Further Reading, Other Developments, and Coming Events (10 September)

Coming Events

  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • Top Senate Democrats asked the Secretary of the Treasury to impose sanctions on officials and others in the Russian Federation for interfering in the 2020 United States election. In their letter, they urged Secretary Steven Mnuchin “to draw upon the conclusions of the Intelligence Community to identify and target for sanctions all those determined to be responsible for ongoing election interference, including any actors within the government of the Russian Federation, any Russian actors determined to be directly responsible, and those acting on their behalf or providing material or financial support for their efforts.” Given that Mnuchin is unlikely to displease President Donald Trump through agreeing that Russians are again interfering in a presidential election, it is probable that Senate Democrats are seeking to further their line of attack on Republicans that they are unwilling to defend the U.S. and its elections from Russia. They called on Mnuchin to use the authorities granted by Congress in the “Countering America’s Adversaries Through Sanctions Act” (P.L. 115-44) and Executive Order 13848 “Imposing Certain Sanctions in the Event of Foreign Interference in a United States Election.”
  • Epic Games has returned to court in an attempt to force Apple to put its popular multiplayer game, Fortnite, back into the App Store. At present, those on iOS devices cannot download and play the newest version of the game released a few weeks ago. Even though Epic Games lost its request for a temporary restraining order that would order Apple to put the game back, it has filed for a preliminary injunction:
    • (1) restraining Defendant Apple Inc. (“Apple”) from removing, de-listing, refusing to list or otherwise making unavailable the app Fortnite or any other app on Epic’s Team ID ’84 account in Apple’s Developer Program, including any update of such an app, from the App Store on the basis that Fortnite offers in-app payment processing through means other than Apple’s In-App Purchase (“IAP”) or on any pretextual basis;
    • (2) restraining Apple from taking any adverse action against Epic, including but not limited to restricting, suspending, or terminating any other Apple Developer Program account of Epic or its affiliates, on the basis that Epic enabled in-app payment processing in Fortnite through means other than IAP or on the basis of the steps Epic took to do so;
    • (3) restraining Apple from removing, disabling, or modifying Fortnite or any code, script, feature, setting, certification, version or update thereof on any iOS user’s device; and
    • (4) requiring Apple to restore Epic’s Team ID ’84 account in Apple’s Developer Program.
    •  Epic Games asserts:
      • This motion is made on the grounds that: (1) Epic is likely to succeed on the merits of its claims that Apple’s conduct violates the Sherman Act; (2) absent a preliminary injunction, Epic is likely to suffer irreparable harm; (3) the balance of harms tips sharply in Epic’s favor; and (4) the public interest supports an injunction.
    • Considering that the judge ruled against Epic Games’ claim of irreparable harm in the motion for a temporary restraining order on the grounds that the harm was self-inflicted (i.e. Epic Games escalated by putting its own pay option on Fortnite to foil Apple’s 30% take on in-game sales) and that no public interest was present, one wonders if the company will prevail on this motion.
  • Apple filed a countersuit against Epic Games, arguing the latter breached its contract with the former and now must pay damages. In contrast, Epic Games is not suing for any monetary damages, surely a tactical decision to help its case in court and among interested observers.
    • Apple sought to portray Epic Games’ lawsuit this way:
      • Epic’s lawsuit is nothing more than a basic disagreement over money. Although Epic portrays itself as a modern corporate Robin Hood, in reality it is a multi-billion dollar enterprise that simply wants to pay nothing for the tremendous value it derives from the App Store. Epic’s demands for special treatment and cries of “retaliation” cannot be reconciled with its flagrant breach of contract and its own business practices, as it rakes in billions by taking commissions on game developers’ sales and charging consumers up to $99.99 for bundles of “V-Bucks.”
      • Epic decided that it would like to reap the benefits of the App Store without paying anything for them. Armed with the apparent view that Epic is too successful to play by the same rules as everyone else—and notwithstanding a public proclamation that Epic “w[ould] not accept special revenue sharing or payment terms just for ourselves”—Epic CEO Tim Sweeney emailed Apple executives on June 30, 2020, requesting a “side letter” that would exempt Epic from its existing contractual obligations, including the App Store Review Guidelines (the “Guidelines”) that apply equally to all Apple developers. Among other things, Mr. Sweeney demanded a complete end-run around “Apple’s fees”—specifically, Epic wished to continue taking full advantage of the App Store while allowing consumers to pay Epic instead, leaving Apple to receive no payment whatsoever for the many services it provides developers and consumers.
    • Apple contended “[t]his Court should hold Epic to its contractual promises, award Apple compensatory and punitive damages, and enjoin Epic from engaging in further unfair business practices.”
  • The General Services Administration (GSA) released a draft Data Ethics Framework as part of implementing the Trump Administration’s Federal Data Strategy.
    • GSA noted
      • The Federal Data Strategy, delivered in December 2019, recognized the importance of ethics in its founding Principles. When the Federal Data Strategy team created the 2020 Action Plan, they specifically tasked the General Services Administration (GSA) with developing a Data Ethics Framework (Framework) in Action 14 to help agency employees, managers, and leaders make ethical decisions as they acquire, manage, and use data.
      • The resulting Framework is intended to be a “living” resource and to be regularly updated by the CDO Council and ICSP. The Framework incorporates the input and terminology from stakeholders representing many domains, and who use different types of data in different ways. The developers of the Framework recognize that some terms may be used differently, depending on the context, type of data being used, and stage in the data lifecycle.
      • The Framework applies to all data types and data uses. The Framework consists of four parts:
        • About the Data Ethics Framework outlines the intended purpose and audience of this document
        • Data Ethics Defined explores the meaning of the term “data ethics,” as background to the Tenets provided in the following section
        • Data Ethics Tenets provides seven Tenets, or high-level principles, for using data ethically within the Federal Government
        • Data Ethics Tenets in Action describes the benefits of data ethics and contains use cases demonstrating how the Tenets can guide data activities within federal agencies and federally sponsored programs
      • The Administration claimed the 2020 Action Plan “establishes a solid foundation that will support implementation of the strategy over the next decade…[and] identifies initial actions for agencies that are essential for establishing processes, building capacity, and aligning existing efforts to better leverage data as a strategic asset.” The use of federal data holds a key place in the President’s Management Agenda (PMA) and, according to the Administration, will be a key driver in transforming how the federal government operates, particularly in relation to technology. The 2020 Action Plan lays out the steps agencies will be expected to take to realize the Administration’s 10-year Federal Data Strategy. As always, results will be informed by follow through and prioritization by the Office of Management and Budget (OMB) and buy-in from agency leadership.
      • Notably, the Administration tied the 2020 Action Plan to a number of other ongoing initiatives that rely heavily on data. The Administration said the plan “incorporates requirements of the Foundations for Evidence-Based Policymaking Act of 2018, the Geospatial Data Act of 2018, and Executive Order 13859 on Maintaining American Leadership in Artificial Intelligence.”
  • The Office of the Australian Information Commissioner (OAIC) published “its Corporate Plan for 2020-21, which sets out its strategic priorities and key activities for the next four years” according to its press release. The OAIC stated “[t]he plan identifies four strategic priorities that will help the OAIC achieve its vision to increase public trust and confidence in the protection of personal information and access to government-held information:
    • Advance online privacy protections for Australians
    • Influence and uphold privacy and information access rights frameworks
    • Encourage and support proactive release of government-held information, and
    • Contemporary approach to regulation.
    • The agency stated:
      • Over the coming year, the OAIC will continue to promote strong privacy protections for the use of personal information to prevent and manage the spread of COVID-19, including oversight of data handling within the COVIDSafe app system. 
      • Strengthening privacy protections in the online environment remains a key focus for the organisation, while privacy law reform will be a priority in 2020-21, with the Australian Government’s review of the Privacy Act an opportunity to ensure the regulatory framework can respond to new challenges in the digital environment.
      • Commissioner [Angelene] Falk said the OAIC will also enforce privacy safeguards under the Consumer Data Right and will continue its work to improve transparency and prevent harm to consumers through its oversight of the Notifiable Data Breaches scheme.
  • Ontario’s Ministry of Government and Consumer Services “launched consultations to improve the province’s privacy protection laws” and stakeholders “will have the opportunity to contribute to strengthening transparency and accountability concerning the collection, use and safeguarding of personal information online.” Ontario “is seeking advice on ways to:
    • Increase transparency for individuals, providing Ontarians with more detail about how their information is being used by businesses and organizations.
    • Enhance consent provisions allowing individuals to revoke consent at any time, and adopting an “opt-in” model for secondary uses of their information.
    • Introduce a right for individuals to request information related to them be deleted, subject to limitations (this is otherwise known as “right to erasure” or “the right to be forgotten”).
    • Introduce a right for individuals to obtain their data in a standard and portable digital format, giving them greater freedom to change service providers without losing their data (this is known as “data portability”).
    • Increase enforcement powers for the Information and Privacy Commissioner to ensure businesses comply with the law, including giving the commissioner the ability to impose penalties.
    • Introduce requirements for data that has been de-identified and derived from personal information to provide clarity of applicability of privacy protections.
    • Expand the scope and application of the law to include non-commercial organizations, including not-for-profits, charities, trade unions and political parties.
    • Create a legislative framework to enable the establishment of data trusts for privacy protective data sharing.
  • The United States (U.S.) Department of Homeland Security (DHS) Office of the Inspector General (OIG) issued “Progress and Challenges in Modernizing DHS’ Information Technology (IT) Systems and Infrastructure” and found fault with these three systems:
    • DHS-wide Human Resources IT (HRIT)
    • DHS Legacy Major IT Financial System that “[s]erves as Coast Guard and Transportation Security Agency’s (TSA) financial system of record.”
    • Federal Emergency Management Agency (FEMA) Grants Management Mission Domain and Operational Environment
    • The OIG stated
      • The DHS 2019–2023 IT strategic plan included two distinct department-wide IT modernization initiatives: to adopt cloud-based computing and to consolidate data centers. However, not all components have complied with or fully embraced these efforts due to a lack of standard guidance and funding. Without consistent implementation of these efforts, DHS components remain hindered in their ability to provide personnel with more enhanced, up-to-date technology.
      • In the meantime, DHS continues to rely on deficient and outdated IT systems to perform mission-critical operations. We identified three legacy IT systems with significant operational challenges that negatively affected critical DHS functions, such as human resources and financial management, as well as disaster recovery mission operations. DHS has not made sufficient progress in replacing or augmenting these IT systems due to ineffective planning and inexperience in executing complex IT modernization efforts. Additionally, the DHS CIO has not performed mandated oversight of legacy IT to mitigate and reduce risks associated with outdated systems. Until DHS addresses these issues, it will continue to face significant challenges to accomplish mission operations efficiently and effectively.
    • The OIG recommended:
      • We recommend the DHS OCIO develop department-wide guidance for implementing cloud technology and migrating legacy IT systems to the cloud.
      • We recommend the DHS OCIO coordinate with components to develop and finalize a data center migration approach to accomplish strategic goals for reducing the footprint of DHS IT infrastructure.
      • We recommend the DHS OCIO establish a process to assign risk ratings for major legacy IT investments, as required by the Federal Information Technology Acquisition Reform Act.
  • The University of Toronto’s Citizen Lab and the International Human Rights Program at the University of Toronto’s Faculty of Law published a report “To Surveil and Predict: A Human Rights Analysis of Algorithmic Policing in Canada” that “focuses on the human rights and constitutional law implications of the use of algorithmic policing technologies by law enforcement authorities.” The authors found:
    • The research conducted for this report found that multiple law enforcement agencies across Canada have started to use, procure, develop, or test a variety of algorithmic policing methods. These programs include both using and developing predictive policing technologies and using algorithmic surveillance tools. Additionally, some law enforcement agencies have acquired tools with the capability of algorithmic policing technology, but they are not currently using that capability because, to date, they have not decided to do so.
    • The authors “analyze the potential impacts of algorithmic policing technologies on the following rights: the right to privacy; the right to freedoms of expression, peaceful assembly, and association; the right to equality and freedom from discrimination; the right to liberty and to be free from arbitrary detention; the right to due process; and the right to a remedy.”
  • The United States (U.S.) Department of Homeland Security (DHS) issued “the Electromagnetic Pulse (EMP) Program Status Report as part of an update on efforts underway in support of Executive Order (E.O.) 13865 on Coordinating National Resilience to Electromagnetic Pulses…[that] establishes resilience and security standards for U.S. critical infrastructure as a national priority.”
    • DHS stated
      • E.O.13865 states, “An electromagnetic pulse (EMP) has the potential to disrupt, degrade, and damage technology and critical infrastructure systems. Human-made or naturally occurring EMPs can affect large geographic areas, disrupting elements critical to the Nation’s security and economic prosperity, and could adversely affect global commerce and stability. The federal government must foster sustainable, efficient, and cost-effective approaches to improving the Nation’s resilience to the effects of EMPs.”
      • In accordance with E.O.13865, the Department has identified initial critical infrastructure and associated functions that are at greatest risk from an EMP and is focusing efforts on the development and implementation of evidence-based and independently-tested EMP protection and mitigation technologies and resilience best practices. Initial efforts within the Department, working across the federal interagency, have focused on risk management to both the Energy and Communications Sectors.
  • Two United States Magistrate Judges denied three requests for a geofence warrant to serve on Google to obtain cell phone data from an area of Chicago for three forty-five minute periods on three different days. The courts took the unusual step of unsealing the opinions for the proceedings, which are not adversarial because the person or people suspected of being involved with the alleged crime are presumably unaware and therefore cannot contest the warrant application. If Google took an adversarial position, there is no indication in the decisions the company did so. However, Google did state in a filing that “[b]etween 2017 and 2018, Google saw a 1,500% increase in geofence requests…[and] [b]etween 2018 and 2019, that figure shot up another 500%.”
    • Moreover, one wonders if prosecutors did not also seek similar warrant requests from other companies such as telecommunications providers. Nonetheless, the judges ruled the geofence warrant requests violated the Fourth Amendment to the U.S. Constitution in a number of ways and suggested that narrower, more particular requests might have been legal.
    • In the first denial, the magistrate judge explained:
      • As to the first geofence request, the government has probable cause to believe that the suspect received the stolen pharmaceuticals from a commercial enterprise located within the designated geofence area during the designated forty-five minute interval in the early afternoon hours on the day of the first geofence request. The geofence, which has a 100-meter radius, is in a densely populated city, and the area contains restaurants, various commercial establishments, and at least one large residential complex, complete with a swimming pool, workout facilities, and other amenities associated with upscale urban living.
      • The second and third geofence requests focus on the same commercial enterprise where the government has probable cause to believe that the suspect shipped some of the stolen pharmaceuticals to a buyer, who purchased the pharmaceuticals from the suspect at the government’s direction. Again, the government’s requested geofence is a 100-meter radius area extending from the commercial establishment where the suspect shipped the pharmaceuticals and covers two separate dates for forty-five minute intervals in the early afternoon hours. This geofence includes medical offices and other single and multi-floor commercial establishments that are likely to have multiple patrons during the early afternoon hours.
      • The warrant application contemplates that the information will be obtained in three stages: (1) Google will be required to disclose to the government an anonymized list of devices that specifies information including the corresponding unique device ID, timestamp, coordinates, and data source, if available, of the devices that reported their location within the geofence during the forty-five minute periods; (2) the government will then review the list to prioritize the devices about which it wishes to obtain associated information; and (3) Google will then be required to disclose to the government the information identifying the Google account(s) for those devices about which the government further inquires. The warrant application includes no criteria or limitations as to which cellular telephones government agents can seek additional information.

Further Reading

  • “A Saudi Prince’s Attempt to Silence Critics on Twitter” By Bradley Hope and Justin Scheck – WIRED. Considering the United States Department of Justice indictments against three Saudi nationals in November 2019 and resulting news stories (“Why Do We Tolerate Saudi Money in Tech?” – The New York Times and “Former Twitter employees charged with spying for Saudi Arabia by digging into the accounts of kingdom critics” – The Washington Post), one might wonder what news there is in this excerpt from a book. But we learn that Twitter’s anti-establishment stance led the company’s lawyers to suspend the Saudi Twitter employee who was the target of a U.S. investigation, which allowed him to flee the U.S. Government lawyers were livid. The bigger issue is foreign operatives infiltrating social media platforms and then reaping information about selected people, especially dissidents.
  • “When Algorithms Give Real Students Imaginary Grades” By Meredith Broussard – The New York Times. The International Baccalaureate (IB) program used an algorithm to hand out grades this past spring when in-person exams were cancelled. It did not go well, as you might imagine. The same was true in the United Kingdom for its A-level exams, causing a furor there. The case is made for never using algorithms in education or related fields.
  • “Wheely ride-hailing app writes to UK privacy watchdog over Moscow data demands” By Simon Goodley – The Guardian. A British ride-sharing company wrote the United Kingdom’s data protection authority about data requests made by the Moscow Department of Transportation (MDOT) on individual riders. Wheely made the case to the Information Commissioner’s Office (ICO) that it could not hand over the data under the General Data Protection Regulation (GDPR), unlike some of the app’s rivals who apparently complied with the demand. It is not clear whether the company’s GDPR obligations would apply in another jurisdiction. It may be possible Wheely is trying to smear the other companies in the U.K.
  • “Deepfake porn is now mainstream. And major sites are cashing in” By Matt Burgess – Wired. Through the use of artificial intelligence technology, people are making fake pornography in which actresses’ faces are affixed to women’s bodies that are engaged in sexual acts. These deepfake porn videos are soaring in popularity, and there are often not good options for taking them down or taking legal action. This is another area in which technology has outpaced policy and law.
  • “Most cyber-security reports only focus on the cool threats” By Catalin Cimpanu – ZDNet. Turns out that commercial threat reports are issued with an eye towards generating business, and considering that governments and huge contractors have the deepest pockets, the issues of concern to them are covered while other less lucrative areas like threats to civil society are largely ignored. These reports also influence policymakers and give them a distorted picture of cyber threats.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (8 September)

Here is today’s Further Reading, Other Developments, and Coming Events.

Coming Events

  • The United States-China Economic and Security Review Commission will hold a hearing on 9 September on “U.S.-China Relations in 2020: Enduring Problems and Emerging Challenges” to “evaluate key developments in China’s economy, military capabilities, and foreign relations, during 2020.”
  • On 10 September, the General Services Administration (GSA) will have a webinar to discuss implementation of Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that bars the federal government and its contractors from buying the equipment and services from Huawei, ZTE, and other companies from the People’s Republic of China.
  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • The National Institute of Standards and Technology (NIST) announced a 15 and 16 September webinar to discuss its Draft Outline of Cybersecurity Profile for the Responsible Use of Positioning, Navigation, and Timing (PNT) Services. NIST stated it “seeks insight and feedback on this Annotated Outline to improve the PNT cybersecurity profile, which is scheduled for publication in February 2021…[and] [a]reas needing more input include feedback on the description of systems that use PNT services and the set of standards, guidelines, and practices addressing systems that use PNT services.” NIST explained that “[t]hrough the Profile development process, NIST will engage the public and private sectors on multiple occasions to include a request for information, participation in workshops, solicitation of feedback on this annotated outline, and public review and comment on the draft Profile.” The agency added “[t]he Profile development process is iterative and, in the end state, will identify and promote the responsible use of PNT services from a cybersecurity point of view.”
    • In June, NIST released a request for information (RFI) “about public and private sector use of positioning, navigation, and timing (PNT) services, and standards, practices, and technologies used to manage cybersecurity risks, to systems, networks, and assets dependent on PNT services.” This RFI is being undertaken per direction in a February executive order (EO) to serve as the foundation for the Trump Administration’s efforts to lessen the reliance of United States’ (U.S.) critical infrastructure on current PNT systems and services. Specifically, the EO seeks to build U.S. capacity to meet and overcome potential disruption or manipulation of the PNT systems and services used by virtually every key sector of the public and private sectors of the U.S.
    • NIST explained “Executive Order 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services, was issued on February 12, 2020 and seeks to protect the national and economic security of the United States from disruptions to PNT services that are vital to the functioning of technology and infrastructure, including the electrical power grid, communications infrastructure and mobile devices, all modes of transportation, precision agriculture, weather forecasting, and emergency response.” The EO directed NIST “to develop and make available, to at least the appropriate agencies and private sector users, PNT profiles.” NIST said “[r]esponses to this RFI will inform NIST’s development of a PNT profile, using the NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework), that will enable the public and private sectors to identify systems, networks, and assets dependent on PNT services; identify appropriate PNT services; detect the disruption and manipulation of PNT services; and manage the associated cybersecurity risks to the systems, networks, and assets dependent on PNT services.”
    • The EO defines the crucial term this RFI uses: “PNT profile” means a description of the responsible use of PNT services—aligned to standards, guidelines, and sector-specific requirements—selected for a particular system to address the potential disruption or manipulation of PNT services.
    • In April, the Department of Homeland Security (DHS) released a Congressionally required report, “Report on Positioning, Navigation, and Timing (PNT) Backup and Complementary Capabilities to the Global Positioning System (GPS),” as required by Section 1618 of the 2017 National Defense Authorization Act (NDAA) (P.L. 114–328), that was due in December 2017. DHS offered “recommendations to address the nation’s PNT requirements and backup or complementary capability gaps.”
  • Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) has reversed itself and decided that the Swiss-U.S. Privacy Shield does not provide adequate protection for Swiss citizens whose data is transferred for processing into the United States (U.S.). However, it does not appear that there will be any practical effect as of yet. The FDPIC determined that the agreement “does not provide an adequate level of protection for data transfer from Switzerland to the US pursuant to the Federal Act on Data Protection (FADP).” This decision comes two months after the Court of Justice of the European Union (CJEU) struck down the European Union-U.S. Privacy Shield. The FDPIC noted this determination followed “his annual assessment of the Swiss-US Privacy Shield regime and recent rulings on data protection by the CJEU.” The FDPIC also issued a policy paper explaining the determination. The FDPIC added
    • As a result of this assessment, which is based on Swiss law, the FDPIC has deleted the reference to ‘adequate data protection under certain conditions’ for the US in the FDPIC’s list of countries. Since the FDPIC’s assessment has no influence on the continued existence of the Privacy Shield regime, and those concerned can invoke the regime as long as it is not revoked by the US, the comments on the Privacy Shield in the list of countries will be retained in an adapted form.
  • The United States Department of Defense (DOD) released its statutorily required annual report on the People’s Republic of China (PRC) that documented the rising power of the nation, especially with respect to cybersecurity and information warfare. The Pentagon noted
    • 2020 marks an important year for the People’s Liberation Army (PLA) as it works to achieve important modernization milestones ahead of the Chinese Communist Party’s (CCP) broader goal to transform China into a “moderately prosperous society” by the CCP’s centenary in 2021. As the United States continues to respond to the growing strategic challenges posed by the PRC, 2020 offers a unique opportunity to assess both the continuity and changes that have taken place in the PRC’s strategy and armed forces over the past two decades.
    • Regarding Cyberwarfare, the DOD asserted
      • The development of cyberwarfare capabilities is consistent with PLA writings, which identify Information Operations (IO) – comprising cyber, electronic, and psychological warfare – as integral to achieving information superiority and as an effective means for countering a stronger foe. China has publicly identified cyberspace as a critical domain for national security and declared its intent to expedite the development of its cyber forces.
      • The PRC presents a significant, persistent cyber espionage and attack threat to military and critical infrastructure systems. China seeks to create disruptive and destructive effects—from denial-of-service attacks to physical disruptions of critical infrastructure—to shape decision-making and disrupt military operations in the initial stages of a conflict by targeting and exploiting perceived weaknesses of militarily superior adversaries. China is improving its cyberattack capabilities and has the ability to launch cyberattacks—such as disruption of a natural gas pipeline for days to weeks—in the United States.
      • PLA writings note the effectiveness of IO and cyberwarfare in recent conflicts and advocate targeting C2 and logistics networks to affect an adversary’s ability to operate during the early stages of conflict. Authoritative PLA sources call for the coordinated employment of space, cyber, and EW as strategic weapons to “paralyze the enemy’s operational system of systems” and “sabotage the enemy’s war command system of systems” early in a conflict. Increasingly, the PLA considers cyber capabilities a critical component in its overall integrated strategic deterrence posture, alongside space and nuclear deterrence. PLA studies discuss using warning or demonstration strikes—strikes against select military, political, and economic targets with clear “awing effects”—as part of deterrence. Accordingly, the PLA probably seeks to use its cyberwarfare capabilities to collect data for intelligence and cyberattack purposes; to constrain an adversary’s actions by targeting network-based logistics, C2, communications, commercial activities, and civilian and defense critical infrastructure; or, to serve as a force-multiplier when coupled with kinetic attacks during armed conflict.
      • The PLA’s ongoing structural reforms may further change how the PLA organizes and commands IO, particularly as the Strategic Support Force (SSF) evolves over time. By consolidating cyber and other IO-related elements, the SSF likely is generating synergies by combining national-level cyber reconnaissance, attack, and defense capabilities in its organization.
    • The DOD also noted the PLA’s emphasis on intelligentized warfare:
      • The PLA sees emerging technologies as driving a shift to “intelligentized” warfare from today’s “informatized” way of war. PLA strategists broadly describe intelligentized warfare as the operationalization of artificial intelligence (AI) and its enabling technologies, such as cloud computing, big data analytics, quantum information, and unmanned systems, for military applications. These technologies, according to PRC leaders—including Chairman Xi Jinping—represent a “Revolution in Military Affairs” for which China must undertake a whole-of-government approach to secure critical economic and military advantages against advanced militaries.
  • The United States’ (U.S.) Citizenship and Immigration Services (USCIS) of the Department of Homeland Security (DHS) is proposing a rule “to amend DHS regulations concerning the use and collection of biometrics in the enforcement and administration of immigration laws by USCIS, U.S. Customs and Border Protection (CBP), and U.S. Immigration and Customs Enforcement (ICE).”
    • USCIS further explained:
    • First, DHS proposes that any applicant, petitioner, sponsor, beneficiary, or individual filing or associated with an immigration benefit or request, including United States citizens, must appear for biometrics collection without regard to age unless DHS waives or exempts the biometrics requirement.
    • Second, DHS proposes to authorize biometric collection, without regard to age, upon arrest of an alien for purposes of processing, care, custody, and initiation of removal proceedings.
    • Third, DHS proposes to define the term biometrics.
    • Fourth, this rule proposes to increase the biometric modalities that DHS collects, to include iris image, palm print, and voice print.
    • Fifth, this rule proposes that DHS may require, request, or accept DNA test results, which include a partial DNA profile, to prove the existence of a claimed genetic relationship and that DHS may use and store DNA test results for the relevant adjudications or to perform any other functions necessary for administering and enforcing immigration and naturalization laws.
    • Sixth, this rule would modify how VAWA and T nonimmigrant petitioners demonstrate good moral character, as well as remove the presumption of good moral character for those under the age of 14. 
    • Lastly, DHS proposes to further clarify the purposes for which biometrics are collected from individuals filing immigration applications or petitions, to include criminal history and national security background checks; identity enrollment, verification, and management; secure document production, and to administer and enforce immigration and naturalization laws.

Further Reading

  • “State aid helps China tech leaders shrug off US sanctions” By Kenji Kawase – Nikkei Asian Review. A number of companies placed on the United States’ no-trade list have received generous subsidies from their government in Beijing. The People’s Republic of China (PRC) sees the health of a number of these companies as vital to its long term development and is willing to prop them up. Some companies have received multiples of their net profit to keep them afloat.
  • “Facebook Says Trump’s Misleading Post About Mail-In Voting Is OK. Employees Say It’s Not.” By Craig Silverman and Ryan Mac – BuzzFeed News. There is more internal dissension at Facebook even after the company’s announcement it would not accept political advertising the last week of the election and correct misinformation about voting. Within hours of this policy change, President Donald Trump encouraged voters to possibly vote twice, which many Facebook employees saw as a violation of the new policy. The company disagreed and appended a claim from a bipartisan think tank study finding that mail-in voting is largely fraud free.
  • “Why Facebook’s Blocking of New Political Ads May Fall Short” By Davey Alba and Sheera Frenkel – The New York Times. This piece explains in detail why Facebook’s new policy to combat political misinformation is likely to fall quite short of addressing the problem.
  • “Student arrested for cyberattack against Miami schools used ‘easy to prevent’ program” By Colleen Wright and David Ovalle – Miami Herald. The United States’ fourth largest school district fell victim to a distributed denial of service attack launched by a 16-year-old student using more than a decade old tools downloaded from the internet. This unnamed hacker foiled the Miami-Dade school district’s first three days of online classes, raising questions about the cybersecurity of the school system if such an old attack succeeded so easily and how safe the personal information of students is in this school system and others around the country.
  • “Trump and allies ratchet up disinformation efforts in late stage of campaign” By Ashley Parker – The Washington Post. It has been apparent for some that President Donald Trump and a number of his Republican allies are intentionally or recklessly spreading false information to try to help his campaign cover ground against frontrunner former Vice President Joe Biden. The goal is to so muddy the waters that the average person will neither be able to discern the truth of a claim nor be concerned about doing so. This approach is the very same Russia’s leader Vladimir Putin has successfully executed in pushing his country into a post-truth world. Experts are warning that a continuation of this trend in the United States (U.S.) could wreak potentially irreparable harm.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


Pending Legislation In U.S. Congress, Part II

Appropriations will, of course, be enacted, but when is the question. And along with bills to fund the U.S. government come policy direction.

As Congress returns from an eventful summer recess, it is possible technology focused and related legislation is passed or advances towards passage before the body leaves Washington in late September. Yesterday, we examined the FY 2021 National Defense Authorization Act (NDAA) and the lapsed provisions in the Foreign Intelligence Surveillance Act (FISA). Today we will look at appropriations.

Passage of regular appropriations during federal election years is almost always delayed until after the election, and the Congress and the President usually agree to extend the current year’s level of funding for agencies through late November or early December (aka a continuing resolution). This year, negotiations over another potential pandemic package might complicate passage of a continuing resolution (CR) this month, but it appears, at present, the two issues are being handled separately, with Speaker of the House Nancy Pelosi (D-CA) and Secretary of the Treasury Steven Mnuchin having reached agreement in principle on a CR. It remains to be seen whether this agreement will hold through passage of legislation to keep the U.S. government funded, as carefully negotiated deals have unraveled at the last minute when President Donald Trump found reason to object.

Also, there have been only four fiscal years since the enactment of the Congressional Budget Act of 1974 in which all the appropriations bills were enacted by the beginning of the coming fiscal year. Therefore, it is almost certainly going to be the case that the current fractured political environment in Washington results in a continuing resolution for the first few months of FY 2021 and quite possibly well into calendar year 2021 should the Democrats take control of the White House and Senate.

Moreover, the Trump Administration has again proposed steep cuts to many civilian agencies that the Congress will probably ignore, judging by the appropriations processes of the previous three fiscal years. Nonetheless, in a footnote to a summary table in its FY 2021 budget request, the Administration explained it is “propos[ing] to fund base defense programs for 2021 at the existing [Budget Control Act] cap and fund base [non-defense] programs at a level that is five percent below the 2020 [non-defense] cap.” The Administration asked that Congress “extend the [Budget Control Act] caps through 2025 at the levels included in the 2021 Budget…[which] would provide an increase in defense funding of about two percent each year, and decrease funding for [non-defense] programs by two percent (or “2-penny”) each year.”

However, the House Appropriations Committee has again rejected these deep cuts to non-defense funding and has moved forward by passing 10 of the 12 annual bills in July. By way of contrast, the Senate Appropriations Committee has not even considered any of its bills in committee, reportedly because there was a desire to shield vulnerable Republicans running for reelection from taking tough votes on politically divisive issues. Consequently, the Senate Appropriations Committee almost certainly has bills it has worked on that are ready to go when the time comes to consider the inevitable bundling of bills either into one omnibus or smaller packages to enact FY 2021 funding.

In any event, the annual appropriations bills provide top-line funding numbers for a number of agencies with jurisdiction over United States’ technology programs and policies. There can be policy directives written into these bills usually in the form of denying the use of funds for certain purposes or tying the use of funds to an agency addressing an issue of importance to a committee or subcommittee. However, the more directive policy changes are usually written in the Committee Reports that accompany the bills.

FY 2021 Homeland Security Appropriations Act

The Homeland Security Subcommittee marked up and reported out to the full committee its “FY 2021 Homeland Security Appropriations Act” that would provide the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) with $1.844 billion for operations and support, $396 million for procurement, construction, and improvement, and $14.4 million for research & development. For FY 2020, CISA was appropriated $1.566 billion for operations and support, $434 million for procurement, construction, and improvement, and $14.4 million for research & development. For the next fiscal year, the Trump Administration requested $1.438 billion, $313 million, and $6.4 million respectively for the same categories of programs. Moreover, the Committee made available its Committee Report. However, this bill has not come to the House floor and likely will not, to shield Democrats seeking reelection in moderate or right-leaning districts from facing votes on issues like immigration.

The package includes $2.6 million for a Joint Cybersecurity Coordination Group (JCCG) inside DHS to “serve as a coordinating entity that will help the Department identify strategic priorities and synchronize cyber-related activities across the operational components.” This new entity comes about because the Trump Administration requested its creation as part of its FY 2021 budget request. The Committee expressed disappointment with “the lack of quality and detail provided in CISA’s fiscal year 2021 budget justification documents, to include several errors and unjustified adjustments that appear to be attributable to CISA’s premature proposal for a new Program, Project, or Activity (PPA) structure and raise questions about whether the budget could be executed as requested.” Consequently, the Committee directed that CISA “submit the fiscal year 2022 budget request at the same level of PPA detail as provided in the table at the end of this report with no further adjustments to the PPA structure.”

Among other programmatic and funding highlights, the Committee

  • “[E]ncourage[d] CISA to continue to use commercial, human-led threat behavioral analysis and technology, and to employ private sector, industry-specific, threat intelligence and best practices to better characterize potential consequences to critical infrastructure sectors during a systemic cyber event.”
  • Urged “CISA and the Election Infrastructure Information Sharing and Analysis Center (EI–ISAC) to expand outreach to the most vulnerable jurisdictions” with respect to election security assistance.
  • Directed “CISA to continue providing the semiannual briefing on the National Cybersecurity Protection System (NCPS) program and the Continuous Diagnostics and Mitigation (CDM)”
  • Pointed to $5.8 million to set up a “central Federal information security incident center,” a requirement mandated by the Federal Information Security Modernization Act (FISMA) (P.L. 113-283) and $9.3 million “to establish a formal program office to coordinate supply chain risk management efforts for federal civilian agencies; act as the executive agent for the Federal Acquisition Security Council (FASC), as authorized by the SECURE Technology Act, 2018 (Public Law 115–390); and fund various supply chain related efforts and services.”
  • Emphasized its increase of $6 million as compared to FY 2020 “to grow CISA’s threat hunting capabilities” “[i]n the face of cyber threats from nation-state adversaries such as Russia, China, Iran, and North Korea.”
  • “[P]rovide[d] an increase of $11,568,000 above the request to establish a Joint Cyber Center (JCC) for National Cyber Defense to bring together federal and State, Local, Tribal, and Territorial (SLTT) governments, industry, and international partners to strategically and operationally counter nation-state cyber threats.”
  • Bestowed “an increase of $10,022,000 above the request for the underlying infrastructure that enables better identification, analysis, and publication of known vulnerabilities and common attack patterns, including through the National Vulnerability Database, and to expand the coordinated responsible disclosure of vulnerabilities.”
  • Noted “[t]hrough the Shared Cybersecurity Services Office (SCSO), CISA serves as the Quality Services Management Office for federal cybersecurity” and explained “[t]o help improve efforts to make strategic cybersecurity services available to federal agencies, the Committee includes $5,064,000 above the request to sustain prior year investments and an additional $5,000,000 to continue to expand the office.”
  • Expressed its concern “about cyber vulnerabilities within supply chains, which pose unacceptable risks to the nation’s physical and cyber infrastructure and, therefore, to national security” and provided “an increase of $18,005,000 above the request to continue the development of capabilities to address these risks through the ICT Supply Chain Risk Management Task Force and other stakeholders, such as the FASC.”

FY 2021 Financial Services and General Government Appropriations Act

The FY 2021 Financial Services and General Government Appropriations Act has a provision that would bar either the Federal Trade Commission (FTC) or Federal Communications Commission (FCC) from taking certain actions related to Executive Order 13925, “Preventing Online Censorship,” issued in May by the White House after Twitter fact checked a pair of President Donald Trump’s Tweets that contained untruthful claims about voting by mail. It is very unlikely Senate Republicans, some of whom have publicly supported this Executive Order, will allow this language into the final bill funding the agencies.

Under the Executive Order, the National Telecommunications and Information Administration (NTIA) is to file a petition for rulemaking with the FCC to clarify the interplay between clauses of 47 USC 230, notably whether the liability shield that protects companies like Twitter and Facebook for content posted on an online platform also extends to so-called “editorial decisions,” presumably actions like Twitter’s in fact checking Trump regarding mail balloting. The NTIA would also ask the FCC to define better the conditions under which an online platform may take down content in good faith that are “deceptive, pretextual, or inconsistent with a provider’s terms of service; or taken after failing to provide adequate notice, reasoned explanation, or a meaningful opportunity to be heard.” The NTIA is also to ask the FCC to promulgate any other regulations necessary to effectuate the EO. The FTC was directed to consider whether online platforms are violating Section 5 of the FTC Act barring unfair or deceptive practices, which “may include practices by entities covered by section 230 that restrict speech in ways that do not align with those entities’ public representations about those practices.”

In the Committee Report for the FY 2021 Financial Services and General Government Appropriations Act, the House Appropriations Committee explained it provided $341 million for the FTC, “a $10,000,000 increase over fiscal year 2020… will increase the FTC’s capabilities both to monitor mergers and acquisitions that could reduce competition or lead to higher prices, and to take enforcement action against companies that fail to take reasonable steps to secure their customer data or that engage in other problematic trade practices.”

The Committee detailed the following program and funding provisions related to the FTC, including combatting fraudulent calls to seniors, robocalls, fraudulent health care calls, and the following:

  • Cryptocurrency.—The Committee encourages the FTC to work with the Securities and Exchange Commission, other financial regulators, consumer groups, law enforcement, and other public and private stakeholders to identify and investigate fraud related to cryptocurrencies market and discuss methods to empower and protect consumers.
  • Consumer Repair Rights.—The Committee is aware of the FTC’s ongoing review of how manufacturers—in particular mobile phone and car manufacturers—may limit repairs by consumers and repair shops, and how those limitations may increase costs, limit choice, and impact consumers’ rights under the Magnuson-Moss Warranty Act. Not later than 120 days after the enactment of this Act, the FTC is directed to provide to the Committee, and to publish online, a report on anticompetitive practices related to repair markets. The report shall provide recommendations on how to best address these problems.
  • Antitrust Actions.—The Committee directs the GAO to study FTC and DOJ antitrust actions over the past 25 years. The study shall examine the following questions: How many instances have FTC and DOJ been on opposing sides of the same matter? In how many of these instances was the split created by (a) the FTC intervening in DOJ’s case; and (b) the DOJ intervening in FTC’s case? In these instances, how (if at all) did the split affect the final outcome (e.g., did the judicial opinion cite the split or explain how it affected the court’s decision)? In how many instances has an FTC action appeared before the Supreme Court? Of these instances, in how many cases did the FTC represent itself (rather than be represented by the Solicitor General)? In how many instances has the DOJ or FTC reneged on a clearance agreement with the other agency? In how many of these instances was the disruption created by (a) the FTC’s decision to renege on the agreement; and (b) the DOJ’s decision to renege on the agreement? How many amicus briefs did each agency file in each year? How many of the total amicus briefs filed by DOJ were done so at the invitation of the court? How many of the total amicus briefs filed by FTC were done so at the invitation of the court?

With respect to the FCC, the package provides $376 million and requires a host of programmatic responses, including:

  • Broadband Maps.—The Committee provides significant funding for upfront costs associated with implementation of the Broadband DATA Act. The Committee anticipates funding related to the Broadband DATA Act will decline considerably in future years and expects the FCC to repurpose a significant amount of staff currently working on economic, wireline, and wireless issues to focus on broadband mapping.
  • Broadband Access.—The Committee believes that deployment of broadband in rural and economically disadvantaged areas is a driver of economic development, jobs, and new educational opportunities. The Committee supports FCC efforts to judiciously allocate Universal Service Fund (USF) funds for these areas.
  • Rural Digital Opportunity Fund.—The Committee appreciates the significant investment the FCC is planning to make to deploy broadband services to unserved areas. The Committee recognizes the need for government programs to minimize instances in which two different providers receive support from two different programs to serve the same location. However, the Committee is concerned that current program rules may have the unintended consequence of discouraging other funding sources from participating in broadband deployment, particularly State-based programs. The Committee directs the FCC to adjust program rules to ensure applicants, and the States in which those applicants would deploy broadband, are not put at a disadvantage when applying for the Rural Digital Opportunity Fund based on the State’s proactive, independent investment in broadband.
  • Lifeline Service.—The Committee is concerned that changes to the Lifeline minimum service standards and support levels will adversely impact low-income Americans, including many suffering from economic hardships due to the coronavirus. The Committee directs the FCC to pause implementation of any changes to the currently applicable minimum service standards for Lifeline-supported mobile broadband service and any changes in the current levels of Lifeline support for voice services until the FCC has completed the State of the Lifeline Marketplace Report required by the 2016 Lifeline Order…
  • Mid-Band Spectrum.—The Committee believes that Fifth-Generation (5G) mobile technology is critical to U.S. national and economic security. A key component of the U.S. strategy for 5G is ensuring that U.S. wireless providers have enough mid-band spectrum (frequencies between 3 GHz and 24 GHz), which provides fast data connections while also traveling longer distances. The Committee is concerned that the U.S. is falling behind other countries in the allocation of such spectrum. The Committee urges the Administration and the FCC to work expeditiously to identify and make available more mid-band spectrum for 5G so that the U.S. does not fall further in the race to deploy 5G networks and services.
  • 5G Supply Chain.—The Committee understands the importance of a secure 5G technology supply chain. The Committee encourages the FCC to investigate options for increasing supply chain diversity, competition, and network security via interoperable technologies and open standard-based interfaces.

The Committee had a range of mandates for the Office of Management and Budget (OMB):

  • Federal and Critical Infrastructure Cybersecurity.—The Committee is aware that Federal agencies and the nation’s critical infrastructure face unique cybersecurity threats. Executive Order 13800, issued on May 11, 2017, directs agency heads to implement several risk management and cybersecurity measures, including the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity. OMB is directed to report, within 90 days of enactment of this Act, on the status of compliance with Executive Order 13800 by each applicable agency. The report shall identify risk management and cybersecurity compliance gaps and outline the steps each agency needs to take to manage such risks. OMB shall prioritize working with the applicable agency heads to address remaining gaps and inconsistencies.
  • Federal Information Technology Workforce.—OMB is directed to consult with the Office of Personnel Management and the General Services Administration and report to the Committee, no later than September 30, 2021, on gaps in Federal information technology workforce skills, disciplines, and experience required to enable the Federal government to modernize its ability to use technology and develop effective citizen-facing digital services to carry out its mission.

The Committee noted its additional funding to the Election Assistance Commission (EAC) for Election Security Grants of $500 million:

  • [T]he Coronavirus Aid, Relief, and Economic Security Act (CARES Act) (P.L. 116–136) included $400,000,000 for grants to States to prevent, prepare for, and respond to coronavirus. The Committee is gravely concerned by persistent threats from Russia and other foreign actors attempting to influence the U.S. democratic process, and vulnerabilities that continue to exist throughout the Nation’s election system.
  • Since fiscal year 2018, Congress has provided $805,000,000 in grants to States to improve the security of elections for Federal office.
  • However, that funding has been inconsistent, unpredictable, and insufficient to meet the vast need across all the States and territories.
  • Congress must provide a consistent, steady source of Federal funds to support State and local election officials on the frontlines of protecting U.S. elections. The bill requires States to use payments to replace direct-recording electronic (DRE) voting machines with voting systems that require the use of an individual, durable, voter-verified paper ballot, marked by the voter by hand or through the use of a non-tabulating ballot marking device or system, and made available for inspection and verification by the voter before the vote is cast and counted.
  • Funds shall only be available to a State or local election jurisdiction for further election security improvements after a State has submitted a certification to the EAC that all DRE voting machines have been or are in the process of being replaced. Funds shall be available to States for the following activities to improve the security of elections for Federal office:
    • implementing a post-election, risk-limiting audit system that provides a high level of confidence in the accuracy of the final vote tally;
    • maintaining or upgrading election-related computer systems, including voter registration systems, to address cyber vulnerabilities identified through DHS scans or similar assessments of existing election systems;
    • facilitating cyber and risk mitigation training for State and local election officials;
    • implementing established cybersecurity best practices for election systems; and
    • other priority activities and investments identified by the EAC, in consultation with DHS, to improve election security.
  • The EAC shall define in the Notice of Grant Award the eligible investments and activities for which grant funds may be used by the States. The EAC shall review all proposed investments to ensure funds are used for the purposes set forth in the Notice of Grant Award.
  • The bill also requires that not less than 50 percent of the payment made to a State be allocated in cash or in kind to local government entities responsible for the administration of elections for Federal office.

Regarding the General Services Administration (GSA), the Committee directed the following:

  • Interagency Task Force on Health and Human Services Information Technology (IT).— The Committee urges the Chief Information Office and Chief Technology Officer (CTO) of HHS, in collaboration with the White House CTO and U.S. Department of Agriculture (USDA), as well as the Office of the National Coordinator for Health Information Technology (ONC) within HHS, 18F within the GSA, and the Cybersecurity and Infrastructure Security Agency (CISA) within the U.S. Department of Homeland Security, to establish an interagency task force that will examine existing IT infrastructure in Federal health human service programs nationwide and identify the limitations to successfully integrating and modernizing health and human services IT, and the network security necessary for health and human services IT interoperability. The task force shall submit to the Committee within 180 days of enactment on this Act a report on its progress and on recommendations for further Congressional action, which should include estimated costs for agencies to make progress on interoperability initiatives.
  • Category Management.—The Committee is interested in understanding the effects of GSA’s category management policy on contracts with small businesses. Category management refers to the business practice of buying common goods and services as an enterprise to eliminate redundancies, increase efficiency, and deliver more value and savings from the Federal government’s acquisition programs. Within 180 days of the enactment of this Act, the Committee directs GSA, in cooperation with SBA, to submit a report to the Committee on the number of contracts that could have been awarded under sections 8(a), 8(m), 15(a), 15(j), 31, or 36 of the Small Business Act, but were exempted by category management since its implementation.

The Committee made the following recommendations generally:

  • Cyberspace Solarium Commission Recommendations.—The Committee recognizes and supports the priorities and recommendations laid out in the Cyberspace Solarium Commission’s report and urges Federal departments and agencies to align cybersecurity budgetary priorities with those laid out by the Commission. In particular, the Committee calls attention to recommendation 3.2, Develop and Maintain Continuity of the Economy Planning; recommendation 4.6.3, Strengthen the Capacity of the Committee on Foreign Investment in the United States, particularly with respect to the need to train Federal bankruptcy judges; recommendation 3.4, Improve and Enhance the Funding of the Election Assistance Commission; and recommendation 3.1, Strengthen Sector-specific Agencies’ Ability to Manage Critical Infrastructure Risk, particularly with respect to the Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection.
  • Zero Trust Model.—The Committee is aware that the most effective cybersecurity systems are based on the zero trust model, which is designed not only to prevent cyber intrusions but to prevent cyberthieves from accessing or removing protected information. To ensure that Federal agencies achieve the highest level of security against cyberattacks in the shortest amount of time, the Committee encourages all agencies to acquire and deploy zero trust cybersecurity software that is compatible with all existing operating systems and hardware platforms used by Federal agencies. The Committee also encourages Federal agencies to acquire and utilize software compatible with all existing operating systems and hardware platforms that will enable agencies to measure or quantify their risk of a cybersecurity attack in the months ahead and the types of cyberattack the agency is most likely to experience. Upon learning the risk and type of cyberattack the agency is most likely to face, the agency shall immediately take remedial action to minimize such risk. Agencies shall include information in their fiscal year 2022 Congressional Justification to Congress on their progress in complying with this directive.

FY 2021 Department of Defense Appropriations Act

On 14 July, the House Appropriations Committee marked up and reported out the “FY 2021 Department of Defense Appropriations Act,” which would provide $695 billion for the Department of Defense (DOD), “an increase of $1,294,992,000 above the fiscal year 2020 enacted level and a decrease of $3,695,880,000 below the budget request.” The House subsequently passed this bill.

The Committee Report contained these technology-related provisions:

  • ZERO TRUST ARCHITECTURE. The Committee encourages the Secretary of Defense to implement a Zero Trust Architecture to increase its cybersecurity posture and enhance the Department’s ability to protect its systems and data.
  • DISTRIBUTED LEDGER TECHNOLOGY RESEARCH AND DEVELOPMENT. The Committee is aware that distributed ledger technologies, such as blockchain, may have potentially useful applications for the Department of Defense, which include but are not limited to distributed computing, cybersecurity, logistics, and auditing. Therefore, the Committee encourages the Under Secretary of Defense (Research and Engineering) to consider research and development to explore the use of distributed ledger technologies for defense applications.
  • ARTIFICIAL INTELLIGENCE PARTNERSHIPS. The Committee is aware of the United States-Singapore partnership focusing on applying artificial intelligence in support of humanitarian assistance and disaster relief operations, which will help first responders better serve those in disaster zones. The Committee encourages the Secretary of Defense to pursue similar partnerships with additional partners in different regions, including the Middle East.
  • CYBER EDUCATION COLLABORATIVES. The Committee remains concerned by widespread shortages in cybersecurity talent across both the public and private sector. In accordance with the recommendations of the Cyberspace Solarium Commission, the Committee encourages the Under Secretary of Defense (Research and Engineering) to direct cyber-oriented units to collaborate with local colleges and universities on research, fellowships, internships, and cooperative work experiences to expand cyber-oriented education opportunities and grow the cybersecurity workforce. The Committee also appreciates that veterans and transitioning servicemembers could serve as a valuable recruiting pool to fill gaps in the cybersecurity workforce. Accordingly, the Committee encourages the Under Secretary to prioritize collaboration with colleges and universities near military installations as well as the veteran population.
  • 5G TELECOMMUNICATIONS TECHNOLOGY. The Committee is concerned about reports that foreign manufacturers are significantly ahead of United States companies in the development and deployment of 5G telecommunications technologies, which poses a national security risk to the United States and its allies. Without a robust domestic 5G supply chain, the United States will be vulnerable to 5G systems that facilitate cyber intrusion from hostile actors. In order to secure a reliable 5G system and a domestic supply chain that meets the national security needs of the United States and its allies, the Committee encourages the Secretary of Defense to accelerate engagement with domestic industry partners that are developing 5G systems. Additionally, the Committee is aware of the significant investments being made in 5G efforts but is concerned with the level of detail provided for congressional oversight. The Committee directs the Under Secretary of Defense (Research and Engineering) to conduct quarterly execution briefings with the House and Senate Appropriations Committees beginning not later than 90 days after the enactment of this Act.
  • MILITARY INFORMATION SUPPORT OPERATIONS. Over the past decade, the bulk of activities under Military Information Support Operations (MISO) focused on countering violent extremist organizations (VEO). While VEOs remain an ongoing threat and require continued vigilance, peer and near-peer adversaries like China and Russia are using social media and other vectors to weaken domestic and international institutions and undermine United States interests. This new information environment and the difficulty of discriminating between real and fake information heightens the importance of enhancing and coordinating United States government information-related capabilities as a tool of diplomatic and military strategy.
  • The Committee recognizes the efforts and accomplishments of the United States Special Operations Command and other agencies within the executive branch to operate in the digital domain. However, it is difficult to view individual agency activities as a coordinated whole of government effort. Over the past several years, the classified annex accompanying annual Department of Defense Appropriations Acts included direction focusing on the individual activities of geographic combatant commands. However, information messaging strategies to counter Chinese and Russian malign influences cuts across these geographic boundaries and requires coordination between multiple government agencies using different authorities.
  • Therefore, in order to better understand how MISO activities support a whole of government messaging strategy, the Committee directs the Assistant Secretary of Defense (Special Operations/Low Intensity Conflict) to submit a report for MISO activities for the individual geographic combatant commands justified by the main pillars of the National Defense Strategy to the House and Senate Appropriations Committees not later than 15 days after submission of the fiscal year 2022 budget request and annually thereafter. The report shall include spend plans identifying the requested and enacted funding levels for both voice and internet activities and how those activities are coordinated with the Intelligence Community and the Department of State. The enacted levels will serve as the baseline for reprogramming in accordance with section 8007 of this Act. Furthermore, the Committee directs the Assistant Secretary of Defense (Special Operations/Low Intensity Conflict) to submit to the congressional defense committees, not later than 90 days after the end of the fiscal year, an annual report that provides details on each combatant commands’ MISO activities by activity name, description, goal or objective, target audience, dissemination means, executed funds, and assessments of their effectiveness. Additional details for the report are included in the classified annex accompanying this Act.

FY 2021 Commerce, Justice, Science Appropriations Act

In July, the “FY 2021 Commerce, Justice, Science Appropriations Act” was also marked up and reported out, and the House passed the bill. The Committee Report contains these provisions:

  • Cybersecurity Threats.—The Committee remains concerned that as the Census Bureau looks to modernize data collection methods, the Census Bureau could potentially be exploited by nefarious actors who seek to undermine the integrity of census data, which is vital to democratic institutions, and gain access to sensitive information otherwise protected by law. These threats include both hacking into the Census Bureau IT infrastructure and efforts to use supercomputing to unmask the privacy of census respondents. The Committee directs the Census Bureau to prioritize cyber protections and high standards of data differential privacy, while also maintaining the accuracy of the data, and expects the Census Bureau to update the Committee regularly on these efforts.
  • Cybersecurity and Privacy.—The proliferation of data generation, storage, and usage associated with the digital economy is making it increasingly important to protect that data with effective cryptography and privacy standards. The Committee is concerned that individual, corporate, and public-sector data privacy is continuously at risk from attacks by individual actors, criminal organization, and nation-states. The Committee urges NIST to address the rapidly emerging threats in this field by furthering the development of new and needed cryptographic standards and technologies.
  • National Initiative for Cybersecurity Education.—The Committee notes with concern the shortage of cybersecurity professionals across the government and private sector, from entry level applicants to experienced professionals. The Committee therefore supports the National Initiative for Cybersecurity Education (NICE) and directs NIST to provide resources commensurate with the prior fiscal year for this effort.
  • Cybersecurity Conformity Assessment Programs.—The Committee instructs NIST, in collaboration with other relevant organizations, to report to the Committee no later than 270 days after the enactment of this Act on challenges and approaches to establishing and managing voluntary cybersecurity conformity assessment programs for information and communication technologies including federal cloud technologies.
  • Cybersecurity Training.—Within the increase to Manufacturing Extension Partnership (MEP), the Committee directs NIST to maintain the core services of the MEP and encourages NIST to utilize existing expertise within its Information Technology Laboratory to increase cybersecurity technical training to small manufacturers to strengthen their cybersecurity capabilities given the troubling threats from state and non-state actors and other emerging threats.
  • Cybersecurity threat information sharing.—The Committee supports sharing by DOJ of cybersecurity threat warnings and intelligence with private companies who may benefit from actionable information to deter, prevent, or mitigate threats. The Committee asks DOJ to provide a briefing on this topic not later than 90 days after enactment of this Act.
  • Chinese-government affiliated companies.—The Committee is concerned with companies operating within the United States that are known to have substantial ties to the Chinese government, including full or partial ownership by the Chinese government, and that are required by Chinese law to assist in espionage activities, including collection of personally identifiable information of American citizens. Such companies may pose cybersecurity risks, such as vulnerabilities in their equipment, and some are the subject of ongoing Congressional and Executive Branch investigations involving their business practices. The Committee directs DOJ to enforce applicable laws and prevent the operation of known foreign entities who participate in the theft of American intellectual property, the harvesting of personal identifiable information on behalf of a foreign government, and the unlawful surveillance of American citizens by adversarial state-owned enterprises.

The National Institute of Standards and Technology (NIST) would be given $1.044 billion via the “FY 2021 Commerce-Justice-Science Appropriations Act.” NIST received a total of $1.034 billion for FY 2020, and the agency requested $737 million for the next fiscal year. This bill includes annual language barring any agency receiving funds under it from buying “a high-impact or moderate-impact information system” unless all the risks associated with the procurement of such a system have been mitigated, most especially supply chain risks that may originate in the People’s Republic of China, Iran, North Korea, or Russia.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


Further Reading, Other Developments, and Coming Events (4 September)

Here is today’s Further Reading, Other Developments, and Coming Events.

Coming Events

  • The United States-China Economic and Security Review Commission will hold a hearing on 9 September on “U.S.-China Relations in 2020: Enduring Problems and Emerging Challenges” to “evaluate key developments in China’s economy, military capabilities, and foreign relations, during 2020.”
  • On 10 September, the General Services Administration (GSA) will have a webinar to discuss implementation of Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that bars the federal government and its contractors from buying the equipment and services from Huawei, ZTE, and other companies from the People’s Republic of China.
  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted:
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • The United States (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Election Assistance Commission (EAC) “released the Election Risk Profile Tool, a user-friendly assessment tool to equip election officials and federal agencies in prioritizing and managing cybersecurity risks to the Election Infrastructure Subsector.” The agencies stated “[t]he new tool is designed to help state and local election officials understand the range of risks they face and how to prioritize mitigation efforts…[and] also addresses areas of greatest risk, ensures technical cybersecurity assessments and services are meeting critical needs, and provides a sound analytic foundation for managing election security risk with partners at the federal, state and local level.”
    • CISA and the EAC explained “[t]he Election Risk Profile Tool:
      • Is a user-friendly assessment tool for state and local election officials to develop a high-level risk profile across a jurisdiction’s specific infrastructure components;
      • Provides election officials a method to gain insights into their cybersecurity risk and prioritize mitigations;
      • Accepts inputs of a jurisdiction’s specific election infrastructure configuration; and
      • Outputs a tailored risk profile for jurisdictions, which identifies specific areas of highest risk and recommends associated mitigation measures that the jurisdiction could implement to address the risk areas.
  • The cybersecurity agencies of the Five Eyes nations have released a Joint Cybersecurity Advisory: Technical Approaches to Uncovering and Remediating Malicious Activity that “highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices.” The agencies asserted “[t]he purpose of this report is to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.”
    • The Australian Cyber Security Centre, Canada’s Communications Security Establishment, the United States’ Cybersecurity and Infrastructure Security Agency, the United Kingdom’s National Cyber Security Centre, and New Zealand’s National Cyber Security Centre and Computer Emergency Response Team summarized the key takeaways from the Joint Advisory:
      • When addressing potential incidents and applying best practice incident response procedures:
      • First, collect and remove for further analysis:
        • Relevant artifacts,
        • Logs, and
        • Data.
      • Next, implement mitigation steps that avoid tipping off the adversary that their presence in the network has been discovered.
      • Finally, consider soliciting incident response support from a third-party IT security organization to:
        • Provide subject matter expertise and technical support to the incident response,
        • Ensure that the actor is eradicated from the network, and
        • Avoid residual issues that could result in follow-up compromises once the incident is closed.
  • The United States’ (U.S.) Department of Justice (DOJ) and Federal Trade Commission (FTC) signed an Antitrust Cooperation Framework with their counterpart agencies from Australia, Canada, New Zealand, and the United Kingdom. The Multilateral Mutual Assistance and Cooperation Framework for Competition Authorities (Framework) “aims to strengthen cooperation between the signatories, and provides the basis for a series of bilateral agreements among them focused on investigative assistance, including sharing confidential information and cross-border evidence gathering.” Given that a number of large technology companies are under investigation in the U.S., the European Union (EU) and elsewhere, signaling a shift in how technology multinationals are being viewed, this agreement may enable cross-border efforts to collectively address alleged abuses. However, the Framework “is not intended to be legally binding and does not give rise to legal rights or obligations under domestic or international law.” The Framework provides:
    • Recognising that the Participants can benefit by sharing their experience in developing, applying, and enforcing Competition Laws and competition policies, the Participants intend to cooperate and provide assistance, including by:
      • a) exchanging information on the development of competition issues, policies and laws;
      • b) exchanging experience on competition advocacy and outreach, including to consumers, industry, and government;
      • c) developing agency capacity and effectiveness by providing advice or training in areas of mutual interest, including through the exchange of officials and through experience-sharing events;
      • d) sharing best practices by exchanging information and experiences on matters of mutual interest, including enforcement methods and priorities; and
      • e) collaborating on projects of mutual interest, including via establishing working groups to consider specific issues.
  • Dynasplint Systems alerted the United States Department of Health and Human Services (HHS) that it suffered a breach affecting more than 100,000 people earlier this year. HHS’ Office of Civil Rights (OCR) is investigating possible violations of Health Insurance Portability and Accountability Act regulations regarding the safeguarding of patients’ health information. If Dynasplint failed to properly secure patient information or its systems, OCR could levy a multimillion dollar fine given the size of the breach. For example, in late July, OCR fined a company over $1 million for the theft of an unencrypted laptop that exposed the personal information of a little more than 20,000 people.
    • Dynasplint, a Maryland manufacturer of range of motion splints, explained:
      • On June 4, 2020, the investigation determined that certain information was accessed without authorization during the incident.
      • The information may have included names, addresses, dates of birth, Social Security numbers, and medical information.
      • Dynasplint Systems reported this matter to the FBI and will provide whatever cooperation is necessary to hold perpetrators accountable.
  • The California Legislature has sent two bills to Governor Gavin Newsom (D) that would change how technology is regulated in the state, including one that would alter the “California Consumer Privacy Act” (AB 375) (CCPA) if the “California Privacy Rights Act” (CPRA) (Ballot Initiative 24) is not enacted by voters in the November election. The two bills are:
    • AB 1138 would amend the recently effective “Parent’s Accountability and Child Protection Act” to bar those under the age of 13 from opening a social media account unless the platform gets explicit consent from their parents. Moreover, “[t]he bill would deem a business to have actual knowledge of a consumer’s age if it willfully disregards the consumer’s age.”
    • AB 1281 would extend the carveout for employers to comply with the CCPA from 1 January 2021 to 1 January 2022. The CCPA “exempts from its provisions certain information collected by a business about a natural person in the course of the natural person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor, as specified…[and also] exempts from specified provisions personal information reflecting a written or verbal communication or a transaction between the business and the consumer, if the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from that company, partnership, sole proprietorship, nonprofit, or government agency.” AB 1281 “shall become operative only” if the CPRA is not approved by voters.
  • Senators Shelley Moore Capito (R-WV), Amy Klobuchar (D-MN) and Jerry Moran (R-KS) have written “a letter to Federal Trade Commission (FTC) Chairman Joseph Simons urging the FTC to take action to address the troubling data collection and sharing practices of the mobile application (app) Premom” and “to request information on the steps that the FTC plans to take to address this issue.” They asserted:
    • A recent investigation from the International Digital Accountability Council (IDAC) indicated that Premom may have engaged in deceptive consumer data collection and processing, and that there may be material differences between Premom’s stated privacy policies and its actual data-sharing practices. Most troubling, the investigation found that Premom shared its users’ data without their consent.
    • Moore Capito, Klobuchar, and Moran stated “[i]n light of these concerning reports, and given the critical role that the FTC plays in enforcing federal laws that protect consumer privacy and data under Section 5 of the Federal Trade Commission Act and other sector specific laws, we respectfully ask that you respond to the following questions:
      • 1. Does the FTC treat persistent identifiers, such as the non-resettable device hardware identifiers discussed in the IDAC report, as personally identifiable information in relation to its general consumer data security and privacy enforcement authorities under Section 5 of the FTC Act?  
      • 2. Is the FTC currently investigating or does it plan to investigate Premom’s consumer data collection, transmission, and processing conduct described in the IDAC report to determine if the company has engaged in deceptive practices?
      • 3. Does the FTC plan to take any steps to educate users of the Premom app that the app may still be sharing their personal data without their permission if they have not updated the app? If not, does the FTC plan to require Premom to conduct such outreach?
      • 4. Please describe any unique or practically uncommon uses of encryption by the involved third-party companies receiving information from Premom that could be functionally interpreted to obfuscate oversight of the involved data transmissions.
      • 5. How can the FTC use its Section 5 authority to ensure that mobile apps are not deceiving consumers about their data collection and sharing practices and to preempt future potentially deceptive practices like those Premom may have engaged in?

