Further Reading, Other Developments, and Coming Events (5 October)

Coming Events

  • On 6 October, the House Administration Committee’s Elections Subcommittee will hold a virtual hearing titled “Voting Rights and Election Administration: Combatting Misinformation in the 2020 Election.”
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”

Other Developments

  • The House Intelligence Committee released an unclassified executive summary of “The China Deep Dive: A Report on the Intelligence Community’s Capabilities and Competencies with Respect to the People’s Republic of China.” In a press release, the committee found that “the United States’ (U.S.) Intelligence Community (IC) has not sufficiently adapted to a changing geopolitical and technological environment increasingly shaped by a rising China and the growing importance of interlocking non-military transnational threats, such as global health, economic security, and climate change.” The committee further claimed “[a]bsent a significant realignment of resources, the U.S. government and intelligence community will fail to achieve the outcomes required to enable continued U.S. competition with China on the global stage for decades to come, and to protect the U.S. health and security.”
    • The committee stated that while its “review was scoped to assess the IC’s efforts against the China target, some of its findings address not merely China, but also broader issues foundational to the IC’s structure and continued ability to operate in a 21st century environment—an environment shaped by the ravages of COVID-19.”
    • The committee made the following findings:
      • Intelligence Community [REDACTED] compete with China. Absent a significant realignment of resources, the U.S. government will fail to achieve the outcomes required to enable U.S. competition with China on the global stage.
      • The Intelligence Community places insufficient emphasis and focus on “soft,” often interconnected long-term national security threats, such as infectious diseases of pandemic potential and climate change, and such threats’ macroeconomic impacts on U.S. national security. This could jeopardize the future relevance of the Intelligence Community’s analysis to policymakers on certain long-range challenges, particularly given the growing importance of these policy challenges to decision-makers and the public and the devastating impact of the current pandemic on U.S. national life.
      • The Intelligence Community has failed to fully achieve the integration objectives outlined in the 2004 Intelligence Reform and Terrorism Prevention Act (IRTPA) for targets and topics unrelated to counterterrorism.
      • The Intelligence Community is struggling to adapt to the increasing availability and commodification of data, [REDACTED].
      • The increasing pace of global events, fueled by the rise of social media and mobile communications, will continue to stress the IC’s ability to provide timely and accurate analysis within customers’ decision-making window.
      • The future successful application of artificial intelligence, machine learning, and other advanced analytic techniques will be integral enablers for the U.S. national security enterprise. Conversely, there is a high degree of strategic risk associated with stasis and a failure to modernize.
      • Existing intelligence requirement prioritization mechanisms [REDACTED] particularly with respect to decision-makers outside of the Department of Defense.
    • The committee made the following recommendations broadly about the IC:
      • The Committee recommends the creation of a bipartisan, bicameral congressional study group to evaluate the current organization of and authorities provided to the intelligence community, with the express goal of making necessary reforms to the National Security Act of 1947 and the Intelligence Reform and Preventing Terrorism Act (IRPTA) of 2004.
      • The Executive Branch, in consultation with congressional intelligence and appropriations committees, must undertake a zero-based review of all intelligence program expenditures, assess the programs’ continued relevance to forward-looking mission sets, such as the increased relevance of “soft” transnational threats and continued competition with China, and take immediate corrective action to align taxpayer resources in support of strategic requirements.
      • An external entity should conduct a formal review of the governance of open-source intelligence (OSINT) within the intelligence community, and submit to congressional intelligence and appropriations committees a proposal to streamline and strengthen U.S. government capabilities.
      • The Office of the Director of National Intelligence (ODNI) should identify shared artificial intelligence and machine learning (AI/ML) use cases across the intelligence community and use its coordinating and budgetary authorities to consolidate spending, expertise, and data around shared community-wide AI/ML capabilities.
    • Specific to the People’s Republic of China, the committee stated:
      • ODNI should strengthen its ability to effectively track [REDACTED]
      • The IC should [REDACTED] existing intelligence collection prioritization frameworks, particularly to inform resource allocation decisions.
      • The IC should formalize and broaden programs designed to mentor the next generation of China analysts. Agencies should leverage best practices from across the community, and develop internal Senior Steering Groups to prioritize investments in specific China-focused programs.
      • The IC should conduct a review of security clearance adjudication policies surrounding [REDACTED]
      • If an officer possesses critical skills relevant to China mission-set, such as proficiency in Mandarin Chinese, the Intelligence Community should [REDACTED]
      • The IC should engage in a dialogue with the U.S. Department of Education on the requirements for the future of the U.S. national security workforce.
      • The Intelligence Community should codify and nurture cadres of officers with China-focused expertise [REDACTED]
      • The U.S. should expand its diplomatic, economic, and defense presence in the Indo-Pacific region, to include in the Pacific Island Countries and Southeast Asia.
      • The IC should consider developing a series of reskilling programs to leverage existing talent and expertise previously cultivated in counterterrorism programs.
      • The IC should streamline China-focused reporting across regional areas of responsibility.
      • The IC should leverage lessons learned from providing support to the counterterrorism mission in order to identify ways in which it can embed real-time support to customers, especially those located outside of the Department of Defense, such as the Department of State, the United States Trade Representative, or U.S. health and disaster preparedness agencies.
      • In recognition of the growing importance of economic and policy agencies to the overall success of the U.S. government’s approach to China, the intelligence community should develop plans to increase analytic support to, or otherwise ensure consistent, agile communications and appropriate interactions with, non-traditional agencies, such as the Department of Commerce, the Department of Homeland Security, the National Science Foundation, the Department of Education, and U.S. public health agencies.
  • The United States (U.S.), Australia, India, and Japan convened a virtual session of the Quadrilateral Security Dialogue (aka The Quad) late last month ahead of in person talks in Tokyo set for tomorrow. The renewal of this diplomatic relationship is being portrayed by the People’s Republic of China (PRC) as “an anti-China frontline,” a “mini-NATO,” and a reflection of the U.S.’ “Cold War mentality” according to the PRC’s Vice Foreign Minister. Nonetheless, the four nations issued a statement indicating the “four democracies discussed ways to work together to respond to the COVID-19 pandemic, promote transparency and counter disinformation, and protect the rules-based order the region has long enjoyed,” a statement that includes some pokes at the PRC. First, obviously the PRC is not a democracy and is in the process of cracking down on democracy in Hong Kong. Second, the PRC’s government is not renowned for its transparency and is coming to be one of the world’s foremost purveyors of disinformation online. Third, the U.S. has been arguing since the Obama Administration that the PRC is violating the rules and norms that have ensured prosperity and peace in the Pacific and Indian Oceans since World War II. Not surprisingly, the PRC sees this order as having been established by the U.S. and largely for its benefit.
    • The four nations added:
      • Noting the importance of digital connectivity and secure networks, the officials discussed ways to promote the use of trusted vendors, particularly for fifth generation (5G) networks. They explored ways to enhance coordination on counterterrorism, maritime security, cyber security, and regional connectivity, as well as quality infrastructure based upon international best practices, such as the G20 Principles for Quality Infrastructure Investment. Participants also highlighted the need to improve supply chains in sectors including critical minerals, medical supplies, and pharmaceuticals.
      • The officials reaffirmed their countries’ strong support for ASEAN centrality and ASEAN-led regional architecture. They explored ways to work together in the Mekong sub-region, in the South China Sea, and across the Indo-Pacific to support international law, pluralism, regional stability, and post-pandemic recovery efforts.
    • Again, many of these policy goals and problems are arising because of PRC actions, at least according to The Quad. The U.S. and its allies have been fighting the PRC’s 5G push and have accused the PRC of stepping up its cyber activities, including espionage.
    • Moreover, Japan created and advocated what eventually became the G20 Principles for Quality Infrastructure Investment as a policy counterpoint to the PRC’s Silk Belt and Road initiative that has resulted in massive aid from and indebtedness to Beijing in the developing world.
    • The Quad’s work, alongside bilateral relationships in the region, could well coalesce into an informal alliance against the PRC, an outcome that would likely help Washington achieve some of its professed policy goals.
  • Representative Jennifer Wexton (D-VA) and Senator Mazie K. Hirono (D-HI) introduced the “COVID-19 Disinformation Research and Reporting Act” (H.R.8395/S.4732) that “would examine the role of disinformation and misinformation on the public response to COVID-19 and the role that social media has in promoting the spread of false information” per their press release. The bill would require the “National Academies of Sciences, Engineering, and Medicine to conduct a study on the current understanding of the spread of COVID–19-related disinformation and misinformation on the internet and social media platforms.”
    • Wexton and Hirono asserted:
