Further Reading, Other Developments, and Coming Events (11 February 2021)

Further Reading

  • “3G Could End This Year. For People Who Rely on Basic Phones, That’s a Big Problem.” By Hannah Frishberg — OneZero. The major telecommunications carriers will soon shut down their 3G coverage and with it, the last of the “dumb” phones will theoretically no longer work. There are other issues, however. In some rural areas 4G is spotty when available.
  • “‘It let white supremacists organize’: the toxic legacy of Facebook’s Groups” By Kari Paul — The Guardian. Who knew that stacking up dry wood, dousing it in lighter fluid, and keeping an open flame nearby would lead to bad results? In the same vein, who knew that putting together an algorithm that pushed people to join groups, the prevalence of extremist and white supremacist groups, and little to no oversight or policing of these groups would result in an explosion of radicalization on Facebook? Only Nostradamus could have seen this coming. And, shockingly, experts and critics of Facebook are not impressed with the latest layout of deck chairs on the proverbial Titanic in response to the extremism the platform helped bring about.
  • “World Wide Web inventor Tim Berners-Lee takes on Google, Facebook, Amazon to fix the internet” By Michael Braga — USA Today. Tim Berners-Lee and John Bruce have started Inrupt.com, a new paradigm that would allow people to essentially store their personal data in pods that platforms would have to request permission to use. They are banking that this shift could lead to the decline in dominance of Google, Apple, Facebook, Amazon and Microsoft (GAFAM).
  • “Biden’s whole-of-National Security Council strategy” By Bethany Allen-Ebrahimian — Axios. This is a good overview of how the National Security Council has been remade to focus on the People’s Republic of China (PRC) across its entire remit. How this translates into policy remains to be seen.
  • “Amazon’s anti-union blitz stalks Alabama warehouse workers everywhere, even the bathroom” By Jay Greene — The Washington Post. As it has in the past, Amazon is going all out to stop a facility in Alabama from forming a union. Ballots are currently being cast by mail. If a union is certified, it would be the first in the United States at an Amazon facility.

Other Developments

  • 37 Democratic Senators wrote the acting chair of the Federal Communications Commission (FCC) to “utilize the E-Rate program to start bridging the “homework gap” without delay.” A few days earlier, the FCC announced that it is “seeking comment on several petitions requesting permission to use E-Rate program funds to support remote learning during the pandemic.” Comments are due by 16 February and reply comments are due by 23 February. Nonetheless, the group of Senators, led by Senator Ed Markey (D-MA) and new Senate Commerce, Science, and Transportation Committee Chair Maria Cantwell (D-WA), asserted to acting FCC Chair Jessica Rosenworcel:
    • As we approach the one-year anniversary of this public health crisis, studies indicate that as many as 12 million children in the United States still lack internet access at home and are unable to participate in online learning. These students are disproportionally from communities of color, low-income households, Tribal lands, and rural areas. Despite our repeated call to address this homework gap, your predecessor at the FCC refused to use the emergency authority available to the Chair and resources available through the E-Rate program to connect these vulnerable children. This mistake allowed far too many students to fall behind in their education.
    • We appreciate that you have already recognized the FCC’s ability to act, including by asserting in congressional testimony that “the FCC could use E-Rate right now to provide every school library with Wi-Fi hotspots and other connectivity devices to loan out to students who lack reliable internet access at home.” In accordance with this statement, we urge you to now use your new leadership of the FCC to depart from the prior Commission’s erroneous position. Specifically, we request that you leverage the E-Rate program to begin providing connectivity and devices for remote learning. Although the funds currently available through the E-Rate will not be enough to connect every student across the country, your prompt action would provide an essential down payment. From there, Congress must provide the resources needed to finish the job by passing our Emergency Educational Connections Act, legislation that would appropriate billions more to be delivered through the E-Rate program to help close the homework gap during the pandemic.
  • Two Senators and Eight Representatives, all Democrats, “asked the National Security Agency (NSA) to explain the NSA’s actions to protect the government from supply chain attacks, like the recent SolarWinds hack, in which malicious code is snuck into commercial software used by the government” per their press release. They recited the history of a compromised encryption algorithm the NSA pressed on the National Institute of Standards and Technology (NIST) to publish as a government standard even though it contained a backdoor NSA created. Juniper, a networking company, started using this encryption algorithm a few years afterwards without knowing of the NSA’s action. The letter presses the NSA to turn over information about the subsequent hack of Juniper, which the Members implicitly compare to SolarWinds. Senators Ron Wyden (D-OR) and Cory Booker (D-NJ) and Representatives Pramila Jayapal (D-WA), Tom Malinowski (D-NJ), Ted Lieu (D-CA), Stephen Lynch (D-MA), Bill Foster (D-IL), Suzan DelBene (D-WA), Yvette Clarke (D-NY), and Anna Eshoo (D-CA) signed the letter. They claimed:
    • The recent SolarWinds hack has brought attention to the vulnerability of the government to supply chain attacks. However, five years ago another vendor to the U.S. government – Juniper Networks – revealed it also inadvertently delivered software updates containing malicious code. 
    • In 2015, Juniper revealed a security breach in which hackers modified the software the company delivered to its customers. Researchers subsequently discovered that Juniper had been using an NSA-designed encryption algorithm, which experts had long argued contained a backdoor, and that the hackers modified the key to this backdoor.
    • However, despite promising a full investigation after it announced the breach, Juniper has never publicly accounted for the incident.
    • The Members “asked the NSA to answer the following questions:”
      • After Juniper’s 2015 public disclosure that it inadvertently delivered software updates and products to customers containing malicious code, what actions did NSA take to protect itself, the Department of Defense, and the U.S. government from future software supply chain hacks? For each action, please identify why it was not successful in preventing the compromise of numerous government agencies in 2020 by a malware-laden update delivered by SolarWinds.
      • In the summer of 2018, during an unclassified briefing with Senator Wyden’s office, senior NSA officials revealed the existence of a “lessons learned” report on the Dual_EC_DRBG algorithm. Senator Wyden’s office has repeatedly requested this report, but NSA has yet to provide it. Please provide us with a copy of this report and any official historical reports that describe this algorithm, its development, and subsequent exploitation.
      • At the time that NSA submitted Dual_EC_DRBG to NIST for certification, did NSA know the algorithm contained a backdoor?
      • According to the NIST cryptographer’s postmortem, NSA informed NIST in 2005 that it selected the “Q” value that was published in the NIST Dual_EC_DRBG standard in a “secure, classified way.” Was this statement accurate? Please explain.
      • Juniper has confirmed that it added support for Dual_EC_DRBG “at the request of a customer,” but refused to identify that customer, or even confirm whether that customer was a U.S. government agency. Did NSA request that Juniper include in its products the Dual_EC_DRBG algorithm, P and Q values which were different from those published by NIST, or another NSA-designed encryption standard named Extended Random?
      • What statutory legal authority, if any, would permit NSA to introduce vulnerabilities into U.S. government approved algorithms certified by NIST and to keep those vulnerabilities hidden from NIST?
      • Would efforts by NSA to introduce backdoors or other vulnerabilities into government standards require the approval of the NSA Director, an inter-agency consultation, including input from the Cybersecurity and Infrastructure Security Agency, the Department of Commerce, the Federal Trade Commission, and the Federal Communications Commission? Would they require notification to the Congressional intelligence committees or an order from the Foreign Intelligence Surveillance Court? If no, please explain why.
  • The National Telecommunications and Information Administration (NTIA) has been holding a series of “Tribal Consultations for input on implementation of the Tribal Broadband Connectivity Program (TBCP),” a program seeded with $1 billion in the “Consolidated Appropriations Act, 2021” (P.L. 116-260).
    • In a letter, the NTIA explained:
      • The Act directs NTIA to make grants available to eligible entities within short time frames. NTIA is committed to holding consultation sessions expeditiously to ensure that your input informs the new grant program prior to the application process. In accordance with Commerce’s tribal consultation policy, I am inviting you and/or a tribal representative to participate in the virtual National Tribal Consultation to provide your advice and insights as NTIA staff are working through the critical issues related to the program.
    • In its presentation on the TBCP, the NTIA explained the provisions in the Consolidated Appropriations Act, 2021:
      • Section 905(c)(5) stipulates the following eligible uses of grant funds:
        • broadband infrastructure deployment, including support for the establishment of carrier-neutral submarine cable landing stations;
        • affordable broadband programs, including providing free or reduced-cost broadband service and preventing disconnection of existing broadband service;
        • distance learning;
        • telehealth;
        • digital inclusion efforts; and
        • broadband adoption activities.
      • Section 905(c)(6) caps the amount of grant funds to be used for administrative expenses:
        • An eligible entity may use not more than 2 percent of grant funds received under this subsection for administrative purposes.
      • Section 905(c)(8) provides information about broadband infrastructure deployment:
        • In using grant funds received under this subsection for new construction of broadband infrastructure, an eligible entity shall prioritize projects that deploy broadband infrastructure to unserved households.
      • Section 905(c)(3)(A) mandates that grant funds are awarded on an equitable basis:
        • The amounts appropriated under subsection (b)(1) shall be made available to eligible entities on an equitable basis, and not less than 3 percent of those amounts shall be made available for the benefit of Native Hawaiians.
  • The Department of Health and Human Services (HHS) issued an “Artificial Intelligence (AI)” that establishes an AI Council “to support AI governance, strategy execution, and development of strategic AI priorities across the enterprise…[and] has complementary objectives to:”
    • Communicate and champion the Department’s AI vision and ambition
    • Execute and govern the implementation of the enterprise AI strategy and key strategic priorities to scale AI across the Department
    • HHS further explained:
      • To achieve HHS’s ambition, this enterprise AI strategy will set forth an approach and focus areas intended to encourage and enable Department-wide familiarity, comfort, and fluency with AI technology and its potential (AI adoption), the application of best practices and lessons learned from piloting and implementing AI capabilities to additional domains and use cases across HHS (AI scaling), and increased speed at which HHS adopts and scales AI (AI acceleration).
      • Ultimately, this strategy is the first step towards transforming HHS into an AI fueled enterprise. This strategy lays the foundation upon which the AI Council can use to drive change across the Department by encouraging the application of AI to promote advances in the sciences, public health, and social services—improving the quality of life for all Americans.
  • The New York State Department of Financial Services (NYDFS) issued “a new Cyber Insurance Risk Framework…[that] outlines industry best practices for New York-regulated property/casualty insurers that write cyber insurance to effectively manage their cyber insurance risk.” The NYDFS claimed the framework “is the first guidance by a U.S. regulator on cyber insurance” in its press release. NYDFS asserted:
    • The Framework is a result of DFS’s ongoing dialogue with the insurance industry and experts on cyber insurance, including meetings with insurers, insurance producers, cyber experts, and insurance regulators across the U.S. and Europe.  Building on DFS’s longstanding work fostering a strong and resilient insurance market that protects New Yorkers, the Framework furthers DFS’s commitment to improving cybersecurity for consumers and the industry.  DFS’s first-in-the-nation Cybersecurity Regulation took effect in March 2017.  In 2019, DFS was also the first financial services regulator to create a Cybersecurity Division to oversee all aspects of its cybersecurity regulation and policy.
    • The NYDFS claimed:
      • The growing risk makes cyber insurance protection more important than ever, while at the same time creating new challenges for insurers managing that risk.  DFS advises New York-regulated property/casualty insurers offering cyber insurance to establish a formal strategy for measuring cyber insurance risk that is directed and approved by its board or other governing entity.  The strategy should be proportionate with each insurer’s risk based on the insurer’s size, resources, geographic distribution, and other factors. Insurers are encouraged to incorporate the following best practices into their risk strategy:
        • Manage and eliminate exposure to “silent” cyber insurance risk, which results from an insurer’s obligation to cover loss from a cyber incident under a policy that does not explicitly mention cyber incidents;
        • Evaluate systemic risk, including the impact of catastrophic cyber events on third party service providers like the recently discovered SolarWinds supply chain attack;
        • Rigorously measure insured risk by using a data-driven approach to assess potential gaps and vulnerabilities in insureds’ cybersecurity;
        • Educate insureds and insurance producers about the value of cybersecurity measures and the need for, benefits of, and limitations to cyber insurance;
        • Obtain cybersecurity expertise through strategic recruiting and hiring practices; and
        • Require notice to law enforcement in the event of a cyber attack.
  • The National Counterintelligence and Security Center (NCSC) published a fact sheet titled “China’s Collection Of Genomic And Other Healthcare Data From America: Risks To Privacy And U.S. Economic And National Security.” The NCSC stated:
    • Would you want your DNA or other healthcare data going to an authoritarian regime with a record of exploiting DNA for repression and surveillance? For years, the People’s Republic of China (PRC) has collected large healthcare data sets from the U.S. and nations around the globe, through both legal and illegal means, for purposes only it can control. While no one begrudges a nation conducting research to improve medical treatments, the PRC’s mass collection of DNA at home has helped it carry out human rights abuses against domestic minority groups and support state surveillance. The PRC’s collection of healthcare data from America poses equally serious risks, not only to the privacy of Americans, but also to the economic and national security of the U.S.
    • The NCSC identified the “Implications for Privacy and U.S. National Security:”
      • China’s access to U.S. healthcare and genomic data poses serious privacy and national security risks to the U.S.
        • Through its cyber intrusions in recent years, the PRC has already obtained the Personal Identifying Information (PII) of much of the U.S. population.
        • Recent breaches attributed to the PRC government or to cyber actors based in China include the theft of personnel records of roughly 21 million individuals from the U.S. Office of Personnel Management; the theft from Marriott hotels of roughly 400 million records; the theft of data from Equifax on roughly 145 million people; and the theft of data from Anthem on roughly 78 million people.
      • Furthermore, under the PRC’s national security laws, Chinese companies are compelled to share data they have collected with the PRC government. Article 7 of China’s 2017 National Intelligence Law, for instance, mandates that all Chinese companies and citizens shall support, assist, and cooperate with Chinese national intelligence efforts, and guard the secrecy of any national intelligence work that they are aware of. There is no mechanism for Chinese companies to refuse their government’s requests for data.
      • The combination of stolen PII, personal health information, and large genomic data sets collected from abroad affords the PRC vast opportunities to precisely target individuals in foreign governments, private industries, or other sectors for potential surveillance, manipulation, or extortion.
        • For instance, vulnerabilities in specific individuals revealed by genomic data or health records could be used to help target these individuals. Data associated with an embarrassing addiction or mental illness could be leveraged for blackmail. Combine this information with stolen credit data indicating bankruptcy or major debt and the tools for exerting leverage increase. Such data sets could help the PRC not only recruit individuals abroad, but also act against foreign dissidents.
    • The NCSC also named the “Economic Implications for the United States:”
      • Aside from these immediate privacy risks, China’s access to U.S. health and genomic data poses long-term economic challenges for the United States.
      • The PRC’s acquisition of U.S. healthcare data is helping to fuel China’s Artificial Intelligence and precision medicine industries, while the PRC severely restricts U.S. and other foreign access to such data from China, putting America’s roughly $100 billion biotech industry at a disadvantage.
      • Over time, this dynamic could allow China to outpace U.S. biotech firms with important new drugs and health treatments and potentially displace American firms as global biotech leaders.
      • Although new medicines coming out of China could benefit U.S. patients, America could be left more dependent on Chinese innovation and drug development for its cures, leading to a transfer of wealth, co-opting of new businesses and greater job opportunities in China.
  • The New York University Stern Center for Business and Human Rights (Center) issued a report titled “False Accusation: The Unfounded Claim that Social Media Companies Censor Conservatives” that concludes “[e]ven anecdotal evidence of supposed bias tends to crumble under close examination.” The Center stated:
    • Conservatives commonly accuse the major social media companies of censoring the political right. In response to Twitter’s decision on January 8, 2021, to exclude him from the platform, then-President Donald Trump accused the company of “banning free speech” in coordination with “the Democrats and Radical Left.”
    • This accusation—that social media platforms suppress conservatives—riles a Republican base that has long distrusted the mainstream media and is prone to seeing public events as being shaped by murky liberal plots. On a policy level, the bias claim serves as a basis for Republican attacks on Section 230 of the Communications Decency Act, the federal law that protects platforms from liability associated with user posts and content moderation decisions.
    • But the claim of anti-conservative animus is itself a form of disinformation: a falsehood with no reliable evidence to support it. No trustworthy large-scale studies have determined that conservative content is being removed for ideological reasons or that searches are being manipulated to favor liberal interests.
    • The Center offered these recommendations:
      • For the social media industry:
        • 1) Provide greater disclosure for content moderation actions. The platforms should give an easily understood explanation every time they sanction a post or account, as well as a readily available means to appeal enforcement actions. Greater transparency—such as that which Twitter and Facebook offered when they took action against President Trump in January—would help to defuse claims of political bias, while clarifying the boundaries of acceptable user conduct.
        • 2) Offer users a choice among content moderation algorithms. Users would have greater agency if they were offered a menu of choices among algorithms. Under this system, each user would be given the option of retaining the existing moderation algorithm or choosing one that screens out harmful content more vigorously. The latter option also would provide enhanced engagement by human moderators operating under more restrictive policies. If users had the ability to select from among several systems, they would be empowered to choose an algorithm that reflects their values and preferences.
        • 3) Undertake more vigorous, targeted human moderation of influential accounts. To avoid high-profile moderation mistakes, the platforms should significantly increase the number of full-time employees working directly for them who would help to create a more rigorous human-led moderation channel for the most influential accounts. To supervise this and other important issues related to policing content, we recommend that the platforms each hire a senior executive—a content overseer—who reports directly to the CEO or COO.
        • 4) Release more data for researchers. More granular disclosure would allow academics and civil society researchers to identify enforcement patterns, such as whether content is being removed for ideological reasons. This greater transparency should include the nature of any content that is removed, the particular rule(s) a post violated, how the platform became aware of noncompliance (user report versus algorithmic moderation), and how any appeals were resolved.
      • For the Biden administration:
        • 5) Pursue a constructive reform agenda for social media. This will require the federal government to press Facebook, Google, and Twitter to improve content policies and their enforcement, even as the government pursues pending antitrust lawsuits against Facebook and Google. The industry, for its part, must strive with urgency to do a better job of protecting users and society at large from harmful content—progress that can’t wait for the resolution of what might be years-long antitrust court battles.
        • 6) Work with Congress to update Section 230. The controversial law should be amended so that its liability shield is conditional, based on social media companies’ acceptance of a range of new responsibilities related to policing content. One of the new platform obligations could be ensuring that algorithms involved in content ranking and recommendation not favor sensationalistic or unreliable material in pursuit of user engagement.
        • 7) Create a new Digital Regulatory Agency. The false claim of anti-conservative bias has contributed to widespread distrust of the platforms’ willingness and ability to govern their sites. A new independent authority, charged with enforcing the responsibilities of a revised Section 230, could begin to rebuild that eroded trust. As an alternative, expanded jurisdiction and funding for social media oversight could be directed to an existing agency such as the Federal Trade Commission or Federal Communications Commission.