Further Reading

  • “Justice Dept. Plans to File Antitrust Charges Against Google in Coming Weeks” By Katie Benner and Cecilia Kang – The New York Times; “The Justice Department could file a lawsuit against Google this month, overriding skepticism from its own top lawyers” By Tony Romm – The Washington Post; “There’s a partisan schism over the timing of a Google antitrust lawsuit” By Timothy B. Lee – Ars Technica. The New York Times explains in its deeply sourced article that United States Department of Justice (DOJ) attorneys want more time to build a better case against Google, but that Attorney General William Barr is pressing for the filing of a suit as early as the end of this month in order for the Trump Administration to show voters it is taking on big tech. Additionally, a case against a tech company would help shore up the President’s right flank as he and other prominent conservatives continue to insist in the absence of evidence that technology companies are biased against the right. The team of DOJ attorneys has shrunk from 40 to about 20 as numerous lawyers asked off the case once it was clear what the Attorney General wanted. These articles also throw light on to the split between Republican and Democratic state attorneys general in the case they have been working on with the former accusing the latter of stalling for time in the hopes a Biden DOJ will be harsher on the company and the latter accusing the former of trying to file a narrow case while Donald Trump is still President that would impair efforts to address the range of Google’s alleged antitrust abuses.
  • “Facebook Moves to Limit Election Chaos in November” By Mike Isaac – The New York Times. The social network giant unveiled measures to fight misinformation the week before the United States election and afterwards should people try to make factually inaccurate claims about the results. Notably, political advertisements will be banned a week before the 3 November election, but this seems like pretty weak tea considering it will be business as usual until late October. Even though the company frames these moves as “additional steps we’re taking to help secure the integrity of the U.S. elections by encouraging voting, connecting people to authoritative information, and reducing the risks of post-election confusion,” the effect of misinformation, disinformation, and lies that proliferate on Facebook will have likely already taken root by late October. It is possible the company still wants the advertising revenue it would forgo if it immediately banned political advertising. Another proposed change is to provide accurate information about voting generally and COVID-19 and voting. In fact, the platform corrected a post of President Donald Trump’s that expressed doubts about mail-in voting.
  • “Washington firm ran fake Facebook accounts in Venezuela, Bolivia and Mexico, report finds” By Craig Timberg and Elizabeth Dwoskin – The Washington Post. In tandem with taking down fake content posted by the Internet Research Agency, Facebook also removed accounts traced back to a Washington, D.C. public relations firm, CLS Strategies, that was running multiple accounts to support the government in Bolivia and the opposition party in Venezuela, both of which are right wing. Using information provided by Facebook, Stanford University’s Internet Observatory released a report stating that “Facebook removed a network of 55 Facebook accounts, 42 Pages and 36 Instagram accounts attributed to the US-based strategic communications firm CLS Strategies for engaging in coordinated inauthentic behavior (CIB).” Stanford asserted these key takeaways:
    • 11 Facebook pages related to Bolivia mainly supported Bolivia’s Interim President Jeanine Áñez and disparaged Bolivia’s former president Evo Morales. All had similar creation dates and manager location settings.
    • Venezuela-focused assets supported and promoted Venezuelan opposition leaders but changed in tone in 2020, reflecting factional divides in the opposition and a turn away from Juan Guaidó.
    • In addition to fake accounts, removed Facebook accounts include six profiles that match the names and photos of CLS Strategies employees listed publicly on their website and appear to be their real accounts.
    • CLS Strategies has a disclosed contract with the Bolivian government to provide strategic communications counsel for Bolivia’s 2020 elections and to strengthen democracy and human rights in Bolivia.
    • Coordinated inauthentic behavior reports from Facebook and Twitter have increasingly included assets linked to marketing and PR firms originating and acting around the world. The firms’ actions violate the platforms’ terms by operating internationally and failing to identify their origins and motivations to users.
    • In its release on the issue, Facebook explained:
      • In August, we removed three networks of accounts, Pages and Groups. Two of them — from Russia and the US — targeted people outside of their country, and another from Pakistan focused on both domestic audiences in Pakistan and also in India. We have shared information about our findings with law enforcement, policymakers and industry partners.
  • “Belarusian Officials Shut Down Internet With Technology Made by U.S. Firm” By Ryan Gallagher – Bloomberg. A United States firm, Sandvine, sold deep packet inspection technology to the government in Belarus through a Russian intermediary. The technology was ostensibly to be used by the government to fend off dangers to the nation’s networks but was instead deployed to shut down numerous social media and news sites on the internet the day of the election. However, Belarusian activists quickly determined how to use workarounds, launching the current unrest that threatens to topple the regime. The same company’s technology has been used elsewhere in the world to cut off access to the internet as detailed by the University of Toronto’s Citizen Lab in 2018.
  • “Canada has effectively moved to block China’s Huawei from 5G, but can’t say so” – Reuters. In a move reminiscent of how the People’s Republic of China (PRC) tanked Qualcomm’s proposed purchase of NXP Semiconductors in 2018, Canada has effectively barred Huawei from its 5G networks by not deciding, which eventually sent a signal to its telecommunications companies to use Ericsson and Nokia instead. This way, there is no public announcement or policy statement the PRC can object to, and the country toes the line with its other Five Eyes partners that have banned Huawei in varying degrees. Additionally, given that two Canadian nationals are being held because Huawei Chief Financial Officer Meng Wanzhou is being detained in Canada awaiting extradition to the United States to face criminal charges, Ottawa needs to manage its relations with the PRC gingerly.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (2 September)

Here is today’s Further Reading, Other Developments, and Coming Events

Coming Events

  • The United States-China Economic and Security Review Commission will hold a hearing on 9 September on “U.S.-China Relations in 2020: Enduring Problems and Emerging Challenges” to “evaluate key developments in China’s economy, military capabilities, and foreign relations, during 2020.”
  • On 10 September, the General Services Administration (GSA) will have a webinar to discuss implementation of Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that bars the federal government and its contractors from buying the equipment and services from Huawei, ZTE, and other companies from the People’s Republic of China.
  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted:
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • The Department of Commerce’s Bureau of Industry and Security (BIS) released for comment an advanced notice of proposed rulemaking to implement a provision from a 2018 rewrite of the United States (U.S.) export control of certain technology, namely “foundational technology” in this case. The Export Control Reform Act (ECRA) (P.L. 115-232) required the Department of Commerce to establish “a regular, ongoing interagency process to identify emerging and foundational technologies,” and Commerce began the process with an advanced notice of proposed rulemaking to identify only emerging technologies in November 2018. Yet the agency has not followed up with draft regulations on managing the export control process for emerging technologies. BIS explained
    • Pursuant to the Export Control Reform Act of 2018, BIS and its interagency partners are engaged in a process to identify emerging and foundational technologies that are essential to the national security of the United States. Foundational technologies essential to the national security are those that may warrant stricter controls if a present or potential application or capability of that technology poses a national security threat to the United States. In order to determine if technologies are foundational, BIS will evaluate specific items, including items currently subject only to anti-terrorism (AT) controls on the CCL or those designated as EAR99.
    • Under ECRA, emerging and foundational technologies are those technologies that are essential to the national security of the United States and are not critical technologies described in Section 721(a)(6)(A)(i)-(v) of the Defense Production Act of 1950, as amended (DPA).
    • Section 1758 of ECRA requires that foundational technologies be identified, and that BIS establish appropriate controls for that technology under the EAR. At a minimum, such controls would apply to countries subject to an embargo, including an arms embargo, imposed by the United States.
    • ECRA also requires that the interagency process is to take into account:
      • The development of foundational technologies in foreign countries;
      • The effect export controls may have on the development of such technologies in the United States; and
      • The effectiveness of export controls imposed pursuant to ECRA on limiting the proliferation of foundational technologies to foreign countries.
  • The Privacy Commissioner of Canada Daniel Therrien responded to an inquiry from Members of Parliament “about the privacy implications of the federal government’s COVID-19 exposure notification application (COVID Alert) and the ArriveCAN application.” The OPC explained
    • Our review of the COVID Alert application highlighted serious weaknesses with our current federal privacy legislation. In this case, the government took the position that its privacy laws do not apply in light of its assertion that personal information is not collected by the application. Further, while the design of the application is good, and that the government has agreed to be subject to an independent review, the government was not bound to make these commitments. The government chose to respect the principles put forth in our guidance documents because public trust is vital to the application’s success. However, without robust laws, other programs and applications could be introduced in the future that are not so privacy-sensitive.
  • The Department of Commerce’s Bureau of Industry and Security (BIS) “added 24 Chinese companies to the Entity List for their role in helping the Chinese military construct and militarize the internationally condemned artificial islands in the South China Sea,” including a number of technology companies. BIS explained:
    • The Entity List is a tool utilized by BIS to restrict the export, re-export, and transfer (in-country) of items subject to the Export Administration Regulations (EAR) to persons (individuals, organizations, companies) reasonably believed to be involved, or to pose a significant risk of becoming involved, in activities contrary to the national security or foreign policy interests of the United States.
    • Additionally, in a related action, “the Department of State will begin imposing visa restrictions on People’s Republic of China (PRC) individuals responsible for, or complicit in, either the large-scale reclamation, construction, or militarization of disputed outposts in the South China Sea, or the PRC’s use of coercion against Southeast Asian claimants to inhibit their access to offshore resources.” The Department of State stated that “[t]hese individuals will now be inadmissible into the United States, and their immediate family members may be subject to these visa restrictions as well.”
  • The Trump Administration announced “more than $1 billion in awards for the establishment of 12 new AI and QIS research and development (R&D) institutes nationwide,” a substantial portion of which Congress would need to appropriate in future years. The White House claimed the National Science Foundation’s (NSF) Artificial Intelligence (AI) Research Institutes and the Department of Energy’s (DOE) quantum information science (QIS) Research Centers “will serve as national R&D hubs for these critical industries of the future, spurring innovation, supporting regional economic growth, and training our next generation workforce.”
  • The Trump Administration explained:
    • The National Science Foundation and additional Federal partners are awarding $140 million over five years to a total of seven NSF-led AI Research Institutes. These collaborative research and education institutes will focus on a range of AI R&D areas, such as machine-learning, synthetic manufacturing, precision agriculture, and forecasting prediction. Research will take place at universities around the country, including the University of Oklahoma at Norman, the University of Texas at Austin, the University of Colorado at Boulder, the University of Illinois at Urbana-Champaign, the University of California at Davis, and the Massachusetts Institute of Technology.
    • NSF anticipates making additional AI Research Institute awards in the coming years, with more than $300 million in total awards, including contributions from partner agencies, expected by next summer. Overall, NSF invests more than $500 million in artificial intelligence activities annually and is the largest Federal driver of nondefense AI R&D.
    • To establish the QIS Research Centers, DOE is announcing up to $625 million over five years to five centers that will be led by DOE National Laboratory teams at Argonne, Brookhaven, Fermi, Oak Ridge, and Lawrence Berkeley National Laboratories. Each QIS Center will incorporate a collaborative research team spanning multiple institutions as well as scientific and engineering disciplines. The private sector and academia will be providing another $300 million in contributions for the centers.

Further Reading

  • “Facebook takes down Russian operation that recruited U.S. journalists, amid rising concerns about election misinformation” By Elizabeth Dwoskin and Craig Timberg – The Washington Post; “Russians Again Targeting Americans With Disinformation, Facebook and Twitter Say” By Sheera Frenkel and Julian E. Barnes; “Russian internet trolls hired U.S. journalists to push their news website, Facebook says” By Kevin Collier and Ken Dilanian – NBC News. In what is more evidence that the Russian Federation’s tactics have changed even though its goals have not, Facebook and Twitter announced the takedown of content written by Americans for a fake news source created and run by the Internet Research Agency. The purported online publication, Peace Data, has posted a number of articles aimed at turning far left voters off to the Biden-Harris campaign. In a sign of evolution, however, they hired freelance American journalists to write content that was then amplified elsewhere on the internet. A very curious aspect of this incident is why the FBI merely tipped off Facebook and Twitter instead of a more vigorous approach to addressing efforts to again create distrust and chaos in a U.S. election. One of the articles claims the FBI does not respond to state-sponsored influence operations as they may not be against U.S. law.
  • “Big Tech Embraces New Cold War Nationalism” By JS Tan – Foreign Policy. This piece argues that Silicon Valley’s worldview and strategies have changed now in large part because of the rise of companies from the People’s Republic of China (PRC) like Huawei, TikTok, Tencent, and Alibaba. Now companies like Facebook and Google are discarding their internationalist, neoliberal approach and have aligned themselves with the United States (U.S.) government for a variety of reasons, including an inability to compete fairly inside the PRC. However, Silicon Valley and Washington’s interests on the PRC may be aligned, but in a number of other, very significant ways, especially with the current government, there are considerable differences.
  • “Amazon Is Spying on Its Workers in Closed Facebook Groups, Internal Reports Show” By Lauren Kaori Gurley and Joseph Cox – Vice. Another article about the online giant’s distaste for unions and labor organizing activity. In this piece, we learn that Amazon is monitoring public posts by Amazon Flex drivers and possibly even penetrating closed or private groups on platforms like Facebook and hen reportedly extensively inside the company on The other day, Vice broke a story about Amazon posting two positions for intelligence analysts to help the company track labor organizing. The company took down the positions after the story was posted.

Further Reading, Other Developments, and Coming Events (31 August)

Today’s Further Reading, Other Developments, and Coming Events.

