Preview of Senate Democratic Chairs

It’s not clear who will end up where, but new Senate chairs will change focus and agenda of committees and debate over the next two years.

With the victories of Senators-elect Rafael Warnock (D-GA) and Jon Ossoff (D-GA), control of the United States Senate will tip to the Democrats once Vice President-elect Kamala Harris (D) is sworn in and can break the 50-50 tie in the chamber in favor of the Democrats. With the shift in control, new chairs will take over committees key to setting the agenda over the next two years in the Senate. However, given the filibuster, and the fact that Senate Republicans will exert maximum leverage through its continued use, Democrats will be hamstrung and forced to work with Republicans on matters such as federal privacy legislation, artificial intelligence (AI), the Internet of Things (IOT), cybersecurity, data flows, surveillance, etc. just as Republicans have had to work with Democrats over the six years they controlled the chamber. Having said that, Democrats will be in a stronger position than they had been and will have the power to set the agenda in committee hearings, being empowered to call the lion’s share of witnesses and to control the floor agenda. What’s more, Democrats will be poised to confirm President-elect Joe Biden’s nominees at agencies like the Federal Communications Commission (FCC), Federal Trade Commission (FTC), the Department of Justice (DOJ), and others, giving the Biden Administration a free hand in many areas of technology policy.

All of that being said, this is not meant to be an exhaustive look at all the committees of jurisdiction and possible chairs. Rather, it seeks to survey likely chairs on selected committees and some of their priorities for the next two years. Subcommittee chairs will also be important, but until the cards get shuffled among the chairs, it will not be possible to see where they land at the subcommittee level.

When considering the possible Democratic chairs of committees, one must keep in mind it is often a matter of musical chairs with the most senior members getting first choice. And so, with Senator Patrick Leahy (D-VT) as the senior-most Democratic Senator, he may well choose to leave the Appropriations Committee and move back to assume the gavel of the Judiciary Committee. Leahy has long been a stakeholder on antitrust, data security, privacy, and surveillance legislation and would be in a position to influence what bills on those and other matters before the Senate look like. If Leahy does not move to the chair on Judiciary, he may still be entitled to chair a subcommittee and exert influence.

If Leahy stays put, then current Senate Minority Whip Dick Durbin (D-IL) would be poised to leapfrog Senator Dianne Feinstein (D-CA) to chair Judiciary after Feinstein was persuaded to step aside on account of her lackluster performance in a number of high-profile hearings in 2020. Durbin has also been active on privacy, data security, and surveillance issues. The Judiciary Committee will be central to a number of technology policies, including Foreign Intelligence Surveillance Act reauthorization, privacy legislation, Section 230 reform, antitrust, and others. On the Republican side of the dais, Senator Lindsey Graham (R-SC) leaving the top post because of term limit restrictions imposed by Republicans, and Senator Charles Grassley (R-IA) is set to replace him. How this changes the 47 USC 230 (Section 230) debate is not immediately clear. And yet, Grassley and three colleagues recently urged the Trump Administration in a letter to omit language in a trade agreement with the United Kingdom (UK) that mirrors the liability protection Section 230. Senators Rob Portman (R-OH), Mark R. Warner (D-VA), Richard Blumenthal (D-CT), and Grassley argued to U.S. Trade Representative Ambassador Robert Lighthizer that a “safe harbor” like the one provided to technology companies for hosting or moderating third party content is outdated, not needed in a free trade agreement, contrary to the will of both the Congress and UK Parliament, and likely to be changed legislatively in the near future. It is likely, however, Grassley will fall in with other Republicans propagating the narrative that social media is unfairly biased against conservatives, particularly in light of the recent purge of President Donald Trump for his many, repeated violations of policy.

The Senate Judiciary Committee will be central in any policy discussions of antitrust and anticompetition in the technology realm. But it bears note the filibuster (and the very low chances Senate Democrats would “go nuclear” and remove all vestiges of the functional supermajority requirement to pass legislation) will give Republicans leverage to block some of the more ambitious reforms Democrats might like to enact (e.g. the House Judiciary Committee’s October 2020 final report that calls for nothing less than a complete remaking of United States (U.S.) antitrust policy and law; see here for more analysis.)

It seems Senator Sherrod Brown (D-OH) will be the next chair of the Senate Banking, Housing, and Urban Development Committee which has jurisdiction over cybersecurity, data security, privacy, and other issues in the financial services sector, making it a player on any legislation designed to encompass the whole of the United States economy. Having said that, it may again be the case that sponsors of, say, privacy legislation decide to cut the Gordian knot of jurisdictional turf battles by cutting out certain committees. For example, many of the privacy bills had provisions making clear they would deem financial services entities in compliance with the Financial Services Modernization Act of 1999 (P.L. 106-102) (aka Gramm-Leach-Bliley) to be in compliance with the new privacy regime. I suppose these provisions may have been included on the basis of the very high privacy and data security standards Gramm-Leach-Bliley has brought about (e.g. the Experian hack), or sponsors of federal privacy legislation made the strategic calculation to circumvent the Senate Banking Committee as much as they can. Nonetheless, this committee has sought to insert itself into the policymaking process on privacy last year as Brown and outgoing Chair Mike Crapo (R-ID) requested “feedback” in February 2019 “from interested stakeholders on the collection, use and protection of sensitive information by financial regulators and private companies.” Additionally, Brown released what may be the most expansive privacy bill from the perspective of privacy and civil liberties advocates, the “Data Accountability and Transparency Act of 2020” in June 2020 (see here for my analysis.) Therefore, Brown may continue to push for a role in federal privacy legislation with a gavel in his hands.

In a similar vein, Senator Patty Murray (D-WA) will likely take over the Senate Health, Education, Labor, and Pensions (HELP) Committee which has jurisdiction over health information privacy and data security through the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). Again, as with the Senate Banking Committee and Gramm-Leach-Bliley, most of the privacy bills exempt HIPAA-compliant entities. And yet, even if her committee is cut out of a direct role in privacy legislation, Murray will still likely exert influence through oversight of and possible legislation changing HIPAA regulations and the Department of Health and Human Services (HHS) enforcement and rewriting of these standards for most of the healthcare industry. For example, HHS is rushing a rewrite of the HIPAA regulations at the tail end of the Trump Administration, and Murray could be in a position to inform how the Biden Administration and Secretary of Health and Human Services-designate Xavier Berra handles this rulemaking. Additionally, Murray may push the Office of Civil Rights (OCR), the arm of HHS that writes and enforces these regulations, to prioritize matters differently.

Senator Maria Cantwell (D-WA) appears to be the next chair of the Senate Commerce, Science, and Transportation Committee and arguably the largest technology portfolio in the Senate. It is the primary committee of jurisdiction for the FCC, FTC, National Telecommunications and Information Administration (NTIA), the National Institute of Standards and Technology (NIST), and the Department of Commerce. Cantwell may exert influence on which people are nominated to head and staff those agencies and others. Her committee is also the primary committee of jurisdiction for domestic and international privacy and data protection matters. And so, federal privacy legislation will likely be drafted by this committee, and legislative changes so the U.S. can enter into a new personal data sharing agreement with the European Union (EU) would also likely involve her and her committee.

Cantwell and likely next Ranking Member Roger Wicker (R-MS) agree on many elements of federal privacy law but were at odds last year on federal preemption and whether people could sue companies for privacy violations. Between them, they circulated three privacy bills. In September 2020, Wicker and three Republican colleagues introduced the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act” (S.4626) (see here for more analysis). Wicker had put out for comment a discussion draft, the “Consumer Data Privacy Act of 2019” (CDPA) (See here for analysis) in November 2019 shortly after the Ranking Member on the committee, Senator Maria Cantwell (D-WA) and other Democrats had introduced their privacy bill, the “Consumer Online Privacy Rights Act“ (COPRA) (S.2968) (See here for more analysis).

Cantwell could also take a leading role on Section 230, but her focus, of late, seems to be on how technology companies are wreaking havoc to traditional media. released a report that she has mentioned during her opening statement at the 23 September hearing aimed at trying to revive data privacy legislation. She and her staff investigated the decline and financial troubles of local media outlets, which are facing a cumulative loss in advertising revenue of up to 70% since 2000. And since advertising revenue has long been the life blood of print journalism, this has devastated local media with many outlets shutting their doors or radically cutting their staff. This trend has been exacerbated by consolidation in the industry, often in concert with private equity or hedge funds looking to wring the last dollars of value from bargain basement priced newspapers. Cantwell also claimed that the overwhelming online advertising dominance of Google and Facebook has further diminished advertising revenue and other possible sources of funding through a variety of means. She intimates that much of this content may be illegal under U.S. law, and the FTC may well be able to use its Section 5 powers against unfair and deceptive acts and its anti-trust authority to take action. (see here for more analysis and context.) In this vein, Cantwell will want her committee to play in any antitrust policy changes, likely knowing massive changes in U.S. law are not possible in a split Senate with entrenched party positions and discipline.

Senator Jack Reed (D-RI) will take over the Senate Armed Services Committee and its portfolio over national security technology policy that includes the cybersecurity, data protection and supply chain of national security agencies and their contractors, AI, offensive and defensive U.S. cyber operations, and other realms. Much of the changes Reed and his committee will seek to make will be through the annual National Defense Authorization Act (NDAA) (see here and here for the many technology provisions in the FY 2021 NDAA.) Reed may also prod the Department of Defense (DOD) to implement or enforce the Cybersecurity Maturity Model Certification (CMMC) Framework differently than envisioned and designed by the Trump Administration. In December 2020, a new rule took effect designed to drive better cybersecurity among U.S. defense contractors. This rule brings together two different lines of effort to require the Defense Industrial Base (DIB) to employ better cybersecurity given the risks they face by holding and using classified information, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The Executive Branch has long wrestled with how to best push contractors to secure their systems, and Congress and the White House have opted for using federal contract requirements in that contractors must certify compliance. However, the most recent initiative, the CMMC Framework will require contractors to be certified by third party assessors. And yet, it is not clear the DOD has wrestled with the often-misaligned incentives present in third party certification schemes.

Reed’s committee will undoubtedly delve deep into the recent SolarWinds hack and implement policy changes to avoid a reoccurrence. Doing so may lead the Senate Armed Services Committee back to reconsidering the Cyberspace Solarium Commission’s (CSC) March 2020 final report and follow up white papers, especially their views embodied in “Building a Trusted ICT Supply Chain.”

Senator Mark Warner (D-VA) will likely take over the Senate Intelligence Committee. Warner has long been a stakeholder on a number of technology issues and would be able to exert influence on the national security components of such issues. He and his committee will almost certainly play a role in the Congressional oversight of and response to the SolarWinds hack. Likewise, his committee shares jurisdiction over FISA with the Senate Judiciary Committee and over national security technology policy with the Armed Services Committee.

Senator Amy Klobuchar (D-MN) would be the Senate Democratic point person on election security from her perch at the Senate Rules and Administration Committee, which may enable her to more forcefully push for the legislative changes she has long advocated for. In May 2019, Klobuchar and other Senate Democrats introduced the “Election Security Act” (S. 1540), the Senate version of the stand-alone measure introduced in the House that was taken from the larger package, the “For the People Act” (H.R. 1) passed by the House.

In August 2018, the Senate Rules and Administration Committee postponed indefinitely a markup on a compromise bill to provide states additional assistance in securing elections from interference, the “The Secure Elections Act” (S.2593). Reportedly, there was concern among state officials that a provision requiring audits of election results would be in effect an unfunded mandate even though this provision was softened at the insistence of Senate Republican leadership. However, a Trump White House spokesperson indicated in a statement that the Administration opposed the bill, which may have posed an additional obstacle to Committee action. However, even if the Senate had passed its bill, it was unlikely that the Republican controlled House would have considered companion legislation (H.R. 6663).

Senator Gary Peters (D-MI) may be the next chair of the Senate Homeland Security and Governmental Affairs Committee, and if so, he will continue to face the rock on which many the bark of cybersecurity legislation has been dashed: Senator Ron Johnson (R-WI). So significant has Johnson’s opposition been to bipartisan cybersecurity legislation from the House, some House Republican stakeholders have said so in media accounts not bothering to hide in anonymity. And so whatever Peters’ ambitions may be to shore up the cybersecurity of the federal government as his committee will play a role in investigating and responding to the Russian hack of SolarWinds and many federal agencies, he will be limited by whatever Johnson and other Republicans will allow to move through the committee and through the Senate. Of course, Peters’ purview would include the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) and its remit to police the cybersecurity practices of the federal government. Peters would also have in his portfolio the information technology (IT) practices of the federal government, some $90 billion annually across all agencies.

Finally, whether it be Leahy or Durbin at the Senate Appropriations Committee, this post allows for immense influence in funding and programmatic changes in all federal programs through the power of the purse Congress holds.

Further Reading, Other Developments, and Coming Events (18 September)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” The agency has released its agenda and explained:
    • The workshop will also feature four panel discussions that will focus on: case studies on data portability rights in the European Union, India, and California; case studies on financial and health portability regimes; reconciling the benefits and risks of data portability; and the material challenges and solutions to realizing data portability’s potential.
  • The Senate Judiciary Committee’s Intellectual Property Subcommittee will hold a hearing on 23 September titled “Examining Threats to American Intellectual Property: Cyber-attacks and Counterfeits During the COVID-19 Pandemic” with these witnesses:
    • Adam Hickey, Deputy Assistant Attorney General National Security Division, Department of Justice
    • Clyde Wallace, Deputy Assistant Director Cyber Division, Federal Bureau of Investigation
    • Steve Francis, Assistant Director, HSI Global Trade Investigations Division Director, National Intellectual Property Rights Center, U.S. Immigration and Customs Enforcement, Department of Homeland Security
    • Bryan S. Ware, Assistant Director for Cybersecurity Cyber Security and Infrastructure Security Agency, Department of Homeland Security
  • On 23 September, the Commerce, Science, and Transportation Committee will hold a hearing titled “Revisiting the Need for Federal Data Privacy Legislation,” with these witnesses:
    • The Honorable Julie Brill, Former Commissioner, Federal Trade Commission
    • The Honorable William Kovacic, Former Chairman and Commissioner, Federal Trade Commission
    • The Honorable Jon Leibowitz, Former Chairman and Commissioner, Federal Trade Commission
    • The Honorable Maureen Ohlhausen, Former Commissioner and Acting Chairman, Federal Trade Commission
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delhrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September and has made available its agenda with these items:
    • Facilitating Shared Use in the 3.1-3.55 GHz Band. The Commission will consider a Report and Order that would remove the existing non-federal allocations from the 3.3-3.55 GHz band as an important step toward making 100 megahertz of spectrum in the 3.45-3.55 GHz band available for commercial use, including 5G, throughout the contiguous United States. The Commission will also consider a Further Notice of Proposed Rulemaking that would propose to add a co-primary, non-federal fixed and mobile (except aeronautical mobile) allocation to the 3.45-3.55 GHz band as well as service, technical, and competitive bidding rules for flexible-use licenses in the band. (WT Docket No. 19-348)
    • Expanding Access to and Investment in the 4.9 GHz Band. The Commission will consider a Sixth Report and Order that would expand access to and investment in the 4.9 GHz (4940-4990 MHz) band by providing states the opportunity to lease this spectrum to commercial entities, electric utilities, and others for both public safety and non-public safety purposes. The Commission also will consider a Seventh Further Notice of Proposed Rulemaking that would propose a new set of licensing rules and seek comment on ways to further facilitate access to and investment in the band. (WP Docket No. 07-100)
    • Improving Transparency and Timeliness of Foreign Ownership Review Process. The Commission will consider a Report and Order that would improve the timeliness and transparency of the process by which it seeks the views of Executive Branch agencies on any national security, law enforcement, foreign policy, and trade policy concerns related to certain applications filed with the Commission. (IB Docket No. 16-155)
    • Promoting Caller ID Authentication to Combat Spoofed Robocalls. The Commission will consider a Report and Order that would continue its work to implement the TRACED Act and promote the deployment of caller ID authentication technology to combat spoofed robocalls. (WC Docket No. 17-97)
    • Combating 911 Fee Diversion. The Commission will consider a Notice of Inquiry that would seek comment on ways to dissuade states and territories from diverting fees collected for 911 to other purposes. (PS Docket Nos. 20-291, 09-14)
    • Modernizing Cable Service Change Notifications. The Commission will consider a Report and Order that would modernize requirements for notices cable operators must provide subscribers and local franchising authorities. (MB Docket Nos. 19-347, 17-105)
    • Eliminating Records Requirements for Cable Operator Interests in Video Programming. The Commission will consider a Report and Order that would eliminate the requirement that cable operators maintain records in their online public inspection files regarding the nature and extent of their attributable interests in video programming services. (MB Docket No. 20-35, 17-105)
    • Reforming IP Captioned Telephone Service Rates and Service Standards. The Commission will consider a Report and Order, Order on Reconsideration, and Further Notice of Proposed Rulemaking that would set compensation rates for Internet Protocol Captioned Telephone Service (IP CTS), deny reconsideration of previously set IP CTS compensation rates, and propose service quality and performance measurement standards for captioned telephone services. (CG Docket Nos. 13-24, 03-123)
    • Enforcement Item. The Commission will consider an enforcement action.

Other Developments

  • Former Principal Deputy Under Secretary in the Office of Intelligence and Analysis Brian Murphy has filed a whistleblower reprisal complaint against the United States Department of Homeland Security (DHS) for providing intelligence analysis the Trump White House and DHS did not want, mainly for political reasons, and then refusing to make alterations to fit the Administration’s chosen narrative on issues, especially on the Russian Federation’s interference in the 2020 Election. Murphy alleges “he was retaliatorily demoted to the role of Assistant to the Deputy Under Secretary for the DHS Management Division” because he refused to comply with orders from acting Secretary of Homeland Security Chad Wolf. Specifically, he claims:
    • In mid-May 2020, Mr. Wolf instructed Mr. Murphy to cease providing intelligence assessments on the threat of Russian interference in the United States, and instead start reporting on interference activities by China and Iran. Mr. Wolf stated that these instructions specifically originated from White House National Security Advisor Robert O’Brien. Mr. Murphy informed Mr. Wolf he would not comply with these instructions, as doing so would put the country in substantial and specific danger.
  • The National Security Agency (NSA) Office of the Inspector General (OIG) issued an unclassified version of its Semiannual Report to Congress consisting of “the audits, evaluations, inspections, and investigations that were completed and ongoing” from 1 October 2019 to 31 March 2020.
    • The OIG found ongoing problems with how the NSA is administering surveillance of United States’ people overseas (i.e. Section 704 and 705 of the Foreign Intelligence Surveillance Act), something that has been a long running problem at the agency. The OIG found
      • NSA does not have adequate and complete documentation of scenario-based data tagging rules for accurately assigning data labels to restrict access to data in accordance with legal and policy requirements, and consistently assessing data labeling errors;
      • NSA has not designated a standardized field in NSA data tags to efficiently store and identify data needed to verify the accuracy of data label assignments;
      • NSA does not document in its targeting tool a majority of a certain type of targeting request; and
      • NSA controls do not adequately and completely verify the accuracy of data labels assigned to data prior to ingest into NSA repositories.
      • As a result of these findings, the OIG made seven recommendations, six to assist NSA in strengthening its corporate data tagging controls and governance, and a seventh to help ensure that NSA’s FISA §§704 and 705(b) data tagging legal and policy determinations are consistent with NSA representations made to the FISC and other external overseers regarding how NSA handles such data, and that these tagging requirements are fully documented and promulgated to the NSA workforce.
    • The OIG noted the middling progress the NSA has made in securing its information technology, a weakness that could well be used by adversaries to penetrate the agency’s networks:
      • In accordance with U.S. Office of Management and Budget guidance, the OIG is required annually to assess the effectiveness of information security programs on a maturity model spectrum, which ranges from Level 1 (ad hoc) to Level 5 (optimized). Our assessment of eight IT security areas revealed that while progress was made in some areas from FY2018 to FY2019, there continues to be room for improvement in all eight IT security areas.
      • For the second consecutive year, Identity and Access Management was deemed the strongest security area with an overall maturity level of 3, consistently implemented. The Agency’s challenges in Security Training dropped the maturity level from 3, consistently implemented, to 2, defined. For the second consecutive year, Contingency Planning was assessed at an overall maturity level of ad hoc; although the Agency has made some improvements to the program, additional improvements need to be made.
  • The Office of the National Director of Intelligence (ODNI) released a June 2020 Foreign Intelligence Surveillance Court (FISC) opinion that sets the limits on using information gained from electronic surveillance of former Trump campaign adviser Carter Page
    • FISC noted
      • The government has acknowledged that at least some of its collection under color of those FISC orders was unlawful. It nevertheless now contends that it must temporarily retain, and potentially use and disclose, the information collected, largely in the context of ongoing or anticipated litigation. The Court hereby sets parameters for such use or disclosure.
    • The FISC ordered:
      • (1) With regard to the third-party FOIA litigation, see supra pp. 9-10, and the pending litigation with Page, see supra p. 12, the government may use or disclose Page FISA information insofar as necessary for the good-faith conduct of that litigation;
      • (2) With regard to any future claims brought by Page seeking redress for unlawful electronic surveillance or physical search or for disclosure of the results of such surveillance or search, the government may use or disclose Page FISA information insofar as necessary to the good-faith conduct of the litigation of such claims;
      • (3) Further use or disclosure of Page FISA information is permitted insofar as necessary to effective performance or disciplinary reviews of government personnel, provided that any such use or disclosure of raw information is permitted only insofar as a particular need to use or disclose the specific information at issue has been demonstrated. This paragraph applies, but is not limited to, use by, and disclosure by or to, the FBI’s INSD or OPR;
      • (4) Further use or disclosure of Page FISA information by DOJ OIG is permitted only insofar as necessary to assess the implementation of Recommendation 9 of the OIG Report;
      • (5) Further use or disclosure of Page FISA information is permitted only insofar as necessary to investigate or prosecute potential crimes relating to the conduct of the Page or Crossfire Hurricane investigations, provided that any such use or disclosure of raw information is permitted only insofar as a particular need to use or disclose the specific information at issue has been demonstrated. This paragraph applies, but is not limited to, use by, and disclosure by or to, personnel engaged in the review being lead by United States Attorney Durham. See supra p.17;and
      • (6) By January 29, 2021, and at intervals of no more than six months thereafter, the government shall submit under oath a written report on the retention, and any use or disclosure, of Page FISA information
  • Portland, Oregon has passed bans on the use of facial recognition technology by its government and private entities that is being characterized as the most stringent in the United States. Effective immediately, no city agency may use FRT and come 1 January 2021 no private companies may do so. In contrast, FRT bans in Boston, San Francisco, and Oakland only bar government entities from using the technology. However, Portland residents would still be permitted to use FRT; for example, those choosing to use FRT to unlock their phone would still be legal. The legislation explains
    • The purpose of this Chapter is to prohibit the use of Face Recognition Technologies in Places of Public Accommodation by Private Entities within the boundaries of the City of Portland.
    • Face Recognition Technologies have been shown to falsely identify women and People of Color on a routine basis. While progress continues to be made in improving Face Recognition Technologies, wide ranges in accuracy and error rates that differ by race and gender have been found in vendor testing.
    • Community members have raised concerns on the impacts of Face Recognition Technologies on civil liberties and civil rights. In addition, the collection, trade, and use of face biometric information may compromise the privacy of individuals even in their private setting. While these claims are being assessed, the City is creating safeguards aiming to protect Portlanders’ sensitive information until better infrastructure and policies are in place.
    • Portland’s commitment to equity means that we prioritize the safety and well-being of communities of color and other marginalized and vulnerable community members.
    • However, the ban does not apply
      • To the extent necessary for a Private Entity to comply with federal, state, or local laws;
      • For user verification purposes by an individual to access the individual’s own personal or employer issued communication and electronic devices; or
      • In automatic face detection services in social media applications.
  • President Donald Trump has nominated Nathan Simington to replace Federal Communications Commission (FCC) Commissioner Michael O’Reilly. Reports indicate Trump was displeased that O’Reilly was not receptive to Executive Order (EO) 13925 “Preventing Online Censorship” and so declined to renominate O’Reilly for anther term. Simington is currently serving as Senior Advisor in the National Telecommunications and Information Administration (NTIA) and is reported to have been deeply involved in the drafting of the EO. A White House press release provided this biography:
    • Among his many responsibilities across the telecommunications industry, he works on 5G security and secure supply chains, the American Broadband Initiative, and is NTIA’s representative to the Government Advisory Committee of the Internet Corporation for Assigned Names and Numbers.
    • Prior to his appointment at NTIA, Mr. Simington was Senior Counsel to Brightstar Corporation, a leading international company in the wireless industry.  In this role, he negotiated deals with companies across the spectrum of the telecommunications and internet industry, including most of the world’s leading wireless carriers. As the head lawyer on the advanced mobility products team, he spearheaded numerous international transactions in the devices, towers and services fields and forged strong relationships with leading telecom equipment manufacturers.  Prior to his career with Brightstar, Mr. Simington was an attorney in private practice with prominent national and international law firms.
    • Following the directive in the EO, on 27 July, the NTIA filed a petition with the FCC, asking the agency to start a rulemaking to clarify alleged ambiguities in 47 USC 230 regarding the limits of the liability shield for the content others post online versus the liability protection for “good faith” moderation by the platform itself.
    • In early August, the FCC asked for comments on the NTIA petition, and comments were due by 2 September. Over 2500 comments have been filed, and a cursory search turned up numerous form letter comments drafted by a conservative organization that were then submitted by members and followers.

Further Reading

  • “I Have Blood on My Hands”: A Whistleblower Says Facebook Ignored Global Political Manipulation” By Craig Silverman, Ryan Mac, and Pranav Dixit — BuzzFeed News. In a blistering memo on her way out the door, a Facebook engineer charged with moderating fake content around the world charged the company is unconcerned about how the manipulation of its platform is benefitting regimes throughout the world. There is also the implication the company is much more focused on content moderation in the United States (U.S.) and western Europe, possibly because of political pressure from those nations. Worse than allowing repressive and anti-democratic governments target news organizations and opposition figures, the company was slow to respond when human rights advocates accounts were falsely flagged as violating terms of service. The engineer finally quit after sleepless nights of worrying about how her time and efforts may be falling short of protecting nations and people in many nations. She further claimed “[i]t’s an open secret within the civic integrity space that Facebook’s short-term decisions are largely motivated by PR and the potential for negative attention.”
  • Online learning’s toll on kids’ privacy” By Ashley Gold — Axios. With the shift to online education for many students in the United States, the privacy and data security practices of companies in this space are starting to be examined. But schools and parents may be woefully underinformed about or lack power to curb some data collection and usage practices. The Federal Trade Commission (FTC) enforces the Children’s Online Privacy Protection Act (COPPA), which critics claim is not strong enough and to the extent the FTC enforces the law, it is “woefully insufficient.” Moreover, the differences between richer schools and poorer schools plays out with respect to privacy and data security and the latter group of schools likely cannot afford to vet and use the best companies.
  • Unlimited Information Is Transforming Society” By Naomi Oreskes and Erik M. Conway — Scientific American. This comprehensive article traces the field of information alongside other technological advances like electricity, nuclear power, and space travel. The authors posit that we are at a new point with information in that creation and transmission of it now flows in two directions whereas for much of history it flowed one way, often from the elites to everyone else.
  • First death reported following a ransomware attack on a German hospital” By Catalin Cimpanu — ZDNet. The first fatality associated with a ransomware attack happened in Gernmany when a patient in an ambulance was diverted from a hospital struggling with ransomware. Appafently, the hackers did not even mean to target the hospital in Dusseldorf and instead were aiming to infect and extort a university hospital nearby. Nonetheless, Germany’s Bundesamt für Sicherheit in der Informationstechnik thereafter issued a warning advising entities to update the CVE-2019-19871 vulnerability on Citrix network gateways.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Peggy und Marco Lachmann-Anke from Pixabay

Further Reading, Other Developments, and Coming Events (13 August)

Here are Further Reading, Other Developments, and Coming Events:

Coming Events

  • On 18 August, the National Institute of Standards and Technology (NIST) will host the “Bias in AI Workshop, a virtual event to develop a shared understanding of bias in AI, what it is, and how to measure it.”
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.

Other Developments

  • Senate Intelligence Committee Acting Chair Marco Rubio (R-FL) and Vice Chairman Mark Warner (D-VA) released a statement indicating the committee had voted to adopt the fifth and final volume of its investigation of the Russian Federation’s interference in the 2016 election. The committee had submitted the report to the Intelligence Community for vetting and have received the report with edits and redactions. The report could be released sometime over the next few weeks.  Rubio and Warner stated “the Senate Intelligence Committee voted to adopt the classified version of the final volume of the Committee’s bipartisan Russia investigation. In the coming days, the Committee will work to incorporate any additional views, as well as work with the Intelligence Community to formalize a properly redacted, declassified, publicly releasable version of the Volume 5 report.” The Senate Intelligence Committee’s has released four previous reports:
  • The National Institute of Standards and Technology (NIST) is accepting comments until 11 September on draft Special Publication 800-53B, “Control Baselines for Information Systems and Organizations,” a guidance document that will serve a key role in the United States government’s efforts to secure and protect the networks and systems it operates and those run by federal contractors. NIST explained:
    • This publication establishes security and privacy control baselines for federal information systems and organizations and provides tailoring guidance for those baselines. The use of the security control baselines is mandatory, in accordance with OMB Circular A-130 [OMB A-130] and the provisions of the Federal Information Security Modernization Act4 [FISMA], which requires the implementation of a set of minimum controls to protect federal information and  information systems. Whereas use of the privacy control baseline is not mandated by law or [OMB A-130], SP 800-53B, along with other supporting NIST publications, is designed to help organizations identify the security and privacy controls needed to manage risk and satisfy the security and privacy requirements in FISMA, the Privacy Act of 1974 [PRIVACT], selected OMB policies (e.g., [OMB A-130]), and designated Federal Information Processing Standards (FIPS), among others
  • The United States Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released an “Election Vulnerability Reporting Guide
    to provide “election administrators with a step-by-step guide, list of resources, and a template for establishing a successful vulnerability disclosure program to address possible vulnerabilities in their state and local election systems…[and] [t]he six steps include:
    • Step 1: Identify Systems Where You Would Accept Security Testing, and those Off-Limits
    • Step 2: Draft an Easy-to-Read Vulnerability Disclosure Policy (See Appendix III)
    • Step 3: Establish a Way to Receive Reports/Conduct Follow-On Communication
    • Step 4: Assign Someone to Thank and Communicate with Researchers
    • Step 5: Assign Someone to Vet and Fix the Vulnerabilities
    • Step 6: Consider Sharing Information with Other Affected Parties
  • The United Kingdom’s Information Commissioner’s Office (ICO) has issued “Guidance on AI and data protection” that “clarifies how you can assess the risks to rights and freedoms that AI can pose from a data protection perspective; and the appropriate measures you can implement to mitigate them.” The ICO explained “[w]hile data protection and ‘AI ethics’ overlap, this guidance does not provide generic ethical or design principles for your use of AI.” The ICO stated “[i]t corresponds to data protection principles, and is structured as follows:
    • part one addresses accountability and governance in AI, including data protection impact assessments (DPIAs);
    • part two covers fair, lawful and transparent processing, including lawful bases, assessing and improving AI system performance, and mitigating potential discrimination;
    • part three addresses data minimisation and security; and
    • part four covers compliance with individual rights, including rights related to automated decision-making.
  •  20 state attorneys general wrote Facebook Chief Executive Officer Mark Zuckerberg and Chief Operating Officer Sheryl Sandberg “to request  that  you  take  additional  steps  to prevent   Facebook   from   being used   to   spread   disinformation   and   hate   and   to   facilitate discrimination.” They also asked “that you take more steps to provide redress for users who fall victim to intimidation and harassment, including violence and digital abuse.” The attorneys general said that “[b]ased on our collective experience, we believe that Facebook should take additional actions including the following steps—many of which are highlighted in Facebook’s recent Civil Rights Audit—to strengthen its commitment to civil rights and fighting disinformation and discrimination:
    • Aggressively enforce Facebook policies against hate speech and organized hate organizations: Although Facebook has developed policies against hate speech and organizations that peddle it, we remain concerned that Facebook’s policies on Dangerous Individuals and Organizations, including but not limited to its policies on white nationalist and white supremacist content, are not enforced quickly and comprehensively enough. Content that violates Facebook’s own policies too often escapes removal just because it comes as coded language, rather than specific magic words. And even where Facebook takes steps to address a particular violation, it often fails to proactively address the follow-on actions by replacement or splinter groups that quickly emerge.
    • Allow public, third-party audits of hate content and enforcement: To gauge the ongoing progress of Facebook’s enforcement efforts, independent experts should be permitted access to the data necessary to conduct regular, transparent third-party audits of hate and hate-related misinformation on the platform, including any information made available to the Global Oversight Board. As part of this effort, Facebook should capture data on the prevalence of different forms of hate content on the platform, whether or not covered by Facebook’s own community standards, thus allowing the public to determine whether enforcement of anti-hate policies differs based on the type of hate content at issue.
    • Commit to an ongoing, independent analysis of Facebook’s content population scheme and the prompt development of best practices guidance: By funneling users toward particular types of content, Facebook’s content population scheme, including its algorithms, can push users into extremist online communities that feature divisive and inflammatory messages, often directed at particular groups. Although Facebook has conducted research and considered programs to reduce this risk, there is still no mandatory guidance for coders and other teams involved in content population. Facebook should commit to an ongoing, independent analysis of its content population scheme, including its algorithms, and also continuously implement mandatory protocols as best practices are identified to curb bias and prevent recommendations of hate content and groups.
    • Expand policies limiting inflammatory advertisements that vilify minority groups: Although Facebook currently prohibits ads that claim that certain people, because of their membership in a protected group, pose a threat to the physical safety of communities or the nation, its policies still allow attacks that characterize such groups as threats to national culture or values. The current prohibition should be expanded to include such ads.
  • New Zealand’s Ministry of Statistics “launched the Algorithm Charter for Aotearoa New Zealand” that “signals that [the nation’s agencies] are committed to being consistent, transparent and accountable in their use of algorithms.”
    • The Ministry explained “[t]he Algorithm Charter is part of a wider ecosystem and works together with existing tools, networks and research, including:
      • Principles for the Safe and Effective Use of Data and Analytics (Privacy Commissioner and Government Chief Data Steward, 2018)
      • Government Use of Artificial Intelligence in New Zealand (New Zealand Law Foundation and Otago University, 2019)
      • Trustworthy AI in Aotearoa – AI Principles (AI Forum New Zealand, 2020)
      • Open Government Partnership, an international agreement to increase transparency.
      • Data Protection and Use Policy (Social Wellbeing Agency, 2020)
      • Privacy, Human Rights and Ethics Framework (Ministry of Social Development).
  • The European Union (EU) imposed its first cyber sanctions under its Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (aka the cyber diplomacy toolbox) against six hackers and three entities from the Russian Federation, the People’s Republic of China (PRC) and the Democratic People’s Republic of Korea for attacks against the against the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands, the malware attacks known as Petya and WannaCry, and Operation Cloud Hopper. The EU’s cyber sanctions follow sanctions the United States has placed on a number of people and entities from the same nations and also indictments the U.S. Department of Justice has announced over the years. The sanctions are part of the effort to levy costs on nations and actors that conduct cyber attacks. The EU explained:
    • The attempted cyber-attack was aimed at hacking into the Wi-Fi network of the OPCW, which, if successful, would have compromised the security of the network and the OPCW’s ongoing investigatory work. The Netherlands Defence Intelligence and Security Service (DISS) (Militaire Inlichtingen- en Veiligheidsdienst – MIVD) disrupted the attempted cyber-attack, thereby preventing serious damage to the OPCW.
    • “WannaCry” disrupted information systems around the world by targeting information systems with ransomware and blocking access to data. It affected information systems of companies in the Union, including information systems relating to services necessary for the maintenance of essential services and economic activities within Member States.
    • “NotPetya” or “EternalPetya” rendered data inaccessible in a number of companies in the Union, wider Europe and worldwide, by targeting computers with ransomware and blocking access to data, resulting amongst others in significant economic loss. The cyber-attack on a Ukrainian power grid resulted in parts of it being switched off during winter.
    • “Operation Cloud Hopper” has targeted information systems of multinational companies in six continents, including companies located in the Union, and gained unauthorised access to commercially sensitive data, resulting in significant economic loss.
  • The United States’ Federal Communications Commission (FCC) is asking for comments on the Department of Commerce’s the National Telecommunications and Information Administration’s (NTIA) petition asking the agency to start a rulemaking to clarify alleged ambiguities in 47 USC 230 regarding the limits of the liability shield for the content others post online versus the liability protection for “good faith” moderation by the platform itself. The NTIA was acting per direction in an executive order allegedly aiming to correct online censorship. Executive Order 13925, “Preventing Online Censorship” was issued in late May after Twitter factchecked two of President Donald Trump’s Tweets regarding false claims made about mail voting in California in response to the COVID-19 pandemic. Comments are due by 2 September.
  • The Australian Competition & Consumer Commission (ACCC) released for public consultation a draft of “a mandatory code of conduct to address bargaining power imbalances between Australian news media businesses and digital platforms, specifically Google and Facebook.” The government in Canberra had asked the ACCC to draft this code earlier this year after talks broke down between the Australian Treasury
    • The ACCC explained
      • The code would commence following the introduction and passage of relevant legislation in the Australian Parliament. The ACCC released an exposure draft of this legislation on 31 July 2020, with consultation on the draft due to conclude on 28 August 2020. Final legislation is expected to be introduced to Parliament shortly after conclusion of this consultation process.
    • This is not the ACCC’s first interaction with the companies. Late last year, the ACCC announced a legal action against Google “alleging they engaged in misleading conduct and made false or misleading representations to consumers about the personal location data Google collects, keeps and uses” according to the agency’s press release. In its initial filing, the ACCC is claiming that Google mislead and deceived the public in contravention of the Australian Competition Law and Android users were harmed because those that switched off Location Services were unaware that their location information was still be collected and used by Google for it was not readily apparent that Web & App Activity also needed to be switched off.
    • A year ago, the ACCC released its final report in its “Digital Platforms Inquiry” that “proposes specific recommendations aimed at addressing some of the actual and potential negative impacts of digital platforms in the media and advertising markets, and also more broadly on consumers.”
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued “released core guidance documentation for the Trusted Internet Connections (TIC) program, developed to assist agencies in protecting modern information technology architectures and services.” CISA explained “In accordance with the Office of Management and Budget (OMB) Memorandum (M) 19-26: Update to the TIC Initiative, TIC 3.0 expands on the original initiative to drive security standards and leverage advances in technology to secure a wide spectrum of agency network architectures.” Specifically, CISA released three core guidance documents:
    • Program Guidebook (Volume 1) – Outlines the modernized TIC program and includes its historical context
    • Reference Architecture (Volume 2) – Defines the concepts of the program to guide and constrain the diverse implementations of the security capabilities
  • Senators Ron Wyden (D-OR), Bill Cassidy (R-LA) and ten other Members wrote the Federal Trade Commission (FTC) urging the agency “to investigate widespread privacy violations by companies in the advertising technology (adtech) industry that are selling private data about millions of Americans, collected without their knowledge or consent from their phones, computers, and smart TVs.” They asked the FTC “to use its authority to conduct broad industry probes under Section 6(b) of the FTC Act to determine whether adtech companies and their data broker partners have violated federal laws prohibiting unfair and deceptive business practices.” They argued “[t]he FTC should not proceed with its review of the Children’s Online Privacy Protection Act (COPPA) Rule before it has completed this investigation.”
  •  “100 U.S. women lawmakers and current and former legislators from around the world,” including Speaker of the House Nancy Pelosi (D-CA), sent a letter to Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg urging the company “to take decisive action to protect women from rampant and increasing online attacks on their platform that have caused many women to avoid or abandon careers in politics and public service.” They noted “[j]ust a few days ago, a manipulated and widely shared video that depicted Speaker Pelosi slurring her speech was once again circulating on major social media platforms, gaining countless views before TikTok, Twitter, and YouTube all removed the footage…[and] [t]he video remains on Facebook and is labeled “partly false,” continuing to gain millions of views.” The current and former legislators “called on Facebook to enforce existing rules, including:
    • Quick removal of posts that threaten candidates with physical violence, sexual violence or death, and that glorify, incite or praise violence against women; disable the relevant accounts, and refer offenders to law enforcement.
    • Eliminate malicious hate speech targeting women, including violent, objectifying or dehumanizing speech, statements of inferiority, and derogatory sexual terms;
    • Remove accounts that repeatedly violate terms of service by threatening, harassing or doxing or that use false identities to attack women leaders and candidates; and
    • Remove manipulated images or videos misrepresenting women public figures.
  • The United States’ Departments of Commerce and Homeland Security released an update “highlighting more than 50 activities led by industry and government that demonstrate progress in the drive to counter botnet threats.” in May 2018, the agencies submitted “A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats” that identified a number of steps and prompted a follow on “A Road Map Toward Resilience Against Botnets” released in November 2018.
  • United States (U.S.) Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders released a joint statement explaining that “[t]he U.S. Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgment of the Court of Justice of the European Union in the Schrems II case.”
    • Maximillian Schrems filed a complaint against Facebook with Ireland’s Data Protection Commission (DPC) in 2013, alleging that the company’s transfer of his personal data violated his rights under European Union law because of the mass U.S. surveillance revealed by former National Security Agency (NSA) contractor Edward Snowden. Ultimately, this case resulted in a 2015 Court of Justice of the European Union (CJEU) ruling that invalidated the Safe Harbor agreement under which the personal data of EU residents was transferred to the US by commercial concerns. The EU and US executed a follow on agreement, the EU-U.S. Privacy Shield, that was designed to address some of the problems the CJEU turned up, and the U.S. passed a law, the “Judicial Redress Act of 2015” (P.L. 114-126), to provide EU citizens a way to exercise their EU rights in US courts via the “Privacy Act of 1974.”
    • However, Schrems continued and soon sought to challenge the legality of the European Commission’s signing off on the Privacy Shield agreement, the adequacy decision issued in 2016, and also the use of standard contractual clauses (SCC) by companies for the transfer of personal data to the US. The CJEU struck down the adequacy decision, throwing into doubt many entities’ transfers out of the EU into the U.S. but upheld SCCs in a way that suggested EU data protection authorities (DPA) may need to review all such agreements to ensure they comply with EU law.
  • The European Commission (EC) announced an “an in-depth investigation to assess the proposed acquisition of Fitbit by Google under the EU Merger Regulation.” The EC voiced its concern “that the proposed transaction would further entrench Google’s market position in the online advertising markets by increasing the already vast amount of data that Google could use for personalisation of the ads it serves and displays.” The EC detailed its “preliminary competition concerns:
    • Following its first phase investigation, the Commission has concerns about the impact of the transaction on the supply of online search and display advertising services (the sale of advertising space on, respectively, the result page of an internet search engine or other internet pages), as well as on the supply of ”ad tech” services (analytics and digital tools used to facilitate the programmatic sale and purchase of digital advertising). By acquiring Fitbit, Google would acquire (i) the database maintained by Fitbit about its users’ health and fitness; and (ii) the technology to develop a database similar to Fitbit’s one.
    • The data collected via wrist-worn wearable devices appears, at this stage of the Commission’s review of the transaction, to be an important advantage in the online advertising markets. By increasing the data advantage of Google in the personalisation of the ads it serves via its search engine and displays on other internet pages, it would be more difficult for rivals to match Google’s online advertising services. Thus, the transaction would raise barriers to entry and expansion for Google’s competitors for these services, to the ultimate detriment of advertisers and publishers that would face higher prices and have less choice.
    • At this stage of the investigation, the Commission considers that Google:
      • is dominant in the supply of online search advertising services in the EEA countries (with the exception of Portugal for which market shares are not available);
      • holds a strong market position in the supply of online display advertising services at least in Austria, Belgium, Bulgaria, Croatia, Denmark, France, Germany, Greece, Hungary, Ireland, Italy, Netherlands, Norway, Poland, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom, in particular in relation to off-social networks display ads;
      • holds a strong market position in the supply of ad tech services in the EEA.
    • The Commission will now carry out an in-depth investigation into the effects of the transaction to determine whether its initial competition concerns regarding the online advertising markets are confirmed.
    • In addition, the Commission will also further examine:
      • the effects of the combination of Fitbit’s and Google’s databases and capabilities in the digital healthcare sector, which is still at a nascent stage in Europe; and
      • whether Google would have the ability and incentive to degrade the interoperability of rivals’ wearables with Google’s Android operating system for smartphones once it owns Fitbit.
    • In February after the deal had been announced, the European Data Protection Board (EDPB) made clear it position that Google and Fitbit will need to scrupulously observe the General Data Protection Regulation’s privacy and data security requirements if the body is sign off on the proposed $2.2 billion acquisition. Moreover, at present Google has not informed European Union (EU) regulators of the proposed deal. The deal comes at a time when both EU and U.S. regulators are already investigating Google for alleged antitrust and anticompetitive practices, and the EDPB’s opinion could carry weight in this process.
  • The United States’ (U.S.) Department of Homeland Security released a Privacy Impact Assessment for the U.S. Border Patrol (USPB) Digital Forensics Programs that details how it may conduct searches of electronic devices at the U.S. border and ports of entry. DHS explained
    • As part of USBP’s law enforcement duties, USBP may search and extract information from electronic devices, including: laptop computers; thumb drives; compact disks; digital versatile disks (DVDs); mobile phones; subscriber identity module (SIM) cards; digital cameras; vehicles; and other devices capable of storing electronic information.
    • Last year, a U.S. District Court held that U.S. Customs and Border Protection (CPB) and U.S. Immigration and Customs Enforcement’s (ICE) current practices for searches of smartphones and computers at the U.S. border are unconstitutional and the agency must have reasonable suspicion before conducting such a search. However, the Court declined the plaintiffs’ request that the information taken off of their devices be expunged by the agencies. This ruling follows a Department of Homeland Security Office of the Inspector General (OIG) report that found CPB “did not always conduct searches of electronic devices at U.S. ports of entry according to its Standard Operating Procedures” and asserted that “[t]hese deficiencies in supervision, guidance, and equipment management, combined with a lack of performance measures, limit [CPB’s] ability to detect and deter illegal activities related to terrorism; national security; human, drug, and bulk cash smuggling; and child pornography.”
    • In terms of a legal backdrop, the United States Supreme Court has found that searches and seizures of electronic devices at borders and airports are subject to lesser legal standards than those conducted elsewhere in the U.S. under most circumstances. Generally, the government’s interest in securing the border against the flow of contraband and people not allowed to enter allow considerable leeway to the warrant requirements for many other types of searches. However, in recent years two federal appeals courts (the Fourth and Ninth Circuits) have held that searches of electronic devices require suspicion on the part of government agents while another appeals court (the Eleventh Circuit) held differently. Consequently, there is not a uniform legal standard for these searches.
  • The Inter-American Development Bank (IDB) and the Organization of Americans States (OAS) released their second assessment of cybersecurity across Latin America and the Caribbean that used the Cybersecurity Capacity Maturity Model for Nations (CMM) developed at University of Oxford’s Global Cyber Security Capacity Centre (GSCC). The IDB and OAS explained:
    • When the first edition of the report “Cybersecurity: Are We Ready in Latin America and the Caribbean?” was released in March 2016, the IDB and the OAS aimed to provide the countries of Latin America and the Caribbean (LAC) not only with a picture of the state of cybersecurity but also guidance about the next steps that should be pursued to strengthen national cybersecurity capacities. This was the first study of its kind, presenting the state of cybersecurity with a comprehensive vision and covering all LAC countries.
    • The great challenges of cybersecurity, like those of the internet itself, are of a global nature. Therefore, it is undeniable that the countries of LAC must continue to foster greater cooperation among themselves, while involving all relevant actors, as well as establishing a mechanism for monitoring, analysis, and impact assessment related to cybersecurity both nationally and regionally. More data in relation to cybersecurity would allow for the introduction of a culture of cyberrisk management that needs to be extended both in the public and private sectors. Countries must be prepared to adapt quickly to the dynamic environment around us and make decisions based on a constantly changing threat landscape. Our member states may manage these risks by understanding the impact on and the likelihood of cyberthreats to their citizens, organizations, and national critical infrastructure. Moving to the next level of maturity will require a comprehensive and sustainable cybersecurity policy, supported by the country’s political agenda, with allocation of  financial resources and qualified human capital to carry it out.
    • The COVID-19 pandemic will pass, but events that will require intensive use of digital technologies so that the world can carry on will continue happening. The challenge of protecting our digital space will, therefore, continue to grow. It is the hope of the IDB and the OAS that this edition of the report will help LAC countries to have a better understanding of their current state of cybersecurity capacity and be useful in the design of the policy initiatives that will lead them to increase their level of cyberresilience.
  • The European Data Protection Supervisor (EDPS) issued an opinion on “the European Commission’s action plan for a comprehensive Union policy on preventing money laundering and terrorism financing (C(2020)2800 final), published on 7 May 2020.” The EDPS asserted:
    • While  the  EDPS acknowledges the  importance  of  the  fight  against money  laundering  and terrorism financing as an objective of general interest, we call for the legislation to strike a balance between the interference with the fundamental rights of privacy and personal data protection and  the measures that  are  necessary  to  effectively  achieve  the  general  interest goals on anti-money  laundering  and  countering the  financing  of terrorism (AML/CFT) (the principle of proportionality).
    • The EDPS recommends that the Commission monitors the effective implementation of the existing  AML/CFT  framework while ensuring that the  GDPR  and  the  data  protection framework are respected and complied with. This is particularly relevant for the works on the interconnection of central bank account mechanisms and beneficial ownership registers that should be largely inspired by the principles of data minimisation, accuracy and privacy-by-design and by default.  