      • Disinformation and misinformation can be particularly dangerous during public health emergencies like COVID-19. This kind of false information can erode trust in science, government officials, and medical and public health experts. Disinformation and misinformation can also make it harder to get accurate and important materials to vulnerable communities, particularly once a vaccine becomes available. The internet and social media have made it easier to spread fake medical information such as unproven treatments for COVID-19.
    • The National Academies of Science, Engineering, and Medicine would need to submit a report to Congress, including “potential strategies to mitigate the dissemination and negative impacts of COVID–19-related disinformation and misinformation (and specifically the dissemination of disinformation and misinformation on social media),” which would likely have utility in fighting other disinformation and misinformation spread online. In fact, the sponsors may be using the current pandemic as the rationale to pass a bill that may otherwise be opposed. It is not hard to imagine the opposition from many on the right if Wexton, Hirono and their cosponsors had proposed legislation to study online extremism and hate in the United States, resulting in a report on how the U.S. might mitigate these phenomena given the role extremists and white supremacists have played in the Republican Party under President Donald Trump.
    • The bill is being sponsored by other Democrats in each chamber but no Republicans.
  • Senate Majority Whip John Thune (R-SD) and 18 Republican colleagues sent President Donald Trump a letter “to express our concerns about a Request For Information (RFI) released by the Department of Defense (DOD) that contradicts the successful free-market strategy you have embraced for 5G.” Late last month, the United States Department of Defense (DOD) released an RFI on the possibility of the agency sharing its prized portions of electromagnetic spectrum with commercial providers to speed the development and adoption of 5G in the United States. The Senators argued:
    • Rather than rely on private industry and market forces to foster multiple, facilities-based 5G networks, the RFI seeks information on a government-managed process for 5G networks.
    • Nationalizing 5G and experimenting with untested models for 5G deployment is not the way the United States will win the 5G race. While we recognize the need for secure communications networks for our military, we are concerned that such a proposal threatens our national security. When bad actors only need to penetrate one network, they have a greater likelihood of disrupting the United States’ communications services.
  • The Department of Defense (DOD) implemented a new rule designed to drive better cybersecurity among United States (U.S.) defense contractors. This rule brings together two different lines of effort to require the Defense Industrial Base (DIB) to employ better cybersecurity given the risks they face by holding and using classified information, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The Executive Branch has long wrestled with how to best push contractors to secure their systems, and Congress and the White House have opted for using federal contract requirements in that contractors must certify compliance. However, the most recent initiative, the Cybersecurity Maturity Model Certification (CMMC) Framework will require contractors to be certified by third party assessors. And yet, it is not clear the DOD has wrestled with the often misaligned incentives present in third party certification schemes.
  • Nonetheless, the DOD explained this is “an interim rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a DOD Assessment Methodology and CMMC framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DOD supply chain.”
  • The DOD added:
    • This rule amends DFARS subpart 204.73, Safeguarding Covered Defense Information and Cyber Incident Reporting, to implement the National Institute of Standards and Technology (NIST) Special Publication 800-171 DOD Assessment Methodology. The new coverage in the subpart directs contracting officers to verify in the Supplier Performance Risk System (SPRS) that an offeror has a current NIST SP 800-171 DOD Assessment on record, prior to contract award, if the offeror is required to implement NIST SP 800-171 pursuant to DFARS clause 252.204-7012. The contracting officer is also directed to include a new DFARS provision 252.204-7019, Notice of NIST SP 800-171 DOD Assessment Requirements, and a new DFARS clause 252.204-7020, NIST SP 800-171 DOD Assessment Requirements, in solicitations and contracts including solicitations using FAR part 12 procedures for the acquisition of commercial items, except for solicitations solely for the acquisition of COTS items.
    • This rule adds a new DFARS subpart, Subpart 204.75, CMMC, to specify the policy and procedures for awarding a contract, or exercising an option on a contract, that includes the requirement for a CMMC certification. Specifically, this subpart directs contracting officers to verify in SPRS that the apparently successful offeror’s or contractor’s CMMC certification is current and meets the required level prior to making the award.
  • The House Republicans’ China Task Force (CTF) released its final report with its recommendations on how the United States (U.S.) should change its policies to counter the People’s Republic of China (PRC), which includes a slew of technology-related recommendations.
    • The CTF asserted:
      • Since the establishment of diplomatic relations with the PRC more than 40 years ago, the United States has sought to draw the PRC into the community of nations as a responsible stakeholder. U.S. leaders pursued a strategy of engagement based on the assumption that expanding the bilateral economic relationship with the PRC would advance the U.S. national interest and lead the Chinese Communist Party (CCP) to change. This engagement strategy often turned a blind eye to the CCP’s human rights violations, economic malfeasance, expansionist aggression, and empty promises, as well as the CCP’s deep commitment to a hostile Communist ideology that drives this malign behavior. This strategy has, simply put, failed.
    • The CTF made these recommendations:
      • Supply Chain Security
        • Better securing our medical and national security supply chains by:
        • Providing aggressive, smart, and targeted tax incentives to accelerate our research and development (R&D) and production of crucial medicines, medical supplies, ingredients, tests, and vaccines;
        • Creating a grant program necessary to catalyze domestic production of important technologies and designing tax incentives to secure U.S. supply of advanced semiconductors; and
        • Overhauling the federal permitting process for mineral development and prioritizing advancements in mineral refining so neither industry nor the Defense Industrial Base are reliant on the CCP.
      • National Security
        • Working with the DoD to modernize force structure, posture, operational concepts, and acquisitions in order to deter CCP aggression in the Indo-Pacific and around the world.
        • Ensuring modernization of all three legs of the nuclear triad as well as development and fielding of conventional capabilities critical to counter the PLA in the Indo-Pacific, including ground-launched cruise and ballistic missiles.
        • Underscoring the need for a minimum three to five percent real growth in the defense budget per year in order to deter and defeat the PLA and other key adversaries.
        • Increasing focus on how the U.S. military protects space capabilities and carrying out space exploration goals by leveraging private sector investments.
        • Cutting off material support of CCP military industrial base companies, including divestment from companies with ties to the CCP’s military.
        • Safeguarding the U.S. electoral process and the integrity of our elections with various measures, including the identification of foreign malign actors and ensuring any individuals who engage in interference are inadmissible for entry to the U.S. or deportable if already present.
        • Providing more resources for investigations, criminal prosecutions, and other actions against CCP sponsored IP theft in addition to closing loopholes the CCP has exploited in our visa system.
        • Enhancing federal counterintelligence capabilities and bolstering Mandarin language capacity.
      • Technology
        • Taking a whole-of-government approach to assess the security risks posed by the PRC in 5G networks and increasing cooperation between the U.S. and its allies and partners in identifying and countering them.
        • Supporting the formation of a new D-10 group of leading democracies to develop and deploy 5G and subsequent generations and establishing a reimbursement program for companies to remove equipment from their communications networks that poses a national security risk.
        • Securing international leadership in the technologies of tomorrow, including AI, quantum, 5G, and autonomous vehicles.
        • Sanctioning PRC telecommunications companies engaged in economic or industrial espionage and any PRC entity that tries to hack COVID-19 researchers working on a vaccine.
      • Economics and Energy
        • Ensuring no U.S. taxpayer dollars support any PRC state-owned enterprises.
        • Harmonizing export control policies with our partners and allies to keep critical technologies, including semiconductor manufacturing equipment and R&D, from our adversaries.
        • Applying heightened scrutiny for investments in U.S. companies or operations from the PRC.
        • Strengthening trade relationships with our allies to establish U.S. standards and counter the PRC’s influence.
        • Pursuing trade policies that deter and protect against the PRC’s theft of IP.
        • Enforcing reciprocal treatment of PRC investment into the U.S. to restore symmetry in bilateral investment rules.
        • Ensuring PRC companies are held to the same financial disclosure standards as American companies when listing on U.S. stock exchanges.
        • Working to deepen our trade ties with Taiwan and resolving specific outstanding trade issues so the Administration can take steps to launch trade agreement negotiations once those issues are addressed.
        • Strengthening the Development Finance Corporation, Export Import Bank, and other government efforts to more robustly counter the CCP’s Belt and Road Initiative and debt trap diplomacy.
        • Continuing to advance U.S. energy security in order to be a global counter against the PRC, particularly on the nuclear energy front.
      • Competitiveness
        • Doubling the funding of basic science and technology research over the next 10 years.
        • Increasing coordination and funding for STEM education to create a more capable, skilled workforce.
        • Strengthening the protection of sensitive research at America’s colleges and universities and leading research institutions which includes restricting all federal employees and contractors from participating in foreign talent programs.
        • Requiring colleges and universities to annually report all donations from the PRC.

Further Reading

  • “In U.S.-China Tech Feud, Taiwan Feels Heat From Both Sides” By Raymond Zhong — The New York Times. Not surprisingly, this island nation (or renegade province according to the People’s Republic of China (PRC)) is being squeezed in the trade war between the United States (U.S.) and the PRC. The main factor that has led to its central role is the Taiwan Semiconductor Manufacturing Company (TSMC), which produces many of the semiconductors needed by both nations. However, with the U.S. tightening ever further the PRC’s access to this technology, Taiwan’s place in the technology world becomes ever more important. Many in Taiwan see this technological prowess as a bulwark against a PRC-style takeover as in Hong Kong.
  • “Beautiful, perk-filled and mostly empty: What the future holds for tech’s billion-dollar headquarters” By Heather Kelly — The Washington Post. Understandably, COVID-19 has caused many large companies to rethink their real estate footprint. Tech is no different as some companies have told workers to stay home until well into next year. Might the pandemic mark a paradigm shift and companies will require much less building and office space? Or will top companies continue their trend of building company towns of sorts?
  • “Ad Tech Could Be the Next Internet Bubble” By Gilad Edelman — WIRED. This deep dive into the online advertising world peels back some of the fictions that have kept this multi-billion-dollar black box running. The question is what would happen to the world economy if it crashes?
  • “What the antitrust proposals would actually mean for tech” By Emily Birnbaum — Protocol. This article surveys the waterfront on current antitrust proposals before Congress to address large technology companies.
  • “Now You Can Use Instagram to Chat With Friends on Facebook Messenger” By Mike Isaac — The New York Times. In a move sure not to make friends among those convinced Facebook is monopolistic, the platform has crossed a Rubicon of sorts by combining messaging platforms. Facebook is now allowing those using Messenger and Instagram to message users on the other platform. Soon, this will also be the case with WhatsApp. Critics claim Facebook is doing this to make the company harder to break up in an antitrust action.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


NSA Location Data Guidance

The U.S. signals intelligence agency releases guidance on mobile device location services that should not shock anyone versed in cybersecurity. Why the agency did so is the question.   

The National Security Agency (NSA) has issued guidance for those who work for the United States’ (U.S.) security services and military on how to limit their exposure on their mobile devices to the risks of apps’ and operating systems’ use of location data. This public guidance is the latest in a series of recommendations and best practices from the previously more secretive agency charged primarily with signals intelligence for the U.S.

The NSA is aiming the guidance at the U.S. Intelligence Community, Department of Defense, and other users of “national security systems” who are usually outside the purview and authority of the U.S. agency empowered to police the cyber and data security of civilian agencies: the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Perhaps the NSA sees space in the federal scheme to advise those working for national security agencies or in these functions at civilian agencies.

The timing of the document is puzzling, however, unless, of course, this is an exercise in public relations given that it is not exactly a secret that location data may compromise all sorts of data about a person. The NSA is likely seeking to recraft its image along the lines of the United Kingdom’s National Cyber Security Centre (NCSC), which often issues advice aimed at a general audience. In the fall of 2019, the NSA announced a reorganization resulting in the creation of the Cybersecurity Directorate, “a major organization that unifies NSA’s foreign intelligence and cyberdefense missions.” NSA asserted this new entity would “work to prevent and eradicate threats to national security systems and critical infrastructure, with an initial focus on the defense industrial base and the improvement of our weapons’ security.” Moreover, “[t]he Cybersecurity Directorate will reinvigorate NSA’s white hat mission by sharing critical threat information and collaborating with partners and customers to better equip them to defend against malicious cyber activity,” the agency claimed.

Since June, NSA has issued a range of guidance documents and warnings, including:

On the other hand, presumably, the NSA, other IC agencies, the DOD and other agencies are aware of the dangers posed by the use of mobile devices. In fact, the programs exposed by former NSA contractor Edward Snowden included the collection and use of metadata, most likely including location data. Moreover, agencies of the DOD, including the Army and Navy, ordered personnel to remove TikTok from their military devices, in part, because the company would be able to collect location data. More relevantly, in a 3 August 2018 memorandum issued by then Deputy Secretary of Defense Patrick Shanahan, the DOD explained “[e]ffective immediately, Defense Department personnel are prohibited from using geolocation features and functionality on government and nongovernment-issued devices, applications and services while in locations designated as operational areas.” This memorandum resulted from the exercise app Strava releasing a heatmap of the exercise routes of people all over the world, including military personnel, that highlighted precise locations of some previously secret bases. In 2017, the U.S. Government Accountability Office (GAO) released a report specific to the DOD on the security risks of the Internet of Things, and in 2012 the GAO flagged location data as a potential weak spot in mobile device security.

In the guidance on location data, the NSA conceded:

Mitigations reduce, but do not eliminate, location tracking risks in mobile devices. Most users rely on features disabled by such mitigations, making such safeguards impractical. Users should be aware of these risks and take action based on their specific situation and risk tolerance. When location exposure could be detrimental to a mission, users should prioritize mission risk and apply location tracking mitigations to the greatest extent possible. While the guidance in this document may be useful to a wide range of users, it is intended primarily for NSS/DOD system users.

Thereafter, the agency lays out how mobile device users may minimize their exposure and the tradeoffs for disabling location data for certain apps and for entire operating systems, to the extent that is possible.

NSA noted that “[d]ifferent users accept different levels of risk regarding location tracking, but most users have some level of concern…[and] [t]he following general mitigations can be used for those with location sensitivities:”

  • Disable location services settings on the device.
  • Disable radios when they are not actively in use: disable BT and turn off Wi-Fi if these capabilities are not needed. Use Airplane Mode when the device is not in use. Ensure BT and Wi-Fi are disabled when Airplane Mode is engaged.
  • Apps should be given as few permissions as possible:
    • Set privacy settings to ensure apps are not using or sharing location data.
    • Avoid using apps related to location if possible, since these apps inherently expose user location data. If used, location privacy/permission settings for such apps should be set to either not allow location data usage or, at most, allow location data usage only while using the app. Examples of apps that relate to location are maps, compasses, traffic apps, fitness apps, apps for finding local restaurants, and shopping apps.
  • Disable advertising permissions to the greatest extent possible:
    • Set privacy settings to limit ad tracking, noting that these restrictions are at the vendor’s discretion.
    • Reset the advertising ID for the device on a regular basis. At a minimum, this should be on a weekly basis.
    • Turn off settings (typically known as Find My or Find My Device settings) that allow a lost, stolen, or misplaced device to be tracked.
    • Minimize web-browsing on the device as much as possible, and set browser privacy/permission location settings to not allow location data usage.
    • Use an anonymizing Virtual Private Network (VPN) to help obscure location.
    • Minimize the amount of data with location information that is stored in the cloud, if possible.
  • If it is critical that location is not revealed for a particular mission, consider the following recommendations:
    • Determine a non-sensitive location where devices with wireless capabilities can be secured prior to the start of any activities. Ensure that the mission site cannot be predicted from this location.
    • Leave all devices with any wireless capabilities (including personal devices) at this non-sensitive location. Turning off the device may not be sufficient if a device has been compromised.
    • For mission transportation, use vehicles without built-in wireless communication capabilities, or turn off the capabilities, if possible.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


Further Reading, Other Developments, and Coming Events (13 August)

Here are Further Reading, Other Developments, and Coming Events:

Coming Events

  • On 18 August, the National Institute of Standards and Technology (NIST) will host the “Bias in AI Workshop, a virtual event to develop a shared understanding of bias in AI, what it is, and how to measure it.”
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.

Other Developments

  • Senate Intelligence Committee Acting Chair Marco Rubio (R-FL) and Vice Chairman Mark Warner (D-VA) released a statement indicating the committee had voted to adopt the fifth and final volume of its investigation of the Russian Federation’s interference in the 2016 election. The committee had submitted the report to the Intelligence Community for vetting and has received the report with edits and redactions. The report could be released sometime over the next few weeks. Rubio and Warner stated “the Senate Intelligence Committee voted to adopt the classified version of the final volume of the Committee’s bipartisan Russia investigation. In the coming days, the Committee will work to incorporate any additional views, as well as work with the Intelligence Community to formalize a properly redacted, declassified, publicly releasable version of the Volume 5 report.” The Senate Intelligence Committee has released four previous reports:
  • The National Institute of Standards and Technology (NIST) is accepting comments until 11 September on draft Special Publication 800-53B, “Control Baselines for Information Systems and Organizations,” a guidance document that will serve a key role in the United States government’s efforts to secure and protect the networks and systems it operates and those run by federal contractors. NIST explained:
    • This publication establishes security and privacy control baselines for federal information systems and organizations and provides tailoring guidance for those baselines. The use of the security control baselines is mandatory, in accordance with OMB Circular A-130 [OMB A-130] and the provisions of the Federal Information Security Modernization Act [FISMA], which requires the implementation of a set of minimum controls to protect federal information and information systems. Whereas use of the privacy control baseline is not mandated by law or [OMB A-130], SP 800-53B, along with other supporting NIST publications, is designed to help organizations identify the security and privacy controls needed to manage risk and satisfy the security and privacy requirements in FISMA, the Privacy Act of 1974 [PRIVACT], selected OMB policies (e.g., [OMB A-130]), and designated Federal Information Processing Standards (FIPS), among others.
  • The United States Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released an “Election Vulnerability Reporting Guide” to provide “election administrators with a step-by-step guide, list of resources, and a template for establishing a successful vulnerability disclosure program to address possible vulnerabilities in their state and local election systems…[and] [t]he six steps include:
    • Step 1: Identify Systems Where You Would Accept Security Testing, and those Off-Limits
    • Step 2: Draft an Easy-to-Read Vulnerability Disclosure Policy (See Appendix III)
    • Step 3: Establish a Way to Receive Reports/Conduct Follow-On Communication
    • Step 4: Assign Someone to Thank and Communicate with Researchers
    • Step 5: Assign Someone to Vet and Fix the Vulnerabilities
    • Step 6: Consider Sharing Information with Other Affected Parties
  • The United Kingdom’s Information Commissioner’s Office (ICO) has issued “Guidance on AI and data protection” that “clarifies how you can assess the risks to rights and freedoms that AI can pose from a data protection perspective; and the appropriate measures you can implement to mitigate them.” The ICO explained “[w]hile data protection and ‘AI ethics’ overlap, this guidance does not provide generic ethical or design principles for your use of AI.” The ICO stated “[i]t corresponds to data protection principles, and is structured as follows:
    • part one addresses accountability and governance in AI, including data protection impact assessments (DPIAs);
    • part two covers fair, lawful and transparent processing, including lawful bases, assessing and improving AI system performance, and mitigating potential discrimination;
    • part three addresses data minimisation and security; and
    • part four covers compliance with individual rights, including rights related to automated decision-making.
  • 20 state attorneys general wrote Facebook Chief Executive Officer Mark Zuckerberg and Chief Operating Officer Sheryl Sandberg “to request that you take additional steps to prevent Facebook from being used to spread disinformation and hate and to facilitate discrimination.” They also asked “that you take more steps to provide redress for users who fall victim to intimidation and harassment, including violence and digital abuse.” The attorneys general said that “[b]ased on our collective experience, we believe that Facebook should take additional actions including the following steps—many of which are highlighted in Facebook’s recent Civil Rights Audit—to strengthen its commitment to civil rights and fighting disinformation and discrimination:
    • Aggressively enforce Facebook policies against hate speech and organized hate organizations: Although Facebook has developed policies against hate speech and organizations that peddle it, we remain concerned that Facebook’s policies on Dangerous Individuals and Organizations, including but not limited to its policies on white nationalist and white supremacist content, are not enforced quickly and comprehensively enough. Content that violates Facebook’s own policies too often escapes removal just because it comes as coded language, rather than specific magic words. And even where Facebook takes steps to address a particular violation, it often fails to proactively address the follow-on actions by replacement or splinter groups that quickly emerge.
    • Allow public, third-party audits of hate content and enforcement: To gauge the ongoing progress of Facebook’s enforcement efforts, independent experts should be permitted access to the data necessary to conduct regular, transparent third-party audits of hate and hate-related misinformation on the platform, including any information made available to the Global Oversight Board. As part of this effort, Facebook should capture data on the prevalence of different forms of hate content on the platform, whether or not covered by Facebook’s own community standards, thus allowing the public to determine whether enforcement of anti-hate policies differs based on the type of hate content at issue.
    • Commit to an ongoing, independent analysis of Facebook’s content population scheme and the prompt development of best practices guidance: By funneling users toward particular types of content, Facebook’s content population scheme, including its algorithms, can push users into extremist online communities that feature divisive and inflammatory messages, often directed at particular groups. Although Facebook has conducted research and considered programs to reduce this risk, there is still no mandatory guidance for coders and other teams involved in content population. Facebook should commit to an ongoing, independent analysis of its content population scheme, including its algorithms, and also continuously implement mandatory protocols as best practices are identified to curb bias and prevent recommendations of hate content and groups.
    • Expand policies limiting inflammatory advertisements that vilify minority groups: Although Facebook currently prohibits ads that claim that certain people, because of their membership in a protected group, pose a threat to the physical safety of communities or the nation, its policies still allow attacks that characterize such groups as threats to national culture or values. The current prohibition should be expanded to include such ads.
  • New Zealand’s Ministry of Statistics “launched the Algorithm Charter for Aotearoa New Zealand” that “signals that [the nation’s agencies] are committed to being consistent, transparent and accountable in their use of algorithms.”
    • The Ministry explained “[t]he Algorithm Charter is part of a wider ecosystem and works together with existing tools, networks and research, including:
      • Principles for the Safe and Effective Use of Data and Analytics (Privacy Commissioner and Government Chief Data Steward, 2018)
      • Government Use of Artificial Intelligence in New Zealand (New Zealand Law Foundation and Otago University, 2019)
      • Trustworthy AI in Aotearoa – AI Principles (AI Forum New Zealand, 2020)
      • Open Government Partnership, an international agreement to increase transparency.
      • Data Protection and Use Policy (Social Wellbeing Agency, 2020)
      • Privacy, Human Rights and Ethics Framework (Ministry of Social Development).
  • The European Union (EU) imposed its first cyber sanctions under its Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (aka the cyber diplomacy toolbox) against six hackers and three entities from the Russian Federation, the People’s Republic of China (PRC) and the Democratic People’s Republic of Korea for attacks against the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands, the malware attacks known as Petya and WannaCry, and Operation Cloud Hopper. The EU’s cyber sanctions follow sanctions the United States has placed on a number of people and entities from the same nations and also indictments the U.S. Department of Justice has announced over the years. The sanctions are part of the effort to levy costs on nations and actors that conduct cyber attacks. The EU explained:
    • The attempted cyber-attack was aimed at hacking into the Wi-Fi network of the OPCW, which, if successful, would have compromised the security of the network and the OPCW’s ongoing investigatory work. The Netherlands Defence Intelligence and Security Service (DISS) (Militaire Inlichtingen- en Veiligheidsdienst – MIVD) disrupted the attempted cyber-attack, thereby preventing serious damage to the OPCW.
    • “WannaCry” disrupted information systems around the world by targeting information systems with ransomware and blocking access to data. It affected information systems of companies in the Union, including information systems relating to services necessary for the maintenance of essential services and economic activities within Member States.
    • “NotPetya” or “EternalPetya” rendered data inaccessible in a number of companies in the Union, wider Europe and worldwide, by targeting computers with ransomware and blocking access to data, resulting amongst others in significant economic loss. The cyber-attack on a Ukrainian power grid resulted in parts of it being switched off during winter.
    • “Operation Cloud Hopper” has targeted information systems of multinational companies in six continents, including companies located in the Union, and gained unauthorised access to commercially sensitive data, resulting in significant economic loss.
  • The United States’ Federal Communications Commission (FCC) is asking for comments on a petition from the Department of Commerce’s National Telecommunications and Information Administration (NTIA) asking the agency to start a rulemaking to clarify alleged ambiguities in 47 USC 230 regarding the limits of the liability shield for the content others post online versus the liability protection for “good faith” moderation by the platform itself. The NTIA was acting per direction in an executive order allegedly aiming to correct online censorship. Executive Order 13925, “Preventing Online Censorship,” was issued in late May after Twitter fact-checked two of President Donald Trump’s Tweets regarding false claims made about mail voting in California in response to the COVID-19 pandemic. Comments are due by 2 September.
  • The Australian Competition & Consumer Commission (ACCC) released for public consultation a draft of “a mandatory code of conduct to address bargaining power imbalances between Australian news media businesses and digital platforms, specifically Google and Facebook.” The government in Canberra had asked the ACCC to draft this code earlier this year after talks broke down between the Australian Treasury
    • The ACCC explained
      • The code would commence following the introduction and passage of relevant legislation in the Australian Parliament. The ACCC released an exposure draft of this legislation on 31 July 2020, with consultation on the draft due to conclude on 28 August 2020. Final legislation is expected to be introduced to Parliament shortly after conclusion of this consultation process.
    • This is not the ACCC’s first interaction with the companies. Late last year, the ACCC announced a legal action against Google “alleging they engaged in misleading conduct and made false or misleading representations to consumers about the personal location data Google collects, keeps and uses” according to the agency’s press release. In its initial filing, the ACCC is claiming that Google misled and deceived the public in contravention of the Australian Competition Law and that Android users were harmed because those who switched off Location Services were unaware that their location information was still being collected and used by Google, for it was not readily apparent that Web & App Activity also needed to be switched off.
    • A year ago, the ACCC released its final report in its “Digital Platforms Inquiry” that “proposes specific recommendations aimed at addressing some of the actual and potential negative impacts of digital platforms in the media and advertising markets, and also more broadly on consumers.”
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) “released core guidance documentation for the Trusted Internet Connections (TIC) program, developed to assist agencies in protecting modern information technology architectures and services.” CISA explained “In accordance with the Office of Management and Budget (OMB) Memorandum (M) 19-26: Update to the TIC Initiative, TIC 3.0 expands on the original initiative to drive security standards and leverage advances in technology to secure a wide spectrum of agency network architectures.” Specifically, CISA released three core guidance documents:
    • Program Guidebook (Volume 1) – Outlines the modernized TIC program and includes its historical context
    • Reference Architecture (Volume 2) – Defines the concepts of the program to guide and constrain the diverse implementations of the security capabilities