Other Developments

  • A group of Democratic Senators wrote the Federal Communications Commission (FCC) “to express our profound frustration that the [agency] has failed to take forceful action to keep households connected during the COVID-19 pandemic.” They asserted that “[a]s millions of American families face unprecedented financial pressures and educational challenges, we urge the FCC to reverse proposed changes to the Lifeline program, take immediate steps to open its assistance to more households, and ensure that its services meet the pressing needs of families during this crisis.”
    • They claimed
      • Since the first weeks of [FCC Chair Ajit Pai’s tenure], the FCC has sought to block new broadband providers’ participation in the Lifeline program, curtail benefits in tribal areas, exclude existing carriers, rollback reforms for registering new carriers, make it harder for new applicants to subscribe, prevent carriers from offering free in-person distribution of phones, reduce incentives to enroll subscribers, and add more barriers for participating carriers and subscriber. These proposals have been so extreme that they would lead to cutting off carriers serving almost 70% of Lifeline subscribers.
    • They urged Pai “to immediately take the following steps:
      • 1.) Take emergency measures to provide additional financial support to Lifeline providers during the pandemic to temporarily support unlimited mobile data and voice minutes, and notify Congress if additional funding is needed for such changes.
      • 2.) Extend all current FCC waivers on Lifeline usage and subscriber documentation requirements for at least a full year, until August 2021 or when we have recovered from the pandemic.
      • 3.) Close the currently outstanding Lifeline proposed rulemakings that would create new obstacles for eligible households and add unwarranted burden on carriers.
      • 4.) Pause the scheduled changes to Lifeline program’s minimum service standards until the Commission studies such impacts on the market in its upcoming 2021 State of Lifeline Marketplace Report, to avoid disruptions to customers’ services.
      • 5.) Restore the monthly subsidy to $9.25 for plans offering voice services for subscribers who value voice over data-heavy plans and pause the planned decrease in contributions for voice support.
      • 6.) Work with states to increase the automated verification of state databases with the National Verifier program by the end of this year.
  • New Zealand’s National Cyber Security Centre (NCSC) released a “General Security Advisory: ongoing campaign of Denial of Service (DoS) attacks affecting New Zealand entities” after four days of DoS attacks against New Zealand’s stock market coming from somewhere offshore. The NCSC recommended best practices the Australian Cyber Security Centre (ACSC) had published. The NCSC stated
    • [It] is aware of an ongoing campaign of DoS attacks affecting New Zealand entities.
    • The campaign has included the targeting of a number of global entities, predominantly in the financial sector. 
    • The NCSC strongly encourages all organisations in this sector to consider the risk to their organisation of DoS and ensure appropriate mitigations are in place.
  • Senator Mark Warner (D-VA) sent letters to Dell, Apple, HP, Samsung, Google, Microsoft, Acer America, and ASUS USA asking the “companies to do what they can to help bridge the “homework gap” – the lack of reliable computer or internet access that prevents school-aged children from being able to do school work from home.” Warner’s letter is in response to the nationwide shortage of lost laptops and tablets facing families as many children will be starting school online this fall. Warner stated:
    • There are a range of actions your company can take, including educational product discounts, the provision of complimentary or donated computers (including for home lending programs many educational institutions operate), and the provision of refurbished or returned products in good working condition for school districts and higher education institutions to distribute to educators and students. While I understand the strains placed on the global supply chain, your prioritization of these matters would greatly assist struggling families at this challenging time.
  • The United States Department of Defense (DOD) updated its list of “Communist Chinese military companies” operating directly or indirectly in the United States in accordance with the statutory requirement of Section 1237 of the National Defense Authorization Act for Fiscal Year 1999, as amended.” The eleven companies from the People’s Republic of China (PRC) were added to the existing list sent “to Congress in June 2020,” some 20 years after Congress tasked the DOD with this responsibility. This action is most likely in response to a letter sent last year to fulfill this responsibility. Notably, any company on the list could be sanctioned by the President under the same authorities recently used against TikTok and WeChat.
    • In a September 2019 letter to Secretary of Defense Mark Esper, Senate Minority Leader Chuck Schumer (D-NY) and Senator Tom Cotton (R-AR) were joined by Representatives Ruben Gallego (D-AZ) and Mike Gallagher (R-WI) in asking whether the DOD has been updating a list of “those persons operating directly or indirectly in the United States or any of its territories and possessions that are Communist Chinese military companies” as directed by Section 1237 of the FY 1999 NDAA. They noted that China’s Communist Party has adopted a Military-Civilian Fusion strategy “to achieve its national objectives,” including the acquisition of U.S. technology through any means such as espionage, forced technology transfers, and the purchase of or investment in U.S. technology firms. Schumer, Cotton, Gallego, and Gallagher urged the Trump Administration to “reexamine all statutory authorities at its disposal to confront the CCP’s strategy of Military-Civilian Fusion, including powers that have laid dormant for years.”
    • Unstated in this letter, however, is that the first part of Section 1237 grants the President authority to “exercise International Emergency Economic Powers Act (IEEPA) authorities (other than authorities relating to importation) without regard to section 202 of the IEEPA (50 U.S.C. 1701) in the case of any commercial activity in the United States by a person that is on the list.” IEEPA grants the President sweeping powers to prohibit transactions and block property and property interests for nations and other groups subject to an IEEPA national emergency declaration. Consequently, those companies identified by the DOD on a list per Section 1237 could be blocked and prohibited from doing business with U.S. entities and others and those that do business with such Chinese companies could be subject to enforcement actions by the U.S. government (e.g. the U.S.’s actions against ZTE for doing business with Iran in violation of an IEEPA national emergency).
    • The statute defines a “Communist Chinese military company” as “any person identified in the Defense Intelligence Agency publication numbered VP-1920-271-90, dated September 1990, or PC-1921-57-95, dated October 1995, and any update of those publications for the purposes of this section; and any other person that is owned or controlled by the People’s Liberation Army; and is engaged in providing commercial services, manufacturing, producing, or exporting.” Considering that the terms “owned” and “controlled” are not spelled out in this section, the executive branch may have very wide latitude in deeming a non-Chinese company as owned or controlled and therefore subject to the President’s use of IEEPA powers. Moreover, since the President already has the authority to declare an emergency and then use IEEPA powers, this language would seem to allow the President to bypass any such declaration and immediately use such powers, except those regarding importation, against any Chinese entities identified on this list by the Pentagon.
  • District of Columbia Attorney General Karl Racine (D) filed suit against Instacart alleging the company “violated the District’s Consumer Protection Procedures Act and tax law by: 
    • Charging District consumers millions of dollars in deceptive service fees: Prior to 2016, Instacart’s checkout screen contained an option to tip workers, set as a default 10 percent of the consumer’s subtotal for groceries that users could adjust. In 2016, Instacart swapped the tip option for a service fee, which was also set to a default 10 percent and could be adjusted, and displayed it where the tip option used to be. Consumers paid the service fee believing they were tipping workers. In reality, the service fee was a second charge—on top of a delivery fee—imposed by Instacart to cover delivery costs and operating expenses. Additionally, Instacart failed to clearly disclose that service fees were optional and that consumers could choose not to pay them.
    • Misleading consumers about how service fees contributed to worker pay: When Instacart announced the new service fees, it told consumers that “100% of the variable service amount is used to pay all shoppers more consistently for each and every delivery, not just the last shopper to touch the order.” Instacart also stated that the company collected a service fee because “multiple shoppers may have been involved in a single order” and the “service fee is used to pay this entire set of shoppers.” In fact, the shoppers who fulfilled a consumer’s order were paid the same whether or not a consumer paid the service fee.
    • Failing to pay at hundreds of thousands of dollars in District sales tax: Under District law, Instacart is responsible for collecting sales tax on the delivery services it provides. The entire time Instacart has operated in the District, it has failed to collect sales tax on the service fees and delivery fees it charged users.
  • Two large United States (U.S.) technology companies are facing class actions in the Netherlands and the United Kingdom (UK) that argue the companies’ use of third party cookies in order to sell real time bidding advertising violated the European Union’s General Data Protection Regulation (GDPR) by not obtaining the consent of people before their personal information is collected and processed. The suit against Oracle and Salesforce, brought by The Privacy Collective, a European non-profit, could result in damages of more than €10 billion.
  • As part of its lawsuit against Google “for deceptive and unfair practices used to obtain users’ location data, which Google then exploits for its lucrative advertising business,” the Office of the Attorney General of Arizona released emails obtained during the course of discovery that may demonstrate the company’s knowledge that its interface and operating system were trying to frustrate a user’s desire to truly turn off location data.
  • The eHealth Initiative & Foundation (eHI) and the Center for Democracy and Technology (CDT) released A Draft Consumer Privacy Framework for Health Data, “a collaborative effort addressing gaps in legal protections for consumer health data outside of the Health Insurance Portability and Accountability Act’s (HIPAA) coverage.” Feedback is welcome until 25 September.
    • The organizations asserted
      • The standards’ emphasis is on transparency, accountability, and the limitation on health data collection, disclosure, and use. Importantly, the standards:
        • (1) move beyond outdated notice and consent models,
        • (2) cover all health information, and
        • (3) cover all entities that use, disclose or collect consumer health information, regardless of the size or business model of the covered entity.
      • This proposal is not designed to be a replacement for necessary comprehensive data privacy legislation. Given that Congressional action to pass such a law is likely some time away, this effort is designed to build consensus on best practices and to do what we can now, in the interim, to shore up protections for non-HIPAA covered health data.

Further Reading

  • “Big Oil Faded. Will Big Tech?” By Shira Ovide – The New York Times. This piece suggests that the so-called Big Tech companies may someday wane as many energy companies like Exxon are currently doing. The interesting point is made that a company or field’s preeminence can rapidly disappear and it can seem dominant until it is not. And this frequently happens for reasons that do not seem apparent or related. Ironically, Exxon essentially got pushed out of the Dow Jones Industrial Average because Apple had to split its stock because of its surging valuation. Another tech company, Salesforce, will replace Exxon.
  • “Apple wants to stop advertisers from following you around the web. Facebook has other ideas.” By Peter Kafka – Recode. Apple will extend a feature from Safari to its next iOS for iPhones where users will soon be asked whether they want to allow apps to track them across the web and other apps in order to deliver them targeted, personalized advertising. To no great surprise, it is being assumed many users will say no, diminishing a prime mode by which companies reap data and show people advertisements that are intimately tied to what they read and watch online. Consequently, advertisers will be less willing to spend dollars on more general ads and income will be depressed for the two major players in this market: Facebook and Google. Facebook has already declared it will not use Apple’s device identifier unique to every iPhone or Apple Watch, meaning users downloading the Facebook app will not get the choice of whether to say no to the companies tracking them. It is not clear how well this workaround will mitigate the projected loss in ad revenue for Facebook, but it does represent the latest chapter in the fight between the two companies. Facebook has lined up with Epic Games, maker of Fortnite, in its suit against Apple regarding App Store policies. It is very likely Apple sees this change to iOS 14 as a means of burnishing its reputation as being more concerned about its users’ privacy than competitors in Silicon Valley, which it can afford to be considering it does not earn most of its revenue the same way Facebook does, and curry favor in Washington and Brussels where it is facing antitrust scrutiny.
  • “Want a Free Amazon Halo Wearable? Just Hand Over Your Data to This Major Insurance Company” By Emily Mullin – OneZero. Amazon has teamed with insurer John Hancock to offer a wearable health and fitness tracker that will be used to collect personal data on wearers that is designed to nudge them into better behaviors and better health. This is not the first such pairing, and it raises a host of policy issues, for healthier people would be poised to reap benefits not available to less healthy people. Some insurers are offering modest amounts of cash or gift cards for exercising regularly or other benefits that would not go to less healthy people. These sorts of programs are similar to employee health and wellness programs that were enshrined in the “Patient Protection and Affordable Care Act” that studies have suggested do not work very well. Additionally, companies like Amazon and John Hancock will be collecting and processing all sorts of very sensitive personal information, making them likely targets of hacking operations. Also, there are privacy implications, for these wearable devices will likely allow companies to know the most intimate details of wearers’ lives.
  • “TikTok Deal Is Complicated by New Rules From China Over Tech Exports” By Paul Mozur, Raymond Zhong and David McCabe – The New York Times; “TikTok Is Said to Wrestle With Two Competing Offers” By Mike Isaac – The New York Times; “China’s new tech export restrictions further cloud US TikTok sale and raise the risk of protectionism” By Coco Feng, Tracy Qu and Amanda Lee – South China Morning Post; “China puts drones and laser tech on restricted export list after US tightens rules” By Sidney Leng – South China Morning Post; “TikTok Chief Executive Kevin Mayer Resigns” By Mike Isaac – The New York Times. In a surprise announcement from two agencies late last week, the People’s Republic of China changed its export control rules for the first time since 2008 to likely have leverage over TikTok’s sale to a United States (U.S.) entity. Ostensibly, the changes are “to regulate technology exports, promote scientific and technological progress and economic and technological cooperation, and maintain national economic security,” but the inclusion of “personalised information recommendation service technology based on data analysis” and “artificial intelligence interactive interfaces” likely point to ByteDance’s app, TikTok. In fact a researcher with the PRC Ministry of Commerce was quoted as asserting “[t]he time to publish the new update of the export control list has been expedited due to the TikTok sale.” Moreover, the PRC’s timeline for deciding on whether an export license is needed is the same as the Trump Administration’s second executive order directing ByteDance to divest TikTok. Incidentally, these changes are probably in response to the tightening of U.S. export controls against the PRC, which could set off retaliatory moves. In any event, Beijing will now have to approve any sale of TikTok operations in the U.S.
Also, Walmart has apparently joined forces with Microsoft in preparing a bid on TikTok in competition with Oracle which threw its proverbial hat into the ring last week. And, new TikTok CEO Kevin Mayer stepped down in a surprise move citing ByteDance’s changed circumstances.
  • “Trump aides interviewing replacement for embattled FTC chair” By Leah Nylen, Betsy Woodruff Swan, John Hendel and Daniel Lippman – Politico. The Trump Administration may be trying to force out Federal Trade Commission Chair Joe Simons or merely interviewing replacements if he steps down next year should President Donald Trump still be in the White House next year. Given the reports that Simons has resisted pressure from the White House to comply with the executive order on Section 230 by investigating social media platforms, Simons has likely not won any new fans at 1600 Pennsylvania Avenue. Having said that, removing an FTC Commissioner is much harder than other top positions in the U.S. government, and the FTC is designed to be insulated from political pressure. However, Commissioners are politicians, too, and carefully gauge the direction the wind is blowing. That being said, Simons has also sent out signals he will step down next year and return to private practice, so the interviewing of possible successors may be entirely normal in an Administration that usually does not operate normally.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (28 August)