Further Reading

  • China already has your data. Trump’s TikTok and WeChat bans can’t stop that.” By Aynne Kokas – The Washington Post. This article persuasively makes the case that even if a ban on TikTok and WeChat were to work, and there are substantive questions as to how a ban would given how widely the former has been downloaded, the People’s Republic of China (PRC) is almost certainly acquiring massive reams of data on Americans through a variety of apps, platforms, and games. For example, Tencent, owner of WeChat, has a 40% stake in Epic Games that has Fortnite, a massively popular multiplayer game (if you have never heard of it, ask one of the children in your family). Moreover, a recent change to PRC law mandates that companies operating in the PRC must share their data bases for cybersecurity reviews, which may be an opportunity aside from hacking and exfiltrating United States entities, to access data. In summation, if the Trump Administration is serious about stopping the flow of data from the U.S. to the PRC, these executive orders will do very little.
  • Big Tech Makes Inroads With the Biden Campaign” by David McCabe and Kenneth P. Vogel – The New York Times. Most likely long before former Vice President Joe Biden clinched the Democratic nomination, advisers volunteered to help plot out his policy positions, a process that intensified this year. Of course, this includes technology policy, and many of those volunteering for the campaign’s Innovation Policy Committee have worked or are working for large technology companies directly or as consultants or lobbyists. This piece details some of these people and their relationships and how the Biden campaign is managing possible conflicts of interest. Naturally, those on the left wing of the Democratic Party calling for tighter antitrust, competition, and privacy regulation are concerned that Biden might be pulled away from these positions despite his public statements arguing that the United States government needs to get tougher with some practices.
  • A Bible Burning, a Russian News Agency and a Story Too Good to Check Out” By Matthew Rosenberg and Julian E. Barnes – The New York Times. The Russian Federation seems to be using a new tactic with some success for sowing discord in the United States that is the information equivalent of throwing fuel onto a fire. In this case, a fake story manufactured by a Russian outlet was seized on by some prominent Republicans, in part, because it fits their preferred world view of protestors. In this instance, a Russian outlet created a fake story amplifying an actual event that went viral. We will likely see more of this, and it is not confined to fake stories intended to appeal to the right. The same is happening with content meant for the left wing in the United States.
  • Facebook cracks down on political content disguised as local news” by Sara Fischer – Axios. As part of its continuing effort to crack down on violations of its policies, Facebook will no longer allow groups with a political viewpoint to masquerade as news. The company and outside experts have identified a range of instances where groups propagating a viewpoint, as opposed to reporting, have used a Facebook exemption by pretending to be local news outlets.
  • QAnon groups have millions of members on Facebook, documents show” By Ari Sen and Brandy Zadrozny – NBC News. It appears as if some Facebooks are leaking the results of an internal investigation that identified more than 1 million users who are part of QAnon groups. Most likely these employees want the company to take a stronger stance on the conspiracy group QAnon like the company has with COVID-19 lies and misinformation.
  • And, since Senator Kamala Harris (D-CA) was named former Vice President Joe Biden’s (D-DE) vice presidential pick, this article has become even more relevant than when I highlighted it in late July: “New Emails Reveal Warm Relationship Between Kamala Harris And Big Tech” – HuffPost. Obtained via an Freedom of Information request, new email from Senator Kamala Harris’ (D-CA) tenure as her state’s attorney general suggest she was willing to overlook the role Facebook, Google, and others played and still play in one of her signature issues: revenge porn. This article makes the case Harris came down hard on a scammer running a revenge porn site but did not press the tech giants with any vigor to take down such material from their platforms. Consequently, the case is made if Harris is former Vice President Joe Biden’s vice presidential candidate, this would signal a go easy approach on large companies even though many Democrats have been calling to break up these companies and vigorously enforce antitrust laws. Harris has largely not engaged on tech issues during her tenure in the Senate. To be fair, many of these companies are headquartered in California and pump billions of dollars into the state’s economy annually, putting Harris in a tricky position politically. Of course, such pieces should be taken with a grain of salt since it may have been suggested or planted by one of Harris’ rivals for the vice president nomination or someone looking to settle a score.
  • Unwanted Truths: Inside Trump’s Battles With U.S. Intelligence Agencies” by Robert Draper – The New York Times. A deeply sourced article on the outright antipathy between President Donald Trump and Intelligence Community officials, particularly over the issue of how deeply Russia interfered in the election in 2016. A number of former officials have been fired or forced out because they refused to knuckle under to the White House’s desire to soften or massage conclusions of Russia’s past and current actions to undermine the 2020 election in order to favor Trump.
  • Huawei says it’s running out of chips for its smartphones because of US sanctions” By Kim Lyons – The Verge and “Huawei: Smartphone chips running out under US sanctions” by Joe McDonald – The Associated Press. United States (U.S.) sanctions have started biting the Chinese technology company Huawei, which announced it will likely run out of processor chips for its smartphones. U.S. sanctions bar any company from selling high technology items like processors to Huawei, and this capability is not independently available in the People’s Republic of China (PRC) at present.
  • Targeting WeChat, Trump Takes Aim at China’s Bridge to the World” By Paul Mozur and Raymond Zhong – The New York Times. This piece explains WeChat, the app, the Trump Administration is trying to ban in the United States (U.S.) without any warning. It is like a combination of Facebook, WhatsApp, news app, and payment platform and is used by more than 1.2 billion people.
  • This Tool Could Protect Your Photos From Facial Recognition” By Kashmir Hill – The New York Times. Researchers at the University of Chicago have found a method of subtly altering photos of people that appears to foil most facial recognition technologies. However, a number of experts interviewed said it is too late to stop companies like AI Clearview.
  • I Tried to Live Without the Tech Giants. It Was Impossible.” By Kashmir Hill – The New York Times. This New York Times reporter tried living without the products of large technology companies, which involved some fairly obvious challenges and some that were not so obvious. Of course, it was hard for her to skip Facebook, Instagram, and the like, but cutting out Google and Amazon proved hardest and basically impossible because of the latter’s cloud presence and the former’s web presence. The fact that some of the companies cannot be avoided if one wants to be online likely lends weight to those making the case these companies are anti-competitive.
  • To Head Off Regulators, Google Makes Certain Words Taboo” by Adrianne Jeffries – The Markup. Apparently, in what is a standard practice at large companies, employees at Google were coached to avoid using certain terms or phrases that antitrust regulators would take notice of such as: “market,” “barriers to entry,” and “network effects.” The Markup obtained a 16 August 2019 document titled “Five Rules of Thumb For Written Communications” that starts by asserting “[w]ords matter…[e]specially in antitrust laws” and goes on to advise Google’s employees:
    • We’re out to help users, not hurt competitors.
    • Our users should always be free to switch, and we don’t lock anyone in.
    • We’ve got lots of competitors, so don’t assume we control or dominate any market.
    • Don’t try and define a market or estimate our market share.
    • Assume every document you generate, including email, will be seen by regulators.
  • Facebook Fired An Employee Who Collected Evidence Of Right-Wing Pages Getting Preferential Treatment” By Craig Silverman and Ryan Mac – BuzzFeed News. A Facebook engineer was fired after adducing proof in an internal communications system that the social media platform is more willing to change false and negative ratings to claims made by conservative outlets and personalities than any other viewpoint. If this is true, it would be opposite to the narrative spun by the Trump Administration and many Republicans in Congress. Moreover, Facebook’s incentives would seem to align with giving conservatives more preferential treatment because many of these websites advertise on Facebook, the company probably does not want to get crosswise with the Administration, sensational posts and content drive engagement which increases user numbers that allows for higher ad rates, and it wants to appear fair and impartial.
  • How Pro-Trump Forces Work the Refs in Silicon Valley” By Ben Smith – The New York Times. This piece traces the nearly four decade old effort of Republicans to sway mainstream media and now Silicon Valley to its viewpoint.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo credit: Gerd Altmann on Pixabay

U.S. Announces Plan To Release Prized Mid-Band Spectrum For 5G

The U.S. government has rolled out a plan to make available desirable mid-band spectrum in an arrangement under which the military would share with commercial providers. However, these new frequencies would be used in mid-2022 at the earliest.   

The White House and the United States (U.S.) Department of Defense (DOD) will share a prime slice of mid band electromagnetic frequency with commercial entities that would be ideal for 5G according to their announcements. The development of the next iteration of wireless communications has been hampered in the U.S. because the DOD controls a range of the usable frequency spectrum other nations have been using to test and deploy 5G. This announcement would allow commercial entities to ultimately bid on 100 continuous MHz of spectrum that has been used exclusively by the DOD for guidance and navigation. It is an open question whether the relinquishment of this spectrum will speed 5G development and adoption in the U.S., and the timeline provided by the Administration suggests licenses to use these mid-band frequencies will not be in the hands of commercial entities until mid-2022 at the earliest, assuming President Donald Trump is reelected, for a Biden Administration may propose a different course of action. Nonetheless, one Administration official asserted releasing this 100 MHz will be “the fastest transfer of Federal spectrum to commercial use in history.”

The Trump Administration has pursued a number of efforts to foster the development, deployment, and use of 5G in the U.S. A key part of the motivation for doing so is the role companies from the People’s Republic of China (PRC) have played in pushing forward this technology such as Huawei. This PRC company is playing a significant, perhaps even dominant role, in helping pioneer the technology that would allow nations around the globe to move from 4G to the significantly faster download and upload speeds of 5G because of much higher bandwidth. Experts believe this transition will be a paradigm shift in wireless communications the same way transitioning from 3G to 4G earlier in this decade changed how people used smartphones to cite just one technology. For example, 4G speeds range between 10-100 Mbps whereas 5G will allow for 1000-1400 Mbps and will allow for the development of faster phones and computers, more functional Internet of Things devices and networks, new potential military uses, and other applications not yet conceived of. However, there is the belief that whichever nation is on the forefront of developing this technology and the standards used to govern the various protocols will gain the first mover advantage and may reap a lion’s share of the benefits. Hence, if this view if correct, being first and preeminent in 5G is a national security issue, and, whether true or not, policymakers in Beijing, Washington, and other capitals believe this to be the case. At present, in the assessment of a DOD advisory board, the U.S. is among the first tier of competitors along with the PRC, South Korea, and Japan.

