened to limit what users in Australia could post and see if the law goes into effect.
In December 2020, Canberra unveiled the “Treasury Laws Amendment (News Media and Digital Platforms Mandatory Bargaining Code) Bill 2020” that “establishes a mandatory code of conduct to help support the sustainability of the Australian news media sector by addressing bargaining power imbalances between digital platforms and Australian news businesses” according to the Explanatory Memorandum. The legislation comes after the center-right government, the Liberal–National Coalition, tried to negotiate a voluntary agreement with Google and Facebook, but talks fell apart. In late May, Australia’s Treasurer Josh Frydenberg explained in an op-ed that because Facebook and Google have not come to an agreement with the Australian Competition & Consumer Commission (ACCC) in “facilitat[ing] the development of a voluntary code of conduct governing the relationships between digital platforms and media businesses, the goal of which was to protect consumers, improve transparency and address the power imbalance between the parties.”
The code would commence following the introduction and passage of relevant legislation in the Australian Parliament. The ACCC released an exposure draft of this legislation on 31 July 2020, with consultation on the draft due to conclude on 28 August 2020. Final legislation is expected to be introduced to Parliament shortly after conclusion of this consultation process.
This is not the ACCC’s first interaction with the companies. In December 2020, the ACCC sued Facebook and two subsidiaries “for false, misleading or deceptive conduct when promoting Facebook’s Onavo Protect mobile app to Australian consumers.” The Australian regulator is claiming Facebook and its subsidiaries misrepresented VPN services that were offered, in large part, to collect personal data. The ACCC is arguing that Facebook Inc., Facebook Israel Ltd and Onavo,Inc. “made false, misleading or deceptive representations that Onavo Protect would keep users’ personal activity data private, protected and secret, and that such data would not be used for any purpose other than to provide the Onavo Protect services.” The ACCC argued that “a key purpose and use of Onavo Protect, which utilised Facebook’s servers, was for Facebook and Onavoto collect significant personal activity data, including about users’ internet and app activity, for Facebook and Onavo to use for their commercial benefit, including to support market analytics and related activities such as identifying future acquisitions.”
In October 2019 the ACCC announced a legal action against Google “alleging they engaged in misleading conduct and made false or misleading representations to consumers about the personal location data Google collects, keeps and uses” according to the agency’s press release. In its initial filing, the ACCC is claiming that Google mislead and deceived the public in contravention of the Australian Competition Law and Android users were harmed because those that switched off Location Services were unaware that their location information was still be collected and used by Google for it was not readily apparent that Web & App Activity also needed to be switched off.
In 2019, the ACCC released its final report in its “Digital Platforms Inquiry” that “proposes specific recommendations aimed at addressing some of the actual and potential negative impacts of digital platforms in the media and advertising markets, and also more broadly on consumers.”
“Mexican president mounts campaign against social media bans” By Mark Stevenson — The Associated Press. The leftist President of Mexico President Andrés Manuel López Obrador is vowing to lead international efforts to stop social media companies from censoring what he considers free speech. Whether this materializes into something substantial is not clear.
“As Trump Clashes With Big Tech, China’s Censored Internet Takes His Side” By Li Yuan — The New York Times. The government in Beijing is framing the ban of former President Donald Trump after the attempted insurrection by social media platforms as proof there is no untrammeled freedom of speech. This position helps bolster the oppressive policing of online content the People’s Republic of China (PRC) wages against its citizens. And quite separately many Chinese people (or what appear to be actual people) are questioning what is often deemed the censoring of Trump in the United States (U.S.), a nation ostensibly committed to free speech. There is also widespread misunderstanding about the First Amendment rights of social media platforms not to host content with which they disagree and the power of platforms to make such determinations without fear that the U.S. government will punish them as is often the case in the PRC.
“Trump admin slams China’s Huawei, halting shipments from Intel, others – sources” By Karen Freifeld and Alexandra Alper — Reuters. On its way out of the proverbial door, the Trump Administration delivered parting shots to Huawei and the People’s Republic of China by revoking one license and denying others to sell the PRC tech giant semiconductors. Whether the Biden Administration will reverse or stand by these actions remains to be seen. The companies, including Intel, could appeal. Additionally, there are an estimated $400 million worth of applications for similar licenses pending at the Department of Commerce that are now the domain of the new regime in Washington. It is too early to discern how the Biden Administration will maintain or modify Trump Administration policy towards the PRC.
“Behind a Secret Deal Between Google and Facebook” By Daisuke Wakabayashi and Tiffany Hsu — The New York Times. The newspaper got its hands on an unredacted copy of the antitrust suit Texas Attorney General Ken Paxton and other attorneys general filed against Google, and it has details on the deal Facebook and Google allegedly struck to divide the online advertising world. Not only did Facebook ditch an effort launched by publishers to defeat Google’s overwhelming advantages in online advertising bidding, it joined Google’s rival effort with a guarantee that it would win a specified number of bids and more time to bid on ads. Google and Facebook naturally deny any wrongdoing.
“Biden and Trump Voters Were Exposed to Radically Different Coverage of the Capitol Riot on Facebook” By Colin Lecher and Jon Keegan — The Markup. Using a tool on browsers the organization pays Facebook users to have, the Markup can track the type of material they see in their feed. Facebook’s algorithm fed people material about the 6 January 2021 attempted insurrection based on their political views. Many have pointed out that this very dynamic creates filter bubbles that poison democracy and public discourse.
“Misinformation dropped dramatically the week after Twitter banned Trump and some allies” By Elizabeth Dwoskin and Craig Timberg — The Washington Post. Research showed that lies, misinformation, and disinformation about election fraud dropped by three-quarters after former President Donald Trump was banned from Twitter and other platforms. Other research showed that a small group of conservatives were responsible for up to 20% of misinformation on this and other conspiracies.
“This Was WhatsApp’s Plan All Along” By Shoshana Wodinsky — Gizmodo. This piece does a great job of breaking down into plain English the proposed changes to terms of service on WhatsApp that so enraged users that competitors Signal and Telegram have seen record-breaking downloads. Basically, it is all about reaping advertising dollars for Facebook through businesses and third-party partners using user data from business-related communications. Incidentally, WhatsApp has delayed changes until March because of the pushback.
“Brussels eclipsed as EU countries roll out their own tech rules” By By Laura Kayali and Mark Scott — Politico EU. The European Union (EU) had a hard-enough task in trying to reach final language on a Digital Services Act and Digital Markets Act without nations like France, Germany, Poland, and others picking and choosing text from draft bills and enacting them into law. Brussels is not happy with this trend.
Federal Trade Commission (FTC) Chair Joseph J. Simons announced his resignation from the FTC effective on 29 January 2021 in keeping with tradition and past practice. This resignation clears the way for President Joe Biden to name the chair of the FTC, and along with FTC Commissioner Rohit Chopra’s nomination to head the Consumer Financial Protection Bureau (CFPB), the incoming President will get to nominate two Democratic FTC Commissioners, tipping the political balance of the FTC and likely ushering in a period of more regulation of the technology sector.
Simons also announced the resignation of senior staff: General Counsel Alden F. Abbott; Bureau of Competition Director Ian Conner; Bureau of Competition Deputy Directors Gail Levine and Daniel Francis; Bureau of Consumer Protection Director Andrew Smith; Bureau of Economics Director Andrew Sweeting; Office of Public Affairs Director Cathy MacFarlane; and Office of Policy Planning Director Bilal Sayyed.
In a speech last week before he sworn in, President Joe Biden announced his $1.9 trillion American Rescue Plan, and according to a summary, Biden will ask Congress to provide $10 billion for a handful of government facing programs to improve technology. Notably, Biden “is calling on Congress to launch the most ambitious effort ever to modernize and secure federal IT and networks.” Biden is proposing to dramatically increase funding for a fund that would allow agencies to borrow and then pay back funds to update their technology. Moreover, Biden is looking to push more money to a program to aid officials at agencies who oversee technology development and procurement.
Biden stated “[t]o remediate the SolarWinds breach and boost U.S. defenses, including of the COVID-19 vaccine process, President-elect Biden is calling on Congress to:
Expand and improve the Technology Modernization Fund. A $9 billion investment will help the U.S. launch major new IT and cybersecurity shared services at the Cyber Security and Information Security Agency (CISA) and the General Services Administration and complete modernization projects at federal agencies. In addition, the president-elect is calling on Congress to change the fund’s reimbursement structure in order to fund more innovative and impactful projects.
Surge cybersecurity technology and engineering expert hiring. Providing the Information Technology Oversight and Reform fund with $200 million will allow for the rapid hiring of hundreds of experts to support the federal Chief Information Security Officer and U.S. Digital Service.
Build shared, secure services to drive transformational projects. Investing$300 million in no-year funding for Technology Transformation Services in the General Services Administration will drive secure IT projects forward without the need of reimbursement from agencies.
Improving security monitoring and incident response activities. An additional $690M for CISA will bolster cybersecurity across federal civilian networks, and support the piloting of new shared security and cloud computing services.
The United States (U.S.) Department of Commerce issued an interim final rule pursuant to an executive order (EO) issued by former President Donald Trump to secure the United States (U.S.) information and communications supply chain. This rule will undoubtedly be reviewed by the Biden Administration and may be withdrawn or modified depending on the fate on the EO on which the rule relies.
These regulations create the processes and procedures that the Secretary of Commerce will use to identify, assess, and address certain transactions, including classes of transactions, between U.S. persons and foreign persons that involve information and communications technology or services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and pose an undue or unacceptable risk. While this interim final rule will become effective on March 22, 2021, the Department of Commerce continues to welcome public input and is thus seeking additional public comment. Once any additional comments have been evaluated, the Department is committed to issuing a final rule.
On November 27, 2019, the Department of Commerce (Department) published a proposed rule to implement the terms of the Executive Order. (84 FR 65316). The proposed rule set forth processes for (1) how the Secretary would evaluate and assess transactions involving ICTS to determine whether they pose an undue risk of sabotage to or subversion of the ICTS supply chain, or an unacceptable risk to the national security of the United States or the security and safety of U.S. persons; (2) how the Secretary would notify parties to transactions under review of the Secretary’s decision regarding the ICTS Transaction, including whether the Secretary would prohibit or mitigate the transaction; and (3) how parties to transactions reviewed by the Secretary could comment on the Secretary’s preliminary decisions. The proposed rule also provided that the Secretary could act without complying with the proposed procedures where required by national security. Finally, the Secretary would establish penalties for violations of mitigation agreements, the regulations, or the Executive Order.
In addition to seeking general public comment, the Department requested comments from the public on five specific questions: (1) Whether the Secretary should consider categorical exclusions or whether there are classes of persons whose use of ICTS cannot violate the Executive Order; (2) whether there are categories of uses or of risks that are always capable of being reliably and adequately mitigated; (3) how the Secretary should monitor and enforce any mitigation agreements applied to a transaction; (4) how the terms, “transaction,” “dealing in,” and “use of” should be clarified in the rule; and (5) whether the Department should add record-keeping requirements for information related to transactions.
The list of “foreign adversaries” consists of the following foreign governments and non-government persons: The People’s Republic of China, including the Hong Kong Special Administrative Region (China); the Republic of Cuba (Cuba); the Islamic Republic of Iran (Iran); the Democratic People’s Republic of Korea (North Korea); the Russian Federation (Russia); and Venezuelan politician Nicolás Maduro (Maduro Regime).
The Federal Trade Commission (FTC) adjusted its penalty amounts for inflation, including a boost to the per violation penalty virtually all the privacy bills introduced in the last Congress would allow the agency to wield against first-time violators. The penalty for certain unfair and deceptive acts or practices was increased from $43,280 to $43,792.
The United States (U.S.) Department of State stood up its new Bureau of Cyberspace Security and Emerging Technologies (CSET) as it has long planned. At the beginning of the Trump Administration, the Department of State dismantled the Cyber Coordinator Office and gave its cybersecurity portfolio to the Bureau of Economic Affairs, which displeased Congressional stakeholders. In 2019, the department notified Congress of its plan to establish CSET. The department asserted:
The need to reorganize and resource America’s cyberspace and emerging technology security diplomacy through the creation of CSET is critical, as the challenges to U.S. national security presented by China, Russia, Iran, North Korea, and other cyber and emerging technology competitors and adversaries have only increased since the Department notified Congress in June 2019 of its intent to create CSET.
The CSET bureau will lead U.S. government diplomatic efforts on a wide range of international cyberspace security and emerging technology policy issues that affect U.S. foreign policy and national security, including securing cyberspace and critical technologies, reducing the likelihood of cyber conflict, and prevailing in strategic cyber competition. The Secretary’s decision to establish CSET will permit the Department to posture itself appropriately and engage as effectively as possible with partners and allies on these pressing national security concerns.
The Congressional Members of the Cyberspace Solarium Commission made clear their disapproval of the decision. Senators Angus King (I-ME) and Ben Sasse, (R-NE) and Representatives Mike Gallagher (R-WI) and Jim Langevin (D-RI) said:
In our report, we emphasize the need for a greater emphasis on international cyber policy at State. However, unlike the bipartisan Cyber Diplomacy Act, the State Department’s proposed Bureau will reinforce existing silos and […] hinder the development of a holistic strategy to promote cyberspace stability on the international stage. We urge President-elect Biden to pause this reorganization when he takes office in two weeks and work with Congress to enact meaningful reform to protect our country in cyberspace.
The Australian Cyber Security Centre (ACSC) the Risk Identification Guidance “developed to assist organisations in identifying risks associated with their use of suppliers, manufacturers, distributors and retailers (i.e. businesses that constitute their cyber supply chain)” and the Risk Management Guidance because “[c]yber supply chain risk management can be achieved by identifying the cyber supply chain, understanding cyber supply chain risk, setting cyber security expectations, auditing for compliance, and monitoring and improving cyber supply chain security practices.”
The United Kingdom’s Surveillance Camera Commissioner (SCC), issued “best practice guidance, ‘Facing the Camera’, to all police forces in England and Wales” The SCC explained that “The provisions of this document only apply to the use of facial recognition technology and the inherent processing of images by the police where such use is integral to a surveillance camera system being operated in ‘live time’ or ‘near real time’ operational scenarios.” Last summer, a British appeals court overturned a decision that found that a police force’s use of facial recognition technology in a pilot program that utilized live footage to be legal. The appeals court found the use of this technology by the South Wales Police Force a violation of “the right to respect for private life under Article 8 of the European Convention on Human Rights, data protection legislation, and the Public Sector Equality Duty (“PSED”) under section 149 of the Equality Act 2010.” The SCC stated:
The SCC considers surveillance to be an intrusive investigatory power where it is conducted by the police which impacts upon those fundamental rights and freedoms of people, as set out by the European Convention of Human Rights (ECHR) and the Human Rights Act 1998. In the context of surveillance camera systems which make use of facial recognition technology, the extent of state intrusion in such matters is significantly increased by the capabilities of algorithms which are in essence, integral to the surveillance conduct seeking to harvest information, private information, metadata, data, personal data, intelligence and evidence. Each of the aforementioned are bound by laws and rules which ought to be separately and jointly considered and applied in a manner which is demonstrably lawful and ethical and engenders public trust and confidence.
Whenever the police seek to use technology in pursuit of a legitimate aim, the key question arises as to whether the degree of intrusion which is caused to the fundamental freedoms of citizens by the police surveillance conduct using surveillance algorithms (biometric or otherwise) is necessary in a democratic society when considered alongside the legality and proportionality of their endeavours and intent. The type of equipment/technology/modality which they choose to use to that end (e.g. LFR, ANPR, thermal imaging, gait analysis, movement sensors etc), the manner in which such technological means are deployed, (such as using static cameras at various locations, used with body worn cameras or other mobile means), and whether such technology is used overtly alongside or networked with other surveillance technologies, are all factors which may significantly influence the depth of intrusion caused by police conduct upon citizen’s rights.
The Senate confirmed the nomination of Avril Haines to be the new Director of National Intelligence by an 89-10 vote after Senator Tom Cotton (R-AK) removed his hold on her nomination. However, Josh Hawley (R-MO) placed a hold on the nomination of Alejandro Mayorkas to be the next Secretary of Homeland Security and explained his action this way:
On Day 1 of his administration, President-elect Biden has said he plans to unveil an amnesty plan for 11 million immigrants in this nation illegally. This comes at a time when millions of American citizens remain out of work and a new migrant caravan has been attempting to reach the United States. Mr. Mayorkas has not adequately explained how he will enforce federal law and secure the southern border given President-elect Biden’s promise to roll back major enforcement and security measures. Just today, he declined to say he would enforce the laws Congress has already passed to secure the border wall system. Given this, I cannot consent to skip the standard vetting process and fast-track this nomination when so many questions remain unanswered.
Former Trump White House Cyber Coordinator Rob Joyce will replace the National Security Agency’s (NSA) Director of Cybersecurity Anne Neuberger who has been named the Biden White House’s Deputy National Security Advisor for Cyber and Emerging Technology. Anne Neuberger’s portfolio at the NSA included “lead[ing] NSA’s cybersecurity mission, including emerging technology areas like quantum-resistant cryptography.” Joyce was purged when former National Security Advisor John Bolton restructured the NSC in 2018, forcing out Joyce and his boss, former Homeland Security Advisor Tom Bossert. Presumably Joyce would have the same responsibilities. At the National Security Council, Neuberger would will work to coordinate cybersecurity and emerging technology policy across agencies and funnel policy options up to the full NSC and ultimately the President. This work would include Joyce.
The Supreme Court of the United States (SCOTUS) heard oral arguments on whether the Federal Trade Commission (FTC) Act gives the agency the power to seek monetary damages and restitution alongside permanent injunctions under Section 13(b). In AMG Capital Management, LLC v. FTC, the parties opposing the FTC argue the plain language of the statute does not allow for the seeking of restitution and monetary damages under this specific section of the FTC Act while the agency argues long accepted past practice and Congressional intent do, in fact, allow this relief to be sought when the FTC is seeking to punish violators of Section 5. The FTC is working a separate track to get a fix from Congress which could rewrite the FTC Act to make clear this sort of relief is legal. However, some stakeholders in the debate over privacy legislation may be using the case as leverage.
In October 2020, the FTC wrote the House and Senate committees with jurisdiction over the agency, asking for language to resolve the litigation over the power to seek and obtain restitution for victims of those who have violated Section 5 of the FTC Act and disgorgement of ill-gotten gains. The FTC is also asking that Congress clarify that the agency may act against violators even if their conduct has stopped as it has for more than four decades. Two federal appeals courts have ruled in ways that have limited the FTC’s long used powers, and now the Supreme Court of the United States is set to rule on these issues sometime next year. The FTC is claiming, however, that defendants are playing for time in the hopes that the FTC’s authority to seek and receive monetary penalties will ultimately be limited by the United States (U.S.) highest court. Judging by language tucked into a privacy bill introduced by the former chair of one of the committees, Congress may be willing to act soon.
The FTC asked the House Energy and Commerce and Senate Commerce, Science, and Transportation Committees “to take quick action to amend Section 13(b) [of the FTC Act i.e. 15 U.S.C. § 53(b)] to make clear that the Commission can bring actions in federal court under Section 13(b) even if conduct is no longer ongoing or impending when the suit is filed and can obtain monetary relief, including restitution and disgorgement, if successful.” The agency asserted “[w]ithout congressional action, the Commission’s ability to use Section 13(b) to provide refunds to consumer victims and to enjoin illegal activity is severely threatened.” All five FTC Commissioners signed the letter.
The FTC explained that adverse rulings by two federal appeals courts are constraining the agency from seeking relief for victims and punishment for violators of the FTC Act in federal courts below those two specific courts, but elsewhere defendants are either asking courts for a similar ruling or using delaying tactics in the hopes the Supreme Court upholds the two federal appeals courts:
…[C]ourts of appeals in the Third and Seventh Circuits have recently ruled that the agency cannot obtain any monetary relief under Section 13(b). Although review in the Supreme Court is pending, these lower court decisions are already inhibiting our ability to obtain monetary relief under 13(b). Not only do these decisions already prevent us from obtaining redress for consumers in the circuits where they issued, prospective defendants are routinely invoking them in refusing to settle cases with agreed-upon redress payments.
Moreover, defendants in our law enforcement actions pending in other circuits are seeking to expand the rulings to those circuits and taking steps to delay litigation in anticipation of a potential Supreme Court ruling that would allow them to escape liability for any monetary relief caused by their unlawful conduct. This is a significant impediment to the agency’s effectiveness, its ability to provide redress to consumer victims, and its ability to prevent entities who violate the law from profiting from their wrongdoing.
The United Kingdom’s Information Commissioner’s Office (ICO) issued guidance for British entities that may be affected by the massive SolarWinds hack that has compromised many key systems in the United States. The ICO advised:
Organisations should immediately check whether they are using a version of the software that has been compromised. These are versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1.
Organisations must also determine if the personal data they hold has been affected by the cyber-attack. If a reportable personal data breach is found, UK data controllers are required to inform the ICO within 72 hours of discovering the breach. Reports can be submitted online or organisations can call the ICO’s personal data breach helpline for advice on 0303 123 1113, option 2.
Organisations subject to the NIS Regulation will also need to determine if this incident has led to a “substantial impact on the provision’ of its digital services and report to the ICO.
Europol announced the takedown of “the world’s largest illegal marketplace on the dark web” in an operation coordinated by the following nations: “Germany, Australia, Denmark, Moldova, Ukraine, the United Kingdom (the National Crime Agency), and the USA (DEA, FBI, and IRS).” Europol added:
The Central Criminal Investigation Department in the German city of Oldenburg arrested an Australian citizen who is the alleged operator of DarkMarket near the German-Danish border over the weekend. The investigation, which was led by the cybercrime unit of the Koblenz Public Prosecutor’s Office, allowed officers to locate and close the marketplace, switch off the servers and seize the criminal infrastructure – more than 20 servers in Moldova and Ukraine supported by the German Federal Criminal Police office (BKA). The stored data will give investigators new leads to further investigate moderators, sellers, and buyers.
The Enforcement Bureau (Bureau) of the Federal Communications Commission (FCC) issued an enforcement advisory intended to remind people that use of amateur and personal radios to commit crimes is itself a criminal offense that could warrant prosecution. The notice was issued because the FCC is claiming it is aware of discussion by some of how these means of communications may be superior to social media, which has been cracking down on extremist material since the attempted insurrection at the United States Capitol on 6 January. The Bureau stated:
The Bureau has become aware of discussions on social media platforms suggesting that certain radio services regulated by the Commission may be an alternative to social media platforms for groups to communicate and coordinate future activities. The Bureau recognizes that these services can be used for a wide range of permitted purposes, including speech that is protected under the First Amendment of the U.S. Constitution. Amateur and Personal Radio Services, however, may not be used to commit or facilitate crimes.
Specifically, the Bureau reminds amateur licensees that they are prohibited from transmitting “communications intended to facilitate a criminal act” or “messages encoded for the purpose of obscuring their meaning.” Likewise, individuals operating radios in the Personal Radio Services, a category that includes Citizens Band radios, Family Radio Service walkie-talkies, and General Mobile Radio Service, are prohibited from using those radios “in connection with any activity which is against Federal, State or local law.” Individuals using radios in the Amateur or Personal Radio Services in this manner may be subject to severe penalties, including significant fines, seizure of the offending equipment, and, in some cases, criminal prosecution.
The European Data Protection Board (EDPB) issued its “Strategy for 2021-2023” in order “[t]o be effective in confronting the main challenges ahead.” The EDPB cautioned:
This Strategy does not provide an exhaustive overview of the work of the EDPB in the years to come. Rather it sets out the four main pillars of our strategic objectives, as well as set of key actions to help achieve those objectives. The EDPB will implement this Strategy within its Work Program, and will report on the progress achieved in relation to each Pillar as part of its annual reports.
The EDPB listed and explained the four pillars of its strategy:
PILLAR 1: ADVANCING HARMONISATION AND FACILITATING COMPLIANCE. The EDPB will continue to strive for a maximum degree of consistency in the application of data protection rules and limit fragmentation among Member States. In addition to providing practical, easily understandable and accessible guidance, the EDPB will develop and promote tools that help to implement data protection into practice, taking into account practical experiences of different stakeholders on the ground.
PILLAR 2: SUPPORTING EFFECTIVE ENFORCEMENT AND EFFICIENT COOPERATION BETWEEN NATIONAL SUPERVISORY AUTHORITIES. The EDPB is fully committed to support cooperation between all national supervisory authorities that work together to enforce European data protection law. We will streamline internal processes, combine expertise and promote enhanced coordination. We intend not only to ensure a more efficient functioning of the cooperation and consistency mechanisms, but also to strive for the development of a genuine EU-wide enforcement culture among supervisory authorities.
PILLAR 3: A FUNDAMENTAL RIGHTS APPROACH TO NEW TECHNOLOGIES. The protection of personal data helps to ensure that technology, new business models and society develop in accordance with our values, such as human dignity, autonomy and liberty. The EDPB will continuously monitor new and emerging technologies and their potential impact on the fundamental rights and daily lives of individuals. Data protection should work for all people, particularly in the face of processing activities presenting the greatest risks to individuals’ rights and freedoms (e.g. to prevent discrimination). We will help to shape Europe’s digital future in line with our common values and rules. We will continue to work with other regulators and policymakers to promote regulatory coherence and enhanced protection for individuals.
PILLAR 4: THE GLOBAL DIMENSION. The EDPB is determined to set and promote high EU and global standards for international data transfers to third countries in the private and the public sector, including in the law enforcement sector. We will reinforce our engagement with the international community to promote EU data protection as a global model and to ensure effective protection of personal data beyond EU borders.
Microsoft, Cisco, Zoom and Google replied to the open letter. The joint signatories thank these companies for engaging on this important matter and for acknowledging and responding to the concerns raised. In their responses the companies highlighted various privacy and security best practices, measures, and tools that they advise are implemented or built-in to their video teleconferencing services.
The information provided by these companies is encouraging. It is a constructive foundation for further discussion on elements of the responses that the joint signatories feel would benefit from more clarity and additional supporting information.
The ICO stated:
The joint signatories have not received a response to the open letter from Houseparty. They strongly encourage Houseparty to engage with them and respond to the open letter to address the concerns raised.
The European Union Agency for Cybersecurity (ENISA) “launched a public consultation, which runs until 7 February 2021, on its draft of the candidate European Union Cybersecurity Certification Scheme on Cloud Services (EUCS)…[that] aims to further improve the Union’s internal market conditions for cloud services by enhancing and streamlining the services’ cybersecurity guarantees.” ENISA stated:
There are challenges to the certification of cloud services, such as a diverse set of market players, complex systems and a constantly evolving landscape of cloud services, as well as the existence of different schemes in Member States. The draft EUCS candidate scheme tackles these challenges by calling for cybersecurity best practices across three levels of assurance and by allowing for a transition from current national schemes in the EU. The draft EUCS candidate scheme is a horizontal and technological scheme that intends to provide cybersecurity assurance throughout the cloud supply chain, and form a sound basis for sectoral schemes.
More specifically, the draft EUCS candidate scheme:
Is a voluntary scheme;
The scheme’s certificates will be applicable across the EU Member States;
Is applicable for all kinds of cloud services – from infrastructure to applications;
Boosts trust in cloud services by defining a reference set of security requirements;
Covers three assurance levels: ‘Basic’, ‘Substantial’ and ‘High’;
Proposes a new approach inspired by existing national schemes and international standards;
Defines a transition path from national schemes in the EU;
Grants a three-year certification that can be renewed;
Includes transparency requirements such as the location of data processing and storage.
The Commerce, Science, and Transportation Committee will hold a hearing on the nomination of Gina Raimondo to be the Secretary of Commerce on 26 January.
“YouTube Suspends Trump’s Channel for at Least Seven Days” By Daisuke Wakabayashi — The New York Times. Even Google is getting further into the water. Its YouTube platform flagged a video of President Donald Trump’s for inciting violence and citing the “ongoing potential for violence,” Trump and his team will not be able to upload videos for seven days and the comments section would be permanently disabled. YouTube has been the least inclined of the major platforms to moderate content and has somehow escaped the scrutiny and opprobrium Facebook and Twitter have faced even though those platforms have been more active in policing offensive content.
“Online misinformation that led to Capitol siege is ‘radicalization,’ say researchers” By Elizabeth Culliford — Reuters. Experts in online disinformation are saying that the different conspiracy movements that impelled followers to attack the United States (U.S.) Capitol are the result of radicalization. Online activities translated into real world violence, they say. The also decried the responsive nature of social media platforms in acting, waiting for an insurrection to take steps experts and others have been begging them to take.
“Uganda orders all social media to be blocked – letter” — Reuters. In response to Facebook blocking a number of government related accounts for Coordinated Inauthentic Behaviour” (CIB), the Ugandan government has blocked all access to social media ahead of its elections. In a letter seen by Reuters, the Uganda Communications Commission directed telecommunications providers “to immediately suspend any access and use, direct or otherwise, of all social media platforms and online messaging applications over your network until further notice.” This may become standard practice for many regimes around the world if social media companies crack down on government propaganda.
“‘Threat to democracy is real’: MPs call for social media code of conduct” By David Crowe and Nick Bonyhady — The Sydney Morning Herald. There has been mixed responses in Australia’s Parliament on social media platforms banning President Donald Trump after his role in inciting the violence at the United States (U.S.) Capitol. Many agree with the platforms, some disagree strenuously in light of other inflammatory content that is not taken down, and many want greater rationality and transparency in how platforms make these decisions. And since Canberra has been among the most active governments in regulating technology, it may inform the process of drafting its “Online Safety Bill,” which may place legal obligations on social media platforms.
“Poland plans to make censoring of social media accounts illegal” By Shaun Walker — The Guardian. Governments around the world continue to respond to a number of social media companies deciding to deplatform United States (U.S.) President Donald Trump. In Warsaw there is a draft bill that would make deplatforming a person illegal unless the offense is also contrary to Polish law. The spin is that the right wing regime in Warsaw is less interested in protecting free speech and more interested in propagating the same grievances the right wing in the United States is. Therefore, this push in Poland may be more about messaging and trying to cow social media companies and less about protecting free speech, especially speech with which the government disagrees (e.g. advocates for LGBTQI rights have been silenced in Poland.)
“Georgia results sweep away tech’s regulatory logjam” By Margaret Harding McGill and Ashley Gold — Axios. This is a nice survey of possible policy priorities at the agencies and in the Congress over the next two years with the Democrats in control of both.
“The Capitol rioters put themselves all over social media. Now they’re getting arrested.” By Sara Morrison — Recode. Will the attack on the United States (U.S.) Capitol be the first time a major crime is solved by the evidence largely provided by the accused? It is sure looking that way as law enforcement continues to use the posts of the rioters to apprehend, arrest, and charge them. Additionally, in the same way people who acted in racist and entitled ways (e.g. Amy Cooper in Central Park threatening an African American gentleman with calling the police even though he had asked her to put her dog on a leash) were caught through crowd-sourced identification pushes, rioters are also being identified.
CISA incident response investigations have identified that initial access in some cases was obtained by password guessing [T1101.001], password spraying [T1101.003], and inappropriately secured administrative credentials [T1078] accessible via external remote access services [T1133]. Initial access root cause analysis is still ongoing in a number of response activities and CISA will update this section as additional initial vectors are identified.
“A Facial Recognition Company Says That Viral Washington Times “Antifa” Story Is False” By Craig Silverman — BuzzFeed News. XRVIsion denied the Washington Times’ account that the company had identified antifa protestors among the rioters at the United States (U.S. Capitol) (archived here.) The company said it had identified two Neo-Nazis and a QAnon adherent. Even though the story was retracted and a corrected version issued, some still claimed the original story had merit such as Trump supporter Representative Matt Gaetz (R-FL).
The United States (U.S.) Trade Representative (USTR) announced that it would not act on the basis of three completed reports on Digital Services Taxes (DST) three nations have put in place and also that it would not proceed with tariffs in retaliation against France, one of the first nations in the world to enact a DST. Last year, the Organization for Economic Co-operation and Development convened multi-lateral talks to resolve differences on how a global digital services tax will ideally function with most of the nations involved arguing for a 2% tax to be assessed in the nation where the transaction occurs as opposed to where the company is headquartered. European Union (EU) officials claimed an agreement was possible, but the U.S. negotiators walked away from the table. It will fall to the Biden Administration to act on these USTR DST investigations if they choose.
In its press release, the USTR stated it would “suspend the tariff action in the Section 301 investigation of France’s Digital Services Tax (DST).”
The USTR added:
The additional tariffs on certain products of France were announced in July 2020, and were scheduled to go into effect on January 6, 2021. The U.S. Trade Representative has decided to suspend the tariffs in light of the ongoing investigation of similar DSTs adopted or under consideration in ten other jurisdictions. Those investigations have significantly progressed, but have not yet reached a determination on possible trade actions. A suspension of the tariff action in the France DST investigation will promote a coordinated response in all of the ongoing DST investigations.
In its December 2019 report, the USTR determined “that France’s DST is unreasonable or discriminatory and burdens or restricts U.S. commerce, and therefore is actionable under sections 301(b) and 304(a) of the Trade Act (19 U.S.C. 2411(b) and 2414(a))” and proposed a range of measures in retaliation.
The USTR also “issued findings in Section 301 investigations of Digital Service Taxes (DSTs) adopted by India, Italy, and Turkey, concluding that each of the DSTs discriminates against U.S. companies, is inconsistent with prevailing principles of international taxation, and burden or restricts U.S. commerce.” The USTR stated it “is not taking any specific actions in connection with the findings at this time but will continue to evaluate all available options.” The USTR added:
The Section 301 investigations of the DSTs adopted by India, Italy, and Turkey were initiated in June 2020, along with investigations of DSTs adopted or under consideration by Austria, Brazil, the Czech Republic, the European Union, Indonesia, Spain, and the United Kingdom. USTR expects to announce the progress or completion of additional DST investigations in the near future.
The United Kingdom’s Competition and Markets Authority (CMA) has started investigating Google’s Privacy Sandbox’ project to “assess whether the proposals could cause advertising spend to become even more concentrated on Google’s ecosystem at the expense of its competitors.” The CMA asserted:
Third party cookies currently play a fundamental role online and in digital advertising. They help businesses target advertising effectively and fund free online content for consumers, such as newspapers. But there have also been concerns about their legality and use from a privacy perspective, as they allow consumers’ behaviour to be tracked across the web in ways that many consumers may feel uncomfortable with and may find difficult to understand.
Google’s announced changes – known collectively as the ‘Privacy Sandbox’ project – would disable third party cookies on the Chrome browser and Chromium browser engine and replace them with a new set of tools for targeting advertising and other functionality that they say will protect consumers’ privacy to a greater extent. The project is already under way, but Google’s final proposals have not yet been decided or implemented. In its recent market study into online platforms digital advertising, the CMA highlighted a number of concerns about their potential impact, including that they could undermine the ability of publishers to generate revenue and undermine competition in digital advertising, entrenching Google’s market power.
Each of the networks we removed today targeted people outside of their country of origin, primarily targeting Africa, and also some countries in the Middle East. We found all three of them as a result of our proactive internal investigations and worked with external researchers to assess the full scope of these activities across the internet.
While we’ve seen influence operations target the same regions in the past, this was the first time our team found two campaigns — from France and Russia — actively engage with one another, including by befriending, commenting and criticizing the opposing side for being fake. It appears that this Russian network was an attempt to rebuild their operations after our October 2019 takedown, which also coincided with a notable shift in focus of the French campaign to begin to post about Russia’s manipulation campaigns in Africa.
Unlike the operation from France, both Russia-linked networks relied on local nationals in the countries they targeted to generate content and manage their activity across internet services. This is consistent with cases we exposed in the past, including in Ghana and the US, where we saw the Russian campaigns co-opt authentic voices to join their influence operations, likely to avoid detection and help appear more authentic. Despite these efforts, our investigation identified some links between these two Russian campaigns and also with our past enforcements.
Two of the top Democrats on the House Energy and Committee along with another Democrat wrote nine internet service providers (ISP) “questioning their commitment to consumers amid ISPs raising prices and imposing data caps during the COVID-19 pandemic.” Committee Chair Frank Pallone, Jr. (D-NJ), Communications and Technology Subcommittee Chairman Mike Doyle (D-PA), and Representative Jerry McNerney (D-CA) wrote the following ISPs:
Pallone, Doyle, and McNerney took issue with the companies raising prices and imposing data caps after having pledged not to do so at the behest of the Federal Communications Commission (FCC). They asked the companies to answer a series of questions:
Did the company participate in the FCC’s “Keep Americans Connected” pledge?
Has the company increased prices for fixed or mobile consumer internet and fixed or phone service since the start of the pandemic, or do they plan to raise prices on such plans within the next six months?
Prior to March 2020, did any of the company’s service plans impose a maximum data consumption threshold on its subscribers?
Since March 2020, has the company modified or imposed any new maximum data consumption thresholds on service plans, or do they plan to do so within the next six months?
Did the company stop disconnecting customers’ internet or telephone service due to their inability to pay during the pandemic?
Does the company offer a plan designed for low-income households, or a plan established in March or later to help students and families with connectivity during the pandemic?
Beyond service offerings for low-income customers, what steps is the company currently taking to assist individuals and families facing financial hardship due to circumstances related to COVID-19?
Businesses and individuals that operate in the PRC or with PRC firms or entities should scrutinize any business relationship that provides access to data—whether business confidential, trade secrets, customer personally identifiable information (PII), or other sensitive information. Businesses should identify the sensitive personal and proprietary information in their possession. To the extent possible, they should minimize the amount of at-risk data being stored and used in the PRC or in places accessible by PRC authorities. Robust due diligence and transaction monitoring are also critical for addressing potential legal exposure, reputation risks, and unfair advantage that data and intellectual property theft would provide competitors. Businesses should seek to acquire a thorough understanding of the ownership of data service providers, location of data infrastructure, and any tangential foreign business relationships and significant foreign investors.
The Federal Communications Commission (FCC) is asking for comments on the $3.2 billion Emergency Broadband Benefit Program established in the “Consolidated Appropriations Act, 2021” (H.R. 133). Comments are due by 16 February 2021. The FCC noted “eligible households may receive a discount off the cost of broadband service and certain connected devices during an emergency period relating to the COVID-19 pandemic, and participating providers can receive a reimbursement for such discounts.” The FCC explained the program in further detail:
Pursuant to the Consolidated Appropriations Act, the Emergency Broadband Benefit Program will use available funding from the Emergency Broadband Connectivity Fund to support participating providers’ provision of certain broadband services and connected devices to qualifying households.
To participate in the program, a provider must elect to participate and either be designated as an eligible telecommunications carrier or be approved by the Commission. Participating providers will make available to eligible households a monthly discount off the standard rate for an Internet service offering and associated equipment, up to $50.00 per month.
On Tribal lands, the monthly discount may be up to $75.00 per month. Participating providers will receive reimbursement from the Emergency Broadband Benefit Program for the discounts provided.
Participating providers that also supply an eligible household with a laptop, desktop computer, or tablet (connected device) for use during the emergency period may receive a single reimbursement of up to $100.00 for the connected device, if the charge to the eligible household for that device is more than $10.00 but less than $50.00. An eligible household may receive only one supported device. Providers must submit certain certifications to the Commission to receive reimbursement from the program, and the Commission is required to adopt audit requirements to ensure provider compliance and prevent waste, fraud, and abuse.
The transition noted “[p]rior to this role, she led NSA’s Election Security effort and served as Assistant Deputy Director of NSA’s Operations Directorate, overseeing foreign intelligence and cybersecurity operations…[and] also previously served as NSA’s first Chief Risk Officer, as Director of NSA’s Commercial Solutions Center, as Director of the Enduring Security Framework cybersecurity public-private partnership, as the Navy’s Deputy Chief Management Officer, and as a White House Fellow.” The transition stated that “[p]rior to joining government service, Neuberger was Senior Vice President of Operations at American Stock Transfer & Trust Company (AST), where she directed technology and operations.”
The Federal Communications Commission (FCC) published a final rule in response to the United States (U.S.) Court of Appeals for the District of Columbia’s decision striking down three aspects of the FCC’s rollback of net neutrality, “Restoring Internet Freedom Order.” The FCC explained the final rule:
responds to a remand from the U.S. Court of Appeals for the D.C. Circuit directing the Commission to assess the effects of the Commission’s Restoring Internet Freedom Order on public safety, pole attachments, and the statutory basis for broadband internet access service’s inclusion in the universal service Lifeline program. This document also amends the Commission’s rules to remove broadband internet service from the list of services supported by the universal service Lifeline program, while preserving the Commission’s authority to fund broadband internet access service through the Lifeline program.
In 2014, the U.S. Court of Appeals for the District of Columbia struck down a 2010 FCC net neutrality order in Verizon v. FCC, but the court did suggest a path forward. The court held the FCC “reasonably interpreted section 706 to empower it to promulgate rules governing broadband providers’ treatment of Internet traffic, and its justification for the specific rules at issue here—that they will preserve and facilitate the “virtuous circle” of innovation that has driven the explosive growth of the Internet—is reasonable and supported by substantial evidence.” The court added that “even though the Commission has general authority to regulate in this arena, it may not impose requirements that contravene express statutory mandates…[and] [g]iven that the Commission has chosen to classify broadband providers in a manner that exempts them from treatment as common carriers, the Communications Act expressly prohibits the Commission from nonetheless regulating them as such.” However, in 2016, the same court upheld the 2015 net neutrality regulations in U.S. Telecom Association v. FCC, and then upheld most of the Trump Administration’s FCC’s repeal of the its earlier net neutrality rule.
However, the D.C. Circuit declined to accept the FCC’s attempt to preempt all contrary state laws and struck down this part of the FCC’s rulemaking. Consequently, states and local jurisdictions may now be free to enact regulations of internet services along the lines of the FCC’s now repealed Open Internet Order. The D.C. Circuit also sent the case back to the FCC for further consideration on three points.
In its request for comments on how to respond to the remand, the FCC summarized the three issues: public safety, pole attachments, and the Lifeline Program:
Public Safety. First, we seek to refresh the record on how the changes adopted in the Restoring Internet Freedom Order might affect public safety. In the Restoring Internet Freedom Order, the Commission predicted, for example, that permitting paid prioritization arrangements would “increase network innovation,” “lead to higher investment in broadband capacity as well as greater innovation on the edge provider side of the market,” and “likely . . . be used to deliver enhanced service for applications that need QoS [i.e., quality of service] guarantees.” Could the network improvements made possible by prioritization arrangements benefit public safety applications—for example, by enabling the more rapid, reliable transmission of public safety-related communications during emergencies?
Pole Attachments. Second, we seek to refresh the record on how the changes adopted in the Restoring Internet Freedom Order might affect the regulation of pole attachments in states subject to federal regulation. To what extent are ISPs’ pole attachments subject to Commission authority in non-reverse preemption states by virtue of the ISPs’ provision of cable or telecommunications services covered by section 224? What impact would the inapplicability of section 224 to broadband-only providers have on their access to poles? Have pole owners, following the Order, “increase[d] pole attachment rates or inhibit[ed] broadband providers from attaching equipment”? How could we use metrics like increases or decreases in broadband deployment to measure the impact the Order has had on pole attachment practices? Are there any other impacts on the regulation of pole attachments from the changes adopted in the Order? Finally, how do any potential considerations about pole attachments bear on the Commission’s underlying decision to classify broadband as a Title I information service?
Lifeline Program. Third, we seek to refresh the record on how the changes adopted in the Restoring Internet Freedom Order might affect the Lifeline program. In particular, we seek to refresh the record on the Commission’s authority to direct Lifeline support to eligible telecommunications carriers (ETCs) providing broadband service to qualifying low-income consumers. In the 2017 Lifeline NPRM, the Commission proposed that it “has authority under Section 254(e) of the Act to provide Lifeline support to ETCs that provide broadband service over facilities-based broadband-capable networks that support voice service,” and that “[t]his legal authority does not depend on the regulatory classification of broadband Internet access service and, thus, ensures the Lifeline program has a role in closing the digital divide regardless of the regulatory classification of broadband service.” How, if at all, does the Mozilla decision bear on that proposal, and should the Commission proceed to adopt it?
The Federal Trade Commission (FTC) reached a settlement with a photo app company that allegedly did not tell users their photos would be subject to the company’s facial recognition technology. The FTC deemed this a deceptive business practice in violation of Section 5 of the FTC Act and negotiated a settlement the Commissioners approved in a 5-0 vote. The consent order includes interesting, perhaps even new language, requiring the company “to delete models and algorithms it developed by using the photos and videos uploaded by its users” according to the FTC’s press release.
Since 2015, Everalbum has provided Ever, a photo storage and organization application, to consumers.
In February 2017, Everalbum launched its “Friends” feature, which operates on both the iOS and Android versions of the Ever app. The Friends feature uses face recognition to group users’ photos by faces of the people who appear in the photos. The user can choose to apply “tags” to identify by name (e.g., “Jane”) or alias (e.g., “Mom”) the individuals who appear in their photos. These tags are not available to other Ever users. When Everalbum launched the Friends feature, it enabled face recognition by default for all users of the Ever mobile app. At that time, Everalbum did not provide users of the Ever mobile app an option to turn off or disable the feature.
However, prior to April 2019, Ever mobile app users who were located anywhere other than Texas, Illinois, Washington, and the European Union did not need to, and indeed could not, take any affirmative action to “let[ Everalbum] know” that it should apply face recognition to the users’ photos. In fact, for those users, face recognition was enabled by default and the users lacked the ability to disable it. Thus, the article was misleading for Ever mobile app users located outside of Texas, Illinois, Washington, and the European Union.
Between September 2017 and August 2019, Everalbum combined millions of facial images that it extracted from Ever users’ photos with facial images that Everalbum obtained from publicly available datasets in order to create four new datasets to be used in the development of its face recognition technology. In each instance, Everalbum used computer scripts to identify and compile from Ever users’ photos images of faces that met certain criteria (i.e., not associated with a deactivated Ever account, not blurry, not too small, not a duplicate of another image, associated with a specified minimum number of images of the same tagged identity, and, in three of the four instances, not identified by Everalbum’s machines as being an image of someone under the age of thirteen).
The FTC summarized its settlement:
The proposed settlement requires Everalbum to delete:
the photos and videos of Ever app users who deactivated their accounts;
all face embeddings—data reflecting facial features that can be used for facial recognition purposes—the company derived from the photos of Ever users who did not give their express consent to their use; and
any facial recognition models or algorithms developed with Ever users’ photos or videos.
In addition, the proposed settlement prohibits Everalbum from misrepresenting how it collects, uses, discloses, maintains, or deletes personal information, including face embeddings created with the use of facial recognition technology, as well as the extent to which it protects the privacy and security of personal information it collects. Under the proposed settlement, if the company markets software to consumers for personal use, it must obtain a user’s express consent before using biometric information it collected from the user through that software to create face embeddings or develop facial recognition technology.
FTC Commissioner Rohit Chopra issued a statement, explaining his view on facial recognition technology and he settlement:
As outlined in the complaint, Everalbum made promises that users could choose not to have facial recognition technology applied to their images, and that users could delete the images and their account. In addition to those promises, Everalbum had clear evidence that many of the photo app’s users did not want to be roped into facial recognition. The company broke its promises, which constitutes illegal deception according to the FTC’s complaint. This matter and the FTC’s proposed resolution are noteworthy for several reasons.
First, the FTC’s proposed order requires Everalbum to forfeit the fruits of its deception. Specifically, the company must delete the facial recognition technologies enhanced by any improperly obtained photos. Commissioners have previously voted to allow data protection law violators to retain algorithms and technologies that derive much of their value from ill-gotten data. This is an important course correction.
Second, the settlement does not require the defendant to pay any penalty. This is unfortunate. To avoid this in the future, the FTC needs to take further steps to trigger penalties, damages, and other relief for facial recognition and data protection abuses. Commissioners have voted to enter into scores of settlements that address deceptive practices regarding the collection, use, and sharing of personal data. There does not appear to be any meaningful dispute that these practices are illegal. However, since Commissioners have not restated this precedent into a rule under Section 18 of the FTC Act, we are unable to seek penalties and other relief for even the most egregious offenses when we first discover them.
Finally, the Everalbum matter makes it clear why it is important to maintain states’ authority to protect personal data. Because the people of Illinois, Washington, and Texas passed laws related to facial recognition and biometric identifiers, Everalbum took greater care when it came to these individuals in these states. The company’s deception targeted Americans who live in states with no specific state law protections.
The Trump Administration issued the “National Maritime Cybersecurity Plan” that “sets forth how the United States government will defend the American economy through enhanced cybersecurity coordination, policies and practices, aimed at mitigating risks to the maritime sub-sector, promoting prosperity through information and intelligence sharing, and preserving and increasing the nation’s cyber workforce” according to the National Security Advisor Robert O’Brien. It will be up to the Biden Administration to implement, revise, or discard this strategy, but strategy documents such as this that complain anodyne recommendations tend to stay in place for the short-term, at least. It bears note that the uneven margins to the columns in the document suggests a rush to issue this document before the end of the Trump Administration. Nevertheless, O’Brien added:
President [Donald] Trump designated the cybersecurity of the Maritime Transportation System (MTS) as a top priority for national defense, homeland security, and economic competitiveness in the 2017 National Security Strategy. The MTS contributes to one quarter of all United States gross domestic product, or approximately $5.4 trillion. MTS operators are increasingly reliant on information technology (IT) and operational technology (OT) to maximize the reliability and efficiency of maritime commerce. This plan articulates how the United States government can buy down the potential catastrophic risks to our national security and economic prosperity created by technology innovations to strengthen maritime commerce efficiency and reliability.
The strategy lists a number of priority actions for the executive branch, including:
The United States will de- conflict government roles and responsibilities.
The United States will develop risk modeling to inform maritime cybersecurity standards and best practices.
The United States will strengthen cybersecurity requirements in port services contracts and leasing.
The United States will develop procedures to identify, prioritize, mitigate, and investigate cybersecurity risks in critical ship and port systems.
Exchange United States government information with the maritime industry.
Share cybersecurity intelligence with appropriate non- government entities.
The National Security Agency’s NSA Cybersecurity Directorate has issued its very annual review, the “2020 NSA Cybersecurity Year in Review” that encapsulates the first year of operation for the newly created part of the NSA.
In 2020, NSA focused on modernizing encryption across the Department of Defense (DOD). It began with a push to eliminate cryptography that is at risk from attack due to adversarial computational advances. This applied to several systems commonly used by the Armed Services today to provide command and control, critical communications, and battlefield awareness. It also applied to operational practices concerning the handling of cryptographic keys and the implementation of modern suites of cryptography in network communications devices.
2020 was notable for the number of Cybersecurity Advisories (CSAs) and other products NSA cybersecurity produced and released. These products are intended to alert network owners, specifically National Security System (NSS), Department of Defense (DOD), and Defense Industrial Base (DIB), of cyber threats and enable defenders to take immediate action to secure their systems.
2020 was notable not just because it was the NSA Cybersecurity Directorate’s first year nor because of COVID-19, but also because it was an election year in the United States. Drawing on lessons learned from the 2016 presidential election and the 2018 mid-term elections, NSA was fully engaged in whole-of-government efforts to protect 2020 election from foreign interference and influence. Cybersecurity was a foundational component of NSA’s overall election defense effort.
This past year, NSA cybersecurity prioritized public-private collaboration, invested in cybersecurity research, and made a concerted effort to build trusted partnerships with the cybersecurity community.
The NSA touted the following achievements:
In November 2019, NSA began laying the groundwork to conduct a pilot with the Defense Cyber Crime Center and five DIB companies to monitor and block malicious network traffic based on continuous automated analysis of the domain names these companies’ networks were contacting. The pilot’s operational phase commenced in March 2020. Over six months, the Protective Domain Name Service (PDNS) examined more than 4 billion DNS queries to and from these companies. The PDNS provider identified callouts to 3,519 malicious domains and blocked upwards of 13 million connections to those domains. The pilot proved the value of DoD expanding the PDNS service to all DIB entities at scale
How cyber secure is cyber “ready” for combat? In response to legislation that recognized the imperative of protecting key weapons and space systems from adversary cyber intrusions, NSA partnered closely with the DoD CIO, Joint Staff, Undersecretary of Defense for Acquisition & Sustainment, and the Military Services to structure, design, and execute a new cybersecurity program, focused on the most important weapons and space systems, known as the Strategic Cybersecurity Program (SCP), with the mindset of “stop assessing and start addressing.”The program initially identified 12 key weapons and space systems that must be evaluated for cybersecurity vulnerabilities that need to be mitigated. This is either due to the existence of intelligence indicating they are being targeted by cyber adversaries or because the systems are particularly important to warfighting. These systems cover all warfighting domains (land, sea, air, cyber, and space). Under the auspices of the SCP, NSA and military service partners will conduct cybersecurity evaluations, and, most importantly, maintain cyber risk scoreboards and mitigation plans accountability in reducing cyber risk to acceptable levels
The NSA sees the following issue son the horizon:
In October 2020, NSA launched an expansive effort across the Executive Branch to understand how we can better inform, drive, and understand the activities of NSS owners to prevent, or respond to, critical cybersecurity events, and cultivate an operationally-aligned community resilient against the most advanced threats. These efforts across the community will come to fruition during the first quarter of 2021 and are expected to unify disparate elements across USG for stronger cybersecurity at scale.
