U.S. Federal Government and States Ask Court To Break Up Facebook

Antitrust suits finally filed against Facebook. The U.S. and state governments want to spin off WhatsApp and Instagram.

As has been long rumored, the Federal Trade Commission (FTC) and state attorneys general have filed lawsuits against Facebook, claiming the social media giant has pursued anti-competitive practices in violation of federal and state laws. This is the second major lawsuit filed this fall against a tech giant and may not be the last. The lawsuits make the case that the appropriate way to rectify the pattern of abuse is to spin off WhatsApp and Instagram, among other requested legal relief. Probably not by accident, both suits were filed in the same federal court, and consequently the suits will likely be consolidated, with the FTC and the states working together in litigating against Facebook. This case may not be resolved until well into the Biden Administration.

The FTC voted to proceed with the antitrust and anti-competition action on a 3-2 vote with Chair Joseph Simons siding with the two Democratic Commissioners. The other two Republicans voted no but did so without issuing a dissent or statement, explaining their views or arguing the majority’s approach is wrong or misguided.

In the suit filed in the District Court of the District of Columbia, the FTC claims that Facebook has violated Section 2 of the Sherman Antitrust Act and by extension Section 5 of the FTC Act through buying potential rivals WhatsApp and Instagram and forcing any companies that want to use Facebook’s application programming interfaces not to compete with Facebook or Facebook Messenger. As a result, the FTC claims, people have no functional options for social messaging and personal networking and the online advertising market hurts advertisers and ultimately consumers given Facebook’s dominance of the market.

The FTC asserted:

  • Facebook has maintained its monopoly position by buying up companies that present competitive threats and by imposing restrictive policies that unjustifiably hinder actual or potential rivals that Facebook does not or cannot acquire.
  • Facebook holds monopoly power in the market for personal social networking services (“personal social networking” or “personal social networking services”) in the United States, which it enjoys primarily through its control of the largest and most profitable social network in the world, known internally at Facebook as “Facebook Blue,” and to much of the world simply as “Facebook.”
  • Facebook’s unmatched position has provided it with staggering profits. Facebook monetizes its personal social networking monopoly principally by selling advertising, which exploits a rich set of data about users’ activities, interests, and affiliations to target advertisements to users. Last year alone, Facebook generated revenues of more than $70 billion and profits of more than $18.5 billion.
  • Since toppling early rival Myspace and achieving monopoly power, Facebook has turned to playing defense through anticompetitive means. After identifying two significant competitive threats to its dominant position—Instagram and WhatsApp—Facebook moved to squelch those threats by buying the companies, reflecting CEO Mark Zuckerberg’s view, expressed in a 2008 email, that “it is better to buy than compete.” To further entrench its position, Facebook has also imposed anticompetitive conditions that restricted access to its valuable platform—conditions that Facebook personnel recognized as “anti user[,]” “hypocritical” in light of Facebook’s purported mission of enabling sharing, and a signal that “we’re scared that we can’t compete on our own merits.”
  • As Facebook has long recognized, its personal social networking monopoly is protected by high barriers to entry, including strong network effects. In particular, because a personal social network is generally more valuable to a user when more of that user’s friends and family are already members, a new entrant faces significant difficulties in attracting a sufficient user base to compete with Facebook. Facebook’s internal documents confirm that it is very difficult to win users with a social networking product built around a particular social “mechanic” (i.e., a particular way to connect and interact with others, such as photo-sharing) that is already being used by an incumbent with dominant scale. Even an entrant with a “better” product often cannot succeed against the overwhelming network effects enjoyed by a dominant personal social network.
  • In an effort to preserve its monopoly in the provision of personal social networking, Facebook has, for many years, continued to engage in a course of anticompetitive conduct with the aim of suppressing, neutralizing, and deterring serious competitive threats to Facebook Blue. This course of conduct has had three main elements: acquiring Instagram, acquiring WhatsApp, and the anticompetitive conditioning of access to its platform to suppress competition.