The announcement by the White House and DOD matters because while other nations have been allowing their commercial entities a portion of the spectrum considered ideal for 5G between 1 and 6 GHz (aka sub-6GHz), much of this spectrum has been used by the Pentagon for national security systems. Consequently, there has been a push from policymakers for use higher frequencies on the electromagnetic spectrum between 24 and 300 GHz. However, if the U.S. were to do so, the fear is that this decision would put U.S. technology companies using and operating in the 5G realm at a disadvantage as virtually the rest of the world would use sub-6Ghz spectrum. The Obama Administration began grappling with this issue, and the Trump Administration has continued through a variety of means, including a working group that led to the present announcement that 100 MHz of sub-6GHz will be available to companies and entities looking to deploy and use 5G.

In a press release, the Trump Administration said

  • Today, at President Donald J. Trump’s direction, the White House and the DOD announced that 100 megahertz of contiguous, coast-to-coast mid-band spectrum will be made available for commercial 5G deployment.
  • President Trump is committed to strengthening United States leadership in 5G communications for the security and prosperity of the American people. With 5G networks already available to more than 250 million Americans, we have made significant strides. The availability of more mid-band spectrum is a key factor to driving widespread 5G access across rural America.
  • Throughout this process, the Trump Administration has worked carefully to ensure that commercial use of this critically needed mid-band spectrum will never compromise military preparedness or national security.

In a statement, DOD Chief Information Officer Dana Deasy explained:

  • In mid-April, the White House and DOD met to discuss what could be done quickly to make more mid-band spectrum available for 5G in the 3 gigahertz band range, commonly known as mid-band, which is paramount to maintaining American leadership in 5G.
  • As a result, the America’s Mid-Band Initiative Team (AMBIT) was established and worked on an unprecedented 15-week schedule to make 100 megahertz (MHz) of contiguous mid-band spectrum available in the 3450-3550 MHz band for 5G by the end of the summer.
  • The 3450-3550 MHz band supports critical DOD radar operations including high-powered defense radar systems on fixed, mobile, shipborne, and airborne platforms. Capabilities for these systems include air defense, missile and gunfire control, counter-mortar, bomb scoring, battlefield weapon locations, air traffic control, and range safety.
  • With this additional 100 MHz, the U.S. now has a contiguous 530 megahertz of mid-band spectrum from 3450-3980 MHz to enable higher capacity 5G networks.
  • The Federal Communications Commission will auction the spectrum after service rules are adopted. Through the hard work of the AMBIT, we expect these rules to be similar to AWS-3, where for the most part the spectrum will be available for commercial use without limits, while simultaneously minimizing impact to DOD operations.

U.S. Chief Technology Officer (CTO) and acting Under Secretary of Defense for Research and Engineering Michael Kratsios claimed on a call with reporters that the Federal Communications Commission (FCC) will hold an auction for the 100 MHz in late December 2021 and by mid-2022 the winning bidders would be able to start using their slice of spectrum. FCC Chair Ajit Pai asserted in a statement that “[t]ogether with the spectrum being made available for 5G in the C-band as well as the 3.5 GHz band, we are now on track to have a 530-megahertz swath of mid-band spectrum available for 5G from 3.45 to 3.98 GHz…[and] [t]he FCC looks forward to moving quickly to adopt service rules for the 3.45 GHz band and then hold an auction to bring this prime mid-band spectrum to market.”

Preceding the AMBIT initiative, in January, the National Telecommunications and Information Administration (NTIA) prepared a technical report on the 3450-3550 MHz band “[a]s part of its ongoing effort to identify candidate bands for repurposing to accommodate commercial wireless services.” NTIA worked with DOD, “which operates the federal systems in the band, to determine the conditions needed to enable commercial services to operate without causing impact to incumbent operations.” NTIA asserted “[t]he report indicates that commercial operations would impact incumbent federal systems; however, spectrum sharing that provides both sufficient protection to incumbent operations and an attractive commercial business case may be possible with further information and analysis, including studying the efficacy of deploying appropriate time-based sharing mechanisms.”

The NTIA found

  • The primary allocations in the band include federal radiolocation and aeronautical radionavigation. The incumbent federal operations currently consist of shipborne radars, several types of airborne systems, and ground-based radars. The shipborne radars operate at over twenty ports and along the entire Atlantic, Pacific, and Gulf coasts. Some of the airborne systems operate nationwide, while other systems are limited to four locations. The ground-based radars operate at over one hundred locations, including many near high-population areas. In addition, DOD continues to deploy systems at additional locations and to develop new systems for operation in the band.
  • While some federal systems operate intermittently and in only one part of the 3450-3550 MHz band at a time, the time when they operate and the specific frequencies they use can be dynamic and unpredictable depending on mission requirements. In the aggregate and in some cases individually, the federal systems use the entire band throughout the United States and its possessions, including near and over the most populated areas. Current and future DOD system usage and operational mission requirements are important considerations for establishing sharing conditions. Sufficient information, however, was not available to fully account for these considerations, and therefore further study is needed. In addition, some aspects of the systems are classified, which reduced the ability for the report to be as transparent regarding the analysis as otherwise possible, but did not affect the quality of the results.

The NTIA proposed a “dynamic, time-based sharing mechanism” in the 3450-3550 MHz band as a means of allowing commercial entities to access what is considered a prime frequency for 5G while reserving, as needed, the ability of the DOD to operate crucial defense systems. The NTIA stated:

  • Frequency-based and geographic-based sharing approaches would result in significant restrictions on commercial services, in terms of emitter power limits and exclusion zones, making sufficient access for viable commercial applications unlikely. However, a dynamic, time-based sharing mechanism could present a potentially attractive approach to both protecting federal systems and providing viable commercial operations. Commercial operations would be contingent on spectrum availability, which will depend on the frequency, time, and location of federal system operations.
  • The assessment identifies further work needed to reach a more definitive conclusion regarding the extent to which a sharing mechanism would enable assured access for uninterrupted (i.e., without harmful interference) federal missions while also enabling commercial shared access. The study assumed that all federal systems could implement a spectrum sharing mechanism, except for the nationwide airborne systems, which present unique challenges due to their large area of operations. The table below summarizes the power levels that would be possible for commercial operations.

In late 2019, The Department of Commerce, acting through the National Telecommunications and Information Administration (NTIA), released its initial annual report “on the status of existing efforts and planned near- to mid-term spectrum repurposing initiatives” as required by an October 2018 Presidential Memorandum “on Developing a Sustainable Spectrum Strategy for America’s Future.” In the report, NTIA explained

This report is part of a broader effort to maintain the U.S. position as a global leader in pioneering and sustaining technological and economic leadership in developing and deploying spectrum-dependent products and services, from 5G wireless systems to innovative satellite and space applications. A significant component of this effort is the construction and execution of the National Spectrum Strategy called for by the Presidential Memorandum. The U.S. Government will continue to support this leadership in ground-breaking wireless technologies, including those that greatly improve the spectrum efficiency and effectiveness of federal operations. This is being accomplished through ongoing efforts to assess the Nation’s spectrum needs and to identify additional bands with federal and non-federal allocations to serve those needs. This will entail examining and implementing effective protective measures for incumbent services and managing the transitions as spectrum uses shift and new spectrum-sharing tools and techniques are developed and implemented. These ongoing efforts constitute a process that resembles a “pipeline” for continuous identification and assessment of bands, followed by repurposing or implementing other spectrum access mechanisms wherever needed and feasible.

In July 2019, the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released an assessment that “Fifth Generation Mobile Network (5G) will present opportunities and challenges, and its implementation will introduce vulnerabilities related to supply chains, deployment, network security, and the loss of competition and trusted options.

  • Use of 5G components manufactured by untrusted companies could expose U.S. entities to risks introduced by malicious software and hardware, counterfeit components, and component flaws caused by poor manufacturing processes and maintenance procedures. 5G hardware, software, and services provided by untrusted entities could increase the risk of compromise to the confidentiality, integrity, and availability of network assets. Even if U.S. networks are secure, U.S. data that travels overseas through untrusted telecommunication networks is potentially at risk of interception, manipulation, disruption, and destruction.
  • 5G will use more components than previous generations of wireless networks, and the proliferation of 5G infrastructure may provide malicious actors more attack vectors. The effectiveness of 5G’s security enhancements will in part depend on proper implementation and configuration.
  • Despite security enhancement over previous generations, it is unknown what new vulnerabilities may be discovered in 5G networks. Further, 5G builds upon previous generations of wireless networks and will initially be integrated into 4G Long-Term Evolution (LTE) networks that contain some legacy vulnerabilities.
  • Untrusted companies may be less likely to participate in interoperability efforts. Custom 5G technologies that do not meet interoperability standards may be difficult to update, repair, and replace. This potentially increases the lifecycle cost of the product and delays 5G deployment if the equipment requires replacement. The lack of interoperability may also have negative impacts on the competitive market as companies could be driven out if the available competitive market decreases.

CISA further explained that “[t]he United States Government can manage these vulnerabilities and increase the security of communications networks as 5G is adopted by:

  • Encouraging continued development of trusted 5G technologies, services, and products.
  • Encouraging continued trusted development of future generations of communications technologies.
  • Promoting international standards and processes that are open, transparent, consensus–driven, and that do not place trusted companies at a disadvantage.
  • Limiting the adoption of 5G equipment with known or suspected vulnerabilities.
  • Continued engagement with the private sector on risk identification and mitigation efforts.
  • Ensuring robust security capabilities for 5G applications and services.

In 2019, an advisory body to the Pentagon drafted a report on the options facing the Department of Defense (DOD) as the U.S. and other nations are on the cusp of transitioning to the next generation of wireless networks that promise even faster speeds that will likely drive the development of new applications and devices. The Defense Innovation Board (Board) released “THE 5G ECOSYSTEM: RISKS & OPPORTUNITIES FOR DOD” to “insight into the commercial landscape as well as the DOD landscape to give a comprehensive view of the stakeholders and future of 5G.” The Board explained that “[t]he shift from 4G to 5G will drastically impact the future of global communication networks and fundamentally change the environment in which DOD operates.” The Board conceded that “[w]hile DOD will feel the impact of 5G, the rollout itself will be driven by the U.S. commercial sector.”

The Board explained

The term “5G” refers to the oncoming fifth generation of wireless networks and technology that will produce a step-change improvement in data speed, volume, and latency (delay in data transfer) over fourth generation (4G and 4G LTE) networks. 5G will enable a host of new technologies that will change the standard of public and private sector operations, from autonomous vehicles to smart cities, virtual reality, and battle networks. Historical shifts between wireless generations suggest that the first-mover country stands to gain billions in revenue accompanied by substantial job creation and leadership in technology innovation. First movers also set standards and practices that were then adopted by subsequent entrants. Conversely, countries that fell behind in previous wireless generation shifts were obligated to adopt the standards, technologies, and architectures of the leading country and missed out on a generation of wireless capabilities and market potential.

The development of 5G will require the bonding together of 100 MHz channels to deliver faster speeds in new spectrums. The Board explained that the U.S., Japan, and South Korea are looking at using the electromagnetic spectrum frequencies between 24 and 300 GHz (aka mmWave) for 5G while other nations, like China, are looking at using the 3 and 4 GHZ range (aka sub-6) for 5G networks. Moreover, in the U.S., the DOD uses the latter spectrum, meaning that any transition could be tricky for 5G using that band of spectrum. The Board noted that “U.S. carriers are primarily focused on mmWave deployment for 5G because most of the 3 and 4 GHz spectrum being used by the rest of the world for 5G are exclusive Federal bands in the United States, extensively used by DOD in particular.”

The Board added that

Spectrum bands in the 3 and 4 Ghz range dominate global 5G activity because of improved propagation (range) over mmWave spectrum, resulting in far fewer base stations needed to be deployed to deliver the same coverage and performance. Because large swaths of the sub-6 bands in the United States are not available for civil/commercial use, U.S. carriers and the FCC (which controls civil spectrum in the US) are betting on mmWave spectrum as the core domestic 5G approach.

The Board stated that “[b]oth DOD and the FCC are currently prioritizing mmWave over sub-6 mid-band spectrum with a particular focus on the 28 and 37 GHz bands, but this is a fundamentally flawed focus due to the impracticality of mmWave deployment.” The Board stated that “DOD must prepare to operate in a sub-6 5G ecosystem, which will require a shift in strategy and a consideration of where DOD is willing to share bandwidth in the sub-6 realm.”

The Board explained that

However, 5G also presents a serious potential risk for DOD going forward. When operating overseas in the future, the vast majority of these networks and systems may depend on 5G infrastructure. If China leads the field in 5G infrastructure and systems, then the future 5G ecosystem will likely have Chinese components embedded throughout. This would pose a serious threat to the security of DOD operations and networks going forward. Additionally, the growth in the number of connected devices increases the potential “attack surface” for adversaries to target across DOD networks, which will require increased vigilance and security across systems. The larger volume of data being transferred will complicate this task, as it will make it more difficult to detect malicious traffic on a network.

The Board asserted that “5G has the ability to enhance DOD decision-making and strategic capabilities from the enterprise network to the tactical edge of the battlefield…[and] will increase DOD’s ability to link multiple systems into a broader network while sharing information in real time, improving communication across Services, geographies, and domains while developing a common picture of the battlefield to improve situational awareness.” The Board claimed that “[t]his improved connectivity may in turn enable a host of new technologies and missions, from hypersonics and hypersonic defense to resilient satellite constellations and mesh networks.”

The Board made the following recommendations:

  • DOD needs to make a plan for sharing sub-6 GHz spectrum to shape the future 5G ecosystem, including an assessment of how much and which bandwidths need to be shared, within what timeframe, and how that sharing will impact DOD systems.
  • DOD must prepare to operate in a “post-Western” wireless ecosystem. This plan should include R&D investments towards system security and resiliency on an engineering and strategic level.
  • DOD should advocate for adjusted trade policies to discourage vulnerabilities in its supply chain on the grounds that they put national security assets and missions at risk.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by helder100 from Pixabay

Trump Administration Asks FCC To Act on Social Media EO

NTIA is asking the FCC to interpret Section 230 in a way that would reduce the liability protection of social media companies with the goal of pressuring these companies to reduce moderation of conservative viewpoints .

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

The Trump Administration has proceeded with a step in implementing its executive order (EO) to regulate social media platforms for alleged violations of freedom of speech through a clarification of 47 USC 230 (aka Section 230). At issue is the liability shield companies like Twitter, Facebook, and others enjoy in federal law to most claims for content posted by third parties that the Trump Administration is arguing has been misconstrued both from Congress’ original intent and the plain language of the 1996 law. Moreover, the Trump Administration and many Republicans claim some of these companies are actively censoring conservative viewpoints unfairly and in violation of Section 230 and imply First Amendment rights are being violated, too. Many on the left are also unhappy with how Section 230 seems to be insulating large technology companies from legal responsibility to take down what they see as violent and extremist content, especially white supremacist material and untrue claims. The EO that set this proceeding into motion had been rumored for more than a year, possibly as leverage over Twitter and Facebook so they would not moderate conservative content. Lending credence to this view is the fact that the EO was hurriedly issued after Twitter fact checked two of President Donald Trump’s untrue claims about mail voting.

Following the directive in the EO, on 27 July, the Department of Commerce’s the National Telecommunications and Information Administration (NTIA) filed a petition with the Federal Communications Commission (FCC), asking the agency to start a rulemaking to clarify alleged ambiguities in 47 USC 230 regarding the limits of the liability shield for the content others post online versus the liability protection for “good faith” moderation by the platform itself.

The NTIA asserted “[t]he FCC should use its authorities to clarify ambiguities in section 230 so as to make its interpretation appropriate to the current internet marketplace and provide clearer guidance to courts, platforms, and users…[and] urges the FCC to promulgate rules addressing the following points:

  1. Clarify the relationship between subsections (c)(1) and (c)(2), lest they be read and applied in a manner that renders (c)(2) superfluous as some courts appear to be doing.
  2. Specify that Section 230(c)(1) has no application to any interactive computer service’s decision, agreement, or action to restrict access to or availability of material provided by another information content provider or to bar any information content provider from using an interactive computer service.
  3. Provide clearer guidance to courts, platforms, and users, on what content falls within (c)(2) immunity, particularly section 230(c)(2)’s “otherwise objectionable” language and its requirement that all removals be done in “good faith.”
  4. Specify that “responsible, in whole or in part, for the creation or development of information” in the definition of “information content provider,” 47 U.S.C.
    § 230(f)(3), includes editorial decisions that modify or alter content, including but not limited to substantively contributing to, commenting upon, editorializing about, or presenting with a discernible viewpoint content provided by another information content provider.
  5. Mandate disclosure for internet transparency similar to that required of other internet companies, such as broadband service providers.

NTIA argued that

  • Section 230(c)(1) has a specific focus: it prohibits “treating” “interactive computer services,” i.e., internet platforms, such as Twitter or Facebook, as “publishers.” But, this provision only concerns “information” provided by third parties, i.e., “another internet content provider”68 and does not cover a platform’s own content or editorial decisions.
  • Section (c)(2) also has a specific focus: it eliminates liability for interactive computer services that act in good faith “to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable.”

The FCC has discretion in whether it will accede to the NTIA’s petition that it conduct this rulemaking. If the agency determines action is justified by the petition, it could either start a notice and comment rulemaking with a proposed rule being released for comment or it could merely issue a final rule. If the FCC decides the NTIA’s petition does not require agency action, it must notify the NTIA why it is rejecting its petition.

It is possible the FCC will prove receptive to the NTIA petition and start a rulemaking that may or may not conclude before the election or a potential Biden Administration in January. The agency will need to process and analyze the likely voluminous comments and arguments that will be submitted under FCC rules on the NTIA’s petition. It may also be the case that the agency is privately not receptive to the Trump Administration’s arguments and slow walks the process. The agency could sidestep this petition in a number of ways. First, its regulations provide “[p]etitions which are moot, premature, repetitive, frivolous, or which plainly do not warrant consideration by the Commission may be denied or dismissed without prejudice to the petitioner.” Second, the agency may be able to argue with justification it is working through the numerous comments and legal ramifications. Thirdly, there is at least one lawsuit pending to enjoin action on the EO that the agency could use as justification for not immediately acting.

Executive Order 13925, “Preventing Online Censorship” was issued in late May after Twitter factchecked two of his Tweets regarding false claims made about mail voting in California in response to the COVID-19 pandemic, Trump signed the long rumored EO seen by many as a means of cowing social media platforms. Given that the First Amendment to the United States Constitution guarantees freedom of speech in relation to government action, it is not clear how Twitter would be considered a government agency and therefore subject to the First Amendment.

Twitter’s first factchecking of Trump’s tweeting occurred when he made false claims about California’s plan to mail ballots to registered voters, and, not as the President claimed, to all residents of California. On 26 May, Trump tweeted across two Tweets:

There is NO WAY (ZERO!) that Mail-In Ballots will be anything less than substantially fraudulent. Mail boxes will be robbed, ballots will be forged & even illegally printed out & fraudulently signed. The Governor of California is sending Ballots to millions of people, anyone….. ….living in the state, no matter who they are or how they got there, will get one. That will be followed up with professionals telling all of these people, many of whom have never even thought of voting before, how, and for whom, to vote. This will be a Rigged Election. No way!

On 27 May, Twitter added “a label to two @realDonaldTrump Tweets about California’s vote-by-mail plans as part of our efforts to enforce our civic integrity policy. We believe those Tweets could confuse voters about what they need to do to receive a ballot and participate in the election process.”

In the next day after Twitter added this label, word began to leak from the White House that a long rumored executive order regarding Section 230 of the Communications Decency Act was being prepared for the president’s signature. And, late in the day on 28 May, after a day of reporting on the EO by media, Trump did indeed sign the “Executive Order on Preventing Online Censorship,” which asserted

Section 230 was not intended to allow a handful of companies to grow into titans controlling vital avenues for our national discourse under the guise of promoting open forums for debate, and then to provide those behemoths blanket immunity when they use their power to censor content and silence viewpoints that they dislike.  When an interactive computer service provider removes or restricts access to content and its actions do not meet the criteria of subparagraph (c)(2)(A), it is engaged in editorial conduct.  It is the policy of the United States that such a provider should properly lose the limited liability shield of subparagraph (c)(2)(A) and be exposed to liability like any traditional editor and publisher that is not an online provider.

Consequently, the EO directs that “all executive departments and agencies should ensure that their application of section 230(c) properly reflects the narrow purpose of the section and take all appropriate actions in this regard.”

In addition to tasking the NTIA to file a petition with the FCC, the EO directed other agencies to act. Elsewhere in the EO, it is provided that the head of each federal agency must review their online spending and then report to the Office of Management and Budget (OMB). The Department of Justice would then “review the viewpoint-based speech restrictions imposed by each online platform identified in the [reports submitted to OMB] and assess whether any online platforms are problematic vehicles for government speech due to viewpoint discrimination, deception to consumers, or other bad practices.”

The Federal Trade Commission (FTC) must consider whether online platforms are violating Section 5 of the FTC Act barring unfair or deceptive practices, which “may include practices by entities covered by section 230 that restrict speech in ways that do not align with those entities’ public representations about those practices.”

Of course, the House’s FY 2021 Financial Services and General Government Appropriations Act (H.R. 7668) has a provision that would bar either the FTC or FCC from taking certain actions related to EO. It is very unlikely Senate Republicans, some of whom have publicly supported this Executive Order will allow this language into the final bill funding the agencies.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Gerd Altmann from Pixabay

Further Reading and Other Developments (17 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Speaking of which, the Technology Policy Update is being published daily during the week, and here are the Other Developments and Further Reading from this week.

Other Developments

  • Acting Senate Intelligence Committee Chair Marco Rubio (R-FL), Senate Foreign Relations Committee Chair Jim Risch (R-ID), and Senators Chris Coons (D-DE) and John Cornyn (R-TX) wrote Secretary of Commerce Wilbur Ross and Secretary of Defense Mike Esper “to ask that the Administration take immediate measures to bring the most advanced digital semiconductor manufacturing capabilities to the United States…[which] are critical to our American economic and national security and while our nation leads in the design of semiconductors, we rely on international manufacturing for advanced semiconductor fabrication.” This letter follows the Trump Administration’s May announcement that the Taiwan Semiconductor Manufacturing Corporation (TSMC) agreed to build a $12 billion plant in Arizona. It also bears note that one of the amendments pending to the “National Defense Authorization Act for Fiscal Year 2021“ (S.4049) would establish a grants program to stimulate semiconductor manufacturing in the US.
  • Senators Mark R. Warner (D-VA), Mazie K. Hirono (D-HI) and Bob Menendez (D-NJ) sent a letter to Facebook “regarding its failure to prevent the propagation of white supremacist groups online and its role in providing such groups with the organizational infrastructure and reach needed to expand.” They also “criticized Facebook for being unable or unwilling to enforce its own Community Standards and purge white supremacist and other violent extremist content from the site” and posed “a series of questions regarding Facebook’s policies and procedures against hate speech, violence, white supremacy and the amplification of extremist content.”
  • The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published the Pipeline Cyber Risk Mitigation Infographic that was “[d]eveloped in coordination with the Transportation Security Administration (TSA)…[that] outlines activities that pipeline owners/operators can undertake to improve their ability to prepare for, respond to, and mitigate against malicious cyber threats.”
  • Representative Kendra Horn (D-OK) and 10 other Democrats introduced legislation “requiring the U.S. government to identify, analyze, and combat efforts by the Chinese government to exploit the COVID-19 pandemic” that was endorsed by “[t]he broader Blue Dog Coalition” according to their press release. The “Preventing China from Exploiting COVID-19 Act” (H.R.7484) “requires the Director of National Intelligence—in coordination with the Secretaries of Defense, State, and Homeland Security—to prepare an assessment of the different ways in which the Chinese government has exploited or could exploit the pandemic, which originated in China, in order to advance China’s interests and to undermine the interests of the United States, its allies, and the rules-based international order.” Horn and her cosponsors stated “[t]he assessment must be provided to Congress within 90 days and posted in unclassified form on the DNI’s website.”
  • The Supreme Court of Canada upheld the “Genetic Non-Discrimination Act” and denied a challenge to the legality of the statute brought by the government of Quebec, the Attorney General of Canada, and others. The court found:
    • The pith and substance of the challenged provisions is to protect individuals’ control over their detailed personal information disclosed by genetic tests, in the broad areas of contracting and the provision of goods and services, in order to address Canadians’ fears that their genetic test results will be used against them and to prevent discrimination based on that information. This matter is properly classified within Parliament’s power over criminal law. The provisions are supported by a criminal law purpose because they respond to a threat of harm to several overlapping public interests traditionally protected by the criminal law — autonomy, privacy, equality and public health.
  • The U.S.-China Economic and Security Review Commission published a report “analyzing the evolution of U.S. multinational enterprises (MNE) operations in China from 2000 to 2017.” The Commission found MNE’s operations in the People’s Republic of China “may indirectly erode the  United  States’  domestic industrial competitiveness  and  technological  leadership relative  to  China” and “as U.S. MNE activity in China increasingly focuses on the production of high-end technologies, the risk  that  U.S.  firms  are  unwittingly enabling China to  achieve  its industrial  policy and  military  development objectives rises.”
  • The Federal Communications Commission (FCC) and Huawei filed their final briefs in their lawsuit before the United States Court of Appeals for the Fifth Circuit arising from the FCC’s designation of Huawei as a “covered company” for purposes of a rule that denies Universal Service Funds (USF) “to purchase or obtain any equipment or services produced or provided by a covered company posing a national security threat to the integrity of communications networks or the communications supply chain.” Huawei claimed in its brief that “[t]he rulemaking and “initial designation” rest on the FCC’s national security judgments..[b]ut such judgments fall far afield of the FCC’s statutory  authority  and  competence.” Huawei also argued “[t]he USF rule, moreover, contravenes the Administrative Procedure Act (APA) and the Due Process Clause.” The FCC responded in its filing that “Huawei challenges the FCC’s decision to exclude carriers whose networks are vulnerable to foreign interference, contending that the FCC has neither statutory nor constitutional authority to make policy judgments involving “national security”…[but] [t]hese arguments are premature, as Huawei has not yet been injured by the Order.” The FCC added “Huawei’s claim that the Communications Act textually commits all policy determinations with national security implications to the President is demonstrably false.”
  • European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski released his Strategy for 2020-2024, “which will focus on Digital Solidarity.” Wiewiórowski explained that “three core pillars of the EDPS strategy outline the guiding actions and objectives for the organisation to the end of 2024:
    • Foresight: The EDPS will continue to monitor legal, social and technological advances around the world and engage with experts, specialists and data protection authorities to inform its work.
    • Action: To strengthen the EDPS’ supervision, enforcement and advisory roles the EDPS will promote coherence in the activities of enforcement bodies in the EU and develop tools to assist the EU institutions, bodies and agencies to maintain the highest standards in data protection.
    • Solidarity: While promoting digital justice and privacy for all, the EDPS will also enforce responsible and sustainable data processing, to positively impact individuals and maximise societal benefits in a just and fair way.
  • Facebook released a Civil Rights Audit, an “investigation into Facebook’s policies and practices began in 2018 at the behest and encouragement of the civil rights community and some members of Congress.” Those charged with conducting the audit explained that they “vigorously advocated for more and would have liked to see the company go further to address civil rights concerns in a host of areas that are described in detail in the report” including but not limited to
    • A stronger interpretation of its voter suppression policies — an interpretation that makes those policies effective against voter suppression and prohibits content like the Trump voting posts — and more robust and more consistent enforcement of those policies leading up to the US 2020 election.
    • More visible and consistent prioritization of civil rights in company decision-making overall.
    • More resources invested to study and address organized hate against Muslims, Jews and other targeted groups on the platform.
    • A commitment to go beyond banning explicit references to white separatism and white nationalism to also prohibit express praise, support and representation of white separatism and white nationalism even where the terms themselves are not used.
    • More concrete action and specific commitments to take steps to address concerns about algorithmic bias or discrimination.
    • They added that “[t]his report outlines a number of positive and consequential steps that the company has taken, but at this point in history, the Auditors are concerned that those gains could be obscured by the vexing and heartbreaking decisions Facebook has made that represent significant setbacks for civil rights.”
  • The National Security Commission on Artificial Intelligence (NSCAI) released a white paper titled “The Role of AI Technology in Pandemic Response and Preparedness” that “outlines a series of investments and initiatives that the United States must undertake to realize the full potential of AI to secure our nation against pandemics.” NSCAI noted its previous two white papers:
  • Secretary of Defense Mark Esper announced that Chief Technology Officer Michael J.K. Kratsios has “been designated to serve as Acting Under Secretary of Defense for Research and Engineering” even though he does not have a degree in science. The last Under Secretary held a PhD. However, Kratsios worked for venture capitalist Peter Thiel who backed President Donald Trump when he ran for office in 2016.
  • The United States’ Department of Transportation’s Federal Railroad Administration (FRA) issued research “to develop a cyber security risk analysis methodology for communications-based connected railroad technologies…[and] [t]he use-case-specific implementation of the methodology can identify potential cyber attack threats, system vulnerabilities, and consequences of the attack– with risk assessment and identification of promising risk mitigation strategies.”
  • In a blog post, a National Institute of Standards and Technology (NIST) economist asserted cybercrime may be having a much larger impact on the United States’ economy than previously thought:
    • In a recent NIST report, I looked at losses in the U.S. manufacturing industry due to cybercrime by examining an underutilized dataset from the Bureau of Justice Statistics, which is the most statistically reliable data that I can find. I also extended this work to look at the losses in all U.S. industries. The data is from a 2005 survey of 36,000 businesses with 8,079 responses, which is also by far the largest sample that I could identify for examining aggregated U.S. cybercrime losses. Using this data, combined with methods for examining uncertainty in data, I extrapolated upper and lower bounds, putting 2016 U.S. manufacturing losses to be between 0.4% and 1.7% of manufacturing value-added or between $8.3 billion and $36.3 billion. The losses for all industries are between 0.9% and 4.1% of total U.S. gross domestic product (GDP), or between $167.9 billion and $770.0 billion. The lower bound is 40% higher than the widely cited, but largely unconfirmed, estimates from McAfee.
  • The Government Accountability Office (GAO) advised the Federal Communications Commission (FCC) that it needs a comprehensive strategy for implementing 5G across the United States. The GAO concluded
    • FCC has taken a number of actions regarding 5G deployment, but it has not clearly developed specific and measurable performance goals and related measures–with the involvement of relevant stakeholders, including National Telecommunications and Information Administration (NTIA)–to manage the spectrum demands associated with 5G deployment. This makes FCC unable to demonstrate whether the progress being made in freeing up spectrum is achieving any specific goals, particularly as it relates to congested mid-band spectrum. Additionally, without having established specific and measurable performance goals with related strategies and measures for mitigating 5G’s potential effects on the digital divide, FCC will not be able to assess the extent to which its actions are addressing the digital divide or what actions would best help all Americans obtain access to wireless networks.
  • The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued “Time Guidance for Network Operators, Chief Information Officers, and Chief Information Security Officers” “to inform public and private sector organizations, educational institutions, and government agencies on time resilience and security practices in enterprise networks and systems…[and] to address gaps in available time testing practices, increasing awareness of time-related system issues and the linkage between time and cybersecurity.”
  • Fifteen Democratic Senators sent a letter to the Department of Defense, Office of the Director of National Intelligence (ODNI), Department of Homeland Security (DHS), Federal Bureau of Investigations (FBI), and U.S. Cyber Command, urging them “to take additional measures to fight influence campaigns aimed at disenfranchising voters, especially voters of color, ahead of the 2020 election.” They called on these agencies to take “additional measures:”
    • The American people and political candidates are promptly informed about the targeting of our political processes by foreign malign actors, and that the public is provided regular periodic updates about such efforts leading up to the general election.
    • Members of Congress and congressional staff are appropriately and adequately briefed on continued findings and analysis involving election related foreign disinformation campaigns and the work of each agency and department to combat these campaigns.
    • Findings and analysis involving election related foreign disinformation campaigns are shared with civil society organizations and independent researchers to the maximum extent which is appropriate and permissible.
    • Secretary Esper and Director Ratcliffe implement a social media information sharing and analysis center (ISAC) to detect and counter information warfare campaigns across social media platforms as authorized by section 5323 of the Fiscal Year 2020 National Defense Authorization Act.
    • Director Ratcliffe implement the Foreign Malign Influence Response Center to coordinate a whole of government approach to combatting foreign malign influence campaigns as authorized by section 5322 of the Fiscal Year 2020 National Defense Authorization Act.
  • The Information Technology and Innovation Foundation (ITIF) unveiled an issue brief “Why New Calls to Subvert Commercial Encryption Are Unjustified” arguing “that government efforts to subvert encryption would negatively impact individuals and businesses.” ITIF offered these “key takeaways:”
    • Encryption gives individuals and organizations the means to protect the confidentiality of their data, but it has interfered with law enforcement’s ability to prevent and investigate crimes and foreign threats.
    • Technological advances have long frustrated some in the law enforcement community, giving rise to multiple efforts to subvert commercial use of encryption, from the Clipper Chip in the 1990s to the San Bernardino case two decades later.
    • Having failed in these prior attempts to circumvent encryption, some law enforcement officials are now calling on Congress to invoke a “nuclear option”: legislation banning “warrant-proof” encryption.
    • This represents an extreme and unjustified measure that would do little to take encryption out of the hands of bad actors, but it would make commercial products less secure for ordinary consumers and businesses and damage U.S. competitiveness.
  • The White House released an executive order in which President Donald Trump determined “that the Special Administrative Region of Hong Kong (Hong Kong) is no longer sufficiently autonomous to justify differential treatment in relation to the People’s Republic of China (PRC or China) under the particular United States laws and provisions thereof set out in this order.” Trump further determined “the situation with respect to Hong Kong, including recent actions taken by the PRC to fundamentally undermine Hong Kong’s autonomy, constitutes an unusual and extraordinary threat, which has its source in substantial part outside the United States, to the national security, foreign policy, and economy of the United States…[and] I hereby declare a national emergency with respect to that threat.” The executive order would continue the Administration’s process of changing policy to ensure Hong Kong is treated the same as the PRC.
  • President Donald Trump also signed a bill passed in response to the People’s Republic of China (PRC) passing legislation the United States and other claim will strip Hong Kong of the protections the PRC agreed to maintain for 50 years after the United Kingdom (UK) handed over the city. The “Hong Kong Autonomy Act” “requires the imposition of sanctions on Chinese individuals and banks who are included in an annual State Department list found to be subverting Hong Kong’s autonomy” according to the bill’s sponsor Representative Brad Sherman (D-CA).
  • Representative Stephen Lynch, who chairs House Oversight and Reform Committee’s National Security Subcommittee, sent letters to Apple and Google “after the Office of the Director of National Intelligence (ODNI) and the Federal Bureau of Investigation (FBI) confirmed that mobile applications developed, operated, or owned by foreign entities, including China and Russia, could potentially pose a national security risk to American citizens and the United States” according to his press release. He noted in letters sent by the technology companies to the Subcommittee that:
    • Apple confirmed that it does not require developers to submit “information on where user data (if any such data is collected by the developer’s app) will be housed” and that it “does not decide what user data a third-party app can access, the user does.”
    • Google stated that it does “not require developers to provide the countries in which their mobile applications will house user data” and acknowledged that “some developers, especially those with a global user base, may store data in multiple countries.”
    • Lynch is seeking “commitments from Apple and Google to require information from application developers about where user data is stored, and to make users aware of that information prior to downloading the application on their mobile devices.”
  • Minnesota Attorney General Keith Ellison announced a settlement with Frontier Communications that “concludes the three major investigations and lawsuits that the Attorney General’s office launched into Minnesota’s major telecoms providers for deceptive, misleading, and fraudulent practices.” The Office of the Attorney General (OAG) stated