  • Senators Ron Wyden (D-OR), Bill Cassidy (R-LA) and ten other Members wrote the Federal Trade Commission (FTC) urging the agency “to investigate widespread privacy violations by companies in the advertising technology (adtech) industry that are selling private data about millions of Americans, collected without their knowledge or consent from their phones, computers, and smart TVs.” They asked the FTC “to use its authority to conduct broad industry probes under Section 6(b) of the FTC Act to determine whether adtech companies and their data broker partners have violated federal laws prohibiting unfair and deceptive business practices.” They argued “[t]he FTC should not proceed with its review of the Children’s Online Privacy Protection Act (COPPA) Rule before it has completed this investigation.”
  •  “100 U.S. women lawmakers and current and former legislators from around the world,” including Speaker of the House Nancy Pelosi (D-CA), sent a letter to Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg urging the company “to take decisive action to protect women from rampant and increasing online attacks on their platform that have caused many women to avoid or abandon careers in politics and public service.” They noted “[j]ust a few days ago, a manipulated and widely shared video that depicted Speaker Pelosi slurring her speech was once again circulating on major social media platforms, gaining countless views before TikTok, Twitter, and YouTube all removed the footage…[and] [t]he video remains on Facebook and is labeled “partly false,” continuing to gain millions of views.” The current and former legislators “called on Facebook to enforce existing rules, including:
    • Quick removal of posts that threaten candidates with physical violence, sexual violence or death, and that glorify, incite or praise violence against women; disable the relevant accounts, and refer offenders to law enforcement.
    • Eliminate malicious hate speech targeting women, including violent, objectifying or dehumanizing speech, statements of inferiority, and derogatory sexual terms;
    • Remove accounts that repeatedly violate terms of service by threatening, harassing or doxing or that use false identities to attack women leaders and candidates; and
    • Remove manipulated images or videos misrepresenting women public figures.
  • The United States’ Departments of Commerce and Homeland Security released an update “highlighting more than 50 activities led by industry and government that demonstrate progress in the drive to counter botnet threats.” In May 2018, the agencies submitted “A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats” that identified a number of steps and prompted a follow-on document, “A Road Map Toward Resilience Against Botnets,” released in November 2018.
  • United States (U.S.) Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders released a joint statement explaining that “[t]he U.S. Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgment of the Court of Justice of the European Union in the Schrems II case.”
    • Maximilian Schrems filed a complaint against Facebook with Ireland’s Data Protection Commission (DPC) in 2013, alleging that the company’s transfer of his personal data violated his rights under European Union law because of the mass U.S. surveillance revealed by former National Security Agency (NSA) contractor Edward Snowden. Ultimately, this case resulted in a 2015 Court of Justice of the European Union (CJEU) ruling that invalidated the Safe Harbor agreement under which the personal data of EU residents was transferred to the US by commercial concerns. The EU and US executed a follow-on agreement, the EU-U.S. Privacy Shield, that was designed to address some of the problems the CJEU turned up, and the U.S. passed a law, the “Judicial Redress Act of 2015” (P.L. 114-126), to provide EU citizens a way to exercise their EU rights in US courts via the “Privacy Act of 1974.”
    • However, Schrems continued and soon sought to challenge the legality of the European Commission’s signing off on the Privacy Shield agreement, the adequacy decision issued in 2016, and also the use of standard contractual clauses (SCC) by companies for the transfer of personal data to the US. The CJEU struck down the adequacy decision, throwing into doubt many entities’ transfers out of the EU into the U.S. but upheld SCCs in a way that suggested EU data protection authorities (DPA) may need to review all such agreements to ensure they comply with EU law.
  • The European Commission (EC) announced “an in-depth investigation to assess the proposed acquisition of Fitbit by Google under the EU Merger Regulation.” The EC voiced its concern “that the proposed transaction would further entrench Google’s market position in the online advertising markets by increasing the already vast amount of data that Google could use for personalisation of the ads it serves and displays.” The EC detailed its “preliminary competition concerns:
    • Following its first phase investigation, the Commission has concerns about the impact of the transaction on the supply of online search and display advertising services (the sale of advertising space on, respectively, the result page of an internet search engine or other internet pages), as well as on the supply of “ad tech” services (analytics and digital tools used to facilitate the programmatic sale and purchase of digital advertising). By acquiring Fitbit, Google would acquire (i) the database maintained by Fitbit about its users’ health and fitness; and (ii) the technology to develop a database similar to Fitbit’s one.
    • The data collected via wrist-worn wearable devices appears, at this stage of the Commission’s review of the transaction, to be an important advantage in the online advertising markets. By increasing the data advantage of Google in the personalisation of the ads it serves via its search engine and displays on other internet pages, it would be more difficult for rivals to match Google’s online advertising services. Thus, the transaction would raise barriers to entry and expansion for Google’s competitors for these services, to the ultimate detriment of advertisers and publishers that would face higher prices and have less choice.
    • At this stage of the investigation, the Commission considers that Google:
      • is dominant in the supply of online search advertising services in the EEA countries (with the exception of Portugal for which market shares are not available);
      • holds a strong market position in the supply of online display advertising services at least in Austria, Belgium, Bulgaria, Croatia, Denmark, France, Germany, Greece, Hungary, Ireland, Italy, Netherlands, Norway, Poland, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom, in particular in relation to off-social networks display ads;
      • holds a strong market position in the supply of ad tech services in the EEA.
    • The Commission will now carry out an in-depth investigation into the effects of the transaction to determine whether its initial competition concerns regarding the online advertising markets are confirmed.
    • In addition, the Commission will also further examine:
      • the effects of the combination of Fitbit’s and Google’s databases and capabilities in the digital healthcare sector, which is still at a nascent stage in Europe; and
      • whether Google would have the ability and incentive to degrade the interoperability of rivals’ wearables with Google’s Android operating system for smartphones once it owns Fitbit.
    • In February, after the deal had been announced, the European Data Protection Board (EDPB) made clear its position that Google and Fitbit will need to scrupulously observe the General Data Protection Regulation’s privacy and data security requirements if the body is to sign off on the proposed $2.2 billion acquisition. Moreover, at present Google has not informed European Union (EU) regulators of the proposed deal. The deal comes at a time when both EU and U.S. regulators are already investigating Google for alleged antitrust and anticompetitive practices, and the EDPB’s opinion could carry weight in this process.
  • The United States’ (U.S.) Department of Homeland Security released a Privacy Impact Assessment for the U.S. Border Patrol (USBP) Digital Forensics Programs that details how it may conduct searches of electronic devices at the U.S. border and ports of entry. DHS explained:
    • As part of USBP’s law enforcement duties, USBP may search and extract information from electronic devices, including: laptop computers; thumb drives; compact disks; digital versatile disks (DVDs); mobile phones; subscriber identity module (SIM) cards; digital cameras; vehicles; and other devices capable of storing electronic information.
    • Last year, a U.S. District Court held that U.S. Customs and Border Protection (CBP) and U.S. Immigration and Customs Enforcement’s (ICE) current practices for searches of smartphones and computers at the U.S. border are unconstitutional and the agency must have reasonable suspicion before conducting such a search. However, the Court declined the plaintiffs’ request that the information taken off of their devices be expunged by the agencies. This ruling follows a Department of Homeland Security Office of the Inspector General (OIG) report that found CBP “did not always conduct searches of electronic devices at U.S. ports of entry according to its Standard Operating Procedures” and asserted that “[t]hese deficiencies in supervision, guidance, and equipment management, combined with a lack of performance measures, limit [CBP’s] ability to detect and deter illegal activities related to terrorism; national security; human, drug, and bulk cash smuggling; and child pornography.”
    • In terms of a legal backdrop, the United States Supreme Court has found that searches and seizures of electronic devices at borders and airports are subject to lesser legal standards than those conducted elsewhere in the U.S. under most circumstances. Generally, the government’s interest in securing the border against the flow of contraband and people not allowed to enter allows considerable leeway from the warrant requirements that apply to many other types of searches. However, in recent years two federal appeals courts (the Fourth and Ninth Circuits) have held that searches of electronic devices require suspicion on the part of government agents while another appeals court (the Eleventh Circuit) held differently. Consequently, there is not a uniform legal standard for these searches.
  • The Inter-American Development Bank (IDB) and the Organization of American States (OAS) released their second assessment of cybersecurity across Latin America and the Caribbean that used the Cybersecurity Capacity Maturity Model for Nations (CMM) developed at University of Oxford’s Global Cyber Security Capacity Centre (GSCC). The IDB and OAS explained:
    • When the first edition of the report “Cybersecurity: Are We Ready in Latin America and the Caribbean?” was released in March 2016, the IDB and the OAS aimed to provide the countries of Latin America and the Caribbean (LAC) not only with a picture of the state of cybersecurity but also guidance about the next steps that should be pursued to strengthen national cybersecurity capacities. This was the first study of its kind, presenting the state of cybersecurity with a comprehensive vision and covering all LAC countries.
    • The great challenges of cybersecurity, like those of the internet itself, are of a global nature. Therefore, it is undeniable that the countries of LAC must continue to foster greater cooperation among themselves, while involving all relevant actors, as well as establishing a mechanism for monitoring, analysis, and impact assessment related to cybersecurity both nationally and regionally. More data in relation to cybersecurity would allow for the introduction of a culture of cyberrisk management that needs to be extended both in the public and private sectors. Countries must be prepared to adapt quickly to the dynamic environment around us and make decisions based on a constantly changing threat landscape. Our member states may manage these risks by understanding the impact on and the likelihood of cyberthreats to their citizens, organizations, and national critical infrastructure. Moving to the next level of maturity will require a comprehensive and sustainable cybersecurity policy, supported by the country’s political agenda, with allocation of financial resources and qualified human capital to carry it out.
    • The COVID-19 pandemic will pass, but events that will require intensive use of digital technologies so that the world can carry on will continue happening. The challenge of protecting our digital space will, therefore, continue to grow. It is the hope of the IDB and the OAS that this edition of the report will help LAC countries to have a better understanding of their current state of cybersecurity capacity and be useful in the design of the policy initiatives that will lead them to increase their level of cyberresilience.
  • The European Data Protection Supervisor (EDPS) issued an opinion on “the European Commission’s action plan for a comprehensive Union policy on preventing money laundering and terrorism financing (C(2020)2800 final), published on 7 May 2020.” The EDPS asserted:
    • While the EDPS acknowledges the importance of the fight against money laundering and terrorism financing as an objective of general interest, we call for the legislation to strike a balance between the interference with the fundamental rights of privacy and personal data protection and the measures that are necessary to effectively achieve the general interest goals on anti-money laundering and countering the financing of terrorism (AML/CFT) (the principle of proportionality).
    • The EDPS recommends that the Commission monitors the effective implementation of the existing AML/CFT framework while ensuring that the GDPR and the data protection framework are respected and complied with. This is particularly relevant for the works on the interconnection of central bank account mechanisms and beneficial ownership registers that should be largely inspired by the principles of data minimisation, accuracy and privacy-by-design and by default.