The FTC detailed the harm to people and to competition:

  • Through at least the foregoing conduct, Facebook suppresses, deters, hinders, and eliminates personal social networking competition, and maintains its monopoly power in the U.S. personal social networking market, through means other than merits competition. In doing so, Facebook deprives users of personal social networking in the United States of the benefits of competition, including increased choice, quality, and innovation. Facebook cannot justify this substantial harm to competition with claimed efficiencies, procompetitive benefits, or business justifications that could not be achieved through other means.
  • By suppressing, neutralizing, and deterring the emergence and growth of personal social networking rivals, Facebook also suppresses meaningful competition for the sale of advertising. Personal social networking providers typically monetize through the sale of advertising; thus, more competition in personal social networking is also likely to mean more competition in the provision of advertising. By monopolizing personal social networking, Facebook thereby also deprives advertisers of the benefits of competition, such as lower advertising prices and increased choice, quality, and innovation related to advertising.

The FTC asked the court for a ruling that:

  1. that Facebook’s course of conduct, as alleged herein, violates Section 2 of the Sherman Act and thus constitutes an unfair method of competition in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a);
  2. divestiture of assets, divestiture or reconstruction of businesses (including, but not limited to, Instagram and/or WhatsApp), and such other relief sufficient to restore the competition that would exist absent the conduct alleged in the Complaint, including, to the extent reasonably necessary, the provision of ongoing support or services from Facebook to one or more viable and independent business(es);
  3. any other equitable relief necessary to restore competition and remedy the harm to competition caused by Facebook’s anticompetitive conduct described above;
  4. a prior notice and prior approval obligation for future mergers and acquisitions;
  5. that Facebook is permanently enjoined from imposing anticompetitive conditions on access to APIs and data;
  6. that Facebook is permanently enjoined from engaging in the unlawful conduct described herein;
  7. that Facebook is permanently enjoined from engaging in similar or related conduct in the future;
  8. a requirement to file periodic compliance reports with the FTC, and to submit to such reporting and monitoring obligations as may be reasonable and appropriate; and
  9. any other equitable relief, including, but not limited to, divestiture or restructuring, as the Court finds necessary to redress and prevent recurrence of Facebook’s violations of law, as alleged herein.

46 states, the District of Columbia, and the territory of Guam filed suit the same day against Facebook, alleging violations of Sections 16 and 7 of the Clayton Act and Section 2 of the Sherman Act. The suit was also filed in the District Court of the District of Columbia. The state attorneys general who filed suit against Facebook represent the following jurisdictions: Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, the territory of Guam, Hawaii, Idaho, Illinois, Iowa, Indiana, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.

The states made their case that Facebook has violated federal antitrust and anti-competition laws:

  • Every day, more than half of the United States population over the age of 13 turns to a Facebook service to keep them in touch with the people, organizations, and interests that matter most to them. For them, Facebook provides an important forum for sharing personal milestones and other intimate details about their lives to friends and family: for example, announcing the birth of a child or grieving the loss of a close relative; sharing photos and videos of children and grandchildren; and debating politics and public events.
  • Users do not pay a cash price to use Facebook. Instead, users exchange their time, attention, and personal data for access to Facebook’s services.
  • Facebook makes its money by selling ads. Facebook sells advertising to firms that attach immense value to the user engagement and highly targeted advertising that Facebook can uniquely deliver due to its massive network of users and the vast trove of data it has collected on users, their friends, and their interests. The more data Facebook accumulates by surveilling the activities of its users and the more time the company convinces users to spend engaging on Facebook services, the more money the company makes through its advertising business.
  • For almost a decade, Facebook has had monopoly power in the personal social networking market in the United States. As set forth in detail below, Facebook illegally maintains that monopoly power by deploying a buy-or-bury strategy that thwarts competition and harms both users and advertisers.
  • Facebook’s illegal course of conduct has been driven, in part, by fear that the company has fallen behind in important new segments and that emerging firms were “building networks that were competitive with” Facebook’s and could be “very disruptive to” the company’s dominance. As Facebook’s founder and CEO, Mark Zuckerberg observed, “[o]ne thing about startups . . . is you can often acquire them,” indicating at other times that such acquisitions would enable Facebook to “build a competitive moat” or “neutralize a competitor.”
  • Zuckerberg recognized early that even when these companies were not inclined to sell, if Facebook offered a “high enough price . . . they’d have to consider it.” Facebook has coupled its acquisition strategy with exclusionary tactics that snuffed out competitive threats and sent the message to technology firms that, in the words of one participant, if you stepped into Facebook’s turf or resisted pressure to sell, Zuckerberg would go into “destroy mode” subjecting your business to the “wrath of Mark.” As a result, Facebook has chilled innovation, deterred investment, and forestalled competition in the markets in which it operates, and it continues to do so.
  • Facebook’s unlawfully maintained monopoly power gives it wide latitude to set the terms for how its users’ private information is collected, used, and protected. In addition, because Facebook decides how and whether the content shared by users is displayed to other users, Facebook’s monopoly gives it significant control over how users engage with their closest connections and what content users see when they do. Because Facebook users have nowhere else to go for this important service, the company is able to make decisions about how and whether to display content on the platform and can use the personal information it collects from users solely to further its business interests, free from competitive constraints, even where those choices conflict with the interests and preferences of Facebook users.
  • choice in personal social networks, suppressed innovation, and reduced investment in potentially competing services. Facebook’s conduct deprives users of product improvements and, as a result, users have suffered, and continue to suffer, reductions in the quality and variety of privacy options and content available to them.
  • By eliminating, suppressing, and deterring the emergence and growth of personal social networking rivals, Facebook also harms advertisers in a number of ways, including less transparency to assess the value they receive from advertisements, and harm to their brand due to offensive content on Facebook services.
  • Facebook’s anticompetitive campaign to forestall competing services that might threaten its dominance in personal social networking services includes a variety of tactics.

The states are asking the court for the following relief:

  1. That Facebook be adjudged to have violated Section 2 of the Sherman Act, 15 U.S.C. § 2;
  2. That Facebook be enjoined and restrained from continuing to engage in any anticompetitive conduct and from adopting in the future any practice, plan, program, or device having a similar purpose or effect to the anticompetitive actions set forth above;
  3. That Facebook be enjoined and restrained from making further acquisitions valued at or in excess of $10 million without advance notification to Plaintiff States;
  4. That Facebook be enjoined and restrained from making further acquisitions without such disclosures to Plaintiff States as would be required to the federal government under the Hart-Scott-Rodino Act for transactions falling within the scope of such Act;
  5. That Facebook’s acquisition of Instagram be adjudged to be in violation of Section 7 of the Clayton Act, 15 U.S.C. § 18;
  6. That Facebook’s acquisition of WhatsApp be adjudged to be in violation of Section 7 of the Clayton Act, 15 U.S.C. § 18;
  7. That each Plaintiff State be awarded its costs, including reasonable attorneys’ fees pursuant to 15 U.S.C. § 15(c); and
  8. That the Court order such other and further equitable relief as this Court may deem appropriate to restore competitive conditions and lost competition and to prevent future violations, including divestiture or reconstruction of illegally acquired businesses and/or divestiture of Facebook assets or business lines.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

FTC Settlement with Zoom

The FTC again splits on a data security and privacy action. The popular online video call platform needs to revamp its data security practices or face considerable future liability.

The Federal Trade Commission (FTC) split along party lines to approve a settlement with Zoom to resolve allegations that the video messaging platform violated the FTC Act’s ban on unfair and deceptive practices in commerce. Zoom agreed to a consent order mandating a new information security program, third party assessment, prompt reporting of covered incidents and other requirements over a period of 20 years. The two Democratic Commissioners voted against the settlement and dissented because they argued it did not punish the abundant wrongdoing and will not dissuade future offenders.

In the complaint, the FTC asserted there is evidence proving that Zoom lied in its claims that it used end-to-end encryption (it didn’t), used AES 256-bit encryption (it used 128-bit encryption, which is much easier to hack), and stored recordings encrypted on its servers (it didn’t until 60 days after recording, when they were moved to the cloud and encrypted). The FTC labeled each of these deceptive practices that violated Section 5 of the FTC Act and provided extensive evidence that Zoom committed all these offenses. But the worst violation may have been Zoom’s decision to circumvent Apple’s security feature on its browser Safari in the interest of allowing people one click to join a call. Apple had installed a feature on Safari and other of its applications that notifies users when a clicked link (like one to a Zoom call) is going to take the person to a website or launch a non-Apple app. This feature was designed to address attacks via malware that launches automatically upon clicking a link or attackers seeking to penetrate a computer the same way. Apparently, Zoom did not like this, so the company essentially designed malware that defeated this feature of Safari and placed it on the computers of Mac users without notice or consent. The FTC called this a fraudulent act in violation of Section 5.

The FTC also found systemic data security vulnerabilities in the company’s internal network that would have allowed malicious actors untrammeled access to sensitive user information. Moreover, contractors and service providers with access to Zoom’s networks were not subject to oversight. Also, software patches were not applied in a timely fashion, making it all the more likely that malicious parties could penetrate the company’s networks.

The FTC drafted a consent order, which Zoom signed without admitting any guilt, that will require the company to honestly represent its security practices, implement effective information security practices, undergo periodic third party assessments, submit an annual certification that the company is complying, send compliance reports to the agency, and alert the FTC if there is a breach of Zoom’s security that affects more than 500 users and triggers reporting requirements to a federal or state agency. As mentioned, this consent order is to last for 20 years, and in the event of any violations, the FTC can go to court and seek monetary damages for Zoom being in contempt of the order. This is the usual means by which the FTC can obtain civil fines, and the method by which the FTC reached a $5 billion settlement. All in all, this consent order is par for the course for the FTC.

Commissioners Rohit Chopra and Rebecca Kelly Slaughter dissented for a variety of reasons that may be summed up: the FTC let Zoom off with a slap on the wrist.

In his dissent, Chopra accused the majority of not using the full extent of its powers to help the people and businesses that had been harmed by Zoom’s actions and not setting an example to deter both future bad acts by others and by Zoom itself. Chopra characterized the Zoom settlement as being the latest in a long string of ineffectual consent orders that will fail to change the behavior of companies in the digital markets. Chopra called on the agency to use rarely utilized powers, notably through a rulemaking spelling out the practices the FTC will find deceptive and unfair, which would allow the agency to pursue civil fines in the first instance and also put companies on notice about what is allowed and what is not. Chopra also called for structural changes at the agency to increase its effectiveness. Kelly Slaughter focused on the majority’s choice to ignore the privacy implications of Zoom’s misdeeds, especially by not including any requirements that Zoom improve its faulty privacy practices.

To no great surprise, the majority disagreed with Chopra and Kelly Slaughter, trumpeting the settlement as “ensur[ing] that Zoom will prioritize consumers’ privacy and security.” The majority also asserted:

Our dissenting colleagues suggest additional areas for relief that likely would require protracted litigation to obtain. Given the effective relief this settlement provides, we see no need for that….We feel it is important to put in place measures to protect those users’ privacy and security now, rather than expend scarce staff resources on speculative, potential relief that a Court would not likely grant, given the facts here.

Incidentally, the majority’s primary rationale for not seeking more comprehensive punishment of Zoom and relief and redress for businesses and consumers lays bare the reason why any federal privacy regime may prove to be a toothless tiger. The majority reasoned that the FTC did the best it could because going to court would entail the risk Zoom would prevail given its resources, and even if the agency won, it would still burn through precious agency resources. I’ve made this point before: if people are not given the right to vindicate their rights in court, absent a major infusion of money and authority into the FTC, a federal privacy law will fail to achieve the goal of increasing privacy in the digital world. And this failure will occur because of the incentives. If a multi-billion-dollar corporation like Zoom gives the FTC night sweats about pursuing what appears to be an open and shut case given the egregious violations of the FTC Act, then the biggest players in the market will continue doing what they are currently doing, with some changes in order to at least nod to a new law. However, the FTC will lack the means and the will to punish enough violators to change their behavior, the ultimate goal of any statutory scheme.