    • Based on its investigation, the Attorney General’s Office alleged that Frontier used a variety of deceptive and misleading practices to overcharge its customers, such as: billing customers more than they were quoted by Frontier’s agents; failing to disclose fees and surcharges in its sales presentations and advertising materials; and billing customers for services that were not delivered.
    • The OAG “also alleged that Frontier sold Minnesotans expensive internet services with so-called “maximum speed” ratings that were not attainable, and that Frontier improperly advertised its service as “reliable,” when in fact it did not provide enough bandwidth for customers to consistently receive their expected service.”
  • The European Data Protection Board (EDPB) issued guidelines “on the criteria of the Right to be Forgotten in the search engines cases under the GDPR” that “focuses solely on processing by search engine providers and delisting requests  submitted by data subjects” even Article 17 of the General Data Protection Regulation applies to all data controllers. The EDPB explained “This paper is divided into two topics:
    • The first topic concerns the grounds a data subject can rely on for a delisting request sent to a search engine provider pursuant to Article 17.1 GDPR.
    • The second topic concerns the exceptions to the Right to request delisting according to Article 17.3 GDPR.
  • The Australian Competition & Consumer Commission (ACCC) “is seeking views on draft Rules and accompanying draft Privacy Impact Assessment that authorise third parties who are accredited at the ‘unrestricted’ level to collect Consumer Data Right (CDR) data on behalf of another accredited person.” The ACCC explained “[t]his will allow accredited persons to utilise other accredited parties to collect CDR data and provide other services that facilitate the provision of goods and services to consumers.” In a March explanatory statement, the ACCC stated “[t]he CDR is an economy-wide reform that will apply sector-by-sector, starting with the banking sector…[and] [t]he objective of the CDR is to provide individual and business consumers (consumers) with the ability to efficiently and conveniently access specified data held about them by businesses (data holders), and to authorise the secure disclosure of that data to third parties (accredited data recipients) or to themselves.” The ACCC noted “[t]he CDR is regulated by both the ACCC and the Office of the Australian Information Commissioner (OAIC) as it concerns both competition and consumer matters as well as the privacy and confidentiality of consumer data.” Input is due by 20 July.
  • Office of the Inspector General (OIG) for the Department of the Interior (Interior) found that even though the agency spends $1.4 billion annually on cybersecurity “[g]uarding against increasing cybersecurity threats” remains one of Interior’s top challenges. The OIG asserted Interior “continues to struggle to implement an enterprise information technology (IT) security program that balances compliance, cost, and risk while enabling bureaus to meet their diverse missions.”
  • In a summary of its larger investigation into “Security over Information Technology Peripheral Devices at Select Office of Science Locations,” the Department of Energy’s Office of the Inspector General (OIG) that “identified weaknesses related to access controls and configuration settings” for peripheral devices (e.g. thumb drives, printers, scanners and other connected devices)  “similar in type to those identified in prior evaluations of the Department’s unclassified cybersecurity program.”
  • The House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Innovation Subcommittee Ranking Member John Katko (R-NY) “a comprehensive national cybersecurity improvement package” according to his press release, consisting of these bills:
    • The “Cybersecurity and Infrastructure Security Agency Director and Assistant Directors Act:”  This bipartisan measure takes steps to improve guidance and long-term strategic planning by stabilizing the CISA Director and Assistant Directors positions. Specifically, the bill:
      • Creates a 5-year term for the CISA Director, with a limit of 2 terms. The term of office for the current Director begins on date the Director began to serve.
      • Elevates the Director to the equivalent of a Deputy Secretary and Military Service Secretaries.
      • Depoliticizes the Assistant Director positions, appointed by the Secretary of the Department of Homeland Security (DHS), categorizing them as career public servants. 
    • The “Strengthening the Cybersecurity and Infrastructure Security Agency Act of 2020:” This measure mandates a comprehensive review of CISA in an effort to strengthen its operations, improve coordination, and increase oversight of the agency. Specifically, the bill:
      • Requires CISA to review how additional appropriations could be used to support programs for national risk management, federal information systems management, and public-private cybersecurity and integration. It also requires a review of workforce structure and current facilities and projected needs. 
      • Mandates that CISA provides a report to the House and Senate Homeland Committees within 1-year of enactment. CISA must also provide a report and recommendations to GSA on facility needs. 
      • Requires GSA to provide a review to the Administration and House and Senate Committees on CISA facilities needs within 30-days of Congressional report. 
    • The “CISA Public-Private Talent Exchange Act:” This bill requires CISA to create a public-private workforce program to facilitate the exchange of ideas, strategies, and concepts between federal and private sector cybersecurity professionals. Specifically, the bill:
      • Establishes a public-private cyber exchange program allowing government and industry professionals to work in one another’s field.
      • Expands existing private outreach and partnership efforts. 
  • The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is ordering United States federal civilian agencies “to apply the July 2020 Security Update for Windows Servers running DNS (CVE-2020-1350), or the temporary registry-based workaround if patching is not possible within 24 hours.” CISA stated “[t]he software update addresses a significant vulnerability where a remote attacker could exploit it to take control of an affected system and run arbitrary code in the context of the Local System Account.” CISA Director Christopher Krebs explained “due to the wide prevalence of Windows Server in civilian Executive Branch agencies, I’ve determined that immediate action is necessary, and federal departments and agencies need to take this remote code execution vulnerability in Windows Server’s Domain Name System (DNS) particularly seriously.”
  • The United States (US) Department of State has imposed “visa restrictions on certain employees of Chinese technology companies that provide material support to regimes engaging in human rights abuses globally” that is aimed at Huawei. In its statement, the Department stated “Companies impacted by today’s action include Huawei, an arm of the Chinese Communist Party’s (CCP) surveillance state that censors political dissidents and enables mass internment camps in Xinjiang and the indentured servitude of its population shipped all over China.” The Department claimed “[c]ertain Huawei employees provide material support to the CCP regime that commits human rights abuses.”
  • Earlier in the month, the US Departments of State, Treasury, Commerce, and of Homeland Security issued an “advisory to highlight the harsh repression in Xinjiang.” The agencies explained
    • Businesses, individuals, and other persons, including but not limited to academic institutions, research service providers, and investors (hereafter “businesses and individuals”), that choose to operate in Xinjiang or engage with entities that use labor from Xinjiang elsewhere in China should be aware of reputational, economic, and, in certain instances, legal, risks associated with certain types of involvement with entities that engage in human rights abuses, which could include Withhold Release Orders (WROs), civil or criminal investigations, and export controls.
  • The United Kingdom’s National Cyber Security Centre (NCSC), Canada’s Communications  Security Establishment (CSE), United States’ National Security Agency (NSA) and the United States’ Department of Homeland Security’s Cybersecurity and Infrastructure Security  Agency (CISA) issued a joint advisory on a Russian hacking organization’s efforts have “targeted various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.” The agencies named APT29 (also known as ‘the Dukes’ or ‘Cozy Bear’), “a cyber espionage group, almost certainly part of the Russian intelligence services,” as the culprit behind “custom malware known as ‘WellMess’ and ‘WellMail.’”
    • This alert follows May advisories issued by Australia, the US, and the UK on hacking threats related to the pandemic. Australia’s Department of Foreign Affairs and Trade (DFAT) and the Australian Cyber Security Centre (ACSC) issued “Advisory 2020-009: Advanced Persistent Threat (APT) actors targeting Australian health sector organisations and COVID-19 essential services” that asserted “APT groups may be seeking information and intellectual property relating to vaccine development, treatments, research and responses to the outbreak as this information is now of higher value and priority globally.” CISA and NCSC issued a joint advisory for the healthcare sector, especially companies and entities engaged in fighting COVID-19. The agencies stated that they have evidence that Advanced Persistent Threat (APT) groups “are exploiting the COVID-19 pandemic as part of their cyber operations.” In an unclassified public service announcement, the Federal Bureau of Investigation (FBI) and CISA named the People’s Republic of China as a nation waging a cyber campaign against U.S. COVID-19 researchers. The agencies stated they “are issuing this announcement to raise awareness of the threat to COVID-19-related research.”
  • The National Initiative for Cybersecurity Education (NICE) has released a draft National Institute of Standards and Technology (NIST) Special Publication (SP) for comment due by 28 August. Draft NIST Special Publication (SP) 800-181 Revision 1, Workforce Framework for Cybersecurity (NICE Framework) that features several updates, including:
    • an updated title to be more inclusive of the variety of workers who perform cybersecurity work,
    • definition and normalization of key terms,
    • principles that facilitate agility, flexibility, interoperability, and modularity,
    • introduction of competencies,
  • Representatives Glenn Thompson (R-PA), Collin Peterson (D-MN), and James Comer (R-KY) sent a letter to Federal Communications Commission (FCC) “questioning the Commission’s April 20, 2020 Order granting Ligado’s application to deploy a terrestrial nationwide network to provide 5G services.”
  • The European Commission (EC) is asking for feedback on part of its recently released data strategy by 31 July. The EC stated it is aiming “to create a single market for data, where data from public bodies, business and citizens can be used safely and fairly for the common good…[and] [t]his initiative will draw up rules for common European data spaces (covering areas like the environment, energy and agriculture) to:
    • make better use of publicly held data for research for the common good
    • support voluntary data sharing by individuals
    • set up structures to enable key organisations to share data.
  • The United Kingdom’s Parliament is asking for feedback on its legislative proposal to regulate Internet of Things (IoT) devices. The Department for Digital, Culture, Media & Sport explained “the obligations within the government’s proposed legislative framework would fall mainly on the manufacturer if they are based in the UK, or if not based in the UK, on their UK representative.” The Department is also “developing an enforcement approach with relevant stakeholders to identify an appropriate enforcement body to be granted day to day responsibility and operational control of monitoring compliance with the legislation.” The Department also touted the publishing of the European Telecommunications Standards Institute’s (ETSI) “security baseline for Internet-connected consumer devices and provides a basis for future Internet of Things product certification schemes.”
  • Facebook issued a white paper, titled “CHARTING A WAY FORWARD: Communicating Towards People-Centered and Accountable Design About Privacy,” in which the company states its desire to be involved in shaping a United States privacy law (See below for an article on this). Facebook concluded:
    • Facebook recognizes the responsibility we have to make sure that people are informed about the data that we collect, use, and share.
    • That’s why we support globally consistent comprehensive privacy laws and regulations that, among other things, establish people’s basic rights to be informed about how their information is collected, used, and shared, and impose obligations for organizations to do the same, including the obligation to build internal processes that maintain accountability.
    • As improvements to technology challenge historic approaches to effective communications with people about privacy, companies and regulators need to keep up with changing times.
    • To serve the needs of a global community, on both the platforms that exist now and those that are yet to be developed, we want to work with regulators, companies, and other interested third parties to develop new ways of informing people about their data, empowering them to make meaningful choices, and holding ourselves accountable.
    • While we don’t have all the answers, there are many opportunities for businesses and regulators to embrace modern design methods, new opportunities for better collaboration, and innovative ways to hold organizations accountable.
  • Four Democratic Senators sent Facebook a letter “about reports that Facebook has created fact-checking exemptions for people and organizations who spread disinformation about the climate crisis on its social media platform” following a New York Times article this week on the social media’s practices regarding climate disinformation. Even though the social media giant has moved aggressively to take down false and inaccurate COVID-19 posts, climate disinformation lives on the social media platform largely unmolested for a couple of reasons. First, Facebook marks these sorts of posts as opinion and take the approach that opinions should be judged under an absolutist free speech regime. Moreover, Facebook asserts posts of this sort do not pose any imminent harm and therefore do not need to be taken down. Despite having teams of fact checkers to vet posts of demonstrably untrue information, Facebook chooses not to, most likely because material that elicits strong reactions from users drive engagement that, in turn, drives advertising dollars. Senators Elizabeth Warren (D-WA), Tom Carper (D-DE), Sheldon Whitehouse (D-R.I.) and Brian Schatz (D-HI) argued “[i]f Facebook is truly “committed to fighting the spread of false news on Facebook and Instagram,” the company must immediately acknowledge in its fact-checking process that the climate crisis is not a matter of opinion and act to close loopholes that allow climate disinformation to spread on its platform.” They posed a series of questions to Facebook CEO Mark Zuckerberg on these practices, requesting answers by 31 July.
  • A Canadian court has found that the Canadian Security Intelligence Service (CSIS) “admittedly collected information in a manner that is contrary to this foundational commitment and then relied on that information in applying for warrants under the Canadian Security Intelligence Service Act, RSC 1985, c C-23 [CSIS Act]” according to a court summary of its redacted decision. The court further stated “[t]he Service and the Attorney General also admittedly failed to disclose to the Court the Service’s reliance on information that was likely collected unlawfully when seeking warrants, thereby breaching the duty of candour owed to the Court.” The court added “[t]his is not the first time this Court has been faced with a breach of candour involving the Service…[and] [t]he events underpinning this most recent breach were unfolding as recommendations were being implemented by the Service and the Attorney General to address previously identified candour concerns.” CSIS was found to have illegally collected and used metadata in a 2016 case ion its conduct between 2006-2016. In response to the most recent ruling, CSIS is vowing to implement a range of reforms. The National Security and Intelligence Review Agency (NSIRA) is pledging the same.
  • The United Kingdom’s National Police Chiefs’ Council (NPCC) announced the withdrawal of “[t]he ‘Digital device extraction – information for complainants and witnesses’ form and ‘Digital Processing Notice’ (‘the relevant forms’) circulated to forces in February 2019 [that] are not sufficient for their intended purpose.” In mid-June, the UK’s data protection authority, the Information Commissioner’s Office (ICO) unveiled its “finding that police data extraction practices vary across the country, with excessive amounts of personal data often being extracted, stored, and made available to others, without an appropriate basis in existing data protection law.” This withdrawal was also due, in part, to a late June Court of Appeal decision.  
  • A range of public interest and advocacy organizations sent a letter to Speaker of the House Nancy Pelosi (D-CA) and House Minority Leader Kevin McCarthy (R-CA) noting “there are intense efforts underway to do exactly that, via current language in the House and Senate versions of the FY2021 National Defense Authorization Act (NDAA) that ultimately seek to reverse the FCC’s recent bipartisan and unanimous approval of Ligado Networks’ regulatory plans.” They urged them “not endorse efforts by the Department of Defense and its allies to veto commercial spectrum authorizations…[and][t]he FCC has proven itself to be the expert agency on resolving spectrum disputes based on science and engineering and should be allowed to do the job Congress authorized it to do.” In late April, the FCC’s “decision authorize[d] Ligado to deploy a low-power terrestrial nationwide network in the 1526-1536 MHz, 1627.5-1637.5 MHz, and 1646.5-1656.5 MHz bands that will primarily support Internet of Things (IoT) services.” The agency argued the order “provides regulatory certainty to Ligado, ensures adjacent band operations, including Global Positioning System (GPS), are sufficiently protected from harmful interference, and promotes more efficient and effective use of [the U.S.’s] spectrum resources by making available additional spectrum for advanced wireless services, including 5G.”
  • The European Data Protection Supervisor (EDPS) rendered his opinion on the European Commission’s White Paper on Artificial Intelligence: a European approach to excellence and trust and recommended the following for the European Union’s (EU) regulation of artificial intelligence (AI):
    • applies both to EU Member States and to EU institutions, offices, bodies and agencies;
    • is designed to protect from any negative impact, not only on individuals, but also on communities and society as a whole;
    • proposes a more robust and nuanced risk classification scheme, ensuring any significant potential harm posed by AI applications is matched by appropriate mitigating measures;
    • includes an impact assessment clearly defining the regulatory gaps that it intends to fill.
    • avoids overlap of different supervisory authorities and includes a cooperation mechanism.
    • Regarding remote biometric identification, the EDPS supports the idea of a moratorium on the deployment, in the EU, of automated recognition in public spaces of human features, not only of faces but also of gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals, so that an informed and democratic debate can take place and until the moment when the EU and Member States have all the appropriate safeguards, including a comprehensive legal framework in place to guarantee the proportionality of the respective technologies and systems for the specific use case.
  • The Bundesamt für Verfassungsschutz (BfV), Germany’s domestic security agency, released a summary of its annual report in which it claimed:
    • The Russian Federation, the People’s Republic of China, the Islamic Republic of Iran and the Republic of Turkey remain the main countries engaged in espionage activities and trying to exert influence on Germany.
    • The ongoing digital transformation and the increasingly networked nature of our society increases the potential for cyber attacks, worsening the threat of cyber espionage and cyber sabotage.
    • The intelligence services of the Russian Federation and the People’s Republic of China in particular carry out cyber espionage activities against German agencies. One of their tasks is to boost their own economies with the help of information gathered by the intelligence services. This type of information-gathering campaign severely threatens the success and development opportunities of German companies.
    • To counteract this threat, Germany has a comprehensive cyber security architecture in place, which is operated by a number of different authorities. The BfV plays a major role in investigating and defending against cyber threats by detecting attacks, attributing them to specific attackers, and using the knowledge gained from this to draw up prevention strategies. The National Cyber Response Centre, in which the BfV plays a key role, was set up to consolidate the co-operation between the competent agencies. The National Cyber Response Centre aims to optimise the exchange of information between state agencies and to improve the co-ordination of protective and defensive measures against potential IT incidents.