Further Reading

  • “China already has your data. Trump’s TikTok and WeChat bans can’t stop that.” By Aynne Kokas – The Washington Post. This article persuasively makes the case that even if a ban on TikTok and WeChat were to work, and there are substantive questions as to how a ban would work given how widely the former has been downloaded, the People’s Republic of China (PRC) is almost certainly acquiring massive reams of data on Americans through a variety of apps, platforms, and games. For example, Tencent, owner of WeChat, has a 40% stake in Epic Games, the maker of Fortnite, a massively popular multiplayer game (if you have never heard of it, ask one of the children in your family). Moreover, a recent change to PRC law mandates that companies operating in the PRC must share their databases for cybersecurity reviews, which may be an opportunity, aside from hacking United States entities and exfiltrating their data, to access data. In summation, if the Trump Administration is serious about stopping the flow of data from the U.S. to the PRC, these executive orders will do very little.
  • “Big Tech Makes Inroads With the Biden Campaign” by David McCabe and Kenneth P. Vogel – The New York Times. Most likely long before former Vice President Joe Biden clinched the Democratic nomination, advisers volunteered to help plot out his policy positions, a process that intensified this year. Of course, this includes technology policy, and many of those volunteering for the campaign’s Innovation Policy Committee have worked or are working for large technology companies directly or as consultants or lobbyists. This piece details some of these people and their relationships and how the Biden campaign is managing possible conflicts of interest. Naturally, those on the left wing of the Democratic Party calling for tighter antitrust, competition, and privacy regulation are concerned that Biden might be pulled away from these positions despite his public statements arguing that the United States government needs to get tougher with some practices.
  • “A Bible Burning, a Russian News Agency and a Story Too Good to Check Out” By Matthew Rosenberg and Julian E. Barnes – The New York Times. The Russian Federation seems to be using a new tactic with some success for sowing discord in the United States that is the information equivalent of throwing fuel onto a fire. In this case, a fake story manufactured by a Russian outlet was seized on by some prominent Republicans, in part, because it fits their preferred world view of protestors. In this instance, a Russian outlet created a fake story amplifying an actual event that went viral. We will likely see more of this, and it is not confined to fake stories intended to appeal to the right. The same is happening with content meant for the left wing in the United States.
  • “Facebook cracks down on political content disguised as local news” by Sara Fischer – Axios. As part of its continuing effort to crack down on violations of its policies, Facebook will no longer allow groups with a political viewpoint to masquerade as news. The company and outside experts have identified a range of instances where groups propagating a viewpoint, as opposed to reporting, have used a Facebook exemption by pretending to be local news outlets.
  • “QAnon groups have millions of members on Facebook, documents show” By Ari Sen and Brandy Zadrozny – NBC News. It appears as if some Facebook employees are leaking the results of an internal investigation that identified more than 1 million users who are part of QAnon groups. Most likely these employees want the company to take a stronger stance on the conspiracy group QAnon like the company has with COVID-19 lies and misinformation.
  • And, since Senator Kamala Harris (D-CA) was named former Vice President Joe Biden’s (D-DE) vice presidential pick, this article has become even more relevant than when I highlighted it in late July: “New Emails Reveal Warm Relationship Between Kamala Harris And Big Tech” – HuffPost. Obtained via a Freedom of Information request, new emails from Senator Kamala Harris’ (D-CA) tenure as her state’s attorney general suggest she was willing to overlook the role Facebook, Google, and others played and still play in one of her signature issues: revenge porn. This article makes the case Harris came down hard on a scammer running a revenge porn site but did not press the tech giants with any vigor to take down such material from their platforms. Consequently, the case is made that if Harris is former Vice President Joe Biden’s vice presidential candidate, this would signal a go-easy approach on large companies even though many Democrats have been calling to break up these companies and vigorously enforce antitrust laws. Harris has largely not engaged on tech issues during her tenure in the Senate. To be fair, many of these companies are headquartered in California and pump billions of dollars into the state’s economy annually, putting Harris in a tricky position politically. Of course, such pieces should be taken with a grain of salt since they may have been suggested or planted by one of Harris’ rivals for the vice president nomination or someone looking to settle a score.
  • “Unwanted Truths: Inside Trump’s Battles With U.S. Intelligence Agencies” by Robert Draper – The New York Times. A deeply sourced article on the outright antipathy between President Donald Trump and Intelligence Community officials, particularly over the issue of how deeply Russia interfered in the election in 2016. A number of former officials have been fired or forced out because they refused to knuckle under to the White House’s desire to soften or massage conclusions of Russia’s past and current actions to undermine the 2020 election in order to favor Trump.
  • “Huawei says it’s running out of chips for its smartphones because of US sanctions” By Kim Lyons – The Verge and “Huawei: Smartphone chips running out under US sanctions” by Joe McDonald – The Associated Press. United States (U.S.) sanctions have started biting the Chinese technology company Huawei, which announced it will likely run out of processor chips for its smartphones. U.S. sanctions bar any company from selling high technology items like processors to Huawei, and this capability is not independently available in the People’s Republic of China (PRC) at present.
  • “Targeting WeChat, Trump Takes Aim at China’s Bridge to the World” By Paul Mozur and Raymond Zhong – The New York Times. This piece explains WeChat, the app the Trump Administration is trying to ban in the United States (U.S.) without any warning. It is like a combination of Facebook, WhatsApp, news app, and payment platform and is used by more than 1.2 billion people.
  • “This Tool Could Protect Your Photos From Facial Recognition” By Kashmir Hill – The New York Times. Researchers at the University of Chicago have found a method of subtly altering photos of people that appears to foil most facial recognition technologies. However, a number of experts interviewed said it is too late to stop companies like Clearview AI.
  • “I Tried to Live Without the Tech Giants. It Was Impossible.” By Kashmir Hill – The New York Times. This New York Times reporter tried living without the products of large technology companies, which involved some fairly obvious challenges and some that were not so obvious. Of course, it was hard for her to skip Facebook, Instagram, and the like, but cutting out Google and Amazon proved hardest and basically impossible because of the latter’s cloud presence and the former’s web presence. The fact that some of the companies cannot be avoided if one wants to be online likely lends weight to those making the case these companies are anti-competitive.
  • “To Head Off Regulators, Google Makes Certain Words Taboo” by Adrianne Jeffries – The Markup. Apparently, in what is a standard practice at large companies, employees at Google were coached to avoid using certain terms or phrases that antitrust regulators would take notice of such as: “market,” “barriers to entry,” and “network effects.” The Markup obtained a 16 August 2019 document titled “Five Rules of Thumb For Written Communications” that starts by asserting “[w]ords matter…[e]specially in antitrust laws” and goes on to advise Google’s employees:
    • We’re out to help users, not hurt competitors.
    • Our users should always be free to switch, and we don’t lock anyone in.
    • We’ve got lots of competitors, so don’t assume we control or dominate any market.
    • Don’t try and define a market or estimate our market share.
    • Assume every document you generate, including email, will be seen by regulators.
  • “Facebook Fired An Employee Who Collected Evidence Of Right-Wing Pages Getting Preferential Treatment” By Craig Silverman and Ryan Mac – BuzzFeed News. A Facebook engineer was fired after adducing proof in an internal communications system that the social media platform is more willing to change false and negative ratings to claims made by conservative outlets and personalities than any other viewpoint. If this is true, it would be opposite to the narrative spun by the Trump Administration and many Republicans in Congress. Moreover, Facebook’s incentives would seem to align with giving conservatives more preferential treatment because many of these websites advertise on Facebook, the company probably does not want to get crosswise with the Administration, sensational posts and content drive engagement which increases user numbers that allows for higher ad rates, and it wants to appear fair and impartial.
  • “How Pro-Trump Forces Work the Refs in Silicon Valley” By Ben Smith – The New York Times. This piece traces the nearly four-decade-old effort of Republicans to sway mainstream media and now Silicon Valley to their viewpoint.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo credit: Gerd Altmann on Pixabay

Fourth Volume of Report in 2016 Russian Hacking Endorses IC’s Conclusions

In a report that largely vindicates the Intelligence Community’s (IC) assessment of the 2016 election, a Senate committee continues with its investigation of Russian hacking with a heavily redacted fourth volume. The Republican-led committee rebuts the President’s assertions the IC was wrong and biased.  