As it happened, the FTC also announced its consent order against Sunday Riley and its namesake CEO for posting fake reviews of its cosmetic products on the website of retailer Sephora. Sunday Riley executives and employees created fake accounts to post fake reviews, and then used a VPN once the reviews were taken down. CEO Sunday Riley also directed employees to create three different fake accounts for this purpose. The consent order bars Sunday Riley and the named parties from making any misrepresentations about the company’s products and forbids them from failing to disclose material connections in advertising and related practices. This case does not pertain to data security and privacy, but Chopra and Kelly Slaughter dissented, voted against the consent order, and asserted, much as they did in the Zoom case:

  • The FTC is doubling down on its no-money, no-fault settlement with Sunday Riley, who was charged with egregious fake review fraud. This weak settlement is a serious setback for the Commission’s credibility as a watchdog over digital markets.
  • To defend this settlement, the Commissioners supporting this outcome claim they had no basis to seek more than $0. Their analytical approach favors the fraudster, and it will undermine our mission in future cases.
  • The Commission can end its no-consequences settlement policy by publishing a Policy Statement on Equitable Monetary Remedies, restating legal precedent into formal rules, and designating specific misconduct as penalty offenses through an unused FTC Act authority.

FTC Chair Joseph Simons and Commissioners Noah Joshua Phillips and Christine S. Wilson made the case in their statement:

  • Every case presents unique circumstances, and there are many factors that must be considered in determining what constitutes an appropriate settlement. The primary factor is the law. For example, to obtain monetary relief, the Commission must have a viable legal basis to demonstrate consumer injury or ill-gotten gains from the alleged violations. In some cases, such as frauds where the consumer receives no value, this calculation may be obvious. In others, including Sunday Riley, a legally defensible calculation of ill-gotten gains may be difficult. In such cases, the expenditure of resources needed to develop an adequate evidentiary basis reasonably to approximate ill-gotten gains may substantially outweigh any benefits to consumers and the market. We believe the Commission’s order strikes the right balance.
  • The relief obtained in this case is consequential and will provide both specific and general deterrence. The administrative order binds Sunday Riley and its CEO.


Congressional Cybersecurity Commission Releases Annex To Final Report

A Congressional cyber panel is adding four recommendations to its comprehensive March report.  

On 2 June, the Cyberspace Solarium Commission (CSC) released an annex to its final report. The CSC was created by the National Defense Authorization Act for Fiscal Year 2019 (P.L. 115-232) to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.” In mid-March, the CSC released its final report and made a range of recommendations, some of which were paired with legislative language the CSC has still not yet made available. However, Members of Congress who served on the CSC are working with the Armed Services Committees to get some of this language added to the FY 2021 National Defense Authorization Act (NDAA). See this issue of the Technology Policy Update for more detail on the CSC’s final report.

Per its grant of statutory authority, the CSC is set to terminate 120 days after the release of its final report, which will be next month. Nonetheless, the CSC has been holding a series of webinars to elucidate or explain various components of the final report, and the Commission began to consider cybersecurity through the lens of the current pandemic for parallels and practical effects. Consequently, the CSC added four new recommendations and renewed its call that recommendations in its final report related to the pandemic – in the view of the Commission – receive renewed attention and ideally action by Congress and the Executive Branch.

The CSC again called for the types of resources and reforms most policymakers have either not shown an appetite for or believe are a few bridges too far. Even though the CSC stated its intention to be a “9/11 Commission without the 9/11 event,” it is unlikely such sweeping policy changes will be made in the absence of a crisis or event that fundamentally changes this status quo. Nevertheless, the CSC’s new recommendations are targeted and modest: one calls for funneling more funds through an existing grant program to bolster private sector/non-profit efforts, and another for a government agency to exercise previously granted authority. What’s more, the CSC could add the new recommendations to those shared in the form of legislative language with the Armed Services Committees in the hopes they are included in this year’s NDAA. Given that CSC co-chairs Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI) serve on their chambers’ Armed Services Committees, as do the other two Members of Congress on the CSC, Senator Ben Sasse (R-NE) and Representative James Langevin (D-RI), the chances of some of the recommendations making it into statute are higher than they may be otherwise.