Further Reading

  • Trump confirms cyberattack on Russian trolls to deter them during 2018 midterms” – The Washington Post. In an interview with former George W. Bush speechwriter Marc Thiessen, President Donald Trump confirmed he ordered a widely reported retaliatory attack on the Russian Federation’s Internet Research Agency as a means of preventing interference during the 2018 mid-term election. Trump claimed this attack he ordered was the first action the United States took against Russian hacking even though his predecessor warned Russian President Vladimir Putin to stop such activities and imposed sanctions at the end of 2016. The timing of Trump’s revelation is interesting given the ongoing furor over reports of Russian bounties paid to Taliban fighters for killing Americans the Trump Administration may have known of but did little or nothing to stop.
  • Germany proposes first-ever use of EU cyber sanctions over Russia hacking” – Deutsche Welle. Germany is looking to use the European Union’s (EU) cyber sanctions powers against Russia for its alleged 2015 16 GB exfiltration of data from the Bundestag’s systems, including from Chancellor Angela Merkel’s office. Germany has been alleging that Fancy Bear (aka APT28) and Russia’s military secret service GRU carried out the attack. Germany has circulated its case for sanctions to other EU nations and EU leadership. In 2017, the European Council declared “[t]he EU diplomatic response to malicious cyber activities will make full use of measures within the Common Foreign and Security Policy, including, if necessary, restrictive measures…[and] [a] joint EU response to malicious cyber activities would be proportionate to the scope, scale, duration, intensity, complexity, sophistication and impact of the cyber activity.”
  • Wyden Plans Law to Stop Cops From Buying Data That Would Need a Warrant” – VICE. Following on a number of reports that federal, state, and local law enforcement agencies are essentially sidestepping the Fourth Amendment through buying location and other data from people’s smartphones, Senator Ron Wyden (D-OR) is going to draft legislation that would seemingly close what he, and other civil libertarians, are calling a loophole to the warrant requirement.
  • Amazon Backtracks From Demand That Employees Delete TikTok” – The New York Times. Amazon first instructed its employees to remove ByteDance’s app, TikTok, on 11 July from company devices and then reversed course the same day, claiming the email had been erroneously sent out. The strange episode capped another tumultuous week for ByteDance as the Trump Administration is intensifying pressure in a number of ways on the company which officials claim is subject to the laws of the People’s Republic of China and hence must share information with the government in Beijing. ByteDance counters the app marketed in the United States is through a subsidiary not subject to PRC law. ByteDance also said it would no longer offer the app in Hong Kong after the PRC change in law has extended the PRC’s reach into the former British colony. TikTok was also recently banned in India as part of a larger struggle between India and he PRC. Additionally, the Democratic National Committee warned staff about using the app this week, too.
  • Is it time to delete TikTok? A guide to the rumors and the real privacy risks.” – The Washington Post. A columnist and security specialist found ByteDance’s app vacuums up information from users, but so does Facebook and other similar apps. They scrutinized TikTok’s privacy policy and where the data went, and they could not say with certainty that it goes to and stays on servers in the US and Singapore. 
  • California investigating Google for potential antitrust violations” – Politico. California Attorney General Xavier Becerra is going to conduct his own investigation of Google aside and apart from the investigation of the company’s advertising practices being conducted by virtually every other state in the United States. It was unclear why Becerra opted against joining the larger probe launched in September 2019. Of course, the Trump Administration’s Department of Justice is also investigating Google and could file suit as early as this month.
  • How May Google Fight an Antitrust Case? Look at This Little-Noticed Paper” – The New York Times. In a filing with the Australian Competition and Consumer Commission (ACCC), Google claimed it does not control the online advertising market and it is borne out by a number of indicia that argue against a monopolistic situation. The company is likely to make the same case to the United States’ government in its antitrust inquiry. However, similar arguments did not gain tractions before the European Commission, which levied a €1.49 billion for “breaching EU antitrust rules” in March 2019.
  •  “Who Gets the Banhammer Now?” – The New York Times. This article examines possible motives for the recent wave of action by social media platforms to police a fraction of the extreme and hateful speech activists and others have been asking them to take down for years. This piece makes the argument that social media platforms are businesses and operate as such and expecting them to behave as de facto public squares dedicated to civil political and societal discourse is more or less how we ended up where we are.
  • TikTok goes tit-for-tat in appeal to MPs: ‘stop political football’ – The Australian. ByteDance is lobbying hard in Canberra to talk Ministers of Parliament out of possibly banning TikTok like the United States has said it is considering. While ByteDance claims the data collected on users in Australia is sent to the US or Singapore, some experts are arguing just to maintain and improve the app would necessarily result in some non-People’s Republic of China (PRC) user data making its way back to the PRC. As Australia’s relationship with the PRC has grown more fraught with allegations PRC hackers infiltrated Parliament and the Prime Minister all but saying PRC hackers were targeting hospitals and medical facilities, the government in Canberra could follow India’s lead and ban the app.
  • Calls for inquiry over claims Catalan lawmaker’s phone was targeted” – The Guardian. British and Spanish newspapers are reporting that an official in Catalonia who favors separating the region from Spain may have had his smartphone compromised with industrial grade spyware typically used only by law enforcement and counterterrorism agencies. The President of the Parliament of Catalonia Roger Torrent claims his phone was hacked for domestic political purposes, which other Catalan leaders argued, too. A spokesperson for the Spanish government said “[t]he government has no evidence that the speaker of the Catalan parliament has been the victim of a hack or theft involving his mobile.” However, the University of Toronto’s CitizenLab, the entity that researched and claimed that Israeli firm NSO Group’s spyware was deployed via WhatsApp to spy on a range of journalists, officials, and dissidents, often by their own governments, confirmed that Torrent’s phone was compromised.
  • While America Looks Away, Autocrats Crack Down on Digital News Sites” – The New York Times. The Trump Administration’s combative relationship with the media in the United States may be encouraging other nations to crack down on digital media outlets trying to hold those governments to account.
  •  “How Facebook Handles Climate Disinformation” – The New York Times. Even though the social media giant has moved aggressively to take down false and inaccurate COVID-19 posts, climate disinformation lives on the social media platform largely unmolested for a couple of reasons. First, Facebook marks these sorts of posts as opinion and take the approach that opinions should be judged under an absolutist free speech regime. Moreover, Facebook asserts posts of this sort do not pose any imminent harm and therefore do not need to be taken down. Despite having teams of fact checkers to vet posts of demonstrably untrue information, Facebook chooses not to, most likely because material that elicits strong reactions from users drive engagement that, in turn, drives advertising dollars.
  • Here’s how President Trump could go after TikTok” – The Washington Post. This piece lays out two means the Trump Administration could employ to press ByteDance in the immediate future: use of the May 2019 Executive Order “Securing the Information and Communications Technology and Services Supply Chain” or the Committee on Foreign Investment in the United States process examining ByteDance of the app Music.ly that became TikTok. Left unmentioned in this article is the possibility of the Federal Trade Commission (FTC) examining its 2019 settlement with ByteDance to settle violations of the “Children’s Online Privacy Protection Act” (COPPA).
  • You’re Doomscrolling Again. Here’s How to Snap Out of It.” – The New York Times. If you find yourself endlessly looking through social media feeds, this piece explains why and how you might stop doing so.
  • UK selling spyware and wiretaps to 17 repressive regimes including Saudi Arabia and China” – The Independent. There are allegations that the British government has ignored its own regulations on selling equipment and systems that can be used for surveillance and spying to other governments with spotty human rights records. Specifically, the United Kingdom (UK) has sold £75m to countries non-governmental organizations (NGO) are rated as “not free.” The claims include nations such as the People’s Republic of China (PRC), the Kingdom of Saudi Arabia, Bahrain, and others. Not surprisingly, NGOs and the minority Labour party are calling for an investigation and changes.
  • Google sued for allegedly tracking users in apps even after opting out” – c/net. Boies Schiller Flexner filed suit in what will undoubtedly seek to become a class action suit over Google’s alleged continuing to track users even when they turned off tracking features. This follows a suit filed by the same firm against Google in June, claiming its browser Chrome still tracks people when they switch to incognito mode.
  • Secret Trump order gives CIA more powers to launch cyberattacks” – Yahoo! News. It turns out that in addition to signing National Security Presidential Memorandum (NSPM) 13 that revamped and eased offensive cyber operations for the Department of Defense, President Donald Trump signed a presidential finding that has allowed the Central Intelligence Agency (CIA) to launch its own offensive cyber attacks, mainly at Russia and Iran, according to unnamed former United States (US) officials according to this blockbuster story. Now, the decision to commence with an attack is not vetted by the National Security Council; rather, the CIA makes the decision. Consequently, there have been a number of attacks on US adversaries that until now have not been associated with the US. And, the CIA is apparently not informing the National Security Agency or Cyber Command of its operations, raising the risk of US cyber forces working at cross purposes or against one another in cyberspace. Moreover, a recently released report blamed the lax security environment at the CIA for a massive exfiltration of hacking tools released by Wikileaks. 
  • Facebook’s plan for privacy laws? ‘Co-creating’ them with Congress” – Protocol. In concert with the release of a new white paper, Facebook Deputy Chief Privacy Officer Rob Sherman sat for an interview in which he pledged the company’s willingness to work with Congress to co-develop a national privacy law. However, he would not comment on any of the many privacy bills released thus far or the policy contours of a bill Facebook would favor except for advocating for an enhanced notice and consent regime under which people would be better informed about how their data is being used. Sherman also shrugged off suggestions Facebook may not be welcome given its record of privacy violations. Finally, it bears mention that similar efforts by other companies at the state level have not succeeded as of yet. For example, Microsoft’s efforts in Washington state have not borne fruit in the passage of a privacy law.
  • Deepfake used to attack activist couple shows new disinformation frontier” – Reuters. We are at the beginning of a new age of disinformation in which fake photographs and video will be used to wage campaigns against nations, causes, and people. An activist and his wife were accused of being terrorist sympathizers by a university student who apparently was an elaborate ruse for someone or some group looking to defame the couple. Small errors gave away the ruse this time, but advances in technology are likely to make detection all the harder.
  • Biden, billionaires and corporate accounts targeted in Twitter hack” – The Washington Post. Policymakers and security experts were alarmed when the accounts of major figures like Bill Gates and Barack Obama were hacked yesterday by some group seeking to sell bitcoin. They argue Twitter was lucky this time and a more ideologically motivated enemy may seek to cause havoc, say on the United States’ coming election. A number of experts are claiming the penetration of the platform must have been of internal controls for so many high profile accounts to be taken over at the same time.
  • TikTok Enlists Army of Lobbyists as Suspicions Over China Ties Grow” – The New York Times. ByteDance’s payments for lobbying services in Washington doubled between the last quarter of 2019 and thirst quarter of 2020, as the company has retained more than 35 lobbyists to push back against the Trump Administration’s rhetoric and policy changes. The company is fighting against a floated proposal to ban the TikTok app on national security grounds, which would cut the company off from another of its top markets after India banned it and scores of other apps from the People’s Republic of China. Even if the Administration does not bar use of the app in the United States, the company is facing legislation that would ban its use on federal networks and devices that will be acted upon next week by a Senate committee. Moreover, ByteDance’s acquisition of the app that became TikTok is facing a retrospective review of an inter-agency committee for national security considerations that could result in an unwinding of the deal. Moreover, the Federal Trade Commission (FTC) has been urged to review ByteDance’s compliance with a 2019 settlement that the company violated regulations protecting the privacy of children that could result in multi-billion dollar liability if wrongdoing is found.
  • Why Google and Facebook Are Racing to Invest in India” – Foreign Policy. With New Delhi banning 59 apps and platforms from the People’s Republic of China (PRC), two American firms have invested in an Indian giant with an eye toward the nearly 500 million Indians not yet online. Reliance Industries’ Jio Platforms have sold stakes to Google and Facebook worth $4.5 billion and $5.7 billion that gives them prized positions as the company looks to expand into 5G and other online ventures. This will undoubtedly give a leg up to the United States’ online giants in vying with competitors to the world’s second most populous nation.
  • “Outright Lies”: Voting Misinformation Flourishes on Facebook” – ProPublica. In this piece published with First Draft, “a global nonprofit that researches misinformation,” an analysis of the most popular claims made about mail voting show that many of them are inaccurate or false, thus violating the platforms terms of services yet Facebook has done nothing to remove them or mark them as inaccurate until this article was being written.
  • Inside America’s Secretive $2 Billion Research Hub” – Forbes. Using contract information obtained through Freedom of Information requests and interviews, light is shined on the little known non-profit MITRE Corporation that has been helping the United States government address numerous technological problems since the late 1950’s. The article uncovers some of its latest, federally funded projects that are raising eyebrows among privacy advocates: technology to life people’s fingerprints from social media pictures, technology to scan and copy Internet of Things (IoT) devices from a distance, a scanner to read a person’s DNA, and others.
  • The FBI Is Secretly Using A $2 Billion Travel Company As A Global Surveillance Tool” – Forbes. In his second blockbuster article in a week, Forbes reporter Thomas Brewster exposes how the United States (US) government is using questionable court orders to gather travel information from the three companies that essentially provide airlines, hotels, and other travel entities with back-end functions with respect to reservations and bookings. The three companies, one of whom, Sabre is a US multinational, have masses of information on you if you have ever traveled, and US law enforcement agencies, namely the Federal Bureau of Investigation, is using a 1789 statute to obtain orders all three companies have to obey for information in tracking suspects. Allegedly, this capability has only been used to track terror suspects but will now reportedly be used for COVID-19 tracking.
  • With Trump CIA directive, the cyber offense pendulum swings too far” – Yahoo! News. Former United States (US) National Coordinator for Security, Infrastructure Protection, and Counter-terrorism Richard Clarke argues against the Central Intelligence Agency (CIA) having carte blanche in conducting cyber operations without the review or input of other federal agencies. He suggests that the CIA in particular, and agencies in general, tend to push their authority to the extreme, which in this case could lead to incidents and lasting precedents in cyberspace that may haunt the US. Clarke also intimated that it may have been the CIA and not Israel that launched cyber attacks on infrastructure facilities in Tehran this month and last.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading and Other Developments (4 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Other Developments

  • The Senate invoked cloture on the nomination of acting Office of Management and Budget (OMB) Director Russell Vought to be confirmed in that role and will vote on the nomination on 20 July. OMB has been without a Senate-confirmed Director since Mick Mulvaney resigned at the end of March, but he was named acting White House Chief of Staff in January 2019, resulting in Vought serving as the acting OMB head since that time.
  • The United States Federal Chief Information Officer (CIO) Suzette Kent announced she is stepping down in July, and Deputy Federal CIO Maria Roat is expected to be named acting Federal CIO. Given the Trump Administration’s approach to submitting nominations to the Senate for confirmation and the Senate’s truncated work schedule due to the election, it is likely no nomination is made this year. Kent technically held the position of Administrator of the Office of Electronic Government within the Office of Management and Budget (OMB) and her portfolio includes a range of technology related matters including cybersecurity, information technology IT policy and procurement, workforce, data security, data management and others.
  • The General Services Administration (GSA) announced the next step in “establish[ing] a program to procure commercial products through commercial e-commerce portals for purposes of enhancing competition, expediting procurement, enabling market research, and ensuring reasonable pricing of commercial products.” GSA “awarded contracts to three e-marketplace platform providers…[to] Amazon Business, Fisher Scientific, and Overstock.com, Inc. allows GSA to test the use of commercial e-commerce portals for purchases below the micro-purchase threshold of $10,000 using a proof-of-concept (for up to three years).” Section 846 of the 2018 National Defense Authorization Act (P. L. 115-91) directed GSA to implement such a program, and the agency claimed in a blog posting:
    • These contracts and platforms will be available to federal agencies as part of a governmentwide effort to modernize the buying experience for agencies and help them gain insights into open-market online spend occurring outside of existing contracts.  It is estimated that open market purchases on government purchase cards represent an addressable market of $6 billion annually.
    • The goal of the proof of concept is to provide a modern buying solution for federal customers and increase transparency on agency spending that’s already taking place with better data through this solution. Further, this solution leverages the government’s buying power and increases supply chain security awareness with a governmentwide approach.
  • In response to the ongoing and growing advertising boycott, Facebook announced in a press release some changes to the platform’s policies regarding voter suppression or hateful content. CEO Mark Zuckerberg stated “Three weeks ago, I committed to reviewing our policies ahead of the 2020 elections…[and] [t]hat work is ongoing, but today I want to share some new policies to connect people with authoritative information about voting, crack down on voter suppression, and fight hate speech:
    • 1. Providing Authoritative Information on Voting During the Pandemic
      • Last week, we announced the largest voting information campaign in American history, with the goal of helping 4 million people register to vote. As part of this, we’re creating a Voting Information Center to share authoritative information on how and when you can vote, including voter registration, voting by mail and early voting. During a pandemic when people may be afraid of going to polls, sharing authoritative information on voting by mail will be especially important. We’ll be showing the Voting Information Center at the top of the Facebook and Instagram apps over the coming months.
    • 2. Additional Steps to Fight Voter Suppression
      • Since the most dangerous voter suppression campaigns can be local and run in the days immediately before an election, we’re going to use our Elections Operations Center to quickly respond and remove false claims about polling conditions in the 72 hours leading into election day. Learning from our experience fighting Covid misinformation, we will partner with and rely on state election authorities to help determine the accuracy of information and what is potentially dangerous. We know this will be challenging in practice as facts on the ground may be uncertain and we don’t want to remove accurate information about challenges people are experiencing, but we’re building our operation to be able to respond quickly.
      • We will also ban posts that make false claims saying ICE agents are checking for immigration papers at polling places, which is a tactic used to discourage voting. We’ll also remove any threats of coordinated interference, like someone saying “My friends and I will be doing our own monitoring of the polls to make sure only the right people vote”, which can be used to intimidate voters. We will continue to review our voter suppression policies on an ongoing basis as part of our work on voter engagement and racial justice.
    • 3. Creating a Higher Standard for Hateful Content in Ads
      • This week’s study from the EU showed that Facebook acts faster and removes a greater percent of hate speech on our services than other major internet platforms, including YouTube and Twitter. We’ve invested heavily in both AI systems and human review teams so that now we identify almost 90% of the hate speech we remove before anyone even reports it to us. We’ve also set the standard in our industry by publishing regular transparency reports so people can hold us accountable for progress. We will continue investing in this work and will commit whatever resources are necessary to improve our enforcement.
      • We believe there is a public interest in allowing a wider range of free expression in people’s posts than in paid ads. We already restrict certain types of content in ads that we allow in regular posts, but we want to do more to prohibit the kind of divisive and inflammatory language that has been used to sow discord. So today we’re prohibiting a wider category of hateful content in ads. Specifically, we’re expanding our ads policy to prohibit claims that people from a specific race, ethnicity, national origin, religious affiliation, caste, sexual orientation, gender identity or immigration status are a threat to the physical safety, health or survival of others. We’re also expanding our policies to better protect immigrants, migrants, refugees and asylum seekers from ads suggesting these groups are inferior or expressing contempt, dismissal or disgust directed at them.
    • 4. Labeling Newsworthy Content
      • A handful of times a year, we leave up content that would otherwise violate our policies if the public interest value outweighs the risk of harm. Often, seeing speech from politicians is in the public interest, and in the same way that news outlets will report what a politician says, we think people should generally be able to see it for themselves on our platforms.
      • We will soon start labeling some of the content we leave up because it is deemed newsworthy, so people can know when this is the case. We’ll allow people to share this content to condemn it, just like we do with other problematic content, because this is an important part of how we discuss what’s acceptable in our society — but we’ll add a prompt to tell people that the content they’re sharing may violate our policies.
      • To clarify one point: there is no newsworthiness exemption to content that incites violence or suppresses voting. Even if a politician or government official says it, if we determine that content may lead to violence or deprive people of their right to vote, we will take that content down. Similarly, there are no exceptions for politicians in any of the policies I’m announcing here today.
  • On 30 June, Facebook banned the boogaloo movement from its platform. The company “designat[ed] a violent US-based anti-government network under our Dangerous Individuals and Organizations policy and disrupting it on our services…[and] [a]s a result, this violent network is banned from having a presence on our platform and we will remove content praising, supporting or representing it.”
  • The United States Department of Commerce suspended “regulations affording preferential treatment to Hong Kong… including the availability of export license exceptions.” The Trump Administration took this latest action in its trade war with the People’s Republic of China (PRC) because of “the Chinese Communist Party’s imposition of new security measures on Hong Kong” and “the risk that sensitive U.S. technology will be diverted to the People’s Liberation Army or Ministry of State Security has increased, all while undermining the territory’s autonomy.” The United States Department of State added “the United States will today end exports of U.S.-origin defense equipment and will take steps toward imposing the same restrictions on U.S. defense and dual-use technologies to Hong Kong as it does for China.”
  • The Democratic National Committee (DNC) updated its “social media comparative analysis to reflect changes companies have made in recent months to their counter disinformation and election integrity policies.” The DNC is working with Facebook/Instagram, Twitter, Google/YouTube, and now Snapchat to “to combat platform manipulation and train our campaigns on how best to secure their accounts and protect their brands against disinformation.”
  • The Office of the Privacy Commissioner of Canada (OPC) and three privacy agencies for provinces of Canada announced an investigation “into a Tim Hortons mobile ordering application after media reports raised concerns about how the app may be collecting and using data about people’s movements as they go about their daily activities.” A journalist made a request to Tim Hortons under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and learned the company’s app had logged his longitude and latitude coordinates over 2,700 times in five months, sometimes when he was not using the app even though the company has claimed it only tracks users when the app is being used. Moreover, Tim Hortons combines data from sister companies also owned by Restaurant Brands International like Burger King and Popeyes.
  • The United Kingdom’s Information Commissioner’s Office (ICO) released an “investigation report into the use of mobile phone extraction (MPE) by police forces when conducting criminal investigations in England and Wales” which “found that police data extraction practices vary across the country, with excessive amounts of personal data often being extracted and stored without an appropriate basis in existing data protection law.” The ICO made a range of recommendations, many of which will require a legislative revamp of the laws that currently govern these practices.
  • Ireland’s Data Protection Commission released its “2018-2020 Regulatory Activity Under GDPR” and listed the following enforcement actions under the General Data Protection Regulation:
    • An Garda Síochana–reprimand and corrective powers applied in accordance with the Data Protection Act, 2018.
    • Tusla; The Child and Family Agency –reprimand and fine applied in accordance with the Data Protection Act, 2018.
    • Tusla; The Child and Family Agency –reprimand and fine applied in accordance with the Data Protection Act, 2018.
    • Twitter–Inquiry completed and draft decision forwarded to EU concerned data protection authorities in accordance with Article 60 of the GDPR.
    • DEASP-Enforcement notice issued regarding the use of the Public Services Card (currently under appeal).
    • 59 Section 10 decisions issued.
    • 15,000 breach notifications assessed and concluded.
    • 9 litigation cases concluded in the Irish Courts.
    • Hearing in CJEU Standard Contractual Clauses case brought by DPC to Irish High Court.
    • 80 % of cases received under the GDPR have been concluded.
  • The National Telecommunications and Information Administration (NTIA) issued its “American Broadband Initiative Progress Report,” an update on a Trump Administration inter-agency effort to implement “a cohesive government-wide strategy to reform broadband deployment” started in 2019. NTIA highlighted the following accomplishment:
    • Through the ReConnect program, as of March 2020, the U.S. Department of Agriculture (USDA) awarded over $744 million in funds to support more than 80 broadband projects benefiting more than 430,000 rural residents in 34 states. The Federal Communications Commission (FCC) and USDA also established processes to coordinate awards for rural broadband deployment to ensure that USDA-funded grants do not overlap with the FCC’s $20 Billion Rural Digital Opportunity Fund (RDOF) or the $9 Billion 5G Fund for Rural America
    • The Department of the Interior (DOI) launched a Joint Overview-Established Locations (JOEL) mapping tool to make site locations visible to service providers looking to locate equipment on Federal property, and added new data layers from the General Services Administration, the U.S. Forest Service, and U.S. Postal Service. Since its release, the map has been viewed 4,294 times, averaging 7 views per day.
    • In June 2019, the General Services Administration (GSA) published the FY 2018 Federal Real Property Profile (FRPP) public data set, updated with a set of filters allowing users to identify Federal property that could be candidates for communications infrastructure installation. This publicly available data now includes the height of buildings and facilities and the elevation above mean sea level, helping the communications industry to determine a structure’s suitability for siting communications facilities. In June 2020, GSA will update the FRPP public data set with more current data from FY 2019.
    • In March 2019, the Department of Commerce’s NTIA updated its website with information about Federal Agencies’ permitting processes and funding information to provide easier, “one-stop” access to the information. NTIA continues to update this information with support from Agencies.
    • In September 2019, NTIA completed the first phase of its National Broadband Availability Map (NBAM), a geographic information system platform which allows for the visualization and analysis of federal, state, and commercially available data sets. As of June 2020, the NBAM program includes 18 States who are partnering on this critical broadband data platform.
    • In February 2020, GSA and USDA’s Forest Service (FS) finalized a revised Standard Form (SF-299), making this Common Application Form suitable for telecommunications purposes.