Coming Events

  • The House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold a hearing titled “Justice Restored: Ending Forced Arbitration and Protecting Fundamental Rights” on 11 February.
  • The Federal Communications Commission’s (FCC) acting Chair Jessica Rosenworcel will hold a virtual Roundtable on Emergency Broadband Benefit Program on 12 February, “a new program that would enable eligible households to receive a discount on the cost of broadband service and certain connected devices during the COVID-19 pandemic.” The FCC also noted “[i]n the Consolidated Appropriations Act of 2021, Congress appropriated $3.2 billion” for the program.
  • On 17 February, the Federal Communications Commission (FCC) will hold an open meeting, its first under acting Chair Jessica Rosenworcel, with this tentative agenda:
    • Presentation on the Emergency Broadband Benefit Program. The Commission will hear a presentation on the creation of an Emergency Broadband Benefit Program. Congress charged the FCC with developing a new $3.2 billion program to help Americans who are struggling to pay for internet service during the pandemic.
    • Presentation on COVID-19 Telehealth Program. The Commission will hear a presentation about the next steps for the agency’s COVID-19 Telehealth program. Congress recently provided an additional $249.95 million to support the FCC’s efforts to expand connected care throughout the country and help more patients receive health care safely.
    • Presentation on Improving Broadband Mapping Data. The Commission will hear a presentation on the work the agency is doing to improve its broadband maps. Congress directly appropriated $65 million to help the agency develop better data for improved maps.
    • Addressing 911 Fee Diversion. The Commission will consider a Notice of Proposed Rulemaking that would implement section 902 of the Don’t Break Up the T-Band Act of 2020, which requires the Commission to take action to help address the diversion of 911 fees by states and other jurisdictions for purposes unrelated to 911. (PS Docket Nos. 20-291, 09-14)
    • Implementing the Secure and Trusted Communications Networks Act. The Commission will consider a Third Further Notice of Proposed Rulemaking that proposes to modify FCC rules consistent with changes that were made to the Secure and Trusted Communications Networks Act in the Consolidated Appropriations Act, 2021. (WC Docket No. 18-89)
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


Further Reading, Other Developments, and Coming Events (10 February 2021)

Further Reading

  • “A Hacker Tried to Poison a Florida City’s Water Supply, Officials Say” By Andy Greenberg — WIRED. Given the fact that most water and sewage systems are linked to the internet, even their operational systems, it is surprising these sorts of incidents do not occur more frequently.
  • “UK regulator to write to WhatsApp over Facebook data sharing” By Alex Hern — The Guardian. The United Kingdom’s (UK) Information Commissioner Elizabeth Denham said her agency will be pressing Facebook to keep the data of its subsidiary, WhatsApp, separate. Now that the UK has exited the European Union, it is no longer bound by the EU’s system which made Ireland’s Data Protection Commission the lead regulator on Facebook and WhatsApp. And so, WhatsApp’s 2017 commitment not to hand over user data to Facebook until it was compliant with the General Data Protection Regulation (GDPR) falls to the ICO to oversee in the UK.
  • “Telegram, Pro-Democracy Tool, Struggles Over New Fans From Far Right” By Michael Schwirtz — The New York Times. The same features that make messaging app Telegram ideal for warding off attacks by authoritarian regimes to shut down communication make the platform ideal for right-wing extremists in the United States (U.S.). Federal and state authorities may see their attempts to track and monitor domestic terrorism hit the same roadblocks that foiled Moscow and Tehran’s attempts to crack down on Telegram. The platform uses end-to-end encrypted communications and has servers all over the world.
  • “Exclusive: The end of the Maher era at Wikipedia” By Felix Salmon — Axios. The CEO who revitalized Wikimedia is leaving the organization stronger than she found it.
  • “After Defending Its Low-Cost Internet Offering, Comcast Agrees To Increase Speeds” By Caroline O’Donovan — BuzzFeed News. The bad publicity seems to have worked on Comcast as the company is now meeting most of the demands of activists, students, and officials by increasing the speed of its low cost broadband option. Comcast said the changes will take effect on 1 March.

Other Developments

  • The Federal Communications Commission (FCC) announced that it is “seeking comment on several petitions requesting permission to use E-Rate program funds to support remote learning during the pandemic.” Comments are due by 16 February and reply comments are due by 23 February. The FCC explained:
    • Today’s Public Notice from the FCC’s Wireline Competition Bureau highlights three petitions that cover the bulk of issues presented in other petitions filed with the Commission.  These include petitions filed by a coalition of E-Rate stakeholders led by the Schools, Health & Libraries Broadband (SHLB) Coalition; a petition filed on behalf of the State of Colorado; and a petition filed by the State of Nevada, Nevada Board of Education and Nevada Department of Education. 
    • The FCC noted:
      • The E-Rate program was authorized by Congress as part of the Telecommunications Act of 1996 (the Telecommunications Act), and created by the Commission in 1997 to, among other things, enhance, to the extent technically feasible and economically reasonable, access to advanced telecommunications and information services for all public and nonprofit elementary and secondary schools and libraries. Under the E-Rate program, eligible schools, libraries, and consortia (comprised of eligible schools and libraries) may request universal service discounts for eligible services and/or equipment (collectively, eligible services), including connections necessary to support broadband connectivity to eligible schools and libraries. Eligible services must be used “primarily for educational purposes.” In the case of schools, “educational purposes” is defined as “activities that are integral, immediate, and proximate to the education of students.” In the case of libraries, “educational purposes” is defined as activities that are “integral, immediate, and proximate to the provision of library services to library patrons.”
      • As the pandemic continues to force schools and libraries across the country to remain closed and rely on remote learning and virtual services, either in whole or in part, the need for broadband connections—particularly for those students, teachers, staff, and patrons that lack an adequate connection at home—is more critical than ever.  Eligible schools and libraries explain that they are hampered in their ability to address the connectivity needs brought on, and in many cases exacerbated, by COVID-19 because of the restrictions on off-campus use of E-Rate-funded services and facilities.   Last spring, as the COVID-19 pandemic forced schools and libraries to grapple with the challenges of transitioning to remote learning, the FCC began to receive requests for emergency relief aimed at ensuring that all students have sufficient connectivity at home.
  • The European Commission’s President appealed to the United States (U.S.) to join the European Union in jointly regulating technology. At the Davos Agenda, EC President Ursula von der Leyen made remarks, a significant portion of which focused on technological issues and the European Union’s (EU) proposals, the Digital Services Act and Digital Markets Act. It is unclear to what extent the new administration in Washington will be willing to work with the EU. Undoubtedly, the Biden Administration will interpret a number of EU policies and decisions as being implicitly aimed at the U.S. technology sector, but there may be common ground. Von der Leyen stated:
    • A year ago at Davos, we talked also intensively about digitalisation. The pandemic has massively accelerated the process. The European Union will dedicate 20% of NextGenerationEU to digital projects. To nurture innovative ecosystems, for example where universities, companies, innovators can access data and cooperate. To boost the vibrant start-up scene we have in cities like Sofia and Lisbon and to become a global hub for Artificial Intelligence. So that the 2020s can finally be Europe’s Digital Decade.
    • But for this to be a success, we must also address the darker sides of the digital world. Like for so many of us, the storming of the Capitol came as a shock to me. We are always quick to say: Democracy and values, they are part of our DNA. And that is true. But we must nurture our democracy every day, and defend our institutions against the corrosive power of hate speech, of disinformation, fake news and incitement to violence. In a world where polarising opinions are the loudest, it is a short step from crude conspiracy theories to the death of a police officer. Unfortunately, the storming of the Capitol Hill showed us just how true that is.
    • The business model of online platforms has an impact – and not only on free and fair competition, but also on our democracies, our security and on the quality of our information. That is why we need to contain this immense power of the big digital companies. Because we want the values we cherish in the offline world also to be respected online. At its most basic, this means that what is illegal offline should be illegal online too. And we want the platforms to be transparent about how their algorithms work. Because we cannot accept that decisions, that have a far-reaching impact on our democracy, are taken by computer programmes alone.
    • Right after von der Leyen addressed the unease she and others felt about the U.S. President’s freedom of expression being abridged because of a company’s rules outside of any controlling legal framework, she stated:
      • I want to invite our friends in the United States to join our initiatives. Together, we could create a digital economy rulebook that is valid worldwide: It goes from data protection and privacy to the security of critical infrastructure. A body of rules based on our values: Human rights and pluralism, inclusion and the protection of privacy. So Europe stands ready.
      • The challenges to our democracy, the pandemic, climate change – in his inauguration speech President Joe Biden so aptly spoke of a Cascade of Crises. And indeed, we face an outstanding set of challenges. But we can meet them – if we work together. That is what we all have to learn again after four long years. That it is not a sign of weakness, to reach out and help each other, but a signal of strength.
  • Consumer Reports tried to become an authorized agent under the “California Consumer Privacy Act” (CCPA) (AB 375) to make do not sell personal data requests or opt out requests. The CCPA was designed to allow California residents to use services that would handle these preferences on a global scale. In their report on the pilot program, Consumer Reports concluded:
    • Unfortunately, too many companies have made it difficult, if not impossible, for agents and consumers to submit opt-out requests. The AG should enforce companies’ compliance with the law so that the authorized agent provisions work as intended. Moreover, the AG should promulgate additional common-sense rules to make sure that opt outs are simple and effective, even when submitted by an authorized agent.
    • Consumer Reports made these recommendations:
      • The AG should hold companies accountable when they violate the law. The AG needs to hold companies accountable for failure to comply with the CCPA’s authorized agent provisions. Without a viable authorized agent option, consumers could be left to navigate complicated processes or interfaces in order to exercise their California privacy rights themselves. Enforcement will help ensure that companies work harder to make sure that they have appropriate agent flows. The AG should also step in when customer service isn’t effective, and should consider directing enforcement resources to encourage better training in this area.
      • The AG should clarify that data shared for cross-context targeted advertising is a sale, and tighten the restrictions on service providers. Many companies have exploited ambiguities in the definition of sale and the rules surrounding service providers to ignore consumers’ requests to opt out of behavioral advertising. While the newly-passed California Privacy Rights Act will largely address these loopholes, these provisions will not go into effect until January 1, 2023. Thus, the AG should exercise its broad authority to issue rules to clarify that the transfer of data between unrelated companies for any commercial purpose falls under the definition of sale. Another common way for companies to avoid honoring consumers’ right to opt out of behavioral advertising is by claiming a service provider exemption. For example, the Interactive Advertising Bureau (IAB), a trade group that represents the ad tech industry, developed a framework for companies to evade the opt out by abusing a provision in the CCPA meant to permit a company to perform certain limited services on its behalf. To address this problem, the AG should clarify that companies cannot transfer data to service providers for behavioral advertising if the consumer has opted out of sale.
      • The AG should prohibit dark patterns as outlined in the Third Set of Proposed Modifications. We appreciate that the AG has proposed to “require minimal steps to allow the consumer to opt-out” and to prohibit dark patterns, “a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to opt-out[,]” in the Third Set of Proposed Modifications to the CCPA Regulations. This proposal should be finalized as quickly as possible. This is essential, given the difficulties that authorized agents and consumers have experienced in attempting to stop the sale of their information, as demonstrated in the study.
      • The AG should require companies to notify agents when the opt-out request has been received and when it has been honored. Too often, the company provided no information on whether or not the opt-out request had been honored. While the CCPA rules require companies to notify consumers if an opt-out request has been rejected, there is no requirement to provide notice of receipt, or notice of confirmation—nor is there guidance on how to respond to opt-out requests when the company does not possess the consumer’s data. The authorized agent was, in some cases, unable to explain to the consumer whether or not the opt-out process had been completed. To ensure that the authorized agent service is effective, companies must be required to provide notification upon receipt and completion of the opt-out request. Required notification is also important for compliance purposes. For example, the regulations require companies to comply with opt outs within 15 business days. Without providing adequate notification, there’s no way to judge whether or not the company has honored the law and to hold them accountable if not. Further, if the company does sell consumers’ personal information, but does not have personal information about the consumer who is the subject of the request, the company should be required to notify the agent that the request has been received, and that the company will honor the opt out if and when they do collect the consumer’s data. In the case of an agent opt out, the notification should go to the agent. Otherwise, the consumer could end up getting emails from hundreds, if not thousands, of different companies.
      • The AG should clarify that if an agent inadvertently submits a request incorrectly, the company should either accept it or inform the agent how to submit it appropriately. The regulations provide helpful guidance with respect to consumer access and deletion requests, which ensures that even if a consumer inadvertently submits a request incorrectly, there is a process in place to help them submit it properly. If a consumer submits a request in a manner that is not one of the designated methods of submission, or is deficient in some manner unrelated to the verification process, the business shall either: (1) Treat the request as if it had been submitted in accordance with the business’s designated manner, or (2) Provide the consumer with information on how to submit the request or remedy any deficiencies with the request, if applicable. The AG should clarify that this guidance applies to all authorized agent-submitted requests as well.
  • The Government Accountability Office (GAO) assessed the Department of Defense’s (DOD) efforts to transition to a more secure version of the Global Positioning System (GPS), an initiative that dates back to the administration of former President George W. Bush. The GAO stated “due to the complexity of the technology, M-code remains years away from being widely fielded across DOD. M-code-capable receiver equipment includes different components, and the development and manufacture of each is key to the modernization effort. These include:
    • special M-code application-specific integrated circuit chips,
    • special M-code receiver cards, being developed under the Air Force Military GPS User Equipment (MGUE) programs, and
    • the next generation of GPS receivers capable of using M-code signals from GPS satellites.
    • The GAO added:
      • DOD will need to integrate all of these components into different types of weapon systems… Integration across DOD will be a considerable effort involving hundreds of different weapon systems, including some with complex and unique integration needs or configurations.
    • The GAO further asserted:
      • The Air Force is almost finished—approximately one year behind schedule—developing and testing one M-code card for testing on the Marine Corps Joint Light Tactical Vehicle and the Army Stryker vehicle. However, one card intended for use in aircraft and ships is significantly delayed and missed key program deadlines. The Air Force is revising its schedule for testing this card.
      • The M-code card development delays have had ripple effects on GPS receiver modernization efforts and the weapon systems that intend to use them.
  • The advocate whose cases brought down both the Safe Harbor and Privacy Shield agreements between the United States (U.S.) and European Union (EU) announced that Ireland’s Data Protection Commission (DPC) has agreed to finally decide on the legality of Facebook’s data transfers to the U.S. that gave rise to both lawsuits. In a press release, none of your business (noyb). Last fall, noyb announced “[t]he Irish High Court has granted leave for a “Judicial Review” against the Irish DPC today…[and] [t]he legal action by noyb aims to swiftly implement the [Court of Justice for the European Union (CJEU)] Decision prohibiting Facebook’s” transfer of personal data from the European Union to the United States (U.S.). In September 2020, after the DPC directed Facebook to stop transferring the personal data of European Union citizens to the U.S., the company filed suit in Ireland’s court to stop enforcement of the order and succeeded in staying the matter until the court rules on the merits of the challenge.
    • In explaining the most recent development, noyb further asserted:
      • The DPC has agreed with Max Schrems’ demand to swiftly end a 7.5 year battle over EU-US data transfers by Facebook and come to a decision on Facebook’s EU-US data flows. This only came after a Judicial Review against the DPC was filed by Mr Schrems. The case would have been heard by the Irish High Court today.
      • New “own volition” procedure blocked pending complaint from 2013. The Irish DPC oversees the European operations of Facebook. In Summer 2020 the European Court of Justice (CJEU) ruled on a complaint by Mr Schrems that had been pending since 2013 and came before the CJEU for the second time (“Schrems II”): Under the CJEU judgment the DPC must stop Facebook’s EU-US data flows over extreme US Surveillance Laws (like FISA 702). Instead of implementing this ruling, the DPC started a new “own volition” case and paused the original procedure for an indefinite time. Mr Schrems and Facebook brought two Judicial Review procedures against the DPC: While Facebook argued in December that the “own volition” procedure should not go ahead, Mr Schrems argued that his complaints procedure should be heard independently of the “own volition” case.
      • Walls are closing in on Facebook’s EU-US data transfers. The DPC has now settled the second Judicial Review with Mr Schrems just a day before the hearing was to take place, and pledged to finalize his complaints procedure swiftly.
      • As part of the settlement, Mr Schrems will also be heard in the “own volition” procedure and get access to all submissions made by Facebook, should the Court allow the “own volition” investigation to go ahead. Mr Schrems and the DPC further agreed that the case will be dealt with under the GDPR, not the Irish Data Protection Act that was applicable before 2018. The DPC may await the High Court judgement in Facebook’s Judicial Review before investigating the original complaint.
      • This agreement could in essence make the original complaints procedure from 2013 the case that ultimately determines the destiny of Facebook’s EU-US transfers in the wake of the Snowden disclosures. Under the GDPR the DPC has every liberty to issue fines of up to 4% of Facebook’s global turnover and transfer prohibitions, even on the basis of this individual case.
  • The Information Technology Industry Council (ITI), BSA | The Software Alliance, Internet Association, Computer and Communications Industry Association, and the National Foreign Trade Council made recommendations to the Biden Administration on technology policy and asserted in their press release:
    • Prioritize strategic engagement with U.S. trading partners by ensuring continued protected transatlantic data flows, establishing a U.S.-EU Trade & Technology Council, engaging China through prioritization of digital and technology issues, broadening U.S. engagement and leadership in the Asia-Pacific region, addressing key barriers to digital trade with India, and providing capacity building assistance to the African Union;
    • Promote U.S. competitiveness through leadership on digital trade by countering unilateral, targeted digital taxes, building acceptance of state-of-the-art digital trade commitments, promoting workforce development initiatives globally, and more; and
    • Reassert U.S. multilateral leadership by strengthening and leveraging engagement in global fora such as the WTO, OECD, United Nations, G20, G7, APEC, and others, and by expanding existing plurilateral trade agreements.
  • A group of civil rights organizations and public interest organizations issued “Civil Rights, Privacy, and Technology: Recommended 2021 Oversight Priorities for the 117th Congress” that builds upon the October 2020 Civil Rights Principles for the Era of Big Data. These groups stated:
    • The 117th Congress must take action to ensure that technology serves all people in the United States, rather than facilitating discrimination or reinforcing existing inequities.
    • They cited the following areas of policy that need to be addressed:
      • Broadband Internet
      • Democracy: Voting, the Census, and Hateful Content Online
      • Policing and Justice
      • Immigration Surveillance Technology
      • Commercial Data Practices and Privacy
      • Workers, Labor, and Hiring
  • The United Kingdom’s (UK) Information Commissioner Elizabeth Denham sketched out how she is approaching her final year in office in a blog post. Denham stated:
    • The ICO’s immediate focus remains supporting organisations through the impacts of COVID 19. We have prioritised providing advice and support on data protection related aspects of the pandemic since the start, and will continue to do so, adjusting and responding to the new challenges the country will face until, well, ‘all this is finished’. That work includes protecting people’s rights, and making sure data protection is considered at the earliest stage of any innovations.
    • The Age Appropriate Design Code will start to have a real impact, as the transition period around its introduction comes to an end, and we will be working hard to support organisations to make the necessary changes to comply with the law.
    • We’ll also be focused on supporting organisations around data sharing, following the publication of our guidance last month. The guidance is accompanied by practical resources to help organisations share data in line with the law. As I discussed with the House of Lords Public Services Committee this month, data sharing is an important area of focus, and we will also be supporting broader work to encourage the necessary culture change to remove obstacles to data sharing.
    • Other support for organisations planned for this year includes guidance on political campaigning, facial recognition, and codes of conduct and certification schemes, as well as a digital version of our Data Protection Practitioners’ Conference in April. We’ll also have the latest phases of our grants scheme and sandbox programme. Both are an effective way of the ICO supporting original thinking around privacy, illustrated by the innovative data sharing projects we’ve recently worked with.
    • Our operational work will also continue, including the latest phases of our work looking at data broking, the use of sexual crime victims’ personal information, and adtech, including audits focused on digital marketing platforms.

Coming Events

  • On 10 February, the House Homeland Committee will hold a hearing titled “Homeland Cybersecurity: Assessing Cyber Threats and Building Resilience” with these witnesses:
    • Mr. Chris Krebs, Former Director, Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security
    • Ms. Sue Gordon, Former Principal Deputy Director of National Intelligence, Office of the Director of National Intelligence
    • Mr. Michael Daniel, President & CEO, Cyber Threat Alliance
    • Mr. Dmitri Alperovitch, Executive Chairman, Silverado Policy Accelerator
  • The House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold a hearing titled “Justice Restored: Ending Forced Arbitration and Protecting Fundamental Rights” on 11 February.
  • The Federal Communications Commission’s (FCC) acting Chair Jessica Rosenworcel will hold a virtual Roundtable on Emergency Broadband Benefit Program on 12 February, “a new program that would enable eligible households to receive a discount on the cost of broadband service and certain connected devices during the COVID-19 pandemic.” The FCC also noted “[i]n the Consolidated Appropriations Act of 2021, Congress appropriated $3.2 billion” for the program.
  • On 17 February, the Federal Communications Commission (FCC) will hold an open meeting, its first under acting Chair Jessica Rosenworcel, with this tentative agenda:
    • Presentation on the Emergency Broadband Benefit Program. The Commission will hear a presentation on the creation of an Emergency Broadband Benefit Program. Congress charged the FCC with developing a new $3.2 billion program to help Americans who are struggling to pay for internet service during the pandemic.
    • Presentation on COVID-19 Telehealth Program. The Commission will hear a presentation about the next steps for the agency’s COVID-19 Telehealth program. Congress recently provided an additional $249.95 million to support the FCC’s efforts to expand connected care throughout the country and help more patients receive health care safely.
    • Presentation on Improving Broadband Mapping Data. The Commission will hear a presentation on the work the agency is doing to improve its broadband maps. Congress directly appropriated $65 million to help the agency develop better data for improved maps.
    • Addressing 911 Fee Diversion. The Commission will consider a Notice of Proposed Rulemaking that would implement section 902 of the Don’t Break Up the T-Band Act of 2020, which requires the Commission to take action to help address the diversion of 911 fees by states and other jurisdictions for purposes unrelated to 911. (PS Docket Nos. 20-291, 09-14)
    • Implementing the Secure and Trusted Communications Networks Act. The Commission will consider a Third Further Notice of Proposed Rulemaking that proposes to modify FCC rules consistent with changes that were made to the Secure and Trusted Communications Networks Act in the Consolidated Appropriations Act, 2021. (WC Docket No. 18-89)
  • On 27 July 2021, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (9 February 2021)

Further Reading

  • “Why Intel’s troubles should concern us all” By Ina Fried — Axios. One of the last major American semi-conductor manufacturers is struggling to keep up with rivals, and this could be very bad for United States (U.S.) national security. Biden Administration officials have made noise signifying they understand, but we will see what action, if any, is taken. A provision in the FY 2021 National Defense Authorization Act (NDAA) could help, but it requires the Appropriations Committees to provide the funding to maintain and stimulate semi-conductor manufacturing in the U.S.
  • “Companies and foreign countries vying for your DNA” By Jon Wertheim — CBS News. This piece is a frightening view of the waterfront in the high-tech world of genealogy, which is serving as a front of sorts to collect huge DNA data sets pharmaceutical companies and others will pay billions of dollars for. There are also concerns about investors from the People’s Republic of China (PRC) in light of the country’s ambition to lead the way into biotechnologies.
  • “Brazil’s government plans 5G network separate from private market – document” By Lisandra Paraguassu — Reuters. It appears with former President Donald Trump having left office, plans in Brasilia to ban or sideline Huawei have left, too. Now the right-wing government is planning for a government 5G network in Brazil’s capital subject to high security standards that may rule out Huawei while leaving the rest of the nation’s 5G rollout to companies such as Huawei, a state of affairs Brazilian telcos might like considering that an estimated 50% of existing infrastructure is Huawei.
  • “An AI saw a cropped photo of AOC. It autocompleted her wearing a bikini.” By Karen Hao — MIT Technology Review. Unsupervised learning algorithms are a new means by which algorithms are educated. Normally, algorithms are fed information, and with respect to images, researchers feed them an image along with its name. But unsupervised learning algorithms are let loose on the internet to learn, so it should not be surprising the toxicity of online life is absorbed. Consequently, an autocomplete function with a headshot of a man puts him in a suit whereas the headshot of a woman will be “completed” with a low-cut top or a bikini.
  • “How the US Lost to Hackers” By Nicole Perlroth — The New York Times. This piece makes the point that the United States’ (U.S.) relentless focus on offensive cyber operations is now costing the nation as Russian, Chinese, Iranian, and other hackers are pillaging U.S. systems and assets. Defensive capabilities were always a stepchild, and this has left the U.S. vulnerable. A paradigm shift is needed across the U.S. because a number of other nations are every bit as good as the U.S. is.

Other Developments

  • Maryland may be on the verge of enacting the first tax in the United States (U.S.) on digital advertising. The Democratic majorities in the state Senate and House of Delegates seem poised to override the Maryland governor’s veto. The “Taxation – Tobacco Tax, Sales and Use Tax, and Digital Advertising Gross Revenues Tax” (HB0732) would impose a tax on digital advertising in the state and may be outside a federal bar on certain taxes on internet services. However, if the veto is overridden, there will inevitably be challenges, and quite likely a push in Congress to enact a federal law preempting such digital taxes. Additionally, the primary sponsor of the legislation has introduced another bill barring companies from passing along the costs of the tax to Maryland businesses and consumers.
    • In a bill analysis, the legislature asserted about HB0732:
      • The bill imposes a tax on the annual gross revenues of a person derived from digital advertising services in the State. The bill provides for the filing of the tax returns and making tax payments. The part of the annual gross revenues of a person derived from digital advertising services in the State are to be determined using an apportionment fraction based on the annual gross revenues of a person derived from digital advertising services in the State and the annual gross revenues of a person derived from digital advertising services in the United States. The Comptroller must adopt regulations that determine the state from which revenues from digital advertising services are derived.
      • The digital advertising gross revenues tax is imposed at the following rates:
        • 2.5% of the assessable base for a person with global annual gross revenues of $100.0 million through $1.0 billion;
        • 5% of the assessable base for a person with global annual gross revenues of $1.0 billion through $5.0 billion;
        • 7.5% of the assessable base for a person with global annual gross revenues of $5.0 billion through $15.0 billion; and
        • 10% of the assessable base for a person with global annual gross revenues exceeding $15.0 billion.
    • In his analysis, Maryland’s Attorney General explained:
      • House Bill 732 would enact a new “digital advertising gross revenues tax.” The tax would be “imposed on annual gross revenues of a person derived from digital advertising services in the State.” Digital advertising services are defined in the bill to include “advertisement services on a digital interface, including advertisements in the form of banner advertising, search engine advertising, interstitial advertising, and other comparable advertising services.” The annual gross revenues derived from digital advertising services is set out in a formula in the bill.
      • Attorney General Brian Frosh conceded there will be legal challenges to the new Maryland tax: there are “three grounds on which there is some risk that a reviewing court would find that the tax is unconstitutional: (1) preemption under the federal Internet Tax Freedom Act; (2) the Commerce Clause; and, (3) the First Amendment.”
    • Governor Larry Hogan (R) vetoed the bill in May along with others, asserting:
      • These misguided bills would raise taxes and fees on Marylanders at a time when many are already out of work and financially struggling. With our state in the midst of a global pandemic and economic crash, and just beginning on our road to recovery, it would be unconscionable to raise taxes and fees now. To do so would further add to the very heavy burden that our citizens are already facing.
    • As mentioned, a follow-on bill has been introduced to ensure the digital advertising tax will not result in higher costs for Maryland businesses and residents. The “Digital Advertising Gross Revenues Tax – Exemption and Restriction” (SB0787) provides:
      • A person who derives gross revenues from digital advertising services in the state may not directly pass on the cost of the tax imposed under this section to a customer who purchases the digital advertising services by means of a separate fee, surcharge, or line-item.
      • However, the news media would be exempted from the digital advertising tax in this bill.
  • The chair and subcommittee chairs of the House Energy and Commerce Committee wrote Facebook, Twitter, and Google “as part of their ongoing investigation into tech companies’ handling of the COVID-19 pandemic in response to reports that COVID-19 vaccine misinformation is escalating on their platforms” per the press release. Chair Frank Pallone, Jr. (D-NJ), Health Subcommittee Chair Anna G. Eshoo (D-CA), Oversight and Investigations Subcommittee Chair Diana DeGette (D-CO), Communications and Technology Subcommittee Chair Mike Doyle (D-PA), and Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL) noted the letters “are a follow-up to letters they sent to the same companies in July, expressing deep concern regarding the rampant rise of COVID-19 disinformation more generally.” They argued:
    • These COVID-19 vaccines and others in development present hope in turning the deadly tide of the last year and can be a powerful tool in our efforts to contain the pandemic—but only if the public has confidence in them. Thus, it is imperative that [Facebook, Twitter, and Google] stop[] the spread of false or misleading information about coronavirus vaccines on its platform. False and misleading information is dangerous, and if relied on by the public to make critical health choices, it could result in the loss of human life.
    • They posed the following questions:
      • Details of all actions the companies have taken to limit false or misleading COVID-19 vaccine misinformation or disinformation on their platforms;
      • Descriptions of all policy changes the companies have implemented to stop the spread of false or misleading COVID-19 vaccine misinformation, and how the companies are measuring the effectiveness of each such policy change;
      • Whether the companies have used information labels or other types of notifications to alert users about COVID-19 vaccine misinformation or disinformation, and if so, the date(s) it first began implementing labels or notifications and how the companies are measuring its effectiveness;
      • Details about the five common targeted advertisements that appear alongside COVID-19 vaccine misinformation or disinformation on the platforms;
      • Details on the companies’ COVID-19 vaccine misinformation and disinformation enforcement efforts; and
      • Whether the companies have coordinated any actions or activities with other online platforms related to COVID-19 vaccine misinformation or disinformation.
  • Graphika released a report on fake social media activity that seems to be advocating for Huawei and against the Belgian government’s proposed ban of the Chinese company in its 5G networks. Graphika asserted the following:
    • A cluster of inauthentic accounts on Twitter amplified, and sometimes created, articles that attacked the Belgian government’s recent plans to limit the access of “high-risk” suppliers to its 5G network. The plans are reportedly designed to limit the influence of Chinese firms, notably Huawei and ZTE. 
    • The operation appears to have been limited to Twitter, and it did not gain substantial traction: other than a systematic amplification by the real accounts of Huawei executives in Western Europe, its main amplification came from bots with zero followers. 
    • As so often in recent influence operations, the accounts used profile pictures created by artificial intelligence. 
    • There is insufficient forensic evidence to prove conclusively who was running the fake accounts, or who sponsored the operation.
  • One of the dueling groups convened at the United Nations (UN) to address information and communications technologies (ICTs) issues and problems has issued a draft report and related materials. The group backed by the Russian Federation, People’s Republic of China (PRC), and other nations, the Open-Ended Working Group (OEWG), has issued its Zero Draft, which details its discussions, findings, and recommendations. The OEWG is working alongside the United States-led Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security, which is expected to finish its work in May 2021. The OEWG also made available the following:
    • In a 2018 U.N. press release, it was explained that two resolutions would create groups “aimed at shaping norm-setting guidelines for States to ensure responsible conduct in cyberspace:”
      • the draft resolution “Developments in the field of information and telecommunications in the context of international security” (document A/C.1/73/L.27.Rev.1), tabled by the Russian Federation.  By the text, the Assembly would decide to convene in 2019 an open-ended working group acting on a consensus basis to further develop the rules, norms and principles of responsible behaviour of States.
      • the draft resolution “Advancing Responsible State Behaviour in Cyberspace in the Context of International Security” (document A/C.1/73/L.37), tabled by the United States…[that] would request the Secretary-General, with the assistance of a group of governmental experts to be established in 2019, to continue to study possible cooperative measures to address existing and potential threats in the sphere of information security, including norms, rules and principles of responsible behaviour of States.
      • The U.N. noted that “[s]everal speakers pointed out that language in [the Russian proposal] departed from previous year’s versions and included excerpts from the Group of Governmental Experts reports in a manner that distorted their meaning and transformed the draft resolution.” The U.N. also acknowledged that “some delegates said [the U.S. proposal] called for the establishment of a new group of governmental experts, with the same mandate as the previous ones and the same selectivity in terms of its composition.” The U.N. added that “[m]ore broadly, while some delegates regretted to note that two separate, yet similar draft resolutions were tabled, others highlighted a need for bold, swift action to prevent cyberattacks and malicious online behaviour.”
    • In the 2018 resolution offered by Russia, an OEWG was convened “with a view to making the United Nations negotiation process on security in the use of information and communications technologies more democratic, inclusive and transparent…and to further develop the rules, norms and principles of responsible behaviour of States” from previous UN-sponsored efforts. The OEWG was further tasked with examining “the ways for their implementation; if necessary, to introduce changes to them or elaborate additional rules of behaviour; to study the possibility of establishing regular institutional dialogue with broad participation under the auspices of the United Nations; and to continue to study, with a view to promoting common understandings, existing and potential threats in the sphere of information security and possible cooperative measures to address them and how international law applies to the use of information and communications technologies by States, as well as confidence-building measures and capacity-building and the concepts.” The OEWG is charged with submitting “a report on the results of the study to the General Assembly at its seventy-fifth session, and to provide the possibility of holding, from within voluntary contributions, intersessional consultative meetings with the interested parties, namely business, non-governmental organizations and academia, to share views on the issues within the group’s mandate.”
  • The United States (U.S.) Department of Justice (DOJ) “announced a coordinated international law enforcement action to disrupt a sophisticated form of ransomware known as NetWalker.” The DOJ asserted:
    • NetWalker ransomware has impacted numerous victims, including companies, municipalities, hospitals, law enforcement, emergency services, school districts, colleges, and universities. Attacks have specifically targeted the healthcare sector during the COVID-19 pandemic, taking advantage of the global crisis to extort victims.
    • The NetWalker action includes charges against a Canadian national in relation to NetWalker ransomware attacks in which tens of millions of dollars were allegedly obtained, the seizure of approximately $454,530.19 in cryptocurrency from ransom payments, and the disablement of a dark web hidden resource used to communicate with NetWalker ransomware victims.
    • According to the affidavit, once a victim’s computer network is compromised and data is encrypted, actors that deploy NetWalker deliver a file, or ransom note, to the victim. Using Tor, a computer network designed to facilitate anonymous communication over the internet, the victim is then provided with the amount of ransom demanded and instructions for payment.
    • Actors that deploy NetWalker commonly gain unauthorized access to a victim’s computer network days or weeks prior to the delivery of the ransom note. During this time, they surreptitiously elevate their privileges within the network while spreading the ransomware from workstation to workstation. They then send the ransom note only once they are satisfied that they have sufficiently infiltrated the victim’s network to extort payment, according to the affidavit.
    • According to an indictment unsealed today, Sebastien Vachon-Desjardins of Gatineau, a Canadian national, was charged in the Middle District of Florida. Vachon-Desjardins is alleged to have obtained at least over $27.6 million as a result of the offenses charged in the indictment.
    • The Justice Department further announced that on Jan. 10, law enforcement seized approximately $454,530.19 in cryptocurrency, which was comprised of ransom payments made by victims of three separate NetWalker ransomware attacks.
    • This week, authorities in Bulgaria also seized a dark web hidden resource used by NetWalker ransomware affiliates to provide payment instructions and communicate with victims. Visitors to the resource will now find a seizure banner that notifies them that it has been seized by law enforcement authorities.
  • The European Data Protection Board (EDPB) has issued guidance to European Union (EU) member states that governs transfers of personal data under Directive (EU) 2016/680 (the Law Enforcement Directive, aka the LED). This guidance flows, in significant part, from Schrems II, the case that struck down the adequacy decision on which the United States-EU Privacy Shield relied. The EDPB noted:
    • The LED “lay[s] down the specific rules with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against the prevention of threats to public security.”
    • The LED determines the grounds allowing the transfer of personal data to a third country or an international organisation in this context. One of the grounds for such transfer is the decision by the European Commission that the third country or international organisation in question ensures an adequate level of protection.
    • As specified by the CJEU, while the level of protection in the third country must be essentially equivalent to that guaranteed in the EU, ‘the means to which that third country has recourse, in this connection, for the purpose of such a level of protection may differ from those employed within the European Union’ but ‘those means must nevertheless prove, in practice, effective’. The adequacy standard therefore does not require to mirror point by point the EU legislation, but to establish the essential-core requirements of that legislation.
  • Canada’s federal and provincial privacy officials asserted in a statement “that [Clearview AI] violated federal and provincial privacy laws.” Clearview AI is an American firm that assembled much of its database by scraping photos from public-facing websites, a practice that has left many privacy stakeholders uncomfortable. In a sense these findings are moot, for in summer 2020, shortly after this investigation was launched, Clearview AI announced it would no longer offer its facial recognition technology in Canada. However, a separate federal investigation of whether the Royal Canadian Mounted Police’s use of Clearview AI’s services violated Canadian law is ongoing. The Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Office of the Information and Privacy Commissioner for British Columbia and the Office of the Information and Privacy Commissioner of Alberta claimed:
    • Clearview AI’s technology allowed law enforcement and commercial organizations to match photographs of unknown people against the company’s databank of more than 3 billion images, including of Canadians and children, for investigation purposes. Commissioners found that this creates the risk of significant harm to individuals, the vast majority of whom have never been and will never be implicated in a crime.
    • The investigation found that Clearview had collected highly sensitive biometric information without the knowledge or consent of individuals. Furthermore, Clearview collected, used and disclosed Canadians’ personal information for inappropriate purposes, which cannot be rendered appropriate via consent.
    • When presented with the investigative findings, Clearview argued that:
      • Canadian privacy laws do not apply to its activities because the company does not have a “real and substantial connection” to Canada;
      • Consent was not required because the information was publicly available;
      • Individuals who placed or permitted their images to be placed on websites that were scraped did not have substantial privacy concerns justifying an infringement of the company’s freedom of expression;
      • Given the significant potential benefit of Clearview’s services to law enforcement and national security and the fact that significant harm is unlikely to occur for individuals, the balancing of privacy rights and Clearview’s business needs favoured the company’s entirely appropriate purposes; and
      • Clearview cannot be held responsible for offering services to law enforcement or any other entity that subsequently makes an error in its assessment of the person being investigated.
    • Commissioners rejected these arguments. They were particularly concerned that the organization did not recognize that the mass collection of biometric information from billions of people, without express consent, violated the reasonable expectation of privacy of individuals and that the company was of the view that its business interests outweighed privacy rights.
    • On the applicability of Canadian laws, they noted that Clearview collected the images of Canadians and actively marketed its services to law enforcement agencies in Canada. The RCMP became a paying customer and a total of 48 accounts were created for law enforcement and other organizations across the country.
    • The investigation also noted the potential risks to individuals whose images were captured and included in Clearview’s biometric database.  These potential harms include the risk of misidentification and exposure to potential data breaches.