The Senate Intelligence Committee has released the fourth of five planned volumes, detailing Russia’s interference in the 2016 presidential election. This volume, titled “Review of the Intelligence Community Assessment,” assessed the classified version of the Intelligence Community’s (IC) review and conclusions regarding Russian efforts to aid President Donald Trump’s campaign and to harm former Secretary of State Hillary Clinton’s bid for the presidency. In this assessment, the Committee found “unprecedented Russian interference” well-described, analyzed, and investigated by the IC. However, much of the report is redacted, and according to Committee Member, Senator Angus King (I-ME), this was done to protect the sources and methods the IC used.

An unclassified version of “Assessing Russian Activities and Intentions in Recent US Elections” was released in mid-2017 that was heavily criticized by the President, the White House, and a number of Republicans. Additionally, the House Intelligence Committee, led by then Chair and Trump ally Devin Nunes (R-CA), found that the IC assessment was plagued by “significant intelligence tradecraft failings.”

Given that the majority of Russian interference was executed in cyberspace, often through social media, it remains to be seen whether these reports will spur proposals to change laws regulating cybersecurity or U.S. intelligence activities. Moreover, like so many issues, the response to COVID-19 will likely overshadow this report and any potential impact it may have otherwise had.

While the White House has largely been silent on this volume of the Senate Intelligence Committee’s investigation, the subject of Russia’s activities during the 2016 election remains touchy at the White House, suggesting efforts to reform how the U.S. responds to this sort of hacking will remain at the agency level, with heads of key entities using authorities they currently possess. This opens the possibility that agencies and private sector entities will not receive new latitude to fight off disinformation campaigns likely to be waged by more than just Russia, as North Korea, China, and Iran are often identified as those nations most able to interfere in this year’s election.

The Committee’s previous three volumes are: “Volume I: Russian Efforts Against Election Infrastructure,” “Volume II: Russia’s Use of Social Media,” and “Volume III: U.S. Government Response to Russian Activities.”

As threshold matters, the Committee found

  • [S]pecific intelligence as well as open source assessments support the assessment that President Putin approved and directed aspects of this influence campaign.
  • Further, a body of reporting, to include different intelligence disciplines, open source reporting on Russian leadership policy preferences, and Russian media content, showed that Moscow sought to denigrate then-candidate Clinton.
  • ICA presents information from public Russian leadership commentary, Russian state media reports, and specific intelligence reporting to support the assessment that Putin and the Russian Government demonstrated a preference for candidate Trump.

The Senate Intelligence Committee made the following findings:

1. The Committee found the Intelligence Community Assessment (ICA) presents a coherent and well-constructed intelligence basis for the case of unprecedented Russian interference in the 2016 U.S. presidential election. On the analytic lines of the ICA, the Committee concludes that all [REDACTED] lines are supported with all-source intelligence, although with varying substantiation. The Committee did not discover any significant analytic tradecraft issues in the preparation or final presentation of the ICA.

The ICA reflects proper analytic tradecraft despite being tasked and completed within a compressed time frame. The compact timeframe was a contributing factor for not conducting formal analysis of competing hypotheses.

The differing confidence levels on one analytic judgment are justified and properly represented. Those in disagreement all stated that they had the opportunity to express differing points of view. The decision regarding the presentation of differing confidence levels was the responsibility of the Director of the Central Intelligence Agency (CIA) John Brennan and the Director of the National Security Agency (NSA) Admiral Michael Rogers, both of whom independently expressed to the Committee that they reached the final wording openly and with sufficient exchanges of views.

Multiple intelligence disciplines are used and identified throughout the ICA. Where the Committee noted concerns about the use of specific sources, in no case did the Committee conclude any analytic line was compromised as a result.

In all the interviews of those who drafted and prepared the ICA, the Committee heard consistently that analysts were under no politically motivated pressure to reach specific conclusions. All analysts expressed that they were free to debate, object to content, and assess confidence levels, as is normal and proper for the analytic process.

2. The Committee found that the agencies responsible for the ICA – CIA, NSA, and FBI, under the aegis of ODNI – met the primary tasking as directed by President Obama, which was to assemble a product that reflected the intelligence available to the Intelligence Community (IC) regarding Russian interference in the 2016 election.

3. The Committee found that the ICA provides a proper representation of the intelligence collected by CIA, NSA, and FBI on Russian interference in 2016, and this body of evidence supports the substance and judgments of the ICA.

[REDACTED] Regarding FBI, the ICA states, in its “Scope and Sourcing” introduction, that “[w]e also do not include information from ongoing investigations.” [REDACTED] The Committee found that the information provided by Christopher Steele to FBI was not used in the body of the ICA or to support any of its analytic judgments. However, a summary of this material was included in Annex A as a compromise to FBI’s insistence that the information was responsive to the presidential tasking.

4. The Committee found the ICA makes a clear argument that the manner and aggressiveness of the Russian interference was historically unprecedented. However, the ICA and its sources do not provide a substantial representation of Russian interference in the 2008 and 2012 presidential elections, as the Committee understands was part of the President’s original tasking.

5. [REDACTED] The Committee found that the ICA did not provide a set of policy recommendations on how to respond to future Russian active measures, which was part of the tasking the President conveyed to the Director of National Intelligence (DNI) James Clapper. The ICA did include, in the compartmented version, an unclassified section independently produced by DHS, FBI, and the Department of Commerce’s National Institute of Standards and Technology (NIST), “DHS/FBI/NIST Recommendations: Options to Protect and Defend US Election Infrastructure and US Political Parties.”

The absence of policy recommendations was deliberate, due to the well-established norm that the IC provides insight and warning to policy makers, but does not itself make policy.

6. The Committee found the ICA would benefit from a more comprehensive presentation of how Russian propaganda – as generated by Russia’s multiple state-owned platforms – was used to complement the full Russian influence campaign.

Open source collection is a long-standing discipline for CIA and other elements of the IC, and open source reporting is used throughout the ICA to support specific analytic assertions. However, open source reporting on RT and Sputnik’s coverage of WikiLeaks releases of Democratic National Committee (DNC) information would have strengthened the ICA’s examination of Russia’s use of propaganda. On this point, the Committee finds that Annex [REDACTED] of the ICA – “Open Source Center Analysis: Russia: Kremlin’s TV Seeks to Influence Politics, Fuel Discontent in US,” published December 12, 2012 – should have been updated to provide a summary of Kremlin propaganda in 2016, thereby making a more relevant contribution to the ICA. An update to this assessment was not produced by the Open Source Enterprise until after the publication of the ICA.

7. [REDACTED] The role of social media has been a significant focus by the Committee and is discussed in a separate volume of this report.