Here is today’s Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 10 September, the General Services Administration (GSA) will have a webinar to discuss implementation of Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that bars the federal government and its contractors from buying the equipment and services from Huawei, ZTE, and other companies from the People’s Republic of China.
  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • Members of the British Parliament have written the United Kingdom’s (UK) Information Commissioner’s Office (ICO) “about the Government’s approach to data protection and privacy during the COVID-19 pandemic, and also the ICO’s approach to ensuring the Government is held to account.” The MPs argued in the letter addressed to UK ICO Commissioner Elizabeth Denham
    • During the crisis, the Government has paid scant regard to both privacy concerns and data protection duties. It has engaged private contractors with problematic reputations to process personal data, as highlighted by Open Democracy and Foxglove. It has built a data store of unproven benefit. It chose to build a contact tracing proximity App that centralised and stored more data than was necessary, without sufficient safeguards, as highlighted by the Human Rights Committee. On releasing the App for trial, it failed to notify yourselves in advance of its Data Protection Impact Assessment – a fact you highlighted to the Human Rights Committee.
    • Most recently, the Government has admitted breaching their data protection obligations by failing to conduct an impact assessment prior to the launch of their Test and Trace programme. They have only acknowledged this failing in the face of a threat of legal action by Open Rights Group. The Government have highlighted your role at every turn, citing you as an advisor looking at the detail of their work, and using you to justify their actions.
    • The MPs added:
      • In this context, Parliamentarians and the public need to be able to rely on the Regulator. However, the Government not only appears unwilling to understand its legal duties, it also seems to lack any sense that it needs your advice, except as a shield against criticism.
      • Regarding Test and Trace, it is imperative that you take action to establish public confidence – a trusted system is critical to protecting public health. The ICO has powers to compel documents to understand data processing, contractual relations and the like (Information Notices). The ICO has powers to assess what needs to change (Assessment Notices). The ICO can demand particular changes are made (Enforcement notices). Ultimately the ICO has powers to fine Government, if it fails to adhere to the standards which the ICO is responsible for upholding.
  • The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has released a 5G strategy that flows from a Trump Administration strategy released earlier this year. CISA is not asserting it has much authority in how the private sector will build, roll out, source, and secure 5G and is instead looking to capitalize on its role as the United States government’s cybersecurity agency for the civilian part of the government. As such, CISA is proposing to advise private sector stakeholders and provide its expertise so that the next generation of wireless communications in the U.S. is safe, stable, and secure. CISA is putting forth five initiatives that seek to position CISA as a key stakeholder in assisting the larger U.S. efforts and individual companies and entities.
    • In the “National Strategy To Secure 5G,” the Trump Administration tied its overarching effort to foster 5G development and to cement the U.S.’s role as the preeminent technological power in the world to its 2018 United States National Cyber Strategy.
    • The Administration asserted
      • This National Strategy to Secure 5G expands on how the United States Government will secure 5G infrastructure domestically and abroad. 5G infrastructure will be an attractive target for criminals and foreign adversaries due to the large volume of data it transmits and processes as well as the support that 5G will provide to critical infrastructure. Criminals and foreign adversaries will seek to steal information transiting the networks for monetary gain and exploit these systems and devices for intelligence collection and surveillance. Adversaries may also disrupt or maliciously modify the public and private services that rely on communications infrastructure. Given these threats, 5G infrastructure must be secure and reliable to maintain information security and address risks to critical infrastructure, public health and safety, and economic and national security.
    • CISA noted the four lines of efforts from the “National Strategy To Secure 5G” are:
      • Facilitating domestic 5G rollout;
      • Assessing the risks and identifying core security principles for 5G infrastructure;
      • Managing the risks to our economic and national security from the use of 5G infrastructure; and
      • Promoting responsible global development and deployment of 5G infrastructure.
    • CISA stated
      • [it] leads 5G risk management efforts so the United States can fully benefit from all the advantages 5G connectivity promises to bring. In support of CISA’s operational priority to secure 5G, as outlined in the CISA Strategic Intent, the CISA 5G Strategy establishes five strategic initiatives that stem from the four lines of effort defined in the National Strategy to Secure 5G. Guided by three core competencies: Risk Management, Stakeholder Engagement, and Technical Assistance, these initiatives include associated objectives to ensure there are policy, legal, security, and safety frameworks in place to fully leverage 5G technology while managing its significant risks. With the support of CISA and its partners, the CISA 5G Strategy seeks to advance the development and deployment of a secure and resilient 5G infrastructure, one that enables enhanced national security, technological innovation, and economic opportunity for the United States and its allied partners.
    • CISA laid out the five initiatives:
      • Strategic Initiative 1: Support 5G policy and standards development by emphasizing security and resilience
        • The development of 5G policies and standards serve as the foundation for securing 5G’s future communications infrastructure. Those entities that shape the future of these policies and standards position themselves as global leaders and help facilitate secure deployment and commercialization of 5G technologies. To prevent attempts by threat actors to influence the design and architecture of 5G networks, it is critical that these foundational elements be designed and implemented with security and resilience from the start.
        • DESIRED OUTCOME: Threat actors are unable to maliciously influence the design and architecture of 5G networks.
      • Strategic Initiative 2: Expand situational awareness of 5G supply chain risks and promote security measures
        • Between untrusted components, vendors, equipment, and networks, 5G supply chain security is under constant threat. For example, while certain 5G equipment may be from a trusted vendor, supporting components manufactured or handled by untrusted partners or malicious actors could negate any security measures in place. These compromised components have the potential to affect the connectivity and security of transmitted data and information.
        • DESIRED OUTCOME: Malicious or inadvertent vulnerabilities within the 5G supply chain are successfully prevented or mitigated.
      • Strategic Initiative 3: Partner with stakeholders to strengthen and secure existing infrastructure to support future 5G deployments
        • Before moving to a standalone infrastructure, the first iterations of 5G deployment will work alongside existing 4G LTE infrastructure and core networks. While 5G architecture is designed to be more secure, 5G’s specifications and protocols stem from previous networks, which contain legacy vulnerabilities. For example, the overlay of 4G and 5G networks has the potential for a malicious actor to carry out a downgrade attack, where they could force a user on a 5G network to use 4G in order to exploit known vulnerabilities against them. These inherent vulnerabilities, along with new and unidentified risks, will require the collaboration of industry and government to develop and communicate security enhancements to support secure 5G deployments.
        • DESIRED OUTCOME: Secure 5G deployment, void of legacy vulnerabilities and untrusted components.
      • Strategic Initiative 4: Encourage innovation in the 5G marketplace to foster trusted 5G vendors
        • As 5G is deployed, there is an emphasis on ensuring that state-influenced entities do not dominate the 5G marketplace. To address this concern, CISA will work with its partners to support R&D initiatives and prize programs that result in secure and resilient 5G technologies and capabilities. By supporting these types of efforts, CISA will help drive innovation and establish a trusted vendor community for the future of 5G.
        • DESIRED OUTCOME: Increased number of trusted vendors in the 5G marketplace to address risks posed by limited competition and proprietary solutions.
      • Strategic Initiative 5: Analyze potential 5G use cases and share information on identified risk management strategies
        • The enhanced capabilities of 5G technologies will support an array of new functions and devices, introducing a plethora of potential use cases. With the potential for the connection of billions of devices on a network, also known as massive Machine-Type Communication (mMTC), applications like smart cities will require increased security to safeguard connected devices from potential threats and vulnerabilities. To ensure the security and integrity of these devices, CISA will communicate known vulnerabilities and risk management strategies for use cases associated with securing the Nation’s critical functions.
        • DESIRED OUTCOME: New vulnerabilities introduced by deployments of 5G technology are clearly understood and managed.
  • The Office of Management and Budget (OMB) released new guidance on grants and agreements federal agencies must generally follow that further implements a ban on using United States (U.S.) government funds on buying services or equipment from Huawei, ZTE, and other companies from the People’s Republic of China (PRC). Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) bars federal agencies, federal contractors, and recipients of federal funds from buying or using these services. Two regulations have been issued previously pertaining to agencies and contractors, and this notice governs the recipients of federal funding. However, the explanatory portion of the notice that discusses Section 889 differs from the actual regulatory text, giving rise to possible confusion over the scope and extent of the ban on the recipients of federal funding from buying or paying for banned services and equipment.
    • In the body of the notice, OMB stated:
      • OMB revised 2 CFR to align with section 889 of the NDAA for FY 2019 (NDAA 2019). The NDAA 2019 prohibits the head of an executive agency from obligating or expending loan or grant funds to procure or obtain, extend or renew a contract to procure or obtain, or enter into a contract (or extend or renew a contract) to procure or obtain the equipment, services, or systems prohibited systems as identified in NDAA 2019. To implement this requirement, OMB is adding a new section, 2 CFR 200.216 Prohibition on certain telecommunication and video surveillance services or equipment, which prohibit Federal award recipients from using government funds to enter into contracts (or extend or renew contracts) with entities that use covered telecommunications equipment or services. This prohibition applies even if the contract is not intended to procure or obtain, any equipment, system, or service that uses covered telecommunications equipment or services. As described in section 889 of the NDAA 2019, covered telecommunications equipment or services includes:
        • Telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of such entities).
        • For the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes, video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities).
        • Telecommunications or video surveillance services provided by such entities or using such equipment.
        • Telecommunications or video surveillance equipment or services produced or provided by an entity that the Secretary of Defense, in consultation with the Director of the National Intelligence or the Director of the Federal Bureau of Investigation, reasonably believes to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country.
    • In the rule itself, it is provided that the ban extends to the recipients and subrecipients themselves and not contractors using the banned services or equipment:
      • (a) Recipients and subrecipients are prohibited from obligating or expending loan or grant funds to:
        • (1) Procure or obtain;
        • (2) Extend or renew a contract to procure or obtain; or
        • (3) Enter into a contract (or extend or renew a contract) to procure or obtain equipment, services, or systems that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.
  • The United States (U.S.) Department of Justice (DOJ) announced a major reorganization of its Antitrust Division through the creation of “the Office of Decree Enforcement and Compliance and a Civil Conduct Task Force” and a shuffling of subject area matters “among its six civil sections in order to build expertise based on current trends in the economy.”
    • The DOJ explained
      • The Office of Decree Enforcement and Compliance will have primary responsibility for enforcing judgments and consent decrees in civil matters.  It will also advise the Antitrust Division’s criminal sections when parties seek credit at the charging stage for their corporate compliance programs.  The office will work closely with division attorneys, monitors, and compliance officers to ensure the effective implementation of and compliance with antitrust judgments.  Additionally, the office will be the Antitrust Division’s primary contact for complainants who have information regarding potential violations of those final judgments.
      • The second change to the Antitrust Division’s civil enforcement program is the creation of the Civil Conduct Task Force.  This dedicated group of Division attorneys will work across the civil sections and field offices to identify conduct investigations that require additional focus and resources.  As an independent group, the task force will have the dedicated resources and a consistent mandate to investigate and, ultimately, prosecute civil conduct violations of the antitrust laws.
      • The third change announced today is the realignment of certain responsibilities within the Antitrust Division’s six civil sections. The allocation of commodities among sections has evolved over the years, and today’s announcement is a recognition that technology has reshaped the competitive dynamics in several industries that the Antitrust Division analyzes on a regular basis.
      • Specifically, the currently named Media, Entertainment, and Professional Services Section will shift attention to financial services, fintech, and banking.  Those commodities were previously divided across three other civil sections.  The currently named Telecommunications and Broadband Section will expand its portfolio to concentrate on media, entertainment, and telecommunications industries. Lastly, the currently named Technology and Financial Services section will focus full time on technology markets and the competitive characteristics of platform business models.
  • A class action was filed in British court against Marriott for data breaches between 2014 and 2018 that exposed the personal data of people worldwide. This action follows the United Kingdom’s (UK) Information Commissioner’s Office’s (ICO) intention to fine Marriott “£99,200,396 for infringements of the General Data Protection Regulation (GDPR)” in 2019, but this enforcement action was extended through mid-2020 by the ICO. It is unclear when, or even if, the ICO will conclude its investigation and action against Marriott given the UK’s pending exit from the European Union and the GDPR. Theoretically, the ICO may be able to use the UK’s data protection law, and it is telling the class action is filed under both the GDPR and the UK’s data protection law in effect during most of the period in which the breaches occurred.
    • The law firm handling the class action asserted
      • It is believed the data breach began when the systems of the Starwood Hotels group were compromised following a hack on its reservation network, which is believed to have first occurred in 2014. Marriott International acquired the Starwood Hotels group in 2016 but the exposure of customer information was not discovered until 2018. The guests’ personal data affected by the breach included information such as guests’ names, email and postal addresses, telephone numbers, gender and credit card information.
  • The Federal Highway Administration (FHWA), a component agency of the United States (U.S.) Department of Transportation (DOT), asked for input on a draft rule “to ensure that States meet specific registration, notification, and coordination requirements to facilitate broadband infrastructure deployment in the right-of-way (ROW) of applicable Federal-aid highway projects.” The agency was directed to undertake this rulemaking by language in the “MOBILE NOW Act” that was enacted as part of “The Consolidated Appropriations Act, 2018” (P.L. 115-141). The FHWA explained “[o]nce the regulations take effect, the Section 607 requirements will apply to each State that receives funds under [the section of the United States Code that governs highway funding and projects], including the District of Columbia and the Commonwealth of Puerto Rico.” The agency added:
    • FHWA recognizes that it is in the public interest for utility facilities to use jointly the ROW of public roads and streets when such use and occupancy do not adversely affect highway or traffic safety, or otherwise impair the highway or its aesthetic quality, and does not conflict with Federal, State, or local laws and regulations. The opportunity for such joint use avoids the additional cost of acquiring separate ROW for the exclusive accommodation of utilities. As a result, the ROW of highways is often used to provide public services to abutting residents as well as to serve conventional highway needs.
    • Utility facilities, unlike most other fixed objects that may be present within the highway environment, are not owned nor are their operations directly controlled by State or local public agencies. Federal laws and FHWA regulations contained in 23 U.S.C. 109, 111, 116, and 123 and 23 CFR parts 1, 635, 645, and 710 regulate the accommodation, relocation, and reimbursement of utilities located within the highway ROW. State departments of transportation (State DOT) are required to develop Utility Accommodation policies that meet these regulations. 23 CFR 645.211.

Further Reading

  • “New Zealand stock exchange hit by cyber attack for second day” By Martin Farrer – The Guardian. A powerful offshore Distributed Denial of Service (DDoS) attack took down the nation’s stock exchange for the second day in a row. Given the apparent sophistication and resources necessary to execute this attack, according to experts, one wonders if either of the Pacific Rim’s most active, capable nation-state hackers may be responsible: the People’s Republic of China or the Democratic People’s Republic of Korea.
  • “Israeli phone hacking company faces court fight over sales to Hong Kong” by Patrick Howell O’Neill – MIT Technology Review. Human rights attorneys have filed suit in Tel-Aviv to force the Ministry of Defence to end exports of Cellebrite’s phone hacking technology to repressive regimes like Hong Kong and Belarus. It is not clear Israel ever granted Cellebrite an export license, and the Ministry is being closemouthed on the issue. Previous filings assert Cellebrite’s technology has been used over 4,000 times in Hong Kong to hack into the phones of dissidents and activists even though many were using device encryption. Given that Cellebrite sells its technology widely throughout the world, perhaps the claims of some Five Eyes nations, including the United States, United Kingdom, and Australia, are overblown?
  • “Armed militias mobilize on social media hours before deadly Kenosha shooting” – The Atlantic Council’s Digital Forensic Research Lab. As it turns out, Facebook and reddit posts and pages were encouraging armed individuals and militias to go to Kenosha, Wisconsin ostensibly to ensure protests over the police shooting of an African American man in the back did not result in violence or looting. An alarming number of these posts called for violence against the protestors, and at least one person heeded this call by shooting and killing two protestors.
  • “Facebook chose not to act on militia complaints before Kenosha shooting” By Russell Brandom – The Verge. Even with people submitting complaints that various users and groups were inciting violence in Kenosha, Wisconsin, Facebook moderators declined to take down most of the material…until the day after a person shot and killed two protestors.
  • “Tech’s deepening split over ads and privacy” By Kyle Daly – Axios. This piece summarizes some of the internecine fighting in Silicon Valley over privacy, which, as the author points out, is driven by, or perhaps more kindly, happens to coincide with each company’s interest. For example, Apple faces antitrust scrutiny in the United States and European Union and does not earn much revenue from advertising, so it is easy for them to propose changes to their iOS that would give users much more control over the data companies could collect. This would hurt some of Apple’s rivals like Facebook. What is not mentioned here is that should Microsoft win the TikTok sweepstakes, it is all but certain its position on stricter privacy controls will change, for the video sharing app is built on harvesting data from users.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


Trump Administration Issues Second Part of Rule Banning Huawei, ZTE, and Other PRC Entities From Federal Systems

Starting in a month, those contracting with the federal government may not have Huawei or ZTE equipment or systems per a directive of Congress enacted in 2018. Lawmakers were concerned about national security and argued PRC equipment and systems are compromised. The first half of this ban took effect one year ago.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Federal agencies released an interim rule to implement the second half of a government-wide ban on buying or using Huawei, ZTE, and other equipment and systems considered risky or suspect by the United States (US) government. The first half of this ban went into effect late last summer and generally bars US agencies from buying or using so-called “covered telecommunications equipment or services,” and this part of the ban extends the prohibition to entities that would contract with US agencies. Therefore, as a general matter, such contractors would need to certify their services, systems, and equipment are free and clear of “covered telecommunication equipment,” which is largely technology developed and manufactured in the People’s Republic of China (PRC) or the Russian Federation. This rule will take effect on 13 August but may possibly affect contracts entered into before that date. And yet, comments are being accepted on this rule until 14 September, which will likely affect the rule on the margins when a final version is issued but not its substance.

The Department of Defense (DOD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) amended “the Federal Acquisition Regulation (FAR) to implement section 889(a)(1)(B) of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that “prohibits executive agencies from entering into, or extending or renewing, a contract with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” The agencies stated

The statute covers certain telecommunications equipment and services produced or provided by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of those entities) and certain video surveillance products or telecommunications equipment and services produced or provided by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of those entities). The statute is not limited to contracting with entities that use end-products produced by those companies; it also covers the use of any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.

The DOD, GSA, and NASA explained “[t]he 889(a)(1)(A) rule does the following:

  • It amends the FAR to include the 889(a)(1)(A) prohibition, which prohibits agencies from procuring or obtaining equipment or services that use covered telecommunications equipment or services as a substantial or essential component or critical technology. (FAR 52.204-25)
  • It requires every offeror to represent prior to award whether or not it will provide covered telecommunications equipment or services and, if so, to furnish additional information about the covered telecommunications equipment or services. (FAR 52.204-24)
  • It mandates that contractors report (within one business day) any covered telecommunications equipment or services discovered during the course of contract performance. (FAR 52.204-25)

The agencies added

The FAR Council will address the public comments received on both previous interim rules in a subsequent rulemaking. In addition, each agency has the opportunity under 889(a)(1)(A) to issue agency-specific procedures (as they do for any acquisition-related requirement). For example, GSA issued a FAR deviation where GSA categorized risk to eliminate the representations for low and medium risk GSA-funded orders placed under GSA indefinite-delivery contracts.

Section 889 of the FY 2019 NDAA was drafted to address the threats posed by the presence of Huawei and ZTE equipment and services throughout the systems and supply chains of the federal government and its contractors. The ultimate goal is the complete phaseout, if possible, of these and any other suspect systems that could possibly be compromised or exploited in the future. Consequently, Russian equipment and systems are also targeted. All federal agencies must inventory and then work to remove this equipment and products within the next few years, and the DOD has already started the required rulemakings to fulfill this policy goal.