NSA Cybersecurity is also focused on combating ransomware, a significant threat to NSS and critical infrastructure. Ransomware activity has become more destructive and impactful in nature and scope. Malicious actors target critical data and propagate ransomware across entire networks, alarmingly focusing recent attacks against U.S. hospitals. In 2020, NSA formed multiple working groups with U.S. Government agencies and other partners to identify ways to make ransomware operations more difficult for our adversaries, less scalable, and less lucrative. While the ransomware threat remains significant, NSA will continue to develop innovative ways to keep the activity at bay.
This week, Parler sued Amazon after it rescinded its web hosting services to the social media platform billed as the conservative, unbiased alternative to Twitter. Amazon has responded with an extensive list of the inflammatory, inciting material upon which it based its decision.
In its 11 January complaint, Parler asked a federal court “for injunctive relief, including a temporary restraining order and preliminary injunctive relief, and damages” because mainly “AWS’s decision to effectively terminate Parler’s account is apparently motivated by political animus…[and] is also apparently designed to reduce competition in the microblogging services market to the benefit of Twitter” in violation of federal antitrust law.
In its 12 January response, Amazon disagreed:
This case is not about suppressing speech or stifling viewpoints. It is not about a conspiracy to restrain trade. Instead, this case is about Parler’s demonstrated unwillingness and inability to remove from the servers of Amazon Web Services (“AWS”) content that threatens the public safety, such as by inciting and planning the rape, torture, and assassination of named public officials and private citizens. There is no legal basis in AWS’s customer agreements or otherwise to compel AWS to host content of this nature. AWS notified Parler repeatedly that its content violated the parties’ agreement, requested removal, and reviewed Parler’s plan to address the problem, only to determine that Parler was both unwilling and unable to do so. AWS suspended Parler’s account as a last resort to prevent further access to such content, including plans for violence to disrupt the impending Presidential transition.
Amazon offered a sampling of the content on Parler that caused AWS to pull the plug on the platform:
“Fry’em up. The whole fkn crew. #pelosi #aoc #thesquad #soros #gates #chuckschumer #hrc #obama #adamschiff #blm #antifa we are coming for you and you will know it.”
“#JackDorsey … you will die a bloody death alongside Mark Suckerturd [Zuckerberg]…. It has been decided and plans are being put in place. Remember the photographs inside your home while you slept? Yes, that close. You will die a sudden death!”
“We are going to fight in a civil War on Jan.20th, Form MILITIAS now and acquire targets.”
“On January 20th we need to start systematicly [sic] assassinating [sic] #liberal leaders, liberal activists, #blm leaders and supporters, members of the #nba #nfl #mlb #nhl #mainstreammedia anchors and correspondents and #antifa. I already have a news worthy event planned.”
Shoot the police that protect these shitbag senators right in the head then make the senator grovel a bit before capping they ass.”
On 13 January, the Federal Communications Commission (FCC) will hold its monthly open meeting, and the agency has placed the following items on its tentative agenda “Bureau, Office, and Task Force leaders will summarize the work their teams have done over the last four years in a series of presentations:
Panel One. The Commission will hear presentations from the Wireless Telecommunications Bureau, International Bureau, Office of Engineering and Technology, and Office of Economics and Analytics.
Panel Two. The Commission will hear presentations from the Wireline Competition Bureau and the Rural Broadband Auctions Task Force.
Panel Three. The Commission will hear presentations from the Media Bureau and the Incentive Auction Task Force.
Panel Four. The Commission will hear presentations from the Consumer and Governmental Affairs Bureau, Enforcement Bureau, and Public Safety and Homeland Security Bureau.
Panel Five. The Commission will hear presentations from the Office of Communications Business Opportunities, Office of Managing Director, and Office of General Counsel.
On 15 January, the Senate Intelligence Committee will hold a hearing on the nomination of Avril Haines to be the Director of National Intelligence.
The Senate Homeland Security and Governmental Affairs Committee will hold a hearing on the nomination of Alejandro N. Mayorkas to be Secretary of Homeland Security on 19 January.
On 19 January, the Senate Armed Services Committee will hold a hearing on former General Lloyd Austin III to be Secretary of Defense.
The top Republican and Democrat on the Senate Commerce Committee seek to frame the 28 October hearing on Section 230 in the light they favor.
Before the Senate Commerce, Science, and Transportation Committee held its hearing today on 47 U.S.C. 230 (Section 230), both Chair Roger Wicker (R-MS) and Ranking Member Maria Cantwell (D-WA) sought to provide their slant on the proceedings. Wicker continued with the Republican narrative by suggesting social media platforms may be cooperating with the Biden Campaign, and Cantwell released a report on how these platforms have adversely affected local journalism to the detriment of American democracy.
Wicker sent letters to Facebook CEO Mark Zuckerberg and Twitter CEO Jack Dorsey that seem obliquely along the same lines as Senator Josh Hawley’s (R-MO) letter to the Federal Election Commission (FEC) claiming that the two platforms’ restriction on spreading the dubious New York Post story on Hunter Biden was an in-kind campaign contribution.
Wicker wrote to Zuckerberg and Dorsey
In the interest of fully disclosing any interactions with the candidates and their campaigns, I request that you provide the Committee with specific information regarding whether and how [Facebook/Twitter have] provided access to any data, analytics, or other information to either major political party, candidate, or affiliates thereof. This includes information related to advertising, post or page performance, engagement, or other data that might shape or influence decision-making by the candidate or campaign. In addition, please indicate whether this information is provided equitably to all candidates, and how decisions are made regarding what information is provided and to whom.
Clearly Wicker is after any indication that the Biden Campaign has received undue or extra help or information the Trump Campaign has not. Facebook taken millions in dollars of advertising from the two campaigns and from other parties. Twitter stopped accepting political advertising in late 2019. Consequently, it is likely there will be mountains of material to provide the committee. This inquiry may have been made in the interest of ensuring a fairly contested election. Or, perhaps Wicker and his staff have some inside information into the two platforms relations to the Biden Campaign. Perhaps the letter is meant as a fishing expedition in the hopes any such evidence will turn up.
Nonetheless, these letters may have the prophylactic effect of chilling any efforts Facebook and Twitter may take in the last week of the election lest they be hauled again before Congress to answer for their moderation and take down decisions regarding political and misinformation material. If it turns out the Trump Campaign has gotten advantageous treatment, it would be hard to see how Wicker and other Republicans would weave the fact of greater assistance to President Donald Trump into their perpetual campaign of decrying alleged but never proven anti-conservative bias.
But, as mentioned before, Wicker could attempt to portray any assistance provided to the Biden Campaign as an in-kind contribution as Hawley did after sharing of the dubious New York Post article was limited on the platforms even though there are clear exemptions for the media to federal laws and regulations on aid to campaigns.
Hawley claimed in a letter to the FEC that Twitter and Facebook have given the Biden Campaign an in-kind contribution by blocking the article in violation of federal campaign finance law. Hawley, however, was careful to couch his language in language suggesting that Twitter and Facebook’s actions (which he terms suppression) were in-kind contributions instead of outright asserting they are.
While Hawley quite accurately quotes the law on what constitutes a contribution (“[a] “contribution” includes “anything of value . . . for the purpose of influencing any election for Federal office”), he is apparently unaware of the regulations promulgated by the FEC to explicate gaps and unaddressed issues in the statute. FEC regulations shed further light on the issue at hand. Notably, in 11 CFR 100.71, the FEC’s regulations provide extensive exceptions to what is a contribution and provide “[t]he term contribution does not include payments, services or other things of value described in this subpart.” One such exception is found in 11 CFR 100.73, “News story, commentary, or editorial by the media,” which makes clear:
Any cost incurred in covering or carrying a news story, commentary, or editorial by any broadcasting station (including a cable television operator, programmer or producer), Web site, newspaper, magazine, or other periodical publication, including any Internet or electronic publication, is not a contribution unless the facility is owned or controlled by any political party, political committee, or candidate, in which case the costs for a news story.
One of the essential elements for such an action to be a contribution is control or ownership. I am fairly certain the Biden Campaign neither owns nor controls Twitter or Facebook. For if they do, they have been colossally inept in allowing President Donald Trump and his partisans to spread widely misinformation and lies about mail-in voting to name one such subject.
Moreover, the FEC and federal courts have long recognized the “press exemption” to what might otherwise be considered in-kind contributions or expenditures in violation of the law. This exemption includes websites and the internet. It would seem that Facebook and Twitter were acting in ways much more similar to how the traditional print media has. It is telling that Hawley and others have not pilloried the so-called liberal media for looking askance at the New York Post’s story and not taking it at face value to the extent they have covered it at all. Therefore, it seems like any value the Biden Campaign may have derived from social media platforms using 47 USC 230 in moderating content on their platform is not an in-kind contribution.
Cantwell released a report that she has mentioned during her opening statement at the 23 September hearing aimed at trying to revive data privacy legislation. She and her staff investigated the decline and financial troubles of local media outlets, which are facing a cumulative loss in advertising revenue of up to 70% since 2000. And since advertising revenue has long been the life blood of print journalism, this has devastated local media with many outlets shutting their doors or radically cutting their staff. This trend has been exacerbated by consolidation in the industry, often in concert with private equity or hedge funds looking to wring the last dollars of value from bargain basement priced newspapers. Cantwell also claimed that the overwhelming online advertising dominance of Google and Facebook has further diminished advertising revenue and other possible sources of funding through a variety of means. She intimates that much of this content may be illegal under U.S. law, and the Federal Trade Commission (FTC) may well be able to use its Section 5 powers against unfair and deceptive acts and its anti-trust authority to take action.
Cantwell detailed “Current and Suggested Congressional Considerations to Save Local News:”
Providing COVID-19 Emergency Financial Relief
As discussed in this report, the COVID-19 pandemic has had a devastating impact on local media outlets around the country. Congress should provide immediate support to stabilize these critical community institutions because it is very difficult to recreate a functioning local newsroom once its unique blend of knowledgeable local reporters, editorial controls, and regional subscribers is lost.
Congress should renew the Paycheck Protection Program (PPP), created by the Coronavirus Aid, Relief, and Economic Security (CARES) Act, to continue to support jobs at local news outlets. It should also expand the PPP to make thousands more local newspapers, radio, and television broadcasters eligible for emergency federal support.
Congress should also consider targeted tax incentives and grants as at least a short-term bridge to enable local news entities to survive the current economic turmoil.
Ensure Fair Return for Local News Content
Local news outlets create unmatched trusted content for local communities but, as discussed in this report, they are not being fairly compensated for their intellectual property by news aggregators, who are abusing their dominant positions in the marketplace.
Congress should consider requiring that news aggregation platforms enter into good faith negotiations with local news organizations and pay them fair market value for their content. Congress should also consider allowing local news organizations for a limited duration to collectively bargain for reuse of their content, provided there are strong controls in place to ensure that smaller publishers are not left behind.
Level the Playing Field for Local News
As detailed in this report, news aggregation platforms are using their market power and data aggregation practices to disadvantage local news.
Congress has a long history of addressing market abuses that stifle innovation and harm consumers. Rules preventing unfair, deceptive, and abusive practices can stop platforms from taking local news content without financial payment and retaliating against local news by hiding or removing their content from search engines or social media feeds. Similarly, statutes that prohibit market manipulation in other industries can serve as models to ensure online advertising markets are transparent and not contrived to benefit a dominant firm. Federal privacy protections can also serve to empower consumers to provide more support to local news organizations that provide them with more trusted and relevant information. Each of these changes should be crafted in a way to promote competition and consumer welfare and spur growth and innovation in the digital economy.
Cantwell’s report follows the House Judiciary Committee’s Antitrust, Commercial and Administrative Law Subcommittee’s “Investigation into Competition in Online Markets,” which also examined, in part, the effect of the digital dominance of Facebook and Google on the U.S. journalism industry. The Subcommittee asserted:
received testimony and submissions showing that the dominance of some online platforms has contributed to the decline of trustworthy sources of news, which is essential to our democracy. In several submissions, news publishers raised concerns about the “significant and growing asymmetry of power” between dominant platforms and news organizations, as well as the effect of this dominance on the production and availability of trustworthy sources of news. Other publishers said that they are “increasingly beholden” to these firms, and in particular, to Google and Facebook. Google and Facebook have an outsized influence over the distribution and monetization of trustworthy sources of news online, undermining the quality and availability of high-quality sources of journalism. This concern is underscored by the COVID-19 pandemic, which has laid bare the importance of preserving a vibrant free press in both local and national markets.
The Subcommittee recommended:
To address this imbalance of bargaining power, we recommend that the Subcommittee consider legislation to provide news publishers and broadcasters with a narrowly tailored and temporary safe harbor to collectively negotiate with dominant online platforms.
The Subcommittee noted:
In April 2019, Subcommittee Chairman [David] Cicilline (D-RI) and Doug Collins (R-GA), the former- Ranking Member of the Committee on the Judiciary, introduced H.R. 2054, the “Journalism Competition and Preservation Act of 2019.” H.R. 2054 would allow coordination by news publishers under the antitrust laws if it (1) directly relates to the quality, accuracy, attribution or branding, or interoperability of news; (2) benefits the entire industry, rather than just a few publishers, and is non-discriminatory to other news publishers; and (3) directly relates to and is reasonably necessary for these negotiations, instead of being used for other purposes.
Cantwell noted in her report “regulators across Europe and in Australia are taking steps to ensure that local publishers can continue to monetize their content and reach consumers.” She claimed “[p]artly in response to these regulatory actions, Google and Facebook have announced plans to provide limited compensation to a small slice of the news sector…[and [w]hether this compensation will be sufficient, or negotiated on fair terms, remains to be seen.”
In late July, the Australian Competition and Consumer Commission (ACCC) issued for public consultation a draft of “a mandatory code of conduct to address bargaining power imbalances between Australian news media businesses and digital platforms, specifically Google and Facebook.” The government in Canberra had asked the ACCC to draft this code earlier this year after talks broke down between the Australian Treasury and the companies. The ACCC explained:
The code would commence following the introduction and passage of relevant legislation in the Australian Parliament. The ACCC released an exposure draft of this legislation on 31 July 2020, with consultation on the draft due to conclude on 28 August 2020. Final legislation is expected to be introduced to Parliament shortly after conclusion of this consultation process.
This is not the ACCC’s first interaction with the companies. Late last year, the ACCC announced a legal action against Google “alleging they engaged in misleading conduct and made false or misleading representations to consumers about the personal location data Google collects, keeps and uses” according to the agency’s press release. In its initial filing, the ACCC is claiming that Google mislead and deceived the public in contravention of the Australian Competition Law and Android users were harmed because those that switched off Location Services were unaware that their location information was still be collected and used by Google for it was not readily apparent that Web & App Activity also needed to be switched off. Moreover, A year ago, the ACCC released its final report in its “Digital Platforms Inquiry” that “proposes specific recommendations aimed at addressing some of the actual and potential negative impacts of digital platforms in the media and advertising markets, and also more broadly on consumers.”
In mid-August, Google and the ACCC exchanged public letters, fighting over the latter’s proposal to ensure that media companies are compensated for articles and content the former uses.
A proposed law, the News Media Bargaining Code, would force us to provide you with a dramatically worse Google Search and YouTube, could lead to your data being handed over to big news businesses, and would put the free services you use at risk in Australia.
You’ve always relied on Google Search and YouTube to show you what’s most relevant and helpful to you. We could no longer guarantee that under this law. The law would force us to give an unfair advantage to one group of businesses – news media businesses – over everyone else who has a website, YouTube channel or small business. News media businesses alone would be given information that would help them artificially inflate their ranking over everyone else, even when someone else provides a better result. We’ve always treated all website owners fairly when it comes to information we share about ranking. The proposed changes are not fair and they mean that Google Search results and YouTube will be worse for you.
You trust us with your data and our job is to keep it safe. Under this law, Google has to tell news media businesses “how they can gain access” to data about your use of our products. There’s no way of knowing if any data handed over would be protected, or how it might be used by news media businesses.
We deeply believe in the importance of news to society. We partner closely with Australian news media businesses — we already pay them millions of dollars and send them billions of free clicks every year. We’ve offered to pay more to license content. But rather than encouraging these types of partnerships, the law is set up to give big media companies special treatment and to encourage them to make enormous and unreasonable demands that would put our free services at risk.
The open letter published by Google today contains misinformation about the draft news media bargaining code which the ACCC would like to address.
Google will not be required to charge Australians for the use of its free services such as Google Search and YouTube, unless it chooses to do so.
Google will not be required to share any additional user data with Australian news businesses unless it chooses to do so.
The draft code will allow Australian news businesses to negotiate for fair payment for their journalists’ work that is included on Google services.
This will address a significant bargaining power imbalance between Australian news media businesses and Google and Facebook.
Google has since published a follow up letter, claiming it does not oppose the draft code but rather wants a few changes. Google also dodged blame for the decline of media revenue, asserting “the fall in newspaper revenue over recent years was mainly the result of the loss of classified ads to online classifieds businesses.” Google trumpeted its 1 October decision to “to pay a number of publishers to license their content for a new product, including some in Australia, as well as helping train thousands of Australian journalists.” As announced by Google and Alphabet CEO Sundar Pichai, Google will pay some media outlets up to $1 billion over the next three years “to create and curate high-quality content for a different kind of online news experience” for its new product, Google News Showcase. Pichai claimed:
This approach is distinct from our other news products because it leans on the editorial choices individual publishers make about which stories to show readers and how to present them. It will start rolling out today to readers in Brazil and Germany, and will expand to other countries in the coming months where local frameworks support these partnerships.
This decision was not well-received everywhere, especially in the European Union (EU), which is in the process of implementing an EU measure requiring Google and Facebook to pay the media for content. The European Publishers Council (EPC) noted:
The French Competition Authority decision from April considered that Google’s practices were likely to constitute an abuse of a dominant position and brought serious and immediate damage to the press sector. It calls on Google, within three months, to conduct negotiations in good faith with publishers and press agencies on the remuneration for their protected content. Google’s appeal in July seeks to get some legal clarity on parts of the decision.
Moreover, the European Union (EU) Directive on Copyright in the Digital Single Market is being implemented in EU member states and would allow them to require compensation from platforms like Facebook and Google. The EPC claimed:
Many are quite cynical about Google’s perceived strategy. By launching their own product, they can dictate terms and conditions, undermine legislation designed to create conditions for a fair negotiation, while claiming they are helping to fund news production.
In the key market for online advertising, which Google controls also thanks to its dominant position on a large part of the digital value chain, the Authority questions the undertaking’s discriminatory use of the huge amount of data collected through its various applications, preventing rivals in the online advertising markets from competing effectively. More specifically, Google appears to have engaged in an internal/external discriminatory conduct, refusing to provide its competitors with Google ID decryption keys and excluding third-party tracking pixels. At the same time, Google has allegedly used tracking elements enabling its advertising intermediation services to achieve a targeting capability that some equally efficient competitors are unable to replicate.
The conducts investigated by the Authority may have a significant impact on competition in the various markets of the digital advertising value chain, with wide repercussions on competitors and consumers. The absence of competition in the intermediation of digital advertising, in fact, might reduce the resources allocated to website producers and publishers, thus impoverishing the quality of content directed to end customers. Moreover, the absence of effective competition based on merits could discourage technological innovation for the development of advertising technologies and techniques less intrusive for consumers.
“Amazon to escape UK digital services tax that will hit smaller traders” By Mark Sweney — The Guardian. According to media reports, the United Kingdom’s (UK) new digital services tax will not be levied on goods Amazon sells directly to consumers. Rather, the new tax HM Revenue and Customs will be on the revenue from services Amazon and other platforms charge to third-party sellers using Amazon. And, Amazon has made clear it will merely pass along the 2% tax to these entities. This is a strange outcome to a policy ostensibly designed to address the fact that the tach giant paid only £14.4 million in corporation taxes to the UK last year on £13.7 billion in revenue.
“Norway blames Russia for cyber-attack on parliament” — BBC News. In a statement, the Norwegian government claimed that its Parliament has been breached, and Norway’s Foreign Minister is saying the Russian Federation is the culprit. Last month the government in Oslo said that the email accounts of some government officials had been compromised, but this announcement seems to indicate the breach was far wider than thought last month, or that the government knew and was holding back the information. If true, this is the second such penetration and exfiltration by Russian security services of a European government in the recent past as the German government made the same claims, which lead to the European Union’s first cyber sanctions.
“Twitter suspends accounts for posing as Black Trump supporters” By Kari Paul — The Guardian and “Fake Twitter accounts posing as Black Trump supporters appear, reach thousands, then vanish” By Craig Timberg and Isaac Stanley-Becker — The Washington Post. As a rule of thumb, I find the Cui Bono helpful. And, so it is with fake Twitter accounts of alleged African Americans who will vote for President Donald Trump. Are these courtesy of the Republican Party and the Trump Campaign? Maybe. They would certainly gain from peeling off African American support for Vice President Joe Biden considering its his strongest constituency as measured by percentage support relative to total population. The Russians? Sure. They also stand to benefit from stirring the cauldron of unease and division in the United States regardless of who wins, and possibly even more so if Biden wins for the U.S. will likely return to its pre-Trump adversarial policy towards the Russian Federation. And, finally how does Twitter benefit from taking down the sort of fake accounts that violate its terms of service when this has not often been its modus operandi? Perhaps to curry favor with a Biden Administration likely to push for changes as to how social media platforms are to be regulated.
“Backers of Australia’s mandatory news code welcome French ruling on Google” By Amanda Meade — The Guardian. Not surprisingly, the Australian Competition and Consumer Commission (ACCC) was delighted when a French appeals court ruled in favor of France’s competition authority against Google in its challenge of a French law to require social media platforms to pay traditional media for use of their content. The ACCC has been fighting its own battle on this front with its draft code that would require Google and Facebook to do the same down under.
“Can Tinder be sued for breach of care?” By James Purtrill — ABC News. Given the recent allegations that Tinder knew of sexual assaulters using their app and doing nothing, this piece looks at the liability Tinder may face under Australian law. It is quite likely if sexual assaults related to Tinder indifference or negligence is occurring in other common law countries, then the company may be facing lawsuits there, too.
FAA has not (1) assessed its oversight program to determine the priority of avionics cybersecurity risks, (2) developed an avionics cybersecurity training program, (3) issued guidance for independent cybersecurity testing, or (4) included periodic testing as part of its monitoring process. Until FAA strengthens its oversight program, based on assessed risks, it may not be able to ensure it is providing sufficient oversight to guard against evolving cybersecurity risks facing avionics systems in commercial airplanes.
The GAO allowed:
Increasing use of technology and connectivity in avionics has brought new opportunities for persons with malicious intentions to target commercial transport airplanes. The connections among avionics and other systems onboard airplanes and throughout the aviation ecosystem are growing more complex as airplanes become more connected to systems that are essential for flight safety and operations. Airframe manufacturers are deploying software and hardware protections to reduce the risk of the cyber threats currently facing avionics systems.
The GAO contended:
Further, while FAA has mechanisms for coordinating among its internal components and with other federal agencies and private sector stakeholders to address cybersecurity risks, it has not established avionics cybersecurity risks as a priority. As a result, avionics cybersecurity issues that have been raised within FAA have not been consistently tracked to resolution. Until FAA conducts an overall assessment of the cybersecurity risks to avionics systems and prioritizes coordination efforts based on that assessment, it may not be allocating resources and coordinating on risks as effectively as it could.
The GAO made this recommendations:
The FAA Administrator should direct the Associate Administrator for Aviation Safety to conduct a risk assessment of avionics systems cybersecurity to identify the relative priority of avionics cybersecurity risks for its oversight program compared to other safety concerns and develop a plan to address those risks. (Recommendation 1)
The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to identify staffing and training needs for agency inspectors specific to avionics cybersecurity, and develop and implement appropriate training to address identified needs. (Recommendation 2)
The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to develop and implement guidance for avionics cybersecurity testing of new airplane designs that includes independent testing. (Recommendation 3)
The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider revising its policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet to include developing procedures for safely conducting independent testing. (Recommendation 4)
The FAA Administrator should direct the Associate Administrator for Aviation Safety to develop a mechanism to ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders. (Recommendation 5)
The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider the extent to which oversight resources should be committed to avionics cybersecurity. (Recommendation 6)
The chairs and ranking members of the House Energy and Commerce Committee and one of its subcommittee wrote the Government Accountability Office (GAO) to “evaluate Department of Health and Human Services’ (HHS) [cyber] incident response capabilities…[and] should include assessing the agency’s forensic threat intelligence data infrastructure used in responding to major or significant incidents involving persistent threats and data breaches.” Chair Frank Pallone, Jr. (D-NJ), Ranking Member Greg Walden (R-OR), and Oversight and Investigations Subcommittee Chair Diana DeGette (D-CO), and Ranking Member Brett Guthrie (R-KY) stated:
The Chief Information Security Officer at HHS recently acknowledged that the ongoing COVID-19 public health crisis has placed a new target on HHS, and malicious actors have boosted their efforts to infiltrate the agency and access sensitive data. In addition, it was reported in March 2020 that HHS suffered a cyber-attack on its computer system. According to people familiar with the incident, it was part of a campaign of disruption and disinformation that was aimed at undermining the response to the coronavirus pandemic and may have been the work of a foreign actor. Further, emerging cyber threats, such as the advanced persistent threat groups that exploited COVID-19 in early 2020, underscore the importance of effectively protecting information systems supporting the agency.
Given the types of information created, stored, and shared on the information systems owned and operated by HHS, it is important that the agency implement effective incident response handling processes and procedures to address persistent cyber-based threats.