Further Reading

  • Google will start paying some publishers for news articles” – The Verge. In part because of pressure from regulators in Australia and France, Google will begin paying some new outlets for articles. This could be the start of a larger trend of online platforms compensating media which has long argued this should be the case. However, similar systems in Germany and Spain earlier this decade failed to bolster the media in those countries financially, and Google responded to the Spanish statute by ceasing to operate its News platform in that country.
  • Trump’s strike at Twitter risks collateral damage inside the executive branch” – Politico. One aspect to the Trump Administration executive order on online platforms is that it directs federal agencies to review their online advertising and marketing subject to additional Office of Management and Budget and Department of Justice review. If fully implemented, this process could derail a number of agency initiatives ranging from military recruitment to fighting drug addiction.
  • Column: With its Sprint merger in the bag, T-Mobile is already backing away from its promises” – The Los Angeles Times. Critics of the T-Mobile-Sprint merger have pounced on a recent filing with the California Public Utilities Commission in which the company has asked for two additional years to build out its 5G network despite making this a signal promise in selling California Attorney General Xavier Becerra on the deal. Likewise, the company is trying to renegotiate its promise to create 1,000 new jobs in the state.
  • Facebook policy changes fail to quell advertiser revolt as Coca-Cola pulls ads” – The Guardian. Despite Facebook CEO Mark Zuckerberg’s announcement of policy changes (see Other Developments above), advertisers continue to join a widening boycott that some companies are applying across all major social media platforms. Unilever, Coca Cola, Hershey’s, Honda, and other joined the movement. The majority of Facebook’s income comes from advertising, so a sustained boycott could do more than pushing down the company’s share value. And, the changes announced at the end of last week do not seem to have impressed the boycott’s organizers. It would be interesting if pressure placed on companies advertising on Facebook affects more change than pressure from the right and left in the United States, European Union, and elsewhere.
  • Trump administration tells Facebook, Twitter to act against calls to topple statues, commit violent acts” – The Washington Post. The Department of Homeland Security sent letters late last week to the largest technology companies, asserting they may have played a role in “burglary, arson, aggravated assault, rioting, looting, and defacing public property” by allowing people to post on or use their platforms. The thrust of the argument seems to be that Twitter, Facebook, Apple, Google, and other companies should have done more to prevent people from posting and sharing material that allegedly resulted in violence. Acting Secretary of Homeland Security Chad Wolf argued “In the wake of George Floyd’s death, America faced an unprecedented threat from violent extremists seeking to co-opt the tragedy of his death for illicit purposes.” These letters did not mention President Donald Trump’s tweets that seem to encourage authorities to use violence against protestors. Moreover, they seem to be of a piece with the recent executive order in that there is a scant legal basis for the action designed to cow the social media platforms.
  • Twitch, Reddit crack down on Trump-linked content as industry faces reckoning” – Politico. Two platforms acted against President Donald Trump and his supporters for violating the platforms terms of service and rules. The irony here is that the recent executive order on social platforms seeks to have them held accountable for not operating according to their terms of service.
  • Inside Facebook’s fight against European regulation” – Politico. Through until now unavailable European Commission documents on meetings with and positions of Facebook, this article traces the slow evolution of the company’s no-regulation approach in the European Union (EU) to a public position ostensibly amenable to regulation. It is also perhaps the tale of using lobbying tactics that work in Washington, DC, that have largely failed to gain traction in Brussels.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by congerdesign from Pixabay

NTIA Petitions FCC To Reconsider Ligado Decision

The Trump Administration is asking the FCC to reverse its decision to allow a company to use the L-Band for a wireless system that opponents claim will endanger GPS networks.  

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

This week, the National Telecommunications and Information Administration (NTIA), a component agency of the Department of Commerce, filed two petitions with the Federal Communications Commission (FCC), asking the latter agency to stay its decision allowing Ligado to proceed with wireless service using a satellite-terrestrial network utilizing the L-Band opposed by a number of Trump Administration agencies and a number of key Congressional stakeholders. They argue the order would allow Ligado to set up a system that would interfere with the Department of Defense’s (DOD) Global Positioning System (GPS) and civilian federal agency applications of GPS as well. If the FCC denies these petitions, it is possible NTIA could file suit in federal court to block the FCC’s order and Ligado, and it is also conceivable Congress could fold language into the FY 2021 National Defense Authorization Act, or pass standalone legislation, to block the FCC.

The NTIA stated in its press release that it “petitioned the Federal Communications Commission (FCC) to reconsider its Order and Authorization that conditionally granted license modification applications filed by Ligado Networks LLC…[that] permits Ligado to provide terrestrial wireless services that threaten to harm federal government users of the Global Positioning System (GPS) along with a variety of other public and private stakeholders.”

In the petition for a stay, NTIA asked that “Ligado Networks LLC’s (Ligado’s) mobile satellite service (MSS) license modification applications for ancillary terrestrial operations” be paused until the agency’s petition for reconsideration is decided by the FCC because of “executive branch concerns of harmful interference to federal government and other GPS devices.”

In the petition for reconsideration, the NTIA argued it “focuses on the problems in the Ligado Order that are uniquely related to the interests of Department of Defense (DOD) and other federal agencies and their mission-critical users of GPS.” The NTIA added “that the Commission failed to consider the major economic impact its decision will have on civilian GPS users and the American economy…[and] [a]s the lead civil agency for GPS, DOT explained…Ligado’s proposed operations would disrupt a wide range of civil GPS receivers owned and operated by emergency first responders, among others.”

NTIA made the following arguments in its petition:

  • The Ligado Order failed to adequately consider and give appropriate weight to important and valid executive branch concerns about harmful interference to GPS.
  • None of Ligado’s latest mitigation proposals, nor the conditions based on them, have been tested or evaluated by any independent party…[and] [a] more scientific way of resolving these technical disputes could be accomplished through further joint FCC-executive branch or independent testing based on Ligado’s actual network and base station parameters.
  • The license conditions imposed on Ligado will not adequately mitigate the risk of harmful interference to federal GPS devices, will shift the burden of fixing such interference to federal users, and are otherwise impractical for addressing actual impacts to national security systems. In light of the large number of federal GPS devices that potentially would be impacted by Ligado’s network, the FCC conditions, even if modified, will be a high-cost, time consuming effort for Ligado and federal agencies. As written, the condition requiring the repair or replacement of government receivers, is impractical, infeasible, and potentially illegal.

In late April, the FCC’s “decision authorize[d] Ligado to deploy a low-power terrestrial nationwide network in the 1526-1536 MHz, 1627.5-1637.5 MHz, and 1646.5-1656.5 MHz bands that will primarily support Internet of Things (IoT) services.” The agency argued the order “provides regulatory certainty to Ligado, ensures adjacent band operations, including Global Positioning System (GPS), are sufficiently protected from harmful interference, and promotes more efficient and effective use of [the U.S.’s] spectrum resources by making available additional spectrum for advanced wireless services, including 5G.”

Defense and other civilian government stakeholders remained unconvinced. Also, in late April, the chairs and ranking members of the Armed Services Committees penned an op-ed, in which they claimed “the [FCC] has used the [COVID-19] crisis, under the cover of darkness, to approve a long-stalled application by Ligado Networks — a proposal that threatens to undermine our GPS capabilities, and with it, our national security.” Chairs James Inhofe (R-OK) and Adam Smith (D-WA) and Ranking Members Jack Reed (D-RI) and Mac Thornberry (R-TX) asserted:

  • So, we wanted to clarify things: domestic 5G development is critical to our economic competiveness against China and for our national security. The Pentagon is committed working with government and industry to share mid-band spectrum where and when it makes sense to ensure rapid roll-out of 5G.
  • The problem here is that Ligado’s planned usage is not in the prime mid-band spectrum being considered for 5G — and it will have a significant risk of interference with GPS reception, according to the National Telecommunications and Information Administration (NTIA). The signals interference Ligado’s plan would create could cost taxpayers and consumers billions of dollars and require the replacement of current GPS equipment just as we are trying to get our economy back on its feet quickly — and the FCC has just allowed this to happen.

The Ligado application was seen as so important, the first hearing of the Senate Armed Services Committee held after the beginning of the COVID-19 pandemic was on this issue. Not surprisingly the DOD explained the risks of Ligado’s satellite-terrestrial wireless system as it sees them at some length. Under Secretary of Defense for Research and Engineering Michael Griffin asserted at the 6 May hearing:

  • The U.S. Department of Transportation (DOT) conducted a testing program developed over multiple years with stakeholder involvement, evaluating 80 consumer-grade navigation, survey, precision agriculture, timing, space-based, and aviation GPS receivers. This test program was conducted in coordination with DoD testing of military receivers. The results, as documented in the DoT “Adjacent Band Compatibility” study released in March, 2018, demonstrated that even very low power levels from a terrestrial system in the adjacent band will overload the very sensitive equipment required to collect and process GPS signals.  Also, many high precision receivers are designed to receive Global Navigation Satellite System (GNSS) signals not only in the 1559 MHz to 1610 MHz band, but also receive Mobile Satellite Service (MSS) signals in the 1525 MHz to 1559 MHz band to provide corrections to GPS/GNSS to improve accuracy. With the present and future planned ubiquity of base stations for mobile broadband use, the use of GPS in entire metropolitan areas would be effectively blocked.  That is why every government agency having any stake in GPS, as well as dozens of commercial entities that will be harmed if GPS becomes unreliable,  opposed the FCC’s decision. 
  • There are two principal reasons for the Department’s opposition to Ligado’s proposal. The first and most obvious is that we designed and built GPS for reasons of national security, reasons which are at least as valid today as when the system was conceived. The second, less well-known, is that the DoD has a statutory responsibility to sustain and protect the system. Quoting from 10 USC 2281, the Secretary of Defense “…shall provide for the sustainment and operation of the GPS Standard Positioning Service for peaceful civil, commercial, and scientific uses…” and “…may not agree to any restriction of the GPS System proposed by the head of a department or agency of the United States outside DoD that would adversely affect the military potential of GPS.”

A few weeks ago, 32 Senators wrote the FCC expressing their concern that the “Order does not adequately project adjacent band operations – including those related to GPS and satellite communications –  from harmful interference that would impact countless commercial and military activities.” They also took issue “the hurried nature of the circulation and consideration of the Order,” which they claimed occurred during “a national crisis” and “was not conducive to addressing the many technical concerns raised by affected stakeholders.” Given that nearly one-third of the Senate signed the letter, this may demonstrate the breadth of opposition in Congress to the Ligado order.

Earlier this week, the House Armed Services Committee held a conference call with “FCC officials” and Inhofe issued a press release, claiming “I was concerned when I asked the FCC officials on the call if they had convinced any other agency this was good policy or if they had made an attempt to receive a classified briefing on the effects of their decision and their answer was no.”

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Trump Signs EO To Press Social Media Platforms

After Twitter fact checks Trump’s Tweets on mail voting in California, a rumored EO was signed that would direct the U.S. government to determine how to pare back Section 230 liability protection.  

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

This week, after Twitter fact checked two of his Tweets regarding false claims made about mail voting in California in response to the COVID-19 pandemic, President Donald Trump signed a long rumored executive order (EO) seen by many as a means of cowing social media platforms. Given that the First Amendment to the United States Constitution guarantees freedom of speech in relation to government action, it is not clear how Twitter would be considered a government agency and therefore subject to the First Amendment. Nonetheless, the new EO would request that an agency begin a rulemaking to clarify the liability shield with respect to editing content in 47 USC 230 online platforms benefit from and also task a different agency with investigating Twitter and other platforms to see if they are violating their terms of service.

Twitter’s first fact checking of Trump’s tweeting occurred when he made false claims about California’s plan to mail ballots to registered voters, and, not as the President claimed, to all residents of California. On 26 May, Trump tweeted across two Tweets:

There is NO WAY (ZERO!) that Mail-In Ballots will be anything less than substantially fraudulent. Mail boxes will be robbed, ballots will be forged & even illegally printed out & fraudulently signed. The Governor of California is sending Ballots to millions of people, anyone….. ….living in the state, no matter who they are or how they got there, will get one. That will be followed up with professionals telling all of these people, many of whom have never even thought of voting before, how, and for whom, to vote. This will be a Rigged Election. No way!

On 27 May, Twitter added “a label to two @realDonaldTrump Tweets about California’s vote-by-mail plans as part of our efforts to enforce our civic integrity policy. We believe those Tweets could confuse voters about what they need to do to receive a ballot and participate in the election process.”

In the next day after Twitter added this label, word began to leak from the White House that a long rumored executive order regarding Section 230 of the Communications Decency Act was being prepared for the president’s signature. And, late in the day on 28 May, after a day of reporting on the EO by media, Trump did indeed sign the “Executive Order on Preventing Online Censorship,” which asserted

Section 230 was not intended to allow a handful of companies to grow into titans controlling vital avenues for our national discourse under the guise of promoting open forums for debate, and then to provide those behemoths blanket immunity when they use their power to censor content and silence viewpoints that they dislike.  When an interactive computer service provider removes or restricts access to content and its actions do not meet the criteria of subparagraph (c)(2)(A), it is engaged in editorial conduct.  It is the policy of the United States that such a provider should properly lose the limited liability shield of subparagraph (c)(2)(A) and be exposed to liability like any traditional editor and publisher that is not an online provider.

Consequently, the EO directs that “all executive departments and agencies should ensure that their application of section 230(c) properly reflects the narrow purpose of the section and take all appropriate actions in this regard.”

With respect to specific actions, the Department of Commerce’s the National Telecommunications and Information Administration (NTIA) is directed to file a petition for rulemaking with the Federal Communications Commission (FCC) to clarify the interplay between clauses of Section 230, notably whether the liability shield that protects companies like Twitter and Facebook for content posted on an online platform also extends to so-called “editorial decisions,” presumably actions like Twitter’s in fact checking Trump regarding mail balloting. The NTIA would also ask the FCC to define better the conditions under which an online platform may take down content in good faith that are “deceptive, pretextual, or inconsistent with a provider’s terms of service; or taken after failing to provide adequate notice, reasoned explanation, or a meaningful opportunity to be heard.” The NTIA is also ask the FCC to promulgate any other regulations necessary to effectuate the EO.

Administration officials, including some at the FCC and FTC, have anonymously claimed the EO was pushed through this week, bypassing the usual policy vetting process. Moreover, some of these officials explained that FCC and FTC officials has mostly negative feedback on the draft EO circulated last year and claimed the agencies may even lack the authority to undertake the actions directed by the EO.

Three of the five FCC Commissioners made their positions clear on an NTIA petition to execute this portion of the EO. Commissioner Brendan Carr remarked “I welcome today’s Executive Order and its call for guidance on the scope of the unique and conditional set of legal privileges that Congress conferred on social media companies but no other set of speakers in Section 230…[and] I look forward to receiving the petition that the NTIA files.” Commissioner Geoffrey Starks said “I’ll review the final Executive Order when it’s released and assess its impact on the FCC, but one thing is clear:  the First Amendment and Section 230 remain the law of the land and control here.” Starks added “[o]ur top priority should be connecting all Americans to high-quality, affordable broadband.” Commissioner Jessica Rosenworcel stated

This does not work.  Social media can be frustrating.  But an Executive Order that would turn the Federal Communications Commission into the President’s speech police is not the answer.  It’s time for those in Washington to speak up for the First Amendment.  History won’t be kind to silence.

Elsewhere in the EO, it is provided that the head of each federal agency must review their online spending and then report to the Office of Management and Budget (OMB). The Department of Justice would then “review the viewpoint-based speech restrictions imposed by each online platform identified in the [reports submitted to OMB] and assess whether any online platforms are problematic vehicles for government speech due to viewpoint discrimination, deception to consumers, or other bad practices.”

The Federal Trade Commission (FTC) must consider whether online platforms are violating Section 5 of the FTC Act barring unfair or deceptive practices, which “may include practices by entities covered by section 230 that restrict speech in ways that do not align with those entities’ public representations about those practices.”

On 29 May Twitter labeled a Tweet of Trump’s about the riots in Minneapolis as being a violation of rules for “glorifying violence,” but the platform left the tweet up because “it may be in the public’s interest for the Tweet to remain accessible.” Twitter also disabled the reply function and explained “We try to prevent a tweet like this that otherwise breaks the Twitter rules from reaching more people, so we have disabled most of the ways to engage with it.”

Moreover, Twitter’s actions regarding Trump are not unprecedented for the platform. This year, it has removed Tweets from Brazil’s President Jair Bolsonaro and Venezuela’s President Nicolás Maduro who were pushing unproven COVID-19 treatments. However, these take downs seem at odds with a 2018 statement by Twitter:

Blocking a world leader from Twitter or removing their controversial Tweets would hide important information people should be able to see and debate. It would also not silence that leader, but it would certainly hamper necessary discussion around their words and actions.

Twitter claimed “[w]e review Tweets by leaders within the political context that defines them, and enforce our rules accordingly.”

Twitter also resisted calls from a number to suspend Trump’s account for violating the platform’s terms of service. In October 2019, then presidential candidate Senator Kamala Harris (D-CA) wrote Twitter CEO Jack Dorsey, arguing

I believe the President’s recent tweets rise to the level that Twitter should consider suspending his account. Others have had their accounts suspended for less offensive behavior. And when this kind of abuse is being spewed from the most powerful office in the United States, the stakes are too high to do nothing.

Moreover, Twitter banned political advertising in November 2019 but still allows issue advertising (e.g. an ad advocating for a southern border wall). And, Twitter is limiting the use of microtargeting.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Team Telecom Returns Negative Recommendation On China Telecom

Executive branch agencies veto a Chinese telecom operating in the U.S. because of “identified substantial and unacceptable national security and law enforcement risks associated with China Telecom’s operations, which render the FCC authorizations inconsistent with the public interest.”  

The “Team Telecom” agencies recommended that the Federal Communications Commission (FCC) “revoke and terminate China Telecom (Americas) Corp.’s authorizations to provide international telecommunications services to and from the United States.” This action comes a week after the White House issued an executive order, reorganizing the process by which the U.S. government will review foreign investment in the telecommunications. In this case, the executive branch agencies that form Team Telecom called on the FCC to terminate and revoke the application of a company from the People’s Republic of China (PRC) to operate in the U.S.

The Department of Commerce’s National Telecommunications and Information Administration (NTIA) “filed on behalf of the Executive Branch of the United States Government a recommendation that the FCC terminate and revoke the Section 214 international authorizations of China Telecom (Americas) Corporation (China Telecom) to provide international voice traffic between the United States and foreign countries” per the agency’s press release. The NTIA continued, “[f]or purposes of this recommendation, the Executive Branch represents agreement among the Departments of Justice (DOJ), Homeland Security (DHS), Defense (DOD), State, Commerce, and the U.S. Trade Representative (USTR).”

The DOJ’s press release provided additional details on Team Telecom’s recommendation, and the agencies “identified substantial and unacceptable national security and law enforcement risks associated with China Telecom’s operations, which render the FCC authorizations inconsistent with the public interest.” DOJ explained, “[m]ore specifically the recommendation was based on:

  • the evolving national security environment since 2007 and increased knowledge of the PRC’s role in malicious cyber activity targeting the United States;
  • concerns that China Telecom is vulnerable to exploitation, influence, and control by the PRC government;
  • inaccurate statements by China Telecom to U.S. government authorities about where China Telecom stored its U.S. records, raising questions about who has access to those records;
  • inaccurate public representations by China Telecom concerning its cybersecurity practices, which raise questions about China Telecom’s compliance with federal and state cybersecurity and privacy laws; and
  • the nature of China Telecom’s U.S. operations, which provide opportunities for PRC state-actors to engage in malicious cyber activity enabling economic espionage and disruption and misrouting of U.S. communications. 

DOJ added

Some of the foregoing relate to China Telecom’s failure to comply with a 2007 Letter of Assurance, which was a basis for the existing FCC authorizations. The Department’s National Security Division, Foreign Investment Review Section, identified those compliance issues through its mitigation monitoring program.  As a result, the Executive Branch agencies concluded that the national security and law enforcement risks associated with China Telecom’s international Section 214 authorizations could not be mitigated by additional mitigation terms. Earlier this month, President Donald Trump has issued an executive order creating an inter-agency review body to determine whether foreign investment in U.S. telecommunications companies presents national security issues. However, the executive order merely formalizes and change the longstanding “Team Telecom” process through which proposed foreign investment in the U.S. telecommunications industry have been evaluated. Like the previous body, the new body will consist of representatives from the Departments of Defense, Homeland Security, and Justice and other agencies in an advisory role.