As a result, the DOD and other agencies changed the FAR to put into effect a Congressionally-required ban on Huawei and ZTE products detailed in Section 889 of the FY 2019 NDAA. Specifically the August 2019 interim rule bars federal agencies from buying Huawei, ZTE, and related Chinese “equipment, system[s], or service[s] that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system” unless an exception allows the agency to disregard this general ban. This rule has already taken effect, and it is likely the DOD and other agencies will issue a final rule, which may change the interim rule on the margins but will likely maintain the substance of the prohibition. It bears note that this interim rule is applicable to all contracts going forward and some solicitations offered and contracts signed before August 13, 2019. In December 2019, the DOD, GSA, and NASA changed the original requirement that contractors certify for each procurement they do not have any Huawei or ZTE equipment or services and may make this certification annually instead.

In concert with the August 2019 interim final rule that put in place a ban on buying or using Huawei, ZTE, or other related equipment, the DOD issued a memorandum that “provides DOD-specific procedures associated with the interim FAR rule that implements section 889(a)(1)(A) of the National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115-232)…[and] [t]hese implementation procedures apply to contracts, task orders, and delivery orders, including basic ordering agreements (BOAs), orders against BOAs, blanket purchase agreements (BPAs), and calls against BPAs.”

Finally, it bears note that Section 889(b) also contains language barring any agency from making a loan or providing a grant to any entity with Huawei or ZTE systems or equipment or to buy Huawei systems or equipment. In June 2019, the Office of Management and Budget (OMB) asked Congress for legislative changes to the grant and loan language, ideally in the FY 2020 NDAA, and to push back the deadline for both of these provisions from August 13, 2020 to August 13, 2022. However, the Armed Services Committees did not include such language in either FY 2020 NDAA, suggesting there is not support in the committees for softening or rolling back the Huawei/ZTE bans.


Further Reading and Other Developments (4 July)


Other Developments

  • The Senate invoked cloture on the nomination of acting Office of Management and Budget (OMB) Director Russell Vought to be confirmed in that role and will vote on the nomination on 20 July. OMB has been without a Senate-confirmed Director since Mick Mulvaney resigned at the end of March, but he was named acting White House Chief of Staff in January 2019, resulting in Vought serving as the acting OMB head since that time.
  • The United States Federal Chief Information Officer (CIO) Suzette Kent announced she is stepping down in July, and Deputy Federal CIO Maria Roat is expected to be named acting Federal CIO. Given the Trump Administration’s approach to submitting nominations to the Senate for confirmation and the Senate’s truncated work schedule due to the election, it is likely no nomination will be made this year. Kent technically held the position of Administrator of the Office of Electronic Government within the Office of Management and Budget (OMB), and her portfolio includes a range of technology-related matters including cybersecurity, information technology (IT) policy and procurement, workforce, data security, data management, and others.
  • The General Services Administration (GSA) announced the next step in “establish[ing] a program to procure commercial products through commercial e-commerce portals for purposes of enhancing competition, expediting procurement, enabling market research, and ensuring reasonable pricing of commercial products.” GSA “awarded contracts to three e-marketplace platform providers…[to] Amazon Business, Fisher Scientific, and Overstock.com, Inc. allows GSA to test the use of commercial e-commerce portals for purchases below the micro-purchase threshold of $10,000 using a proof-of-concept (for up to three years).” Section 846 of the 2018 National Defense Authorization Act (P. L. 115-91) directed GSA to implement such a program, and the agency claimed in a blog posting:
    • These contracts and platforms will be available to federal agencies as part of a governmentwide effort to modernize the buying experience for agencies and help them gain insights into open-market online spend occurring outside of existing contracts.  It is estimated that open market purchases on government purchase cards represent an addressable market of $6 billion annually.
    • The goal of the proof of concept is to provide a modern buying solution for federal customers and increase transparency on agency spending that’s already taking place with better data through this solution. Further, this solution leverages the government’s buying power and increases supply chain security awareness with a governmentwide approach.
  • In response to the ongoing and growing advertising boycott, Facebook announced in a press release some changes to the platform’s policies regarding voter suppression or hateful content. CEO Mark Zuckerberg stated “Three weeks ago, I committed to reviewing our policies ahead of the 2020 elections…[and] [t]hat work is ongoing, but today I want to share some new policies to connect people with authoritative information about voting, crack down on voter suppression, and fight hate speech:
    • 1. Providing Authoritative Information on Voting During the Pandemic
      • Last week, we announced the largest voting information campaign in American history, with the goal of helping 4 million people register to vote. As part of this, we’re creating a Voting Information Center to share authoritative information on how and when you can vote, including voter registration, voting by mail and early voting. During a pandemic when people may be afraid of going to polls, sharing authoritative information on voting by mail will be especially important. We’ll be showing the Voting Information Center at the top of the Facebook and Instagram apps over the coming months.
    • 2. Additional Steps to Fight Voter Suppression
      • Since the most dangerous voter suppression campaigns can be local and run in the days immediately before an election, we’re going to use our Elections Operations Center to quickly respond and remove false claims about polling conditions in the 72 hours leading into election day. Learning from our experience fighting Covid misinformation, we will partner with and rely on state election authorities to help determine the accuracy of information and what is potentially dangerous. We know this will be challenging in practice as facts on the ground may be uncertain and we don’t want to remove accurate information about challenges people are experiencing, but we’re building our operation to be able to respond quickly.
      • We will also ban posts that make false claims saying ICE agents are checking for immigration papers at polling places, which is a tactic used to discourage voting. We’ll also remove any threats of coordinated interference, like someone saying “My friends and I will be doing our own monitoring of the polls to make sure only the right people vote”, which can be used to intimidate voters. We will continue to review our voter suppression policies on an ongoing basis as part of our work on voter engagement and racial justice.
    • 3. Creating a Higher Standard for Hateful Content in Ads
      • This week’s study from the EU showed that Facebook acts faster and removes a greater percent of hate speech on our services than other major internet platforms, including YouTube and Twitter. We’ve invested heavily in both AI systems and human review teams so that now we identify almost 90% of the hate speech we remove before anyone even reports it to us. We’ve also set the standard in our industry by publishing regular transparency reports so people can hold us accountable for progress. We will continue investing in this work and will commit whatever resources are necessary to improve our enforcement.
      • We believe there is a public interest in allowing a wider range of free expression in people’s posts than in paid ads. We already restrict certain types of content in ads that we allow in regular posts, but we want to do more to prohibit the kind of divisive and inflammatory language that has been used to sow discord. So today we’re prohibiting a wider category of hateful content in ads. Specifically, we’re expanding our ads policy to prohibit claims that people from a specific race, ethnicity, national origin, religious affiliation, caste, sexual orientation, gender identity or immigration status are a threat to the physical safety, health or survival of others. We’re also expanding our policies to better protect immigrants, migrants, refugees and asylum seekers from ads suggesting these groups are inferior or expressing contempt, dismissal or disgust directed at them.
    • 4. Labeling Newsworthy Content
      • A handful of times a year, we leave up content that would otherwise violate our policies if the public interest value outweighs the risk of harm. Often, seeing speech from politicians is in the public interest, and in the same way that news outlets will report what a politician says, we think people should generally be able to see it for themselves on our platforms.
      • We will soon start labeling some of the content we leave up because it is deemed newsworthy, so people can know when this is the case. We’ll allow people to share this content to condemn it, just like we do with other problematic content, because this is an important part of how we discuss what’s acceptable in our society — but we’ll add a prompt to tell people that the content they’re sharing may violate our policies.
      • To clarify one point: there is no newsworthiness exemption to content that incites violence or suppresses voting. Even if a politician or government official says it, if we determine that content may lead to violence or deprive people of their right to vote, we will take that content down. Similarly, there are no exceptions for politicians in any of the policies I’m announcing here today.
  • On 30 June, Facebook banned the boogaloo movement from its platform. The company “designat[ed] a violent US-based anti-government network under our Dangerous Individuals and Organizations policy and disrupting it on our services…[and] [a]s a result, this violent network is banned from having a presence on our platform and we will remove content praising, supporting or representing it.”
  • The United States Department of Commerce suspended “regulations affording preferential treatment to Hong Kong… including the availability of export license exceptions.” The Trump Administration took this latest action in its trade war with the People’s Republic of China (PRC) because of “the Chinese Communist Party’s imposition of new security measures on Hong Kong” and “the risk that sensitive U.S. technology will be diverted to the People’s Liberation Army or Ministry of State Security has increased, all while undermining the territory’s autonomy.” The United States Department of State added “the United States will today end exports of U.S.-origin defense equipment and will take steps toward imposing the same restrictions on U.S. defense and dual-use technologies to Hong Kong as it does for China.”
  • The Democratic National Committee (DNC) updated its “social media comparative analysis to reflect changes companies have made in recent months to their counter disinformation and election integrity policies.” The DNC is working with Facebook/Instagram, Twitter, Google/YouTube, and now Snapchat “to combat platform manipulation and train our campaigns on how best to secure their accounts and protect their brands against disinformation.”
  • The Office of the Privacy Commissioner of Canada (OPC) and three privacy agencies for provinces of Canada announced an investigation “into a Tim Hortons mobile ordering application after media reports raised concerns about how the app may be collecting and using data about people’s movements as they go about their daily activities.” A journalist made a request to Tim Hortons under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and learned the company’s app had logged his longitude and latitude coordinates over 2,700 times in five months, sometimes when he was not using the app even though the company has claimed it only tracks users when the app is being used. Moreover, Tim Hortons combines data from sister companies also owned by Restaurant Brands International like Burger King and Popeyes.
  • The United Kingdom’s Information Commissioner’s Office (ICO) released an “investigation report into the use of mobile phone extraction (MPE) by police forces when conducting criminal investigations in England and Wales” which “found that police data extraction practices vary across the country, with excessive amounts of personal data often being extracted and stored without an appropriate basis in existing data protection law.” The ICO made a range of recommendations, many of which will require a legislative revamp of the laws that currently govern these practices.
  • Ireland’s Data Protection Commission released its “2018-2020 Regulatory Activity Under GDPR” and listed the following enforcement actions under the General Data Protection Regulation:
    • An Garda Síochána–reprimand and corrective powers applied in accordance with the Data Protection Act, 2018.
    • Tusla; The Child and Family Agency –reprimand and fine applied in accordance with the Data Protection Act, 2018.
    • Tusla; The Child and Family Agency –reprimand and fine applied in accordance with the Data Protection Act, 2018.
    • Twitter–Inquiry completed and draft decision forwarded to EU concerned data protection authorities in accordance with Article 60 of the GDPR.
    • DEASP-Enforcement notice issued regarding the use of the Public Services Card (currently under appeal).
    • 59 Section 10 decisions issued.
    • 15,000 breach notifications assessed and concluded.
    • 9 litigation cases concluded in the Irish Courts.
    • Hearing in CJEU Standard Contractual Clauses case brought by DPC to Irish High Court.
    • 80 % of cases received under the GDPR have been concluded.
  • The National Telecommunications and Information Administration (NTIA) issued its “American Broadband Initiative Progress Report,” an update on a Trump Administration inter-agency effort to implement “a cohesive government-wide strategy to reform broadband deployment” started in 2019. NTIA highlighted the following accomplishment:
    • Through the ReConnect program, as of March 2020, the U.S. Department of Agriculture (USDA) awarded over $744 million in funds to support more than 80 broadband projects benefiting more than 430,000 rural residents in 34 states. The Federal Communications Commission (FCC) and USDA also established processes to coordinate awards for rural broadband deployment to ensure that USDA-funded grants do not overlap with the FCC’s $20 Billion Rural Digital Opportunity Fund (RDOF) or the $9 Billion 5G Fund for Rural America
    • The Department of the Interior (DOI) launched a Joint Overview-Established Locations (JOEL) mapping tool to make site locations visible to service providers looking to locate equipment on Federal property, and added new data layers from the General Services Administration, the U.S. Forest Service, and U.S. Postal Service. Since its release, the map has been viewed 4,294 times, averaging 7 views per day.
    • In June 2019, the General Services Administration (GSA) published the FY 2018 Federal Real Property Profile (FRPP) public data set, updated with a set of filters allowing users to identify Federal property that could be candidates for communications infrastructure installation. This publicly available data now includes the height of buildings and facilities and the elevation above mean sea level, helping the communications industry to determine a structure’s suitability for siting communications facilities. In June 2020, GSA will update the FRPP public data set with more current data from FY 2019.
    • In March 2019, the Department of Commerce’s NTIA updated its website with information about Federal Agencies’ permitting processes and funding information to provide easier, “one-stop” access to the information. NTIA continues to update this information with support from Agencies.
    • In September 2019, NTIA completed the first phase of its National Broadband Availability Map (NBAM), a geographic information system platform which allows for the visualization and analysis of federal, state, and commercially available data sets. As of June 2020, the NBAM program includes 18 States who are partnering on this critical broadband data platform.
    • In February 2020, GSA and USDA’s Forest Service (FS) finalized a revised Standard Form (SF-299), making this Common Application Form suitable for telecommunications purposes.

Further Reading

  • “Google will start paying some publishers for news articles” – The Verge. In part because of pressure from regulators in Australia and France, Google will begin paying some news outlets for articles. This could be the start of a larger trend of online platforms compensating media which has long argued this should be the case. However, similar systems in Germany and Spain earlier this decade failed to bolster the media in those countries financially, and Google responded to the Spanish statute by ceasing to operate its News platform in that country.
  • “Trump’s strike at Twitter risks collateral damage inside the executive branch” – Politico. One aspect to the Trump Administration executive order on online platforms is that it directs federal agencies to review their online advertising and marketing subject to additional Office of Management and Budget and Department of Justice review. If fully implemented, this process could derail a number of agency initiatives ranging from military recruitment to fighting drug addiction.
  • “Column: With its Sprint merger in the bag, T-Mobile is already backing away from its promises” – The Los Angeles Times. Critics of the T-Mobile-Sprint merger have pounced on a recent filing with the California Public Utilities Commission in which the company has asked for two additional years to build out its 5G network despite making this a signal promise in selling California Attorney General Xavier Becerra on the deal. Likewise, the company is trying to renegotiate its promise to create 1,000 new jobs in the state.
  • “Facebook policy changes fail to quell advertiser revolt as Coca-Cola pulls ads” – The Guardian. Despite Facebook CEO Mark Zuckerberg’s announcement of policy changes (see Other Developments above), advertisers continue to join a widening boycott that some companies are applying across all major social media platforms. Unilever, Coca Cola, Hershey’s, Honda, and others joined the movement. The majority of Facebook’s income comes from advertising, so a sustained boycott could do more than pushing down the company’s share value. And, the changes announced at the end of last week do not seem to have impressed the boycott’s organizers. It would be interesting if pressure placed on companies advertising on Facebook effects more change than pressure from the right and left in the United States, European Union, and elsewhere.
  • “Trump administration tells Facebook, Twitter to act against calls to topple statues, commit violent acts” – The Washington Post. The Department of Homeland Security sent letters late last week to the largest technology companies, asserting they may have played a role in “burglary, arson, aggravated assault, rioting, looting, and defacing public property” by allowing people to post on or use their platforms. The thrust of the argument seems to be that Twitter, Facebook, Apple, Google, and other companies should have done more to prevent people from posting and sharing material that allegedly resulted in violence. Acting Secretary of Homeland Security Chad Wolf argued “In the wake of George Floyd’s death, America faced an unprecedented threat from violent extremists seeking to co-opt the tragedy of his death for illicit purposes.” These letters did not mention President Donald Trump’s tweets that seem to encourage authorities to use violence against protestors. Moreover, they seem to be of a piece with the recent executive order in that there is a scant legal basis for the action designed to cow the social media platforms.
  • “Twitch, Reddit crack down on Trump-linked content as industry faces reckoning” – Politico. Two platforms acted against President Donald Trump and his supporters for violating the platforms’ terms of service and rules. The irony here is that the recent executive order on social platforms seeks to have them held accountable for not operating according to their terms of service.
  • “Inside Facebook’s fight against European regulation” – Politico. Through until-now unavailable European Commission documents on meetings with and positions of Facebook, this article traces the slow evolution of the company’s no-regulation approach in the European Union (EU) to a public position ostensibly amenable to regulation. It is also perhaps the tale of using lobbying tactics that work in Washington, DC, that have largely failed to gain traction in Brussels.