In its “White Paper #1: Cybersecurity Lessons from the Pandemic,” the CSC asserted:

The COVID-19 pandemic illustrates the challenge of ensuring resilience and continuity in a connected world. Many of the effects of this new breed of crisis can be significantly ameliorated through advance preparations that yield resilience, coherence, and focus as it spreads rapidly through the entire system, stressing everything from emergency services and supply chains to basic human needs and mental health. The pandemic produces cascading effects and high levels of uncertainty. It has undermined normal policymaking processes and, in the absence of the requisite preparedness, has forced decision makers to craft hasty and ad hoc emergency responses. Unless a new approach is devised, crises like COVID-19 will continue to challenge the modern American way of life each time they emerge. This annex collects observations from the pandemic as they relate to the security of cyberspace, in terms of both the cybersecurity challenges it creates and what it can teach the United States about how to prepare for a major cyber disruption. These insights and the accompanying recommendations, some of which are new and some of which appear in the original March 2020 report, are now more urgent than ever.

The CSC conceded that “[t]he lessons the country is learning from the ongoing pandemic are not perfectly analogous to a significant cyberattack, but they offer many illuminating parallels.

  • First, both the pandemic and a significant cyberattack can be global in nature, requiring that nations simultaneously look inward to manage a crisis and work across borders to contain its spread.
  • Second, both the COVID-19 pandemic and a significant cyberattack require a whole-of-nation response effort and are likely to challenge existing incident management doctrine and coordination mechanisms.
  • Third, when no immediate therapies or vaccines are available, testing and treatments emerge slowly; such circumstances place a premium on building systems that are agile, are resilient, and enable coordination across the government and private sector, much as is necessary in the cyber realm.
  • Finally, and perhaps most importantly, prevention is far cheaper and preestablished relationships far more effective than a strategy based solely on detection and response.

The CSC continued:

The COVID-19 pandemic is a call to action to ensure that the United States is better prepared to withstand shocks and crises of all varieties, especially those like cyber events that we can reasonably predict will occur, even if we do not know when. We, as a nation, must internalize the lessons learned from this emergency and move forward to strengthen U.S. national preparedness.  This means building structures in government now to ensure strategic leadership and coordination through a cyber crisis. It means driving down the vulnerability of the nation’s networks and technologies. And finally, it means investing in rigorously building greater resiliency in the government, in critical infrastructure, and in our citizenry. In the past several years, experts have sounded the alarm, ranking cyberattacks as one of the most likely causes of a crisis. As the COVID-19 crisis has unfolded, the United States has experienced a wake-up call, prompting a national conversation about disaster prevention, crisis preparedness, and incident response. While COVID-19 is the root cause of today’s crisis, a significant cyberattack could be the cause of the next. If that proves to be the case, history will surely note that the time to prepare was now.

The CSC offered these four new recommendations:

  • Pass an Internet of Things Security Law: With a significant portion of the workforce working from home during the COVID-19 disruption, household internet of things (IoT) devices, particularly household routers, have become vulnerable but important pieces of our national cyber ecosystem and our adversary’s attack surface. To ensure that the manufacturers of IoT devices build basic security measures into the products they sell, Congress should pass an IoT security law. The law should focus on known challenges, like insecurity in Wi-Fi routers, and mandate that these devices have reasonable security measures, such as those outlined under the National Institute of Standards and Technology’s “Recommendations for IoT Device Manufacturers.” But it should be only modestly prescriptive, relying more heavily on outcome-based standards, because security standards change with technology over time. Nonetheless, the law should stress enduring standards both for authentication, such as requiring unique default passwords that a user must change to their own authentication mechanism upon first use, and for patching, such as ensuring that a device is capable of receiving a remote update. Congress should consider explicitly tasking the Federal Trade Commission with enforcement of the law on the basis of existing authorities under Section 5 of the Federal Trade Commission Act.
    • In a footnote, the CSC asserted “[t]he proposed Internet of Things (IoT) Cybersecurity Improvement Act of 2019 provides a viable model for a federal law that mandates that connected devices procured by the federal government have reasonable security measures in place, but should be expanded to cover all devices sold or offered for sale in the United States.”
    • The initial draft of the “Internet of Things Cybersecurity Improvement Act of 2019” (H.R. 1668/S. 734) was a revised, unified version of two similar bills from the 115th Congress of the same title: the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017” (S. 1691) and the “Internet of Things (IoT) Federal Cybersecurity Improvement Act of 2018” (H.R. 7283). During consideration in both chambers, however, differences emerged that have not yet been reconciled. Still, it is possible that a final version of this bill gets folded into the FY 2021 NDAA or is passed as standalone legislation in the waning days of this Congress.
    • However, the FTC already uses its Section 5 authorities to bring actions against IoT manufacturers. For example, last month, the agency announced a settlement with Tapplock regarding “allegations that it deceived consumers by falsely claiming that its Internet-connected smart locks were designed to be ‘unbreakable’ and that it took reasonable steps to secure the data it collected from users.”
  • Support Nonprofits that Assist Law Enforcement’s Cybercrime and Victim Support Efforts: Cyber-specific nonprofit organizations regularly collaborate with law enforcement in writing cybercrime reports, carrying out enforcement operations, and providing victim support services. As the COVID-19 pandemic has proven, trusted nonprofit organizations serve as critical law enforcement partners that can quickly mobilize to help identify and dismantle major online schemes. Such nonprofits have the expertise and flexibility to help and reinforce law enforcement efforts to disrupt cybercrime and assist victims. However, they often face financial challenges. Therefore, the Commission recommends that Congress provide grants through the Department of Justice’s Office of Justice Programs to help fund these essential efforts.
    • The portion of the Department of Justice’s Office of Justice Programs that makes grants was provided $1.892 billion in FY 2020, with large chunks earmarked for state and local law enforcement agencies through programs like the Edward Byrne Memorial Justice Assistance Grant program. Therefore, additional funding would likely need to be provided for this program if there are to be additional eligible recipients and additional purposes.
  • Establish the Social Media Data and Threat Analysis Center: Because major social media platforms are owned by private companies, developing a robust public-private partnership is essential to effectively combat disinformation. To this end, the Commission supports the provision in the FY2020 National Defense Authorization Act that authorizes the Office of the Director of National Intelligence to establish and fund a Social Media Data and Threat Analysis Center (DTAC), which would take the form of an independent, nonprofit organization intended to encourage public-private cooperation to detect and counter foreign influence operations against the United States. The center would serve as a public-private facilitator, developing information-sharing procedures and establishing—jointly with social media—the threat indicators that the center will be able to access and analyze. In addition, the DTAC would be tasked with informing the public about the criteria and standards for analyzing, investigating, and determining threats from malign influence operations. Finally, in order to strengthen a collective understanding of the threats, the center would host a searchable archive of aggregated information related to foreign influence and disinformation operations.
    • This is, obviously, not really a new recommendation, but rather a call for already granted authority to be used. The Director of National Intelligence was provided discretionary authority to establish the DTAC in P.L. 116-92 and has not chosen to do so yet. There are a number of existing entities that may qualify, such as the Atlantic Council’s Digital Forensic Research Lab or the Alliance for Securing Democracy. However, the issue may be resources, in that the DNI was not provided any additional funding to stand up the DTAC.
  • Increase Nongovernmental Capacity to Identify and Counter Foreign Disinformation and Influence Campaigns: Congress should fund the Department of Justice to provide grants, in consultation with the Department of Homeland Security and the National Science Foundation, to nonprofit centers seeking to identify, expose, and explain malign foreign influence campaigns to the American public while putting those campaigns in context to avoid amplifying them. Such malign foreign influence campaigns can include covert foreign state and non-state propaganda, disinformation, or other inauthentic activity across online platforms, social networks, or other communities. These centers should analyze and monitor foreign influence operations, identify trends, put those trends into context, and create a robust, credible source of information for the American public. To ensure success, these centers should be well-resourced and coordinated with ongoing government efforts and international partners’ efforts.
    • It is not clear whether this program would be conducted through an existing DOJ program or a new one would be created. As with the DOJ’s Office of Justice Programs, funding may be an issue. While the Armed Services Committees may be able to fold this into the FY 2021 NDAA (notwithstanding jurisdictional issues, considering the DOJ is within the Judiciary Committees’ purview), the Appropriations Committees would ultimately decide whether this would be funded.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.