A federal court denied Epic Games’ request for a preliminary injunction requiring Apple to put Fortnite back into the App Store. The judge assigned the case had signaled this request would likely fail as its request for a temporary restraining order was also rejected. The United States District Court for the Northern District of California summarized Epic’s motion:
In this motion for preliminary injunction, Epic Games asks the Court to force Apple to reinstate Fortnite to the Apple App Store, despite its acknowledged breach of its licensing agreements and operating guidelines, and to stop Apple from terminating its affiliates’ access to developer tools for other applications, including Unreal Engine, while Epic Games litigates its claims.
The court stated:
Epic Games bears the burden in asking for such extraordinary relief. Given the novelty and the magnitude of the issues, as well as the debate in both the academic community and society at large, the Court is unwilling to tilt the playing field in favor of one party or the other with an early ruling of likelihood of success on the merits. Epic Games has strong arguments regarding Apple’s exclusive distribution through the iOS App Store, and the in-app purchase (“IAP”) system through which Apple takes 30% of certain IAP payments. However, given the limited record, Epic Games has not sufficiently addressed Apple’s counter arguments. The equities, addressed in the temporary restraining order, remain the same.
The court held:
Apple and all persons in active concert or participation with Apple, are preliminarily enjoined from taking adverse action against the Epic Affiliates with respect to restricting, suspending or terminating the Epic Affiliates from the Apple’s Developer Program, on the basis that Epic Games enabled IAP direct processing in Fortnite through means other than the Apple IAP system, or on the basis of the steps Epic Games took to do so. This preliminary injunction shall remain in effect during the pendency of this litigation unless the Epic Affiliates breach: (1) any of their governing agreements with Apple, or (2) the operative App Store guidelines. This preliminary injunction supersedes the prior temporary restraining order.
In its complaint, Epic Games is arguing that Apple’s practices violate federal and California antitrust and anti-competition laws. Epic Games argued:
This case concerns Apple’s use of a series of anti-competitive restraints and monopolistic practices in markets for (i) the distribution of software applications (“apps”) to users of mobile computing devices like smartphones and tablets, and (ii) the processing of consumers’ payments for digital content used within iOS mobile apps(“in-app content”). Apple imposes unreasonable and unlawful restraints to completely monopolize both markets and prevent software developers from reaching the over one billion users of its mobile devices (e.g., iPhone and iPad) unless they go through a single store controlled by Apple, the App Store, where Apple exacts an oppressive 30% tax on the sale of every app. Apple also requires software developers who wish to sell digital in-app content to those consumers to use a single payment processing option offered by Apple, In-App Purchase, which likewise carries a 30% tax.
In contrast, software developers can make their products available to users of an Apple personal computer (e.g., Mac or MacBook) in an open market, through a variety of stores or even through direct downloads from a developer’s website, with a variety of payment options and competitive processing fees that average 3%, a full ten times lower than the exorbitant 30% fees Apple applies to its mobile device in-app purchases.
In its late August denial of Epic Games’ request for a temporary restraining order, the court decided the plaintiff does not necessarily have an antitrust case strong enough to succeed on the merits, has not demonstrated irreparable harm because the “current predicament appears to be of its own making,” would unjustifiably be enriched if Fortnite is reinstated to the App Store without having to pay 30% of in app purchases to Apple, and is not operating in a public interest strong enough to overcome the expectation private parties will honor their contracts or resolve disputes through normal means.
As part of its Digital Modernization initiative, the Department of Defense (DOD) released its Data Strategy which is supposed to change how the DOD and its components collect, process, and use data, which is now being framed as an essential element of 21st Century conflicts. The DOD stated:
DOD must accelerate its progress towards becoming a data-centric organization. DOD has lacked the enterprise data management to ensure that trusted, critical data is widely available to or accessible by mission commanders, warfighters, decision-makers, and mission partners in a real- time, useable, secure, and linked manner. This limits data-driven decisions and insights, which hinders the execution of swift and appropriate action.
Additionally, DOD software and hardware systems must be designed, procured, tested, upgraded, operated, and sustained with data interoperability as a key requirement. All too often these gaps are bridged with unnecessary human-machine interfaces that introduce complexity, delay, and increased risk of error. This constrains the Department’s ability to operate against threats at machine speed across all domains.
DOD also must improve skills in data fields necessary for effective data management. The Department must broaden efforts to assess our current talent, recruit new data experts, and retain our developing force while establishing policies to ensure that data talent is cultivated. We must also spend the time to increase the data acumen resident across the workforce and find optimal ways to promote a culture of data awareness.
The DOD explained how it will implement the new strategy:
Strengthened data governance will include increased oversight at multiple levels. The Office of the DOD Chief Data Officer (CDO) will govern the Department’s data management efforts and ensure sustained focus by DOD leaders. The DOD Chief Information Officer (DOD CIO) will ensure that data priorities are fully integrated into the DOD Digital Modernization program, ensuring synchronization with DOD’s cloud; AI; Command, Control, and Communications (C3); and cybersecurity efforts. The DOD CIO will also promote compliance with CDO guidance via CIO authorities for managing IT investments, issuing DOD policy, and certifying Service/component budgets.
The CDO Council, chaired by the DOD CDO, will serve as the primary venue for collaboration among data officers from across the Department. This body will identify and prioritize data challenges, develop solutions, and oversee policy and data standards of the Department. While working closely with the appropriate governance bodies, members of the CDO Council must also advocate that data considerations be made an integral part of all the Department’s requirements, research, procurement, budgeting, and manpower decisions.
The DOD concluded:
Data underpins digital modernization and is increasingly the fuel of every DOD process, algorithm, and weapon system. The DOD Data Strategy describes an ambitious approach for transforming the Department into a data-driven organization. This requires strong and effective data management coupled with close partnerships with users, particularly warfighters. Every leader must treat data as a weapon system, stewarding data throughout its lifecycle and ensuring it is made available to others. The Department must provide its personnel with the modern data skills and tools to preserve U.S. military advantage in day-to-day competition and ensure that they can prevail in conflict.
The DOD Digital Modernization Strategy, which also serves as the Department’s Information Resource Management (IRM) Strategic Plan, presents Information Technology (IT)-related modernization goals and objectives that provide essential support for the three lines of effort in the National Defense Strategy (NDS), and the supporting National Defense Business Operations Plan (NDBOP). It presents the DOD CIO’s vision for achieving the Department’s goals and creating “a more secure, coordinated, seamless, transparent, and cost-effective IT architecture that transforms data into actionable information and ensures dependable mission execution in the face of a persistent cyber threat.”
The European Union Agency for Cybersecurity (ENISA), Europol’s European Cybercrime Centre (EC3) and the Computer Emergency Response Team for the EU Institutions, Bodies and Agencies (CERT-EU) will hold the 4th annual IoT Security Conference series “to raise awareness on the security challenges facing the Internet of Things (IoT) ecosystem across the European Union:”
Supply Chain for IoT – 21 October at 15:00 to 16:30 CET
Restoring Internet Freedom Order Remand – The Commission will consider an Order on Remand that would respond to the remand from the U.S. Court of Appeals for the D.C. Circuit and conclude that the Restoring Internet Freedom Order promotes public safety, facilitates broadband infrastructure deployment, and allows the Commission to continue to provide Lifeline support for broadband Internet access service. (WC Docket Nos. 17-108, 17-287, 11- 42)
Establishing a 5G Fund for Rural America – The Commission will consider a Report and Order that would establish the 5G Fund for Rural America to ensure that all Americans have access to the next generation of wireless connectivity. (GN Docket No. 20-32)
Increasing Unlicensed Wireless Opportunities in TV White Spaces – The Commission will consider a Report and Order that would increase opportunities for unlicensed white space devices to operate on broadcast television channels 2-35 and expand wireless broadband connectivity in rural and underserved areas. (ET Docket No. 20-36)
Streamlining State and Local Approval of Certain Wireless Structure Modifications – The Commission will consider a Report and Order that would further accelerate the deployment of 5G by providing that modifications to existing towers involving limited ground excavation or deployment would be subject to streamlined state and local review pursuant to section 6409(a) of the Spectrum Act of 2012. (WT Docket No. 19-250; RM-11849)
Revitalizing AM Radio Service with All-Digital Broadcast Option – The Commission will consider a Report and Order that would authorize AM stations to transition to an all-digital signal on a voluntary basis and would also adopt technical specifications for such stations. (MB Docket Nos. 13-249, 19-311)
Expanding Audio Description of Video Content to More TV Markets – The Commission will consider a Report and Order that would expand audio description requirements to 40 additional television markets over the next four years in order to increase the amount of video programming that is accessible to blind and visually impaired Americans. (MB Docket No. 11-43)
Modernizing Unbundling and Resale Requirements – The Commission will consider a Report and Order to modernize the Commission’s unbundling and resale regulations, eliminating requirements where they stifle broadband deployment and the transition to next- generation networks, but preserving them where they are still necessary to promote robust intermodal competition. (WC Docket No. 19-308)
Enforcement Bureau Action – The Commission will consider an enforcement action.
On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”
The Senate Commerce, Science, and Transportation Committee will reportedly hold a hearing on 29 October regarding 47 U.S.C. 230 with testimony from:
Jack Dorsey, Chief Executive Officer of Twitter;
Sundar Pichai, Chief Executive Officer of Alphabet Inc. and its subsidiary, Google; and
Mark Zuckerberg, Chief Executive Officer of Facebook.
The EU’s highest court rules against three nations that tried to require that communications providers hand over location data and traffic data in bulk.
The Court of Justice of the European Union (CJEU) handed down a pair of rulings (here and here) on the extent to which European Union (EU) nations may engage in bulk, indiscriminate collection of two types of data related to electronic communications. The CJEU found that while EU member nations may conduct these activities to combat crime or national security threats during periods limited by necessity and subject to oversight, nations may not generally require the providers of electronic communications to store and provide indiscriminate location data and traffic data in response to an actual national security danger or a prospective one. The CJEU combined three cases into two rulings that came from the United Kingdom (UK), France, and Belgium to elucidate the reach of the Privacy and Electronic Communications Directive in relation to foundational EU laws.
First and foremost, the CJEU found that the “Directive on privacy and electronic communications” (Directive 2002/58/EC) does indeed apply to situations where EU nations are directing telecommunications companies and similar providers to hold and turn over bulk data. Some EU nations had tried to argue that such practices fell outside the scope of the Directive, and the CJEU found the opposite. The CJEU went on to state the Directive does not generally allow for an exception to the general principle that the confidentiality of communications must be safeguarded and that any permitted abridgement of this and associated rights are subject to related EU law principles of proportionality (more on this below). Consequently, the CJEU found that EU member nations may not require endless bulk transmission of location data and traffic data for national security reasons. Likewise, the court is also barring legislation requiring a communications provider to hold these data in case they are needed in the future by law enforcement or intelligence authorities. The CJEU went further and explicated a provision in the General Data Protection Regulation (GDPR) as barring EU nations from requiring that entities providing “online public communications services” and “hosting services” must retain and hand over data on people using those services.
The other side of the CJEU’s ruling is that EU nations may order just such bulk collection and retention of location data and traffic data if there is an imminent or foreseeable national security threat. This strikes me as the exception that will devour the rule. In any event, a court or an administrative body must be able to review whether such a national security threat exists and whether the collection is limited in both time and necessity. The reviewing entity must be able to render a binding decision that can shut down unlawful or unnecessary orders to providers to hand over such information.
The CJEU also found that targeted, limited orders for traffic and location data derived from objective and non-discriminatory bases targeting certain classes of people or a geographic location may be used. Real-time location data and traffic data may be collected as well if a court or administrative body has authorized the surveillance according to EU law. The CJEU spells out a few other exceptions EU nations may use regarding location data and traffic data. The CJEU, however, ruled that EU nations may not have provisions in laws allowing for the temporary suspension of the bar on providers being required to collect and turn over traffic data and location data to an EU government. Finally, the CJEU added that evidence of crimes gained through the bulk collection of the two types of data are inadmissible in the courts of EU nations.
The CJEU summarized the beginning of the case out of the UK:
At the beginning of 2015, the existence of practices for the acquisition and use of bulk communications data by the various security and intelligence agencies of the United Kingdom, namely GCHQ, MI5 and MI6, was made public, including in a report by the Intelligence and Security Committee of Parliament (United Kingdom). On 5 June 2015, Privacy International, a non-governmental organisation, brought an action before the Investigatory Powers Tribunal (United Kingdom) against the Secretary of State for Foreign and Commonwealth Affairs, the Secretary of State for the Home Department and those security and intelligence agencies, challenging the lawfulness of those practices.
The CJEU also summarized the two other cases combined into one:
By application lodged on 1 September 2015, French Data Network, La Quadrature du Net and the Fédération des fournisseurs d’accès à Internet associatifs brought an action before the Conseil d’État (Council of State, France) for the annulment of the implied rejection decision arising from the Prime Minister’s failure to reply to their application for the repeal of Article R. 10-13 of the CPCE and Decree No 2011-219, on the ground, inter alia, that those legislative texts infringe Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 of the Charter. Privacy International and the Center for Democracy and Technology were granted leave to intervene in the main proceedings.
By applications lodged on 10, 16, 17 and 18 January 2017, joined in the main proceedings, the Ordre des barreaux francophones et germanophone, the Académie Fiscale ASBL and UA, the Liga voor Mensenrechten ASBL, the Ligue des Droits de l’Homme ASBL, and VZ, WY and XX brought actions before the Cour constitutionnelle (Constitutional Court, Belgium) for the annulment of the Law of 29 May 2016, on the ground that it infringes Articles 10 and 11 of the Belgian Constitution, read in conjunction with Articles 5, 6 to 11, 14, 15, 17 and 18 of the ECHR, Articles 7, 8, 11 and 47 and Article 52(1) of the Charter, Article 17 of the International Covenant on Civil and Political Rights, which was adopted by the United Nations General Assembly on 16 December 1966 and entered into force on 23 March 1976, the general principles of legal certainty, proportionality and self-determination in relation to information and Article 5(4) TEU.
Given the state of Brexit negotiations, it may have given the CJEU some pleasure to administer this swift kick to the UK and its surveillance apparatus at its security and intelligence services before it leaves the bloc at year’s end. But, more substantially, this decision may well have repercussions on the adequacy decision the UK would need so companies could transfer personal data from the EU to the UK. Moreover, privacy and civil liberties advocates will be sure to point to his ruling as evidence the EU is against bulk collection of metadata and other facets of electronic communications unlike some other nations, like the United States (U.S.), which have historically collected vast troves of data on electronic communications.
First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.
Here are Further Reading, Other Developments, and Coming Events.
On 27 July, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold its sixth hearing on “Online Platforms and Market Power” titled “Examining the Dominance of Amazon, Apple, Facebook, and Google” that will reportedly have the heads of the four companies as witnesses.
On 28 July, the Senate Commerce, Science, and Transportation Committee’s Communications, Technology, Innovation, and the Internet Subcommittee will hold a hearing titled “The PACT Act and Section 230: The Impact of the Law that Helped Create the Internet and an Examination of Proposed Reforms for Today’s Online World.”
On 28 July the House Science, Space, and Technology Committee’s Investigations and Oversight and Research and Technology Subcommittees will hold a joint virtual hearing titled “The Role of Technology in Countering Trafficking in Persons” with these witnesses:
Mr. Matthew Daggett, Technical Staff, Humanitarian Assistance and Disaster Relief Systems Group, Lincoln Laboratory, Massachusetts Institute of Technology
Ms. Emily Kennedy, President and Co-Founder, Marinus Analytics
On 28 July, the House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, & Innovation Subcommittee will hold a hearing titled “Secure, Safe, and Auditable: Protecting the Integrity of the 2020 Elections” with these witnesses:
Mr. David Levine, Elections Integrity Fellow, Alliance for Securing Democracy, German Marshall Fund of the United States
Ms. Sylvia Albert, Director of Voting and Elections, Common Cause
Ms. Amber McReynolds, Chief Executive Officer, National Vote at Home Institute
Mr. John Gilligan, President and Chief Executive Officer, Center for Internet Security, Inc.
On 30 July the House Oversight and Reform Committee will hold a hearing on the tenth “Federal Information Technology Acquisition Reform Act” (FITARA) scorecard on federal information technology.
On 30 July, the Senate Commerce, Science, and Transportation Committee’s Security Subcommittee will hold a hearing titled “The China Challenge: Realignment of U.S. Economic Policies to Build Resiliency and Competitiveness” with these witnesses:
The Honorable Nazak Nikakhtar, Assistant Secretary for Industry and Analysis, International Trade Administration, U.S. Department of Commerce
Dr. Rush Doshi, Director of the Chinese Strategy Initiative, The Brookings Institution
Mr. Michael Wessel, Commissioner, U.S. – China Economic and Security Review Commission
On 4 August, the Senate Armed Services Committee will hold a hearing titled “Findings and Recommendations of the Cyberspace Solarium Commission” with these witnesses:
Senator Angus S. King, Jr. (I-ME), Co-Chair, Cyberspace Solarium Commission
Representative Michael J. Gallagher (R-WI), Co-Chair, Cyberspace Solarium Commission
Brigadier General John C. Inglis, ANG (Ret.), Commissioner, Cyberspace Solarium Commission
On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
C-band Auction Procedures. The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
Radio Duplication Rules. The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310. 17-105)
Common Antenna Siting Rules. The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
Telecommunications Relay Service. The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)
Slack filed an antitrust complaint with the European Commission (EC) against Microsoft alleging that the latter’s tying Microsoft Teams to Microsoft Office is a move designed to push the former out of the market. A Slack vice president said in a statement “Slack threatens Microsoft’s hold on business email, the cornerstone of Office, which means Slack threatens Microsoft’s lock on enterprise software.” While the filing of a complaint does not mean the EC will necessarily investigate, under its new leadership the EC has signaled in a number of ways its intent to address the size of some technology companies and the effect on competition.
The National Institute of Standards and Technology (NIST) has issued for comment NIST the 2nd Draft of NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). NIST claimed this guidance document “promotes greater understanding of the relationship between cybersecurity risk management and ERM, and the benefits of integrating those approaches…[and] contains the same main concepts as the initial public draft, but their presentation has been revised to clarify the concepts and address other comments from the public.” Comments are due by 21 August 2020.
The United States National Security Commission on Artificial Intelligence (NSCAI) published its Second Quarter Recommendations, a compilation of policy proposals made this quarter. NSCAI said it is still on track to release its final recommendations in March 2021. The NSCAI asserted
The recommendations are not a comprehensive follow-up to the interim report or first quarter memorandum. They do not cover all areas that will be included in the final report. This memo spells out recommendations that can inform ongoing deliberations tied to policy, budget, and legislative calendars. But it also introduces recommendations designed to build a new framework for pivoting national security for the artificial intelligence (AI) era.
The NSCAI stated it “has focused its analysis and recommendations on six areas:
Advancing the Department of Defense’s internal AI research and development capabilities. The Department of Defense (DOD) must make reforms to the management of its research and development (R&D) ecosystem to enable the speed and agility needed to harness the potential of AI and other emerging technologies. To equip the R&D enterprise, the NSCAI recommends creating an AI software repository; improving agency- wide authorized use and sharing of software, components, and infrastructure; creating an AI data catalog; and expanding funding authorities to support DOD laboratories. DOD must also strengthen AI Test and Evaluation, Verification and Validation capabilities by developing an AI testing framework, creating tools to stand up new AI testbeds, and using partnered laboratories to test market and market-ready AI solutions. To optimize the transition from technological breakthroughs to application in the field, Congress and DOD need to reimagine how science and technology programs are budgeted to allow for agile development, and adopt the model of multi- stakeholder and multi-disciplinary development teams. Furthermore, DoD should encourage labs to collaborate by building open innovation models and a R&D database.
Accelerating AI applications for national security and defense. DOD must have enduring means to identify, prioritize, and resource the AI- enabled applications necessary to fight and win. To meet this challenge, the NSCAI recommends that DOD produce a classified Technology Annex to the National Defense Strategy that outlines a clear plan for pursuing disruptive technologies that address specific operational challenges. We also recommend establishing mechanisms for tactical experimentation, including by integrating AI-enabled technologies into exercises and wargames, to ensure technical capabilities meet mission and operator needs. On the business side, DOD should develop a list of core administrative functions most amenable to AI solutions and incentivize the adoption of commercially available AI tools.
Bridging the technology talent gap in government. The United States government must fundamentally re-imagine the way it recruits and builds a digital workforce. The Commission envisions a government-wide effort to build its digital talent base through a multi-prong approach, including: 1) the establishment of a National Reserve Digital Corps that will bring private sector talent into public service part-time; 2) the expansion of technology scholarship for service programs; and, 3) the creation of a national digital service academy for growing federal technology talent from the ground up.
Protecting AI advantages for national security through the discriminate use of export controls and investment screening. The United States must protect the national security sensitive elements of AI and other critical emerging technologies from foreign competitors, while ensuring that such efforts do not undercut U.S. investment and innovation. The Commission proposes that the President issue an Executive Order that outlines four principles to inform U.S. technology protection policies for export controls and investment screening, enhance the capacity of U.S. regulatory agencies in analyzing emerging technologies, and expedite the implementation of recent export control and investment screening reform legislation. Additionally, the Commission recommends prioritizing the application of export controls to hardware over other areas of AI-related technology. In practice, this requires working with key allies to control the supply of specific semiconductor manufacturing equipment critical to AI while simultaneously revitalizing the U.S. semiconductor industry and building the technology protection regulatory capacity of like-minded partners. Finally, the Commission recommends focusing the Committee on Foreign Investment in the United States (CFIUS) on preventing the transfer of technologies that create national security risks. This includes a legislative proposal granting the Department of the Treasury the authority to propose regulations for notice and public comment to mandate CFIUS filings for investments into AI and other sensitive technologies from China, Russia and other countries of special concern. The Commission’s recommendations would also exempt trusted allies and create fast tracks for vetted investors.
Reorienting the Department of State for great power competition in the digital age. Competitive diplomacy in AI and emerging technology arenas is a strategic imperative in an era of great power competition. Department of State personnel must have the organization, knowledge, and resources to advocate for American interests at the intersection of technology, security, economic interests, and democratic values. To strengthen the link between great power competition strategy, organization, foreign policy planning, and AI, the Department of State should create a Strategic Innovation and Technology Council as a dedicated forum for senior leaders to coordinate strategy and a Bureau of Cyberspace Security and Emerging Technology, which the Department has already proposed, to serve as a focal point and champion for security challenges associated with emerging technologies. To strengthen the integration of emerging technology and diplomacy, the Department of State should also enhance its presence and expertise in major tech hubs and expand training on AI and emerging technology for personnel at all levels across professional areas. Congress should conduct hearings to assess the Department’s posture and progress in reorienting to address emerging technology competition.
Creating a framework for the ethical and responsible development and fielding of AI. Agencies need practical guidance for implementing commonly agreed upon AI principles, and a more comprehensive strategy to develop and field AI ethically and responsibly. The NSCAI proposes a “Key Considerations” paradigm for agencies to implement that will help translate broad principles into concrete actions.
The cyber threat pose a serious threat to Denmark. Cyber attacks mainly carry economic and political consequences.
Hackers have tried to take advantage of the COVID-19 pandemic. This constitutes a new element in the general threat landscape.
The threat from cyber crime is VERY HIGH. No one is exempt from the threat. There is a growing threat from targeted ransomware attacks against Danish public authorities and private companies. The threat from cyber espionage is VERY HIGH.
The threat is especially directed against public authorities dealing with foreign and security policy issues as well as private companies whose knowledge is of interest to foreign states.
The threat from destructive cyber attacks is LOW. It is less likely that foreign states will launch destructive cyber attacks against Denmark. Private companies and public authorities operating in conflict-ridden regions are at a greater risk from this threat.
The threat from cyber activism is LOW. Globally, the number of cyber activism attacks has dropped in recent years,and cyber activists rarely focus on Danish public authorities and private companies. The threat from cyber terrorism is NONE. Serious cyber attacks aimed at creating effects similar to those of conventional terrorism presuppose a level of technical expertise and organizational resources that militant extremists, at present, do not possess. Also, the intention remains limited.
The technological development, including the development of artificial intelligence and quantum computing, creates new cyber security possibilities and challenges.
“Accuse, Evict, Repeat: Why Punishing China and Russia for Cyberattacks Fails” – The New York Times. This piece points out that the United States (US) government is largely using 19th Century responses to address 21st Century conduct by expelling diplomats, imposing sanctions, and indicting hackers. Even a greater use of offensive cyber operations does not seem to be deterring the US’s adversaries. It may turn out that the US and other nations will need to focus more on defensive measures and securing its valuable data and information.
“New police powers to be broad enough to target Facebook” – Sydney Morning Herald. On the heels of a 2018 law that some argue will allow the government in Canberra to order companies to decrypt users communications, Australia is considering the enactment of new legislation because of concern among the nation’s security services about end-to-end encryption and dark browsing. In particular, Facebook’s proposed changes to secure its networks is seen as fertile ground of criminals, especially those seeking to prey on children sexually.
“The U.S. has a stronger hand in its tech battle with China than many suspect” – The Washington Post. A national security writer makes the case that the cries that the Chinese are coming may prove as overblown as similar claims made about the Japanese during the 1980s and the Russian during the Cold War. The Trump Administration has used some levers that may appear to impede the People’s Republic of China’s attempt to displace the United States. In all, this writer is calling for more balance in viewing the PRC and some of the challenges it poses.
“Facebook is taking a hard look at racial bias in its algorithms” – Recode. After a civil rights audit that was critical of Facebook, the company is assembling and deploying teams to try to deal with the biases in its algorithms on Facebook and Instagram. Critics doubt the efforts will turn out well because economic incentives are aligned against rooting out such biases and the lack of diversity at the company.
“France won’t ban Huawei, but encouraging 5G telcos to avoid it: report” – Reuters. Unlike the United States, the United Kingdom, and others, France will not outright ban Huawei from their 5G networks but will instead encourage their telecommunications companies to use European manufacturers. Some companies already have Huawei equipment on the networks and may receive authorization to use the company’s equipment for up to five more years. However, France is not planning on extending authorizations past that deadline, which will function a de facto sunset. In contrast, authorizations for Ericsson or Nokia equipment were provided for eight years. The head of France’s cybersecurity agency stressed that France was not seeking to move against the People’s Republic of China (PRC) but is responding to security concerns.