Coming Events

  • On 10 February, the House Homeland Committee will hold a hearing titled “Homeland Cybersecurity: Assessing Cyber Threats and Building Resilience” with these witnesses:
    • Mr. Chris Krebs, Former Director, Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security
    • Ms. Sue Gordon, Former Principal Deputy Director of National Intelligence, Office of the Director of National Intelligence
    • Mr. Michael Daniel, President & CEO, Cyber Threat Alliance
    • Mr. Dmitri Alperovitch, Executive Chairman, Silverado Policy Accelerator
  • The House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold a hearing titled “Justice Restored: Ending Forced Arbitration and Protecting Fundamental Rights.”
  • The Federal Communications Commission’s (FCC) acting Chair Jessica Rosenworcel will hold a virtual Roundtable on Emergency Broadband Benefit Program on 12 February, “a new program that would enable eligible households to receive a discount on the cost of broadband service and certain connected devices during the COVID-19 pandemic.” The FCC also noted “[i]n the Consolidated Appropriations Act of 2021, Congress appropriated $3.2 billion” for the program.
  • On 17 February, the Federal Communications Commission (FCC) will hold an open meeting, its first under acting Chair Jessica Rosenworcel, with this tentative agenda:
    • Presentation on the Emergency Broadband Benefit Program. The Commission will hear a presentation on the creation of an Emergency Broadband Benefit Program. Congress charged the FCC with developing a new $3.2 billion program to help Americans who are struggling to pay for internet service during the pandemic.
    • Presentation on COVID-19 Telehealth Program. The Commission will hear a presentation about the next steps for the agency’s COVID-19 Telehealth program. Congress recently provided an additional $249.95 million to support the FCC’s efforts to expand connected care throughout the country and help more patients receive health care safely.
    • Presentation on Improving Broadband Mapping Data. The Commission will hear a presentation on the work the agency is doing to improve its broadband maps. Congress directly appropriated $65 million to help the agency develop better data for improved maps.
    • Addressing 911 Fee Diversion. The Commission will consider a Notice of Proposed Rulemaking that would implement section 902 of the Don’t Break Up the T-Band Act of 2020, which requires the Commission to take action to help address the diversion of 911 fees by states and other jurisdictions for purposes unrelated to 911. (PS Docket Nos. 20-291, 09-14)
    • Implementing the Secure and Trusted Communications Networks Act. The Commission will consider a Third Further Notice of Proposed Rulemaking that proposes to modify FCC rules consistent with changes that were made to the Secure and Trusted Communications Networks Act in the Consolidated Appropriations Act, 2021. (WC Docket No. 18-89)
  • On 27 July 2021, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (8 February 2021)

Further Reading

  • “‘A kiss of death’: Top GOP tech critics are personae non gratae after election challenge” By Cristiano Lima — Politico. I take these articles with a block of salt, not least of which because many inside the Beltway articles lack perspective and a sense of history. For sure, in the short term the Josh Hawleys and Ted Cruzes of the world are radioactive to Democrats, but months down the road things will look different, especially if Democrats need votes or allies in the Senate. For example, former Senator David Vitter’s (R-LA) interesting activities with prostitutes made him radioactive for some time and then all was forgotten because he held a valuable currency: a vote.
  • “I Talked to the Cassandra of the Internet Age” By Charlie Warzel — The New York Times. A sobering read on the implications of the attention economy. We would all be helped by slowing down and choosing what to focus on.
  • “A Vast Web of Vengeance” By Kashmir Hill — The New York Times. A true horror story illustrating the power platforms give anyone to slander others. The more these sorts of stories move to the fore of the consciousness of policymakers, the greater the chances of reform to 47 USC 230 (Section 230), which many companies used to deny requests that they take down defamatory, untrue material.
  • “Amazon says government demands for user data spiked by 800% in 2020” By Zack Whittaker — TechCrunch. In an interesting development, Germany far outpaced the United States (U.S.) in information requests between 1 July and 31 December 2020 for Amazon except for Amazon Web Services (AWS). Regarding AWS, the U.S. accounted for 75% of requests. It bears note there were over 27,000 non-AWS requests and only 523 AWS requests.
  • “Russian hack brings changes, uncertainty to US court system” By MaryClaire Dale — Associated Press. Because the Administrative Office of United States (U.S.) Courts may have been part of the massive SolarWinds hack, lawyers involved with cases that have national security aspects may no longer file materials electronically. It appears these cases will go old school with paper filings only, stored on computers in federal courts that have no connection to the internet. However, it is apparently believed at present that the Foreign Intelligence Surveillance Court system was not compromised by the Russians.

Other Developments

  • Senator Ted Cruz (R-TX) placed a hold on Secretary of Commerce-designate Gina Raimondo’s nomination, explaining on Twitter: “I’ll lift the hold when the Biden admin commits to keep the massive Chinese Communist Party spy operation Huawei on the Entity List.” Cruz was one of three Republicans to vote against reporting out Raimondo’s nomination from the Senate Commerce, Science, and Transportation Committee. Even though the Ranking Member, Senator Roger Wicker (R-MS), voted to advance her nomination to the Senate floor, he, too, articulated concerns about Raimondo and the Biden Administration’s refusal to commit to keeping Huawei on the Department of Commerce’s Entity List, a designation that cuts the People’s Republic of China (PRC) company off from needed technology and products. Wicker said “I do remain concerned about the Governor’s reluctance to state unequivocally that she intends to keep Huawei on the department’s entity list…[and] [k]eeping Huawei on this list is important for the security of our networks and I urge the Governor and the administration to make its position clear.” Of course, the continuing Republican focus on the PRC is seeking to box in the Biden Administration and to try to force them to maintain the Trump Administration’s policies. The new administration has refused to make hard commitments on the PRC thus far and will likely seek different tactics than the Trump Administration even though there will likely be agreement on the threat posed by the PRC and its companies.
  • Virginia’s “Consumer Data Protection Act” (SB 1392/HB 2307) advanced from the Virginia Senate to the House of Delegates by a 36-0-1 vote on 5 February. The package was sent to the Communications, Technology and Innovation Subcommittee in the House on 7 February. Last week, it appeared as if the legislature would not have time to finish work on the United States’ second privacy law, but Governor Ralph Northam (D) convened a special session right before the legislature was set to adjourn. Now, there will be more time to address this bill and other priorities.
  • Senators Brian Schatz (D-HI), Deb Fischer (R-NE), Richard Blumenthal (D-CT), Rick Scott (R-FL) and Jacky Rosen (D-NV) introduced “The Safe Connections Act” “to help survivors of domestic violence and other crimes cut ties with their abusers and separate from shared wireless service plans, which can be exploited to monitor, stalk, or control victims” per their press release. The Senators asserted “the Safe Connections Act would help them stay safe and connected by:
    • Allowing survivors to separate a mobile phone line from any shared plan involving an abuser without penalties or other requirements. This includes lines of any dependents in their care;
    • Requiring the Federal Communications Commission (FCC) to initiate a rulemaking proceeding to seek comment on how to help survivors who separate from a shared plan enroll in the Lifeline Program for up to six-months as they become financially stable; and
    • Requiring the FCC to establish rules that would ensure any calls or texts to hotlines do not appear on call logs.
  • The European Commission’s Directorate-General for Justice and Consumers issued the “Report on the implementation of specific provisions of Regulation (EU) 2016/679,” the General Data Protection Regulation (GDPR), in which it was determined that implementation of these provisions at the member state level is uneven. The implication of this assessment, released some 2.5 years after the GDPR took effect, is that it may be some time more before each European Union state has made the statutory and policy changes necessary to give the data protection regime full effect. And so, the Directorate-General stated “[t]he following general observations can be made in relation to the implementation of the GDPR clauses under assessment:
    • As regards Article 8(1) GDPR (i.e., Conditions applicable to child’s consent in relation to information society services), the majority of the Member States have set an age limit lower than 16 years of age for the validity of the consent of a minor in relation to information society services. Nine Member States set the age limit at 16 years age, while eight Member States opted for that of 13 years, six for that of 14 years and three for 15 years.
    • With respect to Article 9(4) GDPR (i.e., Processing of special categories of personal data), most Member States provide for conditions/limitations with regard to the processing of genetic data, biometric data or data concerning health. Such limitations/conditions typically consist in listing the categories of persons who have access to such data, ensuring that they are subject to confidentiality obligations, or making processing subject to prior authorisation from the competent national authority. No national provision restricting or prohibiting the free movement of personal data within the European Union has been identified.
    • As regards Article 23(1) GDPR, and irrespective of the areas of public interest assessed under Article 23(1)(c) and (e) GDPR (i.e. public security, public administration, public health, taxation and migration), some Member States provide for restrictions in the area of (i) social security; or (ii) supervision of financial market participants, functioning of the guarantee systems and resolution and macroeconomic analyses. Concerning Article 23(1)(c) GDPR, the majority of Member States allow for restrictions of various provisions referred to in Article 23(1) GDPR. Normally there is a general reference to public security, while more specific areas of processing include the processing of personal data for the investigation and prosecution of crimes, and the use of video cameras for surveillance. Most commonly, the restrictions apply only where certain conditions are met. In some Member States the proportionality and necessity test is not contemplated at all, while in most Member States it is established in law, rather than left to the data controller. The overwhelming majority of Member States do not sufficiently implement the conditions and safeguards under Article 23(2) GDPR.
    • As regards Article 23(1)(e) GDPR in relation to public administration, half of the Member States provide for restrictions for such purpose. Normally there is a general reference to general public interest or public administration, while more specific areas of processing include discussions of the Council of Ministers and investigation of judicial or ‘administrative’ police authorities in connection with the commission of a crime or administrative infringement. Most commonly, the restrictions apply only where certain conditions are met. In some Member States the proportionality and necessity test is not contemplated at all, whereas in some other Member States the test is established in law or left to the data controller. No Member State implements all conditions and safeguards under Article 23(2) GDPR.
    • As regards Article 23(1)(e) GDPR in relation to public health, a minority of the Member States provide for restrictions for such purpose. Normally there is a general reference to public health or general public interest, while more specific areas of processing include the security of food chain and medical files. In most Member States, the applicable restrictions apply only where certain conditions are met. The proportionality and necessity test is generally established in the law. No Member State implements all conditions and safeguards under Article 23(2) GDPR.
    • With respect to Article 23(1)(e) GDPR in relation to taxation, a sizeable number of Member States provide restrictions for such purposes. There tends to be a general reference to taxation or general public interest, while more specific areas of processing include recovery of taxes, as well as automated tax data transfer procedures. Normally, the applicable restrictions apply only where certain conditions are met. The proportionality and necessity test is generally left to the data controller. No Member State implements all conditions and safeguards under Article 23(2) GDPR.
    • As regards Article 23(1)(e) GDPR in relation to migration, a minority of the Member States provide for restrictions for such purpose. Normally there is a general reference to migration or general public interest. The applicable restrictions tend to apply only where certain conditions are met. The proportionality and necessity test is generally left to the data controller. No Member State implements all conditions and safeguards under Article 23(2) GDPR.
    • As regards Article 85(1) GDPR (which requires Member States to reconcile by law the right to the protection of personal data with the right to freedom of expression and information), the majority of the Member States provide for provisions aiming to reconcile the right to the protection of personal data with the right to freedom of expression and information. These provisions are usually in the national data protection act implementing the GDPR, however, in some instances there are also specific provisions in media laws to this effect.
    • With respect to Article 85(2) GDPR (Reconciliation of the right to the protection of personal data with the right to freedom of expression and information), most Member States provide exemptions/derogations from the rules set out in Chapters II, III, IV, V, VI, VII and IX GDPR. More often than not, no specific balancing or reconciliation test is identified in the national legislation. A detailed account of the exemptions/derogations can be found in Annex 2 – Implementation of Article 85(2) GDPR.
  • The United Kingdom’s (UK) Information Commissioner’s Office (ICO) announced it is resuming the “investigation into real time bidding (RTB) and the adtech industry” in response to the COVID-19 pandemic. Simon McDougall, ICO Deputy Commissioner – Regulatory Innovation and Technology stated in a blog posting:
    • Enabling transparency and protecting vulnerable citizens are priorities for the ICO. The complex system of RTB can use people’s sensitive personal data to serve adverts and requires people’s explicit consent, which is not happening right now.
    • Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, also raises questions around the security and retention of this data.
    • Our work will continue with a series of audits focusing on data management platforms and we will be issuing assessment notices to specific companies in the coming months. The outcome of these audits will give us a clearer picture of the state of the industry.
    • The investigation is vast and complex and, because of the sensitivity of the work, there will be times where it won’t be possible to provide regular updates. However, we are committed to publishing our final findings, once the investigation is concluded.
    • We are also continuing to work with the Competition and Markets Authority (CMA) in considering Google’s Privacy Sandbox proposals to phase out support for third party cookies on Chrome.
  • Washington State Representative Shelley Kloba (D) and cosponsors introduced a bill, HB 1303, to establish a data brokers registry in Washington state that would also levy a 1.8% tax on gross revenue from selling personal data. In her press release, Kloba stated:
    • We are spending more and more of our lives on our phones and devices. From this has arisen a new business model where brokers collect, analyze, and resell personal data collected from applications on our phones and other devices. Currently, this type of business is totally unregulated and untaxed, and these businesses are reselling information with no compensation to the people of Washington. My legislation would shine a light on this very active segment of our economy while also establishing a small tax on the companies that profit from selling our personal data. Brokers that make money from collecting our personal information should contribute their fair share in tax revenue, and there should be more transparency on the number of businesses engaged in this industry.
    • HB 1303 would:
      • Impose a 1.8% Business & Occupation (B&O) tax on gross income arising from the sale of personal data.
      • Require companies that engage in this type of economic activity to register annually with the Department of Revenue (DOR).
      • Require DOR to provide the Legislature with an annual report on this information.
    • Recently, Kloba and cosponsors introduced the “People’s Privacy Act” (HB 1433), a bill to establish a privacy and data protection regime in Washington state. (see here for analysis.)
  • The Federal Trade Commission (FTC) used recently granted authority to police the use of algorithms and automated processes to buy tickets for entertainment and sporting events. The “Better Online Ticket Sales (BOTS) Act” (P.L. 114-274) “was enacted in 2016 and gives the FTC authority to take law enforcement action against individuals and companies that use bots or other means to circumvent limits on online ticket purchases” per the agency’s press release. The FTC stated it is taking “legal action against three ticket brokers based in New York who allegedly used automated software to illegally buy up tens of thousands of tickets for popular concerts and sporting events, then subsequently made millions of dollars reselling the tickets to fans at higher prices.” The FTC added:
    • The three ticket brokers will be subject to a judgment of more than $31 million in civil penalties for violating the Better Online Ticket Sales (BOTS) Act, under a proposed settlement reached with the FTC. Due to their inability to pay, the judgment will be partially suspended, requiring them to pay $3.7 million.
    • The FTC explained “[u]nder the terms of the proposed orders, judgments will be entered against the defendants for civil penalties as follows:
  • The National Institute of Standards and Technology (NIST) pushed back the deadline for comments until 26 February 2021 for four guidance documents on the Internet of Things:
    • Draft NIST SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements, has background and recommendations to help federal agencies consider how an IoT device they plan to acquire can integrate into a federal information system. IoT devices and their support for security controls are presented in the context of organizational and system risk management. SP 800-213 provides guidance on considering system security from the device perspective. This allows for the identification of IoT device cybersecurity requirements—the abilities and actions a federal agency will expect from an IoT device and its manufacturer and/or third parties, respectively.
    • Draft NISTIR 8259B, IoT Non-Technical Supporting Capability Core Baseline, complements the NISTIR 8259A device cybersecurity core baseline by detailing additional, non-technical supporting activities typically needed from manufacturers and/or associated third parties. This non-technical baseline collects and makes explicit supporting capabilities like documentation, training, customer feedback, etc.
    • Draft NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline, describes a process, usable by any organization, that starts with the core baselines provided in NISTIRs 8259A and 8259B and explains how to integrate those baselines with organization- or application-specific requirements (e.g., industry standards, regulatory guidance) to develop an IoT cybersecurity profile suitable for specific IoT device customers or applications. The process in NISTIR 8259C guides organizations needing to define a more detailed set of capabilities responding to the concerns of a specific sector, based on some authoritative source such as a standard or other guidance, and could be used by organizations seeking to procure IoT technology or by manufacturers looking to match their products to customer requirements.
    • Draft NISTIR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government, provides a worked example result of applying the NISTIR 8259C process, focused on the federal government customer space, where the requirements of the FISMA process and the SP 800-53 security and privacy controls catalog are the essential guidance. NISTIR 8259D provides a device-centric, cybersecurity-oriented profile of the NISTIR 8259A and 8259B core baselines, calibrated against the FISMA low baseline described in NIST SP 800-53B as an example of the criteria for minimal securability for federal use cases.
  • The New York State Department of Financial Services (NYDFS) announced “[r]egulated entities and licensed persons must file the Certification of Compliance for the calendar year 2020 by April 15, 2021.” These certificates are due under the NYDFS’ cybersecurity regulations with which most financial services companies in the state must comply. These regulations took effect in May 2017.

Coming Events

  • On 10 February, the House Homeland Committee will hold a hearing titled “Homeland Cybersecurity: Assessing Cyber Threats and Building Resilience” with these witnesses:
    • Mr. Chris Krebs, Former Director, Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security
    • Ms. Sue Gordon, Former Principal Deputy Director of National Intelligence, Office of the Director of National Intelligence
    • Mr. Michael Daniel, President & CEO, Cyber Threat Alliance
    • Mr. Dmitri Alperovitch, Executive Chairman, Silverado Policy Accelerator
  • The House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold a hearing titled “Justice Restored: Ending Forced Arbitration and Protecting Fundamental Rights.”
  • The Federal Communications Commission’s (FCC) acting Chair Jessica Rosenworcel will hold a virtual Roundtable on the Emergency Broadband Benefit Program on 12 February, “a new program that would enable eligible households to receive a discount on the cost of broadband service and certain connected devices during the COVID-19 pandemic.” The FCC also noted “[i]n the Consolidated Appropriations Act of 2021, Congress appropriated $3.2 billion” for the program.
  • On 17 February, the Federal Communications Commission (FCC) will hold an open meeting, its first under acting Chair Jessica Rosenworcel, with this tentative agenda:
    • Presentation on the Emergency Broadband Benefit Program. The Commission will hear a presentation on the creation of an Emergency Broadband Benefit Program. Congress charged the FCC with developing a new $3.2 billion program to help Americans who are struggling to pay for internet service during the pandemic.
    • Presentation on COVID-19 Telehealth Program. The Commission will hear a presentation about the next steps for the agency’s COVID-19 Telehealth program. Congress recently provided an additional $249.95 million to support the FCC’s efforts to expand connected care throughout the country and help more patients receive health care safely.
    • Presentation on Improving Broadband Mapping Data. The Commission will hear a presentation on the work the agency is doing to improve its broadband maps. Congress directly appropriated $65 million to help the agency develop better data for improved maps.
    • Addressing 911 Fee Diversion. The Commission will consider a Notice of Proposed Rulemaking that would implement section 902 of the Don’t Break Up the T-Band Act of 2020, which requires the Commission to take action to help address the diversion of 911 fees by states and other jurisdictions for purposes unrelated to 911. (PS Docket Nos. 20-291, 09-14)
    • Implementing the Secure and Trusted Communications Networks Act. The Commission will consider a Third Further Notice of Proposed Rulemaking that proposes to modify FCC rules consistent with changes that were made to the Secure and Trusted Communications Networks Act in the Consolidated Appropriations Act, 2021. (WC Docket No. 18-89)
  • On 27 July 2021, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Martin Ceralde on Unsplash

Klobuchar Proposes Major Update Of Antitrust Law

The incoming chair of the subcommittee that oversees antitrust is proposing the most significant revision of U.S. antitrust law since Hart-Scott-Rodino in 1976.

Senator Amy Klobuchar (D-MN) and three Democratic colleagues on the subcommittee with oversight of antitrust and anti-competitive matters have unveiled their bill to remake the United States’ (U.S.) antitrust enforcement regime. Left unsaid in their press release and in the lengthy findings section of the bill is the fact that the growing concentration in technology markets has been a major driving factor in Congress’ reawakened interest in changing policy in these areas. Last year’s House Judiciary Committee report on digital markets focused exclusively on the effect that Google, Facebook, Apple, and Amazon had across many markets and proposed dramatic changes to how the U.S. stops monopolistic and anti-competitive behavior.

It is expected Klobuchar will chair the Antitrust, Competition Policy and Consumer Rights Subcommittee on the Senate Judiciary Committee when Democrats formally take control of Senate committees. Therefore, Klobuchar is positioned to be a major stakeholder and to use the power of the subcommittee to call hearings and largely control the witness list to set an agenda making the case for antitrust reform.

And yet, House and Senate Republicans will likely oppose portions of the bill. Last year, despite a significant number of Republicans on the House Judiciary Committee agreeing with the majority about antitrust and anti-competitive problems in digital markets, they published a separate report that had more modest changes.

As mentioned earlier, the House Judiciary Committee’s report called for wide-ranging changes to the antitrust and anti-competitive system. However, the committee has not yet introduced a bill despite the subcommittee chair who helmed the investigation vowing to do so. It is probably just a matter of time before Representative David Cicilline (D-RI) unveils a bill, one likely to propose even more sweeping changes to U.S. antitrust law.

As for the White House and Biden Administration, it is not immediately clear how receptive to antitrust reform it will be. While President Joe Biden made some comments about this field on the campaign trail, it was not a point of emphasis the way it was for rivals Senators Elizabeth Warren (D-MA) and Bernie Sanders (I-VT), whose focus on the issue did pull the Democratic Party leftward on these issues.

If enacted as written, the “Competition and Antitrust Law Enforcement Reform Act of 2021” represents the most significant reform of U.S. antitrust law since the “Hart-Scott-Rodino Antitrust Improvements Act of 1976” (P.L. 94-435) was enacted when President Gerald Ford was in office. The bill seeks to reverse and undo some of the case law U.S. courts have put in place to interpret the Sherman and Clayton Antitrust Acts that critics claim have severely compromised the effectiveness and intent of those statutes.

The bill adds a definition of “market power” to the Clayton Act:

the ability of a person, or a group of persons acting in concert, to profitably impose terms or conditions on counterparties, including terms regarding price, quantity, product or service quality, or other terms affecting the value of consideration exchanged in the transaction, that are more favorable to the person or group of persons imposing them than what the person or group of persons could obtain in a competitive market.

Market power has been defined as “the ability ‘to increase prices above competitive levels, and sustain them for an extended period’” as explained in the trial court’s decision in the recent case, FTC v. Qualcomm. In the case the trial court cited, it is further explained:

In order unilaterally to raise prices above competitive levels, the predator must obtain sufficient market power. A predator has sufficient market power when, by restricting its own output, it can restrict marketwide output and, hence, increase marketwide prices. Phillip Areeda & Donald F. Turner, Antitrust Law p 501, at 322 (1978) (hereinafter Areeda & Turner). Prices increase marketwide in response to the reduced output because consumers bid more in competing against one another to obtain the smaller quantity available. Ball Memorial Hosp., Inc. v. Mutual Hosp. Ins., Inc., 784 F.2d 1325, 1335 (7th Cir.1986). Without market power to increase prices above competitive levels, and sustain them for an extended period, a predator’s actions do not threaten consumer welfare.

The Supreme Court of the United States has defined the term a bit differently:

Market power is the ability to raise price profitably by restricting output.

As may be obvious, the definitions of market power in the FTC v. Qualcomm case and in the aforementioned case, Ohio v. American Express, focus primarily on the ability to unilaterally raise price, for if there are no other products or services in the relevant market consumers can buy, then the firm may extract the price it wants. Obviously, many technology companies do not charge money for their service or product. Hence, in a strict reading of antitrust law, it is hard to make the case they have market power. This bill seeks to close this apparent loophole and make clear that entities can have market power in ways other than just price.

Klobuchar and her cosponsors make this case in the Findings and Purposes section:

  • anticompetitive exclusionary conduct constitutes a particularly harmful exercise of market power and a substantial threat to the United States economy;
  • when dominant sellers exercise market power, they harm buyers by overcharging them, reducing product or service quality, limiting their choices, and impairing innovation;
  • when dominant buyers exercise market power, they harm suppliers by underpaying them, limiting their business opportunities, and impairing innovation;
  • when dominant employers exercise market power, they harm workers by paying them low wages, reducing their benefits, and limiting their future employment opportunities;
  • nascent or potential rivals—even those that are unprofitable or inefficient—can be an important source of competitive discipline for dominant firms;
  • antitrust enforcement against anticompetitive exclusionary conduct has been impeded when courts have declined to rigorously examine the facts in favor of relying on inaccurate economic assumptions that are inconsistent with contemporary economic learning, such as presuming that market power is not durable and can be expected to self-correct, that monopolies can drive as much or more innovation than a competitive market, that above-cost pricing cannot harm competition, and other flawed assumptions;

The “Competition and Antitrust Law Enforcement Reform Act of 2021” would change the current paradigm for most mergers. At present, firms go to the United States (U.S.) Department of Justice (DOJ) or the Federal Trade Commission (FTC) and make their case as to why it is okay for them to buy another, and the onus is on the agencies to demonstrate prospectively the proposed deal would violate anti-trust law. The bill flips that dynamic, and firms would now have to prove to the agencies the deals are not anti-competitive. Consequently, Klobuchar and her cosponsors would make a number of mergers and acquisitions illegal “unless the acquiring or acquired person establish, by a preponderance of the evidence, that the effect of the acquisition will not be to create an appreciable risk of materially lessening competition or tend to create a monopoly or a monopsony.”

To wit, the bill provides that if the FTC, DOJ, or state attorneys general bring an anti-trust action to block a merger or acquisition, a court must “determine that the effect of an acquisition described in this section may be to create an appreciable risk of materially lessening competition or to tend to create a monopoly or a monopsony, in or affecting commerce, if—

  • The deal “would lead to a significant increase in market concentration in any relevant market;”
  • the acquiring person has a market share of greater than 50 percent or otherwise has significant market power, as a seller or a buyer, in any relevant market, and as a result of the acquisition, the acquiring person would obtain control over entities or assets that compete or have a reasonable probability of competing with the acquiring person in the same relevant market; or
  • as a result of the acquisition, the acquiring person would obtain control over entities or assets that have a market share of greater than 50 percent or otherwise have significant market power, as a seller or a buyer, in any relevant market, and the acquiring person competes or has a reasonable probability of competing with the entities or assets over which it would obtain control, as result of the acquisition, in the same relevant market;
  • the acquisition would lead to the combination of entities or assets that compete or have a reasonable probability of competing in a relevant market, and either the acquiring person or the entities or assets over which it would obtain control prevents, limits, or disrupts coordinated interaction among competitors in a relevant market or has a reasonable probability of doing so;
  • the acquisition—
    • would likely enable the acquiring person to unilaterally and profitably exercise market power or materially increase its ability to do so; or
    • would materially increase the probability of coordinated interaction among competitors in any relevant market
  • the acquiring person would hold an aggregate total amount of the voting securities and assets of the acquired person in excess of $5,000,000,000 (as adjusted and published for each fiscal year beginning after September 30, 2022…
  • the person acquiring or the person being acquired has assets, net annual sales, or a market capitalization greater than $100,000,000,000 (as so adjusted and published); and
  • as a result of such acquisition, the acquiring person would hold an aggregate total amount of the voting securities and assets of the acquired person in excess of $50,000,000 (as so adjusted and published),

The “Competition and Antitrust Law Enforcement Reform Act of 2021” also takes aim at “exclusionary conduct,” making it “unlawful for a person, acting alone or in concert with other persons, to engage in exclusionary conduct that presents an appreciable risk of harming competition.” Exclusionary conduct is defined as conduct that “materially disadvantages 1 or more actual or potential competitors; or tends to foreclose or limit the ability or incentive of 1 or more actual or potential competitors to compete.” Moreover, there shall be the presumption of exclusionary conduct harming competition in a relevant market if:

  • An entity or group of entities already have a 50% or greater share of the market; or
  • “otherwise has significant market power in the relevant market.”

However, any person or entity accused of exclusionary conduct may show by a preponderance of the evidence that “distinct procompetitive benefits” obviate any such risks to competition, the entrance or presence of other players in the market decrease the risk of anti-competitive harm, or the conduct does not, in fact, pose a risk of harm to competition. Again, this change in anti-trust law would shift the burden to the companies that apparently dominate a market to show that they do not, that other competitors have introduced real competition, or that there are benefits that aid competition.

Klobuchar and her cosponsors also seek to address the imbalance in resources wrought by the money firms like Google and Apple can throw at mergers and anti-trust versus the regulators. The bill proposes dramatic changes for the next fiscal year in funding for the DOJ and FTC:

  • $484,500,000 for the Antitrust Division of the DOJ; and
  • $651,000,000 for the FTC

To put those numbers in perspective, the DOJ’s Antitrust Division will get $184 million for FY 2021, and the entire FTC will get $351 million for the current fiscal year. So, obviously these are massive increases in authorized levels of funding, but appropriators and the White House would need to agree on actually providing these funds, something either, or both, may be unwilling to do. And, of course, Republicans will have leverage through the filibuster in the Senate, meaning they would ultimately need to sign off on these dramatic increases in funding, something they may not be willing to do.

The package would also establish a new position, Competition Advocate, and an office, the Office of the Competition Advocate. This position would be filled by the FTC chair according to a vote by the Commissioners with at least one vote coming from members of the minority. The Competition Advocate would have a range of responsibilities, including

  • Make recommendations to the FTC and DOJ on how to improve the solicitation and collection of reports from a variety of sources on anti-competitive behavior
  • Advise other federal agencies on administrative actions that may be anti-competitive and any actions that may be pro-competitive
  • Publish reports on market competition in the U.S. and how successful anti-trust actions brought by the FTC and DOJ are
  • Collect data on market concentration in a number of markets

Within this new Office, a Division of Market Analysis would be established to serve as an in-house think tank to aid the Competition Advocate of the FTC in analyzing markets and proposed acquisitions.


Photo by Vincent Ledvina on Unsplash

ACCC Ad Tech Report

Stopping short of saying it will file suit against Google, Australia’s competition authority finds plenty of issues in the “ad tech” market caused by Google.

Australia’s competition regulator has issued its interim report on the state of a section of the online advertising world and, like other regulators around the world, has found that Google plays an outsized role in many sectors of this part of the internet.

The Australia Consumer & Competition Commission (ACCC) was tasked by the Treasurer of Australia Josh Frydenberg “to hold an inquiry into markets for the supply of digital advertising technology services (ad tech services) and digital advertising agency services (ad agency services) (the Inquiry)” as explained in the ACCC’s March 2020 Issues Paper. This interim report was due by the end of December 2020, and the ACCC is looking for feedback, especially on its proposed remedies, by 26 February 2021 and aims to provide its final report by 31 August 2021.

In the agency’s press release, ACCC Chair Rod Sims asserted:

  • [T]here is a real lack of competition, choice and transparency in this industry. These issues add to the cost of advertising for businesses, which will ultimately impact the prices paid by consumers.
  • Google’s significant presence across the whole ad tech supply chain, combined with its significant data advantage, means Google is likely to have the ability and the incentive to preference its own ad tech businesses in ways that affect competition.

At this point, the ACCC is not calling for changes to Australian law and is holding off on formally launching an investigation into Google’s dominance of what the ACCC is calling the ad tech market. But, the ACCC signalled its keen interest in one of the antitrust suits in the United States (U.S.) against Google, suggesting it may follow suit.

The ACCC noted other jurisdictions have investigated the ad tech market and found problems. The ACCC further suggested cooperation and seemed to hint that successful government regulation in other markets may help solve those in Australia:

A number of governments and regulatory agencies have previously released reports that include consideration of the ad tech industry. This Inquiry builds on that body of previous work and describes the issues as they relate to Australia. The ACCC is seeking stakeholder views on the proposals outlined in this report, which reflect the ACCC’s initial views of measures that may be effective in addressing competition and transparency issues in the supply of ad tech services. There is close alignment between these proposals and those discussed in overseas reports into the industry. The ACCC considers that the success of any proposed interventions in this industry is likely to be enhanced, and the regulatory costs minimised, if policymakers collaborate and coordinate policy solutions across national borders.

The ACCC’s report follows other investigations into concentration in digital markets, including:

It bears note that this ACCC inquiry is separate and apart from the recently unveiled measure that could require Google, Facebook, and others to pay Australian media for use of content, the “Treasury Laws Amendment (News Media and Digital Platforms Mandatory Bargaining Code) Bill 2020,” which “establishes a mandatory code of conduct to help support the sustainability of the Australian news media sector by addressing bargaining power imbalances between digital platforms and Australian news businesses” according to the Explanatory Memorandum. The legislation comes after the center-right government, the Liberal–National Coalition, tried to negotiate a voluntary agreement with Google and Facebook, but talks fell apart. In late July 2020, the ACCC released for public consultation a draft of “a mandatory code of conduct to address bargaining power imbalances between Australian news media businesses and digital platforms, specifically Google and Facebook.” In publishing the draft, the ACCC explained:

The code would commence following the introduction and passage of relevant legislation in the Australian Parliament. The ACCC released an exposure draft of this legislation on 31 July 2020, with consultation on the draft due to conclude on 28 August 2020. Final legislation is expected to be introduced to Parliament shortly after conclusion of this consultation process.

However, the interim report on ad tech does bear on the financial health of the Australian media, one of the major reasons why the Liberal-National Coalition moved forward with its program of making platforms pay for media. To the extent there are anti-competitive forces in the online advertising market, it stands to reason the revenues of media companies would be depressed, thus further jeopardizing their viability.

The ACCC explained the scope of its ad tech inquiry and why a major online advertising player like Facebook was not implicated:

Digital display advertisements are the images or videos that appear before or alongside content viewed online. This Inquiry considers the advertising technology (or ‘ad tech’) services that deliver personalised digital display advertising on websites and apps, and associated advertising agency services. The Inquiry does not consider online search advertising and does not focus on advertising sold by businesses such as Facebook that is not sold through the ad tech supply chain.

With respect to the scope of the inquiry, the ACCC added that

This report focuses on concerns identified by online publishers, advertisers, industry groups, academics and ad tech providers with the supply of ad tech services in Australia.

The ACCC summarized “[t]he main themes explored in the report:

  • Google’s industry-leading position. While there are a large number of ad tech providers across the supply chain as a whole, Google is by far the largest provider of each of the four key ad tech services considered. The report considers the reasons for, and implications of, Google’s position
  • concerns about opacity in the operation and pricing of ad tech and ad agency services. This has been a key issue for both online publishers and advertisers, and raises multiple questions. First, with so many different ad tech services used to deliver an ad to a consumer, how much advertising spend on digital display is being retained by ad tech providers, and how much is flowing through to publishers? Secondly, are advertisers and publishers getting enough information about how the whole supply chain operates to make informed choices about which suppliers to use? Thirdly, how should transparency and competition in the supply of ad tech services be promoted while ensuring consumer privacy is protected?

As noted, the ACCC namechecked one of the three anti-trust suits currently pending in the U.S.:

  • The ACCC is closely following recent overseas enforcement actions in relation to digital platforms and the supply of ad tech services. On 16 December 2020, the Texas Attorney-General on behalf of nine US states filed a complaint against Google, alleging Google has monopoly power and forecloses competition in US markets for the supply of ad tech services.
  • The alleged anti-competitive conduct includes unlawful tying arrangements, exclusionary conduct, market allocation and price fixing arrangements. The complaint alleges Google’s exclusionary conduct has foreclosed competition and harmed consumers, evidenced by the exit of rival firms and limited and declining entry rates. The filed complaint also alleges the existence of an unlawful agreement between Google and Facebook and deceptive trade practices in breach of some states’ consumer protection laws.
  • Most of the allegations and concerns raised with the ACCC and discussed in this Interim Report are set out in the complaint filed by the US states. The ACCC will continue to consider these issues during this Inquiry, including whether enforcement proceedings under the Competition and Consumer Act 2010 (Cth) (CCA) are required.

In December, Texas Attorney General Ken Paxton and nine other attorneys general[1] filed their antitrust action in the Eastern District of Texas and dropped a bomb: they allege Google and Facebook conspired to monopolize the online advertising market after publishers had devised a system to blunt Google’s dominance. However, Paxton and his colleagues argue that Google’s illegal actions have essentially taxed Americans through higher prices and lower quality products and services because companies are forced to pay a premium to Google to advertise online.

Paxton and the attorneys general summarized their suit and the relief they think appropriate in light of Google’s conduct:

As a result of Google’s anticompetitive conduct, including its unlawful agreement with Facebook, Google has violated and continues to violate Sections 1 and 2 of the Sherman Act, 15 U.S.C. §§ 1, 2. Plaintiff States bring this action to remove the veil of Google’s secret practices and end Google’s abuse of its monopoly power in online advertising markets. Plaintiff States seek to restore free and fair competition to these markets and to secure structural, behavioral, and monetary relief to prevent Google from ever again engaging in deceptive trade practices and abusing its monopoly power to foreclose competition and harm consumers.

The ACCC delved into these topics, among others:

  • Vertical integration and conflicts of interest
  • Pricing of ad tech services
  • Opacity in the supply of digital advertising technology services

The ACCC laid out what it wanted input on and how it may ultimately proceed to address Google’s seemingly deleterious conduct:

  • The ACCC invites stakeholder views on a range of possible proposals that it is considering to address the issues identified in this report. These proposals are based on suggestions received during this inquiry, and the ACCC’s assessment of industry developments.
  • If ultimately recommended by the ACCC, many of these proposals could be implemented through industry arrangements. Should industry participants be unable to reach agreed industry solutions, the ACCC may consider it appropriate to make further recommendations.
  • The ACCC also considers it critical that prior to the adoption of any measures of the type outlined below for consultation careful scrutiny is undertaken to ensure those measures could be implemented in a way that sufficiently safeguards the privacy of consumers.

Nonetheless, before having received formal consultation, the ACCC made six policy proposals, summarized thusly:

  • Proposal 1: Measures to improve data portability and interoperability. The ACCC is considering measures aimed at increasing data portability and interoperability, to reduce barriers to entry and expansion and promote competition in the supply of ad tech services. Any such measures would require safeguards to ensure that consumers have sufficient control over the sharing and processing of their data.
  • Proposal 2: Data separation mechanisms. The ACCC is considering the extent to which data separation mechanisms, such as data silos or purpose limitation requirements, may be effective in levelling the playing field between large platforms with a significant data advantage and rival ad tech providers.
  • Proposal 3 – Rules to manage conflicts of interest and self-preferencing in the supply of ad tech services. The ACCC is considering whether rules should be introduced that would aim to prevent and manage the competition and other issues that can arise from vertical integration. In particular such rules could prevent self-preferencing, and manage conflicts of interest. The high-level obligations which could be covered by these rules include:
    • requirements to put measures in place to manage conflicts of interest, such as preventing the sharing of information between ad tech services, or obligations to act in the best interest of publisher or advertiser customers
    • requirements to provide equal access to ad tech services (i.e. level playing field obligations to prevent self-preferencing), and
    • requirements to increase the transparency of the operation of the supply chain.
  • Proposal 4 – Implementation of a voluntary industry standard to enable full, independent verification of DSP services. To enable advertisers to assess DSP services fully and independently and encourage competition, industry should develop a standard that allows full and independent verification of DSP services. This standard should set out minimum requirements for this, along with the categories of data necessary to enable third-parties to provide full and independent viewability, fraud and brand safety verification services. The ACCC considers that this should initially be left to industry to develop and implement, but that other options could be considered if this was not successful.
  • Proposal 5 – Implementation of a common transaction ID. Industry should implement a common system whereby each transaction in the ad tech supply chain is identified with a single identifier which allows a single transaction to be traced through the entire supply chain. This should be done in a way that protects the privacy of consumers.
  • Proposal 6 – Implementation of a common user ID to allow tracking of attribution activity in a way which protects consumers’ privacy. Introduction of a secure common user ID, which ad tech providers would be required to assign to any data used for attribution purposes. This should be done in a way that protects the privacy of consumers.

At this point, the ACCC seems to be favoring surgical changes that would theoretically result in a lessening of Google’s dominance through increased competition. These measures include promulgating rules to address the conflicts of interest Google has throughout the advertising chain. The ACCC compares these possible rules to the European Commission’s proposed Digital Markets Act (see here for more analysis) and the UK’s proposal (see here for more analysis).


[1] These states sued Google: Texas, Arkansas, Idaho, Indiana, Mississippi, Missouri, North Dakota, South Dakota, Utah, and the Commonwealth of Kentucky.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


EU Announces One Antitrust Action Against A Big Tech Firm and Previews Another

The EU commences one antitrust action against Amazon while investigating other possible violations.

The European Commission (EC) released a summary of its findings in one antitrust investigation against Amazon, finding enough evidence to proceed while also starting the process to investigate another alleged violation by the United States (U.S.) multinational. The EC started its investigation of Amazon in July 2019, and this action follows an announced investigation of Apple earlier this year. Also, the European Union (EU) has fined Google €8.2 billion cumulatively for three separate antitrust violations over the last five or six years. Moreover, the EC is readying a “Digital Markets Act” to update the EU’s competition laws.

Article 102 of the Treaty on the Functioning of the European Union (TFEU) bars a company from abusing its dominant market position. The EC is asserting that Amazon has a dominant market position and that it sometimes uses the sales data it gathers from selling third parties’ items to undercut those third parties. According to the EC, this is abuse in violation of Article 102, and it has issued a Statement of Objections. However, the process by which an antitrust action in the EU is brought is not finished at this stage. Amazon will have the opportunity to respond, and any final decision, particularly fines, must be approved by the Advisory Committee, which consists of the EU’s competition authorities.

In its press statement, the EC explained:

  • The European Commission has informed Amazon of its preliminary view that it has breached EU antitrust rules by distorting competition in online retail markets. The Commission takes issue with Amazon systematically relying on non-public business data of independent sellers who sell on its marketplace, to the benefit of Amazon’s own retail business, which directly competes with those third party sellers.
  • The Commission also opened a second formal antitrust investigation into the possible preferential treatment of Amazon’s own retail offers and those of marketplace sellers that use Amazon’s logistics and delivery services.

In its Statement of Objections, the EC further detailed its case that Amazon’s access to and use of private business data of third-party sellers for Amazon’s benefit distorts competition contrary to EU law:

  • Amazon has a dual role as a platform: (i) it provides a marketplace where independent sellers can sell products directly to consumers; and (ii) it sells products as a retailer on the same marketplace, in competition with those sellers.
  • As a marketplace service provider, Amazon has access to non-public business data of third party sellers such as the number of ordered and shipped units of products, the sellers’ revenues on the marketplace, the number of visits to sellers’ offers, data relating to shipping, to sellers’ past performance, and other consumer claims on products, including the activated guarantees.
  • The Commission’s preliminary findings show that very large quantities of non-public seller data are available to employees of Amazon’s retail business and flow directly into the automated systems of that business, which aggregate these data and use them to calibrate Amazon’s retail offers and strategic business decisions to the detriment of the other marketplace sellers. For example, it allows Amazon to focus its offers in the best-selling products across product categories and to adjust its offers in view of non-public data of competing sellers.
  • The Commission’s preliminary view, outlined in its Statement of Objections, is that the use of non-public marketplace seller data allows Amazon to avoid the normal risks of retail competition and to leverage its dominance in the market for the provision of marketplace services in France and Germany - the biggest markets for Amazon in the EU. If confirmed, this would infringe Article 102 of the TFEU that prohibits the abuse of a dominant market position.

The EC also launched another inquiry into the platform’s practices that allegedly favor the company’s items as compared to third-party sellers and also those items offered by third-parties that use Amazon’s logistics and delivery services. The EC explained it “opened a second antitrust investigation into Amazon’s business practices that might artificially favour its own retail offers and offers of marketplace sellers that use Amazon’s logistics and delivery services (the so-called “fulfilment by Amazon or FBA sellers”).” The EC continued:

  • In particular, the Commission will investigate whether the criteria that Amazon sets to select the winner of the “Buy Box” and to enable sellers to offer products to Prime users, under Amazon’s Prime loyalty programme, lead to preferential treatment of Amazon’s retail business or of the sellers that use Amazon’s logistics and delivery services.
  • The “Buy Box” is displayed prominently on Amazon’s websites and allows customers to add items from a specific retailer directly into their shopping carts. Winning the “Buy Box” (i.e. being chosen as the offer that features in this box) is crucial to marketplace sellers as the Buy Box prominently shows the offer of one single seller for a chosen product on Amazon’s marketplaces, and generates the vast majority of all sales. The other aspect of the investigation focusses on the possibility for marketplace sellers to effectively reach Prime users. Reaching these consumers is important to sellers because the number of Prime users is continuously growing and because they tend to generate more sales on Amazon’s marketplaces than non-Prime users.
  • If proven, the practice under investigation may breach Article 102 of the TFEU that prohibits the abuse of a dominant market position.

The EC’s antitrust action may be followed by an action by the United States (U.S.) government. It has been reported in the media that the Federal Trade Commission (FTC) is also investigating Amazon’s conduct vis-à-vis third-party sellers on its platform and could also bring suit. However, there may be a lack of bandwidth and resources at the agency if it proceeds with an antitrust action against Facebook, which is rumored to be filed by year’s end.

Moreover, the U.S. House of Representatives’ Judiciary Committee’s Antitrust, Commercial and Administrative Law Subcommittee’s “Investigation into Competition in Online Markets” detailed the same conduct the EU is alleging violates antitrust law:

One of the widely reported ways in which Amazon treats third-party sellers unfairly centers on Amazon’s asymmetric access to and use of third-party seller data. During the investigation, the Subcommittee heard repeated concerns that Amazon leverages its access to third-party sellers’ data to identify and replicate popular and profitable products from among the hundreds of millions of listings on its marketplace. Armed with this information, it appears that Amazon would: (1) copy the product to create a competing private-label product; or (2) identify and source the product directly from the manufacturer to free ride off the seller’s efforts, and then cut that seller out of the equation.

Amazon claims that it has no incentive to abuse sellers’ trust because third-party sales make up nearly 60% of its sales, and that Amazon’s first-party sales are relatively small. Amazon has similarly pointed out that third-party listings far outnumber Amazon’s first-party listings. In a recent shareholder letter, CEO Jeff Bezos wrote, “Third-party sellers are kicking our first-party butt. Badly.” In response to a question from the Subcommittee, however, Amazon admitted that by percentage of sales—a more telling measure—Amazon’s first-party sales are significant and growing in a number of categories. For example, in books, Amazon owns 74% of sales, whereas third-party sellers only account for 26% of sales. At the category level, it does not appear that third-party sellers are kicking Amazon’s first-party butt. Amazon may, in fact, be positioned to overtake its third-party sellers in several categories as its first-party business continues to grow.

As noted, earlier this year, the EC announced two antitrust investigations of Apple regarding allegations of unfair and anticompetitive practices with its App Store and Apple Pay.

In a press release, the EC announced it “has opened a formal antitrust investigation to assess whether Apple’s conduct in connection with Apple Pay violates EU competition rules…[that] concerns Apple’s terms, conditions and other measures for integrating Apple Pay in merchant apps and websites on iPhones and iPads, Apple’s limitation of access to the Near Field Communication (NFC) functionality (“tap and go”) on iPhones for payments in stores, and alleged refusals of access to Apple Pay.” The EC noted that “[f]ollowing a preliminary investigation, the Commission has concerns that Apple’s terms, conditions, and other measures related to the integration of Apple Pay for the purchase of goods and services on merchant apps and websites on iOS/iPadOS devices may distort competition and reduce choice and innovation.” The EC contended “Apple Pay is the only mobile payment solution that may access the NFC “tap and go” technology embedded on iOS mobile devices for payments in stores.” The EC revealed “[t]he investigation will also focus on alleged restrictions of access to Apple Pay for specific products of rivals on iOS and iPadOS smart mobile devices” and “will investigate the possible impact of Apple’s practices on competition in providing mobile payments solutions.”

In a press release issued the same day, the EC explained it had also “opened formal antitrust investigations to assess whether Apple’s rules for app developers on the distribution of apps via the App Store violate EU competition rules.” The EC said “[t]he investigations concern in particular the mandatory use of Apple’s own proprietary in-app purchase system and restrictions on the ability of developers to inform iPhone and iPad users of alternative cheaper purchasing possibilities outside of apps.” The EC added “[t]he investigations concern the application of these rules to all apps, which compete with Apple’s own apps and services in the European Economic Area (EEA)…[and] [t]he investigations follow-up on separate complaints by Spotify and by an e-book/audiobook distributor on the impact of the App Store rules on competition in music streaming and e-books/audiobooks.”

Recently, EU Executive Vice-President Margrethe Vestager gave a speech titled “Building trust in technology,” in which she previewed one long-awaited draft EU law on technology and another to address antitrust and anti-competitive practices of large technology companies. Vestager stated “in just a few weeks, we plan to publish two draft laws that will help to create a more trustworthy digital world.” Both drafts are expected on 2 December and represent key pieces of the new EU leadership’s Digital Strategy, the bloc’s initiative to update EU laws to account for changes in technology since the beginning of the century. The Digital Services Act will address and reform the legal treatment of both online commerce and online content. The draft Digital Markets Act would give the EC more tools to combat the same competition and market dominance issues posed by companies like Apple, Amazon, Facebook, and Google. Vestager stated:

  • So, to keep our markets fair and open to competition, it’s vital that we have the right toolkit in place. And that’s what the second set of rules we’re proposing – what we call the Digital Markets Act – is for. 
  • That proposal will have two pillars. The first of those pillars will be a clear list of dos and don’ts for big digital gatekeepers, based on our experience with the sorts of behaviour that can stop markets working well. 
  • For instance, the decisions that gatekeepers take, about how to rank different companies in search results, can make or break businesses in dozens of markets that depend on the platform. And if platforms also compete in those markets themselves, they can use their position as player and referee to help their own services succeed, at the expense of their rivals. For instance, gatekeepers might manipulate the way that they rank different businesses, to show their own services more visibly than their rivals’. So, the proposal that we’ll put forward in a few weeks’ time will aim to ban this particular type of unfair self-preferencing. 
  • We also know that these companies can collect a lot of data about companies that rely on their platform – data which they can then use, to compete against those very same companies in other markets. That can seriously damage fairness in these markets – which is why our proposal aims to ban big gatekeepers from misusing their business users’ data in that way. 
  • These clear dos and don’ts will allow us to act much faster and more effectively, to tackle behaviour that we know can stop markets working well. But we also need to be ready for new situations, where digitisation creates deep, structural failures in the way our markets work.  
  • Once a digital company gets to a certain size, with the big network of users and the huge collections of data that brings, it can be very hard for anyone else to compete – even if they develop a much better service. So, we face a constant risk that big companies will succeed in pushing markets to a tipping point, sending them on a rapid, unstoppable slide towards monopoly – and creating yet another powerful gatekeeper. 
  • One way to deal with risks like this would be to stop those emerging gatekeepers from locking users into their platform. That could mean, for instance, that those gatekeepers would have to make it easier for users to switch platform, or to use more than one service. That would keep the market open for competition, by making it easier for innovative rivals to compete. But right now, we don’t have the power to take this sort of action when we see these risks arising. 
  • It can also be difficult to deal with large companies which use the power of their platforms again and again, to take over one related market after another. We can deal with that issue with a series of cases – but the risk is that we’ll always find ourselves playing catch-up, while platforms move from market to market, using the same strategies to drive out their rivals. 
  • The risk, though, is that we’ll have a fragmented system, with different rules in different EU countries. That would make it hard to tackle huge platforms that operate throughout Europe, and to deal with other problems that you find in digital markets in many EU countries. And it would mean that businesses and consumers across Europe can’t all rely on the same protection. 
  • That’s why the second pillar of the Digital Markets Act would put a harmonised market investigation framework in place across the single market, giving us the power to tackle market failures like this in digital markets, and stop new ones from emerging. That would give us a harmonised set of rules that would allow us to investigate certain structural problems in digital markets. And if necessary, we could take action to make these markets contestable and competitive.


Setting The Plate For Section 230 Hearing

The top Republican and Democrat on the Senate Commerce Committee seek to frame the 28 October hearing on Section 230 in the light they favor.

Before the Senate Commerce, Science, and Transportation Committee held its hearing today on 47 U.S.C. 230 (Section 230), both Chair Roger Wicker (R-MS) and Ranking Member Maria Cantwell (D-WA) sought to provide their slant on the proceedings. Wicker continued with the Republican narrative by suggesting social media platforms may be cooperating with the Biden Campaign, and Cantwell released a report on how these platforms have adversely affected local journalism to the detriment of American democracy.

Wicker sent letters to Facebook CEO Mark Zuckerberg and Twitter CEO Jack Dorsey that seem obliquely along the same lines as Senator Josh Hawley’s (R-MO) letter to the Federal Election Commission (FEC) claiming that the two platforms’ restriction on spreading the dubious New York Post story on Hunter Biden was an in-kind campaign contribution.

Wicker wrote to Zuckerberg and Dorsey:

In the interest of fully disclosing any interactions with the candidates and their campaigns, I request that you provide the Committee with specific information regarding whether and how [Facebook/Twitter have] provided access to any data, analytics, or other information to either major political party, candidate, or affiliates thereof. This includes information related to advertising, post or page performance, engagement, or other data that might shape or influence decision-making by the candidate or campaign. In addition, please indicate whether this information is provided equitably to all candidates, and how decisions are made regarding what information is provided and to whom.

Clearly, Wicker is after any indication that the Biden Campaign has received undue or extra help or information the Trump Campaign has not. Facebook has taken millions of dollars in advertising from the two campaigns and from other parties. Twitter stopped accepting political advertising in late 2019. Consequently, it is likely there will be mountains of material to provide the committee. This inquiry may have been made in the interest of ensuring a fairly contested election. Or, perhaps Wicker and his staff have some inside information into the two platforms’ relations with the Biden Campaign. Perhaps the letter is meant as a fishing expedition in the hopes any such evidence will turn up.

Nonetheless, these letters may have the prophylactic effect of chilling any efforts Facebook and Twitter may take in the last week of the election lest they be hauled again before Congress to answer for their moderation and takedown decisions regarding political and misinformation material. If it turns out the Trump Campaign has gotten advantageous treatment, it would be hard to see how Wicker and other Republicans would weave the fact of greater assistance to President Donald Trump into their perpetual campaign of decrying alleged but never proven anti-conservative bias.

But, as mentioned before, Wicker could attempt to portray any assistance provided to the Biden Campaign as an in-kind contribution, as Hawley did after sharing of the dubious New York Post article was limited on the platforms, even though there are clear exemptions for the media in federal laws and regulations on aid to campaigns.

Hawley claimed in a letter to the FEC that Twitter and Facebook have given the Biden Campaign an in-kind contribution by blocking the article in violation of federal campaign finance law. Hawley, however, was careful to couch his claim in language suggesting that Twitter and Facebook’s actions (which he terms suppression) were in-kind contributions instead of outright asserting they are.

While Hawley quite accurately quotes the law on what constitutes a contribution (“[a] ‘contribution’ includes ‘anything of value . . . for the purpose of influencing any election for Federal office’”), he is apparently unaware of the regulations promulgated by the FEC to explicate gaps and unaddressed issues in the statute. FEC regulations shed further light on the issue at hand. Notably, in 11 CFR 100.71, the FEC’s regulations provide extensive exceptions to what is a contribution and provide “[t]he term contribution does not include payments, services or other things of value described in this subpart.” One such exception is found in 11 CFR 100.73, “News story, commentary, or editorial by the media,” which makes clear:

Any cost incurred in covering or carrying a news story, commentary, or editorial by any broadcasting station (including a cable television operator, programmer or producer), Web site, newspaper, magazine, or other periodical publication, including any Internet or electronic publication, is not a contribution unless the facility is owned or controlled by any political party, political committee, or candidate, in which case the costs for a news story.

One of the essential elements for such an action to be a contribution is control or ownership. I am fairly certain the Biden Campaign neither owns nor controls Twitter or Facebook. For if they do, they have been colossally inept in allowing President Donald Trump and his partisans to spread misinformation and lies widely about mail-in voting, to name one such subject.

Moreover, the FEC and federal courts have long recognized the “press exemption” to what might otherwise be considered in-kind contributions or expenditures in violation of the law. This exemption includes websites and the internet. It would seem that Facebook and Twitter were acting in ways much more similar to how the traditional print media has. It is telling that Hawley and others have not pilloried the so-called liberal media for looking askance at the New York Post’s story and not taking it at face value to the extent they have covered it at all. Therefore, it seems like any value the Biden Campaign may have derived from social media platforms using 47 USC 230 in moderating content on their platform is not an in-kind contribution.

Cantwell released a report that she had mentioned during her opening statement at the 23 September hearing aimed at trying to revive data privacy legislation. She and her staff investigated the decline and financial troubles of local media outlets, which are facing a cumulative loss in advertising revenue of up to 70% since 2000. And since advertising revenue has long been the lifeblood of print journalism, this has devastated local media, with many outlets shutting their doors or radically cutting their staff. This trend has been exacerbated by consolidation in the industry, often in concert with private equity or hedge funds looking to wring the last dollars of value from bargain-basement-priced newspapers. Cantwell also claimed that the overwhelming online advertising dominance of Google and Facebook has further diminished advertising revenue and other possible sources of funding through a variety of means. She intimates that much of this conduct may be illegal under U.S. law, and the Federal Trade Commission (FTC) may well be able to use its Section 5 powers against unfair and deceptive acts and its antitrust authority to take action.

Cantwell detailed “Current and Suggested Congressional Considerations to Save Local News:”

  • Providing COVID-19 Emergency Financial Relief
    • As discussed in this report, the COVID-19 pandemic has had a devastating impact on local media outlets around the country. Congress should provide immediate support to stabilize these critical community institutions because it is very difficult to recreate a functioning local newsroom once its unique blend of knowledgeable local reporters, editorial controls, and regional subscribers is lost.
    • Congress should renew the Paycheck Protection Program (PPP), created by the Coronavirus Aid, Relief, and Economic Security (CARES) Act, to continue to support jobs at local news outlets. It should also expand the PPP to make thousands more local newspapers, radio, and television broadcasters eligible for emergency federal support.
    • Congress should also consider targeted tax incentives and grants as at least a short-term bridge to enable local news entities to survive the current economic turmoil.
  • Ensure Fair Return for Local News Content
    • Local news outlets create unmatched trusted content for local communities but, as discussed in this report, they are not being fairly compensated for their intellectual property by news aggregators, who are abusing their dominant positions in the marketplace.
    • Congress should consider requiring that news aggregation platforms enter into good faith negotiations with local news organizations and pay them fair market value for their content. Congress should also consider allowing local news organizations for a limited duration to collectively bargain for reuse of their content, provided there are strong controls in place to ensure that smaller publishers are not left behind.
  • Level the Playing Field for Local News
    • As detailed in this report, news aggregation platforms are using their market power and data aggregation practices to disadvantage local news.
    • Congress has a long history of addressing market abuses that stifle innovation and harm consumers. Rules preventing unfair, deceptive, and abusive practices can stop platforms from taking local news content without financial payment and retaliating against local news by hiding or removing their content from search engines or social media feeds. Similarly, statutes that prohibit market manipulation in other industries can serve as models to ensure online advertising markets are transparent and not contrived to benefit a dominant firm. Federal privacy protections can also serve to empower consumers to provide more support to local news organizations that provide them with more trusted and relevant information. Each of these changes should be crafted in a way to promote competition and consumer welfare and spur growth and innovation in the digital economy.

Cantwell’s report follows the House Judiciary Committee’s Antitrust, Commercial and Administrative Law Subcommittee’s “Investigation into Competition in Online Markets,” which also examined, in part, the effect of the digital dominance of Facebook and Google on the U.S. journalism industry. The Subcommittee asserted:

received testimony and submissions showing that the dominance of some online platforms has contributed to the decline of trustworthy sources of news, which is essential to our democracy. In several submissions, news publishers raised concerns about the “significant and growing asymmetry of power” between dominant platforms and news organizations, as well as the effect of this dominance on the production and availability of trustworthy sources of news. Other publishers said that they are “increasingly beholden” to these firms, and in particular, to Google and Facebook. Google and Facebook have an outsized influence over the distribution and monetization of trustworthy sources of news online, undermining the quality and availability of high-quality sources of journalism. This concern is underscored by the COVID-19 pandemic, which has laid bare the importance of preserving a vibrant free press in both local and national markets.

The Subcommittee recommended:

To address this imbalance of bargaining power, we recommend that the Subcommittee consider legislation to provide news publishers and broadcasters with a narrowly tailored and temporary safe harbor to collectively negotiate with dominant online platforms.

The Subcommittee noted:

In April 2019, Subcommittee Chairman [David] Cicilline (D-RI) and Doug Collins (R-GA), the former Ranking Member of the Committee on the Judiciary, introduced H.R. 2054, the “Journalism Competition and Preservation Act of 2019.” H.R. 2054 would allow coordination by news publishers under the antitrust laws if it (1) directly relates to the quality, accuracy, attribution or branding, or interoperability of news; (2) benefits the entire industry, rather than just a few publishers, and is non-discriminatory to other news publishers; and (3) directly relates to and is reasonably necessary for these negotiations, instead of being used for other purposes.

Cantwell noted in her report “regulators across Europe and in Australia are taking steps to ensure that local publishers can continue to monetize their content and reach consumers.” She claimed “[p]artly in response to these regulatory actions, Google and Facebook have announced plans to provide limited compensation to a small slice of the news sector…[and] [w]hether this compensation will be sufficient, or negotiated on fair terms, remains to be seen.”

In late July, the Australian Competition and Consumer Commission (ACCC) issued for public consultation a draft of “a mandatory code of conduct to address bargaining power imbalances between Australian news media businesses and digital platforms, specifically Google and Facebook.” The government in Canberra had asked the ACCC to draft this code earlier this year after talks broke down between the Australian Treasury and the companies. The ACCC explained:

The code would commence following the introduction and passage of relevant legislation in the Australian Parliament. The ACCC released an exposure draft of this legislation on 31 July 2020, with consultation on the draft due to conclude on 28 August 2020. Final legislation is expected to be introduced to Parliament shortly after conclusion of this consultation process.

This is not the ACCC’s first interaction with the companies. Late last year, the ACCC announced a legal action against Google “alleging they engaged in misleading conduct and made false or misleading representations to consumers about the personal location data Google collects, keeps and uses” according to the agency’s press release. In its initial filing, the ACCC is claiming that Google misled and deceived the public in contravention of the Australian Competition Law and that Android users were harmed because those who switched off Location Services were unaware that their location information was still being collected and used by Google, for it was not readily apparent that Web & App Activity also needed to be switched off. Moreover, a year ago, the ACCC released its final report in its “Digital Platforms Inquiry” that “proposes specific recommendations aimed at addressing some of the actual and potential negative impacts of digital platforms in the media and advertising markets, and also more broadly on consumers.”

In mid-August, Google and the ACCC exchanged public letters, fighting over the latter’s proposal to ensure that media companies are compensated for articles and content the former uses.

  • In an Open Letter to Australians, Google claimed:
    • A proposed law, the News Media Bargaining Code, would force us to provide you with a dramatically worse Google Search and YouTube, could lead to your data being handed over to big news businesses, and would put the free services you use at risk in Australia.
    • You’ve always relied on Google Search and YouTube to show you what’s most relevant and helpful to you. We could no longer guarantee that under this law. The law would force us to give an unfair advantage to one group of businesses – news media businesses – over everyone else who has a website, YouTube channel or small business. News media businesses alone would be given information that would help them artificially inflate their ranking over everyone else, even when someone else provides a better result. We’ve always treated all website owners fairly when it comes to information we share about ranking. The proposed changes are not fair and they mean that Google Search results and YouTube will be worse for you.
    • You trust us with your data and our job is to keep it safe. Under this law, Google has to tell news media businesses “how they can gain access” to data about your use of our products. There’s no way of knowing if any data handed over would be protected, or how it might be used by news media businesses.
    • We deeply believe in the importance of news to society. We partner closely with Australian news media businesses — we already pay them millions of dollars and send them billions of free clicks every year. We’ve offered to pay more to license content. But rather than encouraging these types of partnerships, the law is set up to give big media companies special treatment and to encourage them to make enormous and unreasonable demands that would put our free services at risk.

In its response, the ACCC asserted:

  • The open letter published by Google today contains misinformation about the draft news media bargaining code which the ACCC would like to address. 
  • Google will not be required to charge Australians for the use of its free services such as Google Search and YouTube, unless it chooses to do so.
  • Google will not be required to share any additional user data with Australian news businesses unless it chooses to do so.
  • The draft code will allow Australian news businesses to negotiate for fair payment for their journalists’ work that is included on Google services.
  • This will address a significant bargaining power imbalance between Australian news media businesses and Google and Facebook.

Google has since published a follow-up letter, claiming it does not oppose the draft code but rather wants a few changes. Google also dodged blame for the decline of media revenue, asserting “the fall in newspaper revenue over recent years was mainly the result of the loss of classified ads to online classifieds businesses.” Google trumpeted its 1 October decision “to pay a number of publishers to license their content for a new product, including some in Australia, as well as helping train thousands of Australian journalists.” As announced by Google and Alphabet CEO Sundar Pichai, Google will pay some media outlets up to $1 billion over the next three years “to create and curate high-quality content for a different kind of online news experience” for its new product, Google News Showcase. Pichai claimed:

This approach is distinct from our other news products because it leans on the editorial choices individual publishers make about which stories to show readers and how to present them. It will start rolling out today to readers in Brazil and Germany, and will expand to other countries in the coming months where local frameworks support these partnerships.

This decision was not well-received everywhere, especially in the European Union (EU), which is in the process of implementing an EU measure requiring Google and Facebook to pay the media for content. The European Publishers Council (EPC) noted:

The French Competition Authority decision from April considered that Google’s practices were likely to constitute an abuse of a dominant position and brought serious and immediate damage to the press sector. It calls on Google, within three months, to conduct negotiations in good faith with publishers and press agencies on the remuneration for their protected content. Google’s appeal in July seeks to get some legal clarity on parts of the decision.

Moreover, the European Union (EU) Directive on Copyright in the Digital Single Market is being implemented in EU member states and would allow them to require compensation from platforms like Facebook and Google. The EPC claimed:

Many are quite cynical about Google’s perceived strategy. By launching their own product, they can dictate terms and conditions, undermine legislation designed to create conditions for a fair negotiation, while claiming they are helping to fund news production.

Incidentally, earlier this month, a French appeals court ruled against Google in its fight to stop France’s competition authority from requiring it to negotiate licensing fees for the use of French media. And, earlier today, Italy’s competition authority announced an investigation “against Google for an alleged abuse of dominant position in the Italian market for display advertising.” The agency asserted:

  • In the key market for online advertising, which Google controls also thanks to its dominant position on a large part of the digital value chain, the Authority questions the undertaking’s discriminatory use of the huge amount of data collected through its various applications, preventing rivals in the online advertising markets from competing effectively. More specifically, Google appears to have engaged in an internal/external discriminatory conduct, refusing to provide its competitors with Google ID decryption keys and excluding third-party tracking pixels. At the same time, Google has allegedly used tracking elements enabling its advertising intermediation services to achieve a targeting capability that some equally efficient competitors are unable to replicate.
  • The conducts investigated by the Authority may have a significant impact on competition in the various markets of the digital advertising value chain, with wide repercussions on competitors and consumers. The absence of competition in the intermediation of digital advertising, in fact, might reduce the resources allocated to website producers and publishers, thus impoverishing the quality of content directed to end customers. Moreover, the absence of effective competition based on merits could discourage technological innovation for the development of advertising technologies and techniques less intrusive for consumers.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Roman Kraft on Unsplash

Antitrust Report Released

A far-reaching set of recommendations on how the U.S. should remake its antitrust policies to take on Big Tech

The subcommittee of the House Judiciary Committee that has been investigating digital competition for over a year issued its final report and is calling for nothing less than a complete remaking of United States (U.S.) antitrust policy and law. In the view of the subcommittee, a handful of technology companies have strangleholds on a number of key markets, and the health of the U.S. economy demands that the companies be broken up and reformed. The four companies the subcommittee focused on are Amazon, Apple, Facebook, and Google, four of the world’s largest companies by market capitalization. Even though the tide has turned against these and other large technology companies that were feted during the Obama Administration, if the response of Republicans on the committee encapsulates the feeling of party members in the Senate, there is no likely path for enactment of many of these proposals even under a Biden Administration unless the filibuster is junked. And even then, tech companies would find many sympathetic moderate and centrist Democrats who could not go along with a wholesale reform of antitrust enforcement.

The House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee started its inquiry over a year ago and held seven hearings, including one this past summer with the CEOs of the four companies. Subcommittee Chair David Cicilline (D-RI) has long made his leanings clear in his opening statements and questions, as has the full Committee Chair Jerrold Nadler (D-NY). They agree that these companies are too large and that current antitrust enforcement and law are inadequate to the job of addressing dominance of online markets that rivals the trusts from more than 100 years ago.

The Subcommittee found:

  • Over the past decade, the digital economy has become highly concentrated and prone to monopolization. Several markets investigated by the Subcommittee—such as social networking, general online search, and online advertising—are dominated by just one or two firms. The companies investigated by the Subcommittee—Amazon, Apple, Facebook, and Google—have captured control over key channels of distribution and have come to function as gatekeepers. Just a decade into the future, 30% of the world’s gross economic output may lie with these firms, and just a handful of others.
  • In interviews with Subcommittee staff, numerous businesses described how dominant platforms exploit their gatekeeper power to dictate terms and extract concessions that no one would reasonably consent to in a competitive market. Market participants that spoke with Subcommittee staff indicated that their dependence on these gatekeepers to access users and markets requires concessions and demands that carry significant economic harm, but that are “the cost of doing business” given the lack of options.
  • This significant and durable market power is due to several factors, including a high volume of acquisitions by the dominant platforms. Together, the firms investigated by the Subcommittee have acquired hundreds of companies just in the last ten years. In some cases, a dominant firm evidently acquired nascent or potential competitors to neutralize a competitive threat or to maintain and expand the firm’s dominance. In other cases, a dominant firm acquired smaller companies to shut them down or discontinue underlying products entirely—transactions aptly described as “killer acquisitions.”
  • In the overwhelming number of cases, the antitrust agencies did not request additional information and documentary material under their pre-merger review authority in the Clayton Act, to examine whether the proposed acquisition may substantially lessen competition or tend to create a monopoly if allowed to proceed as proposed. For example, of Facebook’s nearly 100 acquisitions, the Federal Trade Commission engaged in an extensive investigation of just one acquisition: Facebook’s purchase of Instagram in 2012.

Regarding the four companies themselves, the Subcommittee claimed:

  • Facebook
    • Facebook has monopoly power in the market for social networking. Internal communications among the company’s Chief Executive Officer, Mark Zuckerberg, and other senior executives indicate that Facebook acquired its competitive threats to maintain and expand its dominance. For example, a senior executive at the company described its acquisition strategy as a “land grab” to “shore up” Facebook’s position, while Facebook’s CEO said that Facebook “can likely always just buy any competitive startups,” and agreed with one of the company’s senior engineers that Instagram was a threat to Facebook.
    • Facebook’s monopoly power is firmly entrenched and unlikely to be eroded by competitive pressure from new entrants or existing firms. In 2012, the company described its network effects as a “flywheel” in an internal presentation prepared for Facebook at the direction of its Chief Financial Officer. This presentation also said that Facebook’s network effects get “stronger every day.”
  • Google
    • Google has a monopoly in the markets for general online search and search advertising. Google’s dominance is protected by high entry barriers, including its click-and-query data and the extensive default positions that Google has obtained across most of the world’s devices and browsers. A significant number of entities—spanning major public corporations, small businesses, and entrepreneurs—depend on Google for traffic, and no alternate search engine serves as a substitute.
    • Google maintained its monopoly over general search through a series of anticompetitive tactics. These include an aggressive campaign to undermine vertical search providers, which Google viewed as a significant threat. Documents show that Google used its search monopoly to misappropriate content from third parties and to boost Google’s own inferior vertical offerings, while imposing search penalties to demote third-party vertical providers. Since capturing a monopoly over general search, Google has steadily proliferated its search results page with ads and with Google’s own content, while also blurring the distinction between paid ads and organic results. As a result of these tactics, Google appears to be siphoning off traffic from the rest of the web, while entities seeking to reach users must pay Google steadily increasing sums for ads. Numerous market participants analogized Google to a gatekeeper that is extorting users for access to its critical distribution channel, even as its search page shows users less relevant results.
    • A second way Google has maintained its monopoly over general search has been through a series of anticompetitive contracts. After purchasing the Android operating system in 2005, Google used contractual restrictions and exclusivity provisions to extend Google’s search monopoly from desktop to mobile. Documents show that Google required smartphone manufacturers to pre-install and give default status to Google’s own apps, impeding competitors in search as well as in other app markets. As search activity now migrates from mobile to voice, third-party interviews suggest Google is again looking for ways to maintain its monopoly over search access points through a similar set of practices.
  • Amazon
    • Amazon has significant and durable market power in the U.S. online retail market. This conclusion is based on the significant record that Subcommittee staff collected and reviewed, including testimonials from third-party sellers, brand manufacturers, publishers, former employees, and other market participants, as well as Amazon’s internal documents. Although Amazon is frequently described as controlling about 40% of U.S. online retail sales, this market share is likely understated, and estimates of about 50% or higher are more credible.
    • As the dominant marketplace in the United States for online shopping, Amazon’s market power is at its height in its dealings with third-party sellers. The platform has monopoly power over many small- and medium-sized businesses that do not have a viable alternative to Amazon for reaching online consumers. Amazon has 2.3 million active third-party sellers on its marketplace worldwide, and a recent survey estimates that about 37% of them—about 850,000 sellers—rely on Amazon as their sole source of income.
    • Amazon achieved its current dominant position, in part, through acquiring its competitors, including Diapers.com and Zappos. It has also acquired companies that operate in adjacent markets, adding customer data to its stockpile and further shoring up its competitive moats. This strategy has entrenched and expanded Amazon’s market power in e-commerce, as well as in other markets. The company’s control over, and reach across, its many business lines enables it to self-preference and disadvantage competitors in ways that undermine free and fair competition. As a result of Amazon’s dominance, other businesses are frequently beholden to Amazon for their success.
    • Amazon has engaged in extensive anticompetitive conduct in its treatment of third-party sellers. Publicly, Amazon describes third-party sellers as “partners.” But internal documents show that, behind closed doors, the company refers to them as “internal competitors.” Amazon’s dual role as an operator of its marketplace that hosts third-party sellers, and a seller in that same marketplace, creates an inherent conflict of interest. This conflict incentivizes Amazon to exploit its access to competing sellers’ data and information, among other anticompetitive conduct.
  • Apple
    • Apple has significant and durable market power in the mobile operating system market. Apple’s dominance in this market, where it controls the iOS mobile operating system that runs on Apple mobile devices, has enabled it to control all software distribution to iOS devices. As a result, Apple exerts monopoly power in the mobile app store market, controlling access to more than 100 million iPhones and iPads in the U.S.
    • Apple’s mobile ecosystem has produced significant benefits to app developers and consumers. Launched in 2008, the App Store revolutionized software distribution on mobile devices, reducing barriers to entry for app developers and increasing the choices available to consumers. Despite this, Apple leverages its control of iOS and the App Store to create and enforce barriers to competition and discriminate against and exclude rivals while preferencing its own offerings. Apple also uses its power to exploit app developers through misappropriation of competitively sensitive information and to charge app developers supra-competitive prices within the App Store. Apple has maintained its dominance due to the presence of network effects, high barriers to entry, and high switching costs in the mobile operating system market.

The Subcommittee summarized its recommendations:

a. Restoring Competition in the Digital Economy

  • Structural separations and prohibitions of certain dominant platforms from operating in adjacent lines of business;
  • Nondiscrimination requirements, prohibiting dominant platforms from engaging in self-preferencing, and requiring them to offer equal terms for equal products and services;
  • Interoperability and data portability, requiring dominant platforms to make their services compatible with various networks and to make content and information easily portable between them;
  • Presumptive prohibition against future mergers and acquisitions by the dominant platforms;
  • Safe harbor for news publishers in order to safeguard a free and diverse press; and
  • Prohibitions on abuses of superior bargaining power, proscribing dominant platforms from engaging in contracting practices that derive from their dominant market position, and requiring due process protections for individuals and businesses dependent on the dominant platforms.

b. Strengthening the Antitrust Laws

  • Reasserting the anti-monopoly goals of the antitrust laws and their centrality to ensuring a healthy and vibrant democracy;
  • Strengthening Section 7 of the Clayton Act, including through restoring presumptions and bright-line rules, restoring the incipiency standard and protecting nascent competitors, and strengthening the law on vertical mergers;
  • Strengthening Section 2 of the Sherman Act, including by introducing a prohibition on abuse of dominance and clarifying prohibitions on monopoly leveraging, predatory pricing, denial of essential facilities, refusals to deal, tying, and anticompetitive self-preferencing and product design; and
  • Taking additional measures to strengthen overall enforcement, including through overriding problematic precedents in the case law.

c. Reviving Antitrust Enforcement

  • Restoring robust congressional oversight of the antitrust laws and their enforcement;
  • Restoring the federal antitrust agencies to full strength, by triggering civil penalties and other relief for “unfair methods of competition” rules, requiring the Federal Trade Commission to engage in regular data collection on concentration, enhancing public transparency and accountability of the agencies, requiring regular merger retrospectives, codifying stricter prohibitions on the revolving door, and increasing the budgets of the FTC and the Antitrust Division; and
  • Strengthening private enforcement, through eliminating obstacles such as forced arbitration clauses, limits on class action formation, judicially created standards constraining what constitutes an antitrust injury, and unduly high pleading standards.

The Ranking Member on the Antitrust, Commercial, and Administrative Law Subcommittee, Jim Sensenbrenner (R-WI) signaled his agreement with some of the recommendations made in the report but articulated his views:

  • I disagree with the view that there needs to be a wholesale rewrite of our country’s antitrust laws.
  • Congressional review of our antitrust laws in the age of Big Tech was absolutely warranted.  Oversight of the existing legal and regulatory framework is one of the key functions of the committee system, and I applaud Chairman Cicilline on his undertaking of this project in a bipartisan manner. 
  • There actually is a lot that we agree on, including the lack of sufficient scrutiny on past activity by these companies.  For example, the report highlights that Facebook only had one acquisition extensively reviewed by the FTC out of nearly 100.  That lack of enforcement raises significant questions. What becomes clear is that better resources and funding for the enforcement agencies are key to having an effective antitrust framework.
  • Ultimately, I am concerned with several of the recommendations made by the committee.  A ‘Glass-Steagall’ like approach to tech regulation does not benefit consumers and will lead to too much government regulation of a very innovative industry.  Likewise, mandating data interoperability could hamper future innovation by preventing the development of new and better systems.
  • I am also opposed to several of the proposed changes to merger activity.  A presumptive ban on future acquisitions, especially now with economic uncertainty plaguing the world, could hinder potentially fruitful, beneficial business decisions. Also, shifting the burden of proof in merger cases misplaces the obligation upon companies to prove their innocence rather than the government proving their guilt.

In his statement, Ranking Member Jim Jordan (R-OH) again chose to ignore the competition and market dominance issues on which a number of his Republican colleagues agreed with Democrats, instead reiterating unproven Republican talking points about alleged conservative bias:

Big tech is out to get conservatives. Unfortunately, the Democrats’ partisan report ignores this fundamental problem and potential solutions and instead advances radical proposals that would refashion antitrust law in the vision of the far left.

On the same day, a small group of committee Republicans released their report on “Big Tech” with their proposed policy and legal solutions. This effort was led by Representative Ken Buck (R-CO), a subcommittee member who participated in the hearings in a bipartisan fashion, even praising Cicilline for his evenhanded conduct of the proceedings. However, Buck did indicate he could not agree with some of the directions his Democratic colleagues seem to be heading in response to the evidence. Buck was joined by Representatives Matt Gaetz (R-FL), Doug Collins (R-GA), and Andy Biggs (R-AZ).

They noted:

We write this response to join Chairman Cicilline and the majority staff on certain recommendations, offer modifications to some recommendations, and argue against the wisdom of proceeding on a few recommendations. We also want to point out that the committee’s ongoing efforts should emphasize issues that have been ignored but must be addressed in the future for a truly bipartisan approach to reforming Big Tech’s dominant position in the marketplace. Finally, we want to thank the Chairman for not using this report as an opportunity to push a progressive labor, environmental, or other unrelated policy agenda under the guise of antitrust enforcement. We sincerely appreciate the Chairman’s friendship and dedication to making this process open and accessible to all members.

Buck, Gaetz, Collins, and Biggs added:

The majority staff report offers a comprehensive review of the technology marketplace and accurately depicts the harmful effects of Big Tech’s anticompetitive reign over the digital economy. Many of the factual findings detailed in the report are undeniable. The majority staff accurately portrays how Apple, Amazon, Google, and Facebook have used their monopoly power to act as gatekeepers to the marketplace, undermine potential competition, and pick winners and losers, all while simultaneously cozying up to unfriendly nations like China in order to further expand their global footprint.

In terms of where they agree with Cicilline and the Democrats, they remarked:

  • We agree that antitrust enforcement agencies need additional resources and tools to provide proper oversight. However, these potential changes need not be dramatic to be effective. By reinforcing presumptions that certain behaviors are likely to reduce competition, lowering evidentiary burdens in litigated cases, and emphasizing that anticompetitive effects are not limited to price effects and include innovation competition, quality, output, and consumer choice, Congress can make a meaningful difference.
  • We also agree with a number of the majority’s other legislative recommendations, including proposals to shift the burden of proof for companies pursuing mergers and acquisitions and empowering consumers to take control of their user data through data portability and interoperability standards. Additionally, the report offers recommendations where we believe there is common ground, but the subcommittee should receive expert feedback before pushing forward. Some of these proposals include the majority’s monopoly reforms related to predatory pricing, monopoly leveraging, the Essential Facilities Doctrine, and policies related to the Supreme Court’s recent decision related to two-sided markets in Ohio v. American Express Co.

Buck, Gaetz, Collins, and Biggs spelled out the recommendations made by the majority they could not join:

  • However, the majority also offers policy prescriptions that are non-starters for conservatives. These proposals include eliminating arbitration clauses and further opening companies up to class action lawsuits. Similarly, the majority’s desire to institute Glass-Steagall for America’s tech sector and modeling the majority’s equal terms for equal services recommendation on President Obama’s net neutrality rule will not garner support from Republicans.
  • While we agree in principle with the findings identified in the report, we cannot endorse all of the legislative recommendations offered by the majority. We will work with the Chairman in a bipartisan fashion to help enact the legislative solutions where we can agree. However, we are concerned that sweeping changes could lead to overregulation and carry unintended consequences for the entire economy. We prefer a targeted approach, the scalpel of antitrust, rather than the chainsaw of regulation.

Image by xresch from Pixabay

Further Reading, Other Developments, and Coming Events (6 October)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The European Union Agency for Cybersecurity (ENISA), Europol’s European Cybercrime Centre (EC3) and the Computer Emergency Response Team for the EU Institutions, Bodies and Agencies (CERT-EU) will hold the 4th annual IoT Security Conference series “to raise awareness on the security challenges facing the Internet of Things (IoT) ecosystem across the European Union:”
    • Operational IoT – 7 October at 15:00 to 16:30 CET
    • Artificial Intelligence – 14 October at 15:00 to 16:30 CET
    • Supply Chain for IoT – 21 October at 15:00 to 16:30 CET
  • The Federal Communications Commission (FCC) will hold an open commission meeting on 27 October, but the agenda has not yet been announced.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”

Other Developments

  • The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that a “malicious cyber actor” had penetrated an unnamed federal agency and “implanted sophisticated malware—including multi-stage malware that evaded the affected agency’s anti-malware protection—and gained persistent access through two reverse Socket Secure (SOCKS) proxies that exploited weaknesses in the agency’s firewall.” Since CISA said it became aware of the penetration via EINSTEIN, it is likely a civilian agency that was compromised. The actor used “compromised credentials” to get into the agency, but “CISA analysts were not able to determine how the cyber threat actor initially obtained the credentials.” It is not clear whether this is a nation state or sophisticated hackers working independently.
    • It should be noted that last month, the Department of Veterans Affairs (VA) revealed it had been breached and “the personal information of approximately 46,000 Veterans” has been compromised. This announcement came the same day as an advisory issued by CISA that Chinese Ministry of State Security (MSS)-affiliated cyber threat actors have been targeting and possibly penetrating United States (U.S.) agency networks. 
  • Senators Ron Wyden (D-OR) and Jeff Merkley (D-OR) and Representatives Earl Blumenauer (D-OR) and Suzanne Bonamici (D-OR) wrote the Department of Homeland Security (DHS) regarding a report in The Nation alleging the DHS and Department of Justice (DOJ) surveilled the phones of protestors in Portland, Oregon in possible violation of United States (U.S.) law. These Members asked DHS to respond to the following questions by October 9:
    • During a July 23, 2020, briefing for Senate intelligence committee staff, Brian Murphy, then the Acting Under Secretary for Intelligence and Analysis (I&A) stated that DHS I&A had neither collected nor exploited or analyzed information obtained from the devices or accounts of protesters or detainees. On July 31, 2020, Senator Wyden and six other Senators on the Senate Select Committee on Intelligence wrote to Mr. Murphy to confirm the statement he had made to committee staff. DHS has yet to respond to that letter. Please confirm whether or not Mr. Murphy’s statement during the July 23, 2020, briefing was accurate at the time, and if it is still accurate.
    • Has DHS, whether directly, or with the assistance of any other government agency, obtained or analyzed data collected through the surveillance of protesters’ phones, including tracking their locations or intercepting communications content or metadata? If yes, for each phone that was surveilled, did the government obtain prior authorization from a judge before conducting this surveillance?
    • Has DHS used commercial data sources, including open source intelligence products, to investigate, identify, or track protesters or conduct network analysis? If yes, please identify each commercial data source used by DHS, describe the information DHS obtained, how DHS used it, whether it was subsequently shared with any other government agency, and whether DHS sought and obtained authorization from a court before querying the data source.
  • The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has published for comment the “Securing Data Integrity Against Ransomware Attacks: Using the NIST Cybersecurity Framework and NIST Cybersecurity Practice Guides” that provides “an overview of [NCCoE and NIST’s] Data Integrity projects…a high-level explanation of the architecture and capabilities, and how these projects can be brought together into one comprehensive data integrity solution…[that] can then be integrated into a larger security picture to address all of an organization’s data security needs.” Comments are due by 13 November. NCCoE and NIST explained:
    • This guide is designed for organizations that are not currently experiencing a loss of data integrity event (ransomware or otherwise). This document prepares an organization to adequately address future data integrity events. For information on dealing with a current attack, please explore guidance from organizations like the Federal Bureau of Investigation, the United States Secret Service, or other pertinent groups or government bodies.
    • Successful ransomware impacts data’s integrity, yet ransomware is just one of many potential vectors through which an organization could suffer a loss of data integrity. Integrity is part of the CIA security triad which encompasses Confidentiality, Integrity, and Availability. As the CIA triad is applied to data security, data integrity is defined as “the property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner.” An attack against data integrity can cause corruption, modification, and/or destruction of the data which ultimately results in a loss in trust in the data.
  • As referenced in media reports, Graphika released a report on a newly discovered Russian disinformation effort that led to the creation and propagation of propaganda to appeal to the right wing in the United States (U.S.). In “Step into My Parler: Suspected Russian Operation Targeted Far-Right American Users on Platforms Including Gab and Parler, Resembled Recent IRA-Linked Operation that Targeted Progressives,” Graphika explained:
    • Russian operators ran a far-right website and social media accounts that targeted American users with pro-Trump and anti-Biden messaging, according to information from Reuters and Graphika’s investigation. This included the first known Russian activity on the platforms Gab and Parler. The operation appeared connected to a recent Russian website that targeted progressives in America with anti-Biden messaging.
    • The far-right “Newsroom for American and European Based Citizens,” naebc[.]com, pushed the opposite end of the political spectrum from the ostensibly progressive PeaceData site, but the two assets showed such a strong family resemblance that they appear to be two halves of the same operation. Both ran fake editorial personas whose profile pictures were generated by artificial intelligence; both claimed to be young news outlets based in Europe; both made language errors consistent with Russian speakers; both tried to hire freelance writers to provide their content; and, oddly enough, both had names that translate to obscenities in Russian.
    • Reuters first tipped Graphika off to the existence of the NAEBC website and its likely relationship to PeaceData. U.S. law enforcement originally alerted the social media platforms to the existence of PeaceData. On September 1, Facebook attributed PeaceData to “individuals associated with past activity by the Russian Internet Research Agency (IRA).” Twitter attributed it to Russian state actors. Social media platforms (Facebook, Twitter, LinkedIn) have taken similar action to stop activity related to NAEBC on their platforms. To date, Parler and Gab have not taken action on their platforms.
  • The Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint Ransomware Guide “meant to be a one-stop resource for stakeholders on how to be proactive and prevent these attacks from happening and also a detailed approach on how to respond to an attack and best resolve the cyber incident.” The organizations explained:
    • First, the guide focuses on best practices for ransomware prevention, detailing practices that organizations should continuously do to help manage the risk posed by ransomware and other cyber threats. It is intended to enable forward-leaning actions to successfully thwart and confront malicious cyber activity associated with ransomware. Some of the several CISA and MS-ISAC preventive services that are listed are Malicious Domain Blocking and Reporting, regional CISA Cybersecurity Advisors, Phishing Campaign Assessment, and MS-ISAC Security Primers on ransomware variants such as Ryuk.
    • The second part of this guide, response best practices and services, is divided up into three sections: (1) Detection and Analysis, (2) Containment and Eradication, and (3) Recovery and Post-Incident Activity. One of the unique aspects that will significantly help an organization’s leadership as well as IT professional with response is a comprehensive, step-by-step checklist. With many technical details on response actions and lists of CISA and MS-ISAC services available to the incident response team, this part of the guide can enable a methodical, measured and properly managed approach.  
  • The Government Accountability Office (GAO) released a guide on best practices for agile software development for federal agencies and contracting officers. The GAO stated:
    • The federal government spends at least $90 billion annually on information technology (IT) investments. In our January 2019 High Risk List report, GAO reported on 35 high risk areas, including the management of IT acquisitions and operations. While the executive branch has undertaken numerous initiatives to help agencies better manage their IT investments, these programs frequently fail or incur cost overruns and schedule slippages while contributing little to mission-related outcomes.
    • GAO has found that the Office of Management and Budget (OMB) continues to demonstrate its leadership commitment by issuing guidance for covered departments and agencies to implement statutory provisions commonly referred to as Federal Information Technology Acquisition Reform Act (FITARA.) However, application of FITARA at federal agencies has not been fully implemented. For example, as we stated in the 2019 High Risk report, none of the 24 major federal agencies had IT management policies that fully addressed the roles of their Chief Information Officers (CIO) consistent with federal laws and guidance.
    • This Agile Guide is intended to address generally accepted best practices for Agile adoption, execution, and control. In this guide, we use the term best practice to be consistent with the use of the term in GAO’s series of best practices guides.

Further Reading

  • “GOP lawmaker: Democrats’ tech proposals will include ‘non-starters for conservatives’” By Cristiano Lima — Politico. Representative Ken Buck (R-CO) is quoted extensively in this article about Republican concerns that the House Judiciary Committee’s antitrust recommendations may include policy changes he and other GOP Members of the committee will not be able to go along with. Things like banning mandatory arbitration clauses and changing evidentiary burdens (i.e. rolling back court decisions that have made antitrust actions harder to mount) are not acceptable to Republicans who apparently agree in the main that large technology companies do indeed have too much market power. Interestingly, Buck and others think the solution is more resources for the Department of Justice and the Federal Trade Commission (FTC), which is rapidly becoming a favored policy prescription for federal privacy legislation, too. However, even with a massive infusion of funding, the agencies could not act in all cases, and, in any event, would need to contend with a more conservative federal judiciary unlikely to change the antitrust precedents that have reduced the ability of these agencies to take action in the first place. Nonetheless, Republicans may join the report if the recommendations are changed. Of course, the top Republican on the committee, Representative Jim Jordan (R-OH), is allegedly pressuring Republicans not to join the report.
  • “Why Is Amazon Tracking Opioid Use All Over the United States?” By Lauren Kaori Gurley — Motherboard. The online shopping giant is apparently tracking a range of data related to opioid usage for reasons that are not entirely clear. To be fair, the company tracks all sorts of data.
  • “As QAnon grew, Facebook and Twitter missed years of warning signs about the conspiracy theory’s violent nature” By Craig Timberg and Elizabeth Dwoskin — The Washington Post. This article traces the history of how Facebook and Twitter opted not to act against QAnon while other platforms like Reddit did, quite possibly contributing to the rise and reach of the conspiracy. However, they were afraid of angering some on the right wing given the overlap between some QAnon supporters and some Trump supporters.
  • “Democratic Party leaders are “banging their head against the wall” after private meetings with Facebook on election misinformation” By Shirin Ghaffary — recode. Democratic officials who have been on calls with Facebook officials are saying the platform is not doing enough to combat disinformation and lies about the election. Facebook, of course, disputes this assessment. Democratic officials are especially concerned about the period between election day and when results are announced and think Facebook is not ready to handle the predicted wave of disinformation.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.
