It is still not clear how matters will play out with a proposed Oracle/TikTok deal and the ban on WeChat (and possibly TikTok if an acceptable deal cannot be made).
Today, the Trump Administration issued orders barring TikTok and WeChat pursuant to an “Executive Order on Addressing the Threat Posed by TikTok” and an “Executive Order on Addressing the Threat Posed by WeChat,” which bar any transactions with the companies that make, distribute, and operate TikTok and WeChat respectively, the former being much more popular in the United States (U.S.) than the latter. Working in the background is a potential deal between U.S. company Oracle and ByteDance that may address U.S. concerns about TikTok. On this front, there have been multiple stories from the Trump Administration about the positions of stakeholders on whether Oracle’s proposed role as a “trusted technology partner” will satisfy the national security concerns articulated in the executive order banning the app and the order from the United States government to ByteDance to divest a key part of their platform. Moreover, there is growing pressure from Republicans in Congress to reject the Oracle/TikTok arrangement as it stands.
In his public remarks this week, President Donald Trump seemed underwhelmed about the proposed Oracle/TikTok deal. He said that “[c]onceptually, I can tell you I don’t like [ByteDance maintaining a stake].” Trump stated “[i]f that’s the case, I’m not going to be happy with that.” He added any acceptable deal “has to be 100 percent as far as national security is concerned, and no, I’m not prepared to sign off on anything…[and] I have to see the deal.” On the other hand, Secretary of the Treasury and chair of the Committee on Foreign Investment in the United States (CFIUS) Steven Mnuchin seemed to be taking a different view. He stated “I will just say from our standpoint, we’ll need to make sure that the code is, one, secure, Americans’ data is secure, that the phones are secure and we’ll be looking to have discussions with Oracle over the next few days with our technical teams.” And to this end, the New York Times is reporting that ByteDance has accepted some unspecified changes to the deal in order to address national security concerns, and Reuters is claiming ByteDance has agreed to an initial public offering within a year.
As noted, the U.S. Department of Commerce (Commerce) issued orders effectuating the executive orders, which are set to take effect this weekend. In a press release, Commerce explained:
As of September 20, 2020, the following transactions are prohibited:
Any provision of service to distribute or maintain the WeChat or TikTok mobile applications, constituent code, or application updates through an online mobile application store in the U.S.;
Any provision of services through the WeChat mobile application for the purpose of transferring funds or processing payments within the U.S.
As of September 20, 2020, for WeChat and as of November 12, 2020, for TikTok, the following transactions are prohibited:
Any provision of internet hosting services enabling the functioning or optimization of the mobile application in the U.S.;
Any provision of content delivery network services enabling the functioning or optimization of the mobile application in the U.S.;
Any provision of directly contracted or arranged internet transit or peering services enabling the function or optimization of the mobile application within the U.S.;
Any utilization of the mobile application’s constituent code, functions, or services in the functioning of software or services developed and/or accessible within the U.S.
Any other prohibitive transaction relating to WeChat or TikTok may be identified at a future date. Should the U.S. Government determine that WeChat’s or TikTok’s illicit behavior is being replicated by another app somehow outside the scope of these executive orders, the President has the authority to consider whether additional orders may be appropriate to address such activities. The President has provided until November 12 for the national security concerns posed by TikTok to be resolved. If they are, the prohibitions in this order may be lifted.
Commerce has submitted notices to be published next week in the Federal Register identifying the transactions that will be illegal regarding TikTok and WeChat:
Pursuant to Executive Order 13942, the Secretary of Commerce is publishing the list of prohibited transactions by any person, or with respect to any property, subject to the jurisdiction of the United States, with ByteDance Ltd. (a.k.a. Zìjié Tiàodòng), Beijing, China, or its subsidiaries, including TikTok Inc., in which any such company has any interest, to address the national emergency with respect to the information and communications technology and services supply chain declared in Executive Order 13873, May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain), and particularly to address the threat identified in Executive Order 13942 posed by mobile application TikTok.
Pursuant to Executive Order 13943, the Secretary of Commerce is publishing this Identification of Prohibited Transactions related to WeChat by any person, or with respect to any property, subject to the jurisdiction of the United States, with Tencent Holdings Ltd. (a.k.a. Téngxùn Kònggŭ Yŏuxiàn Gōngsī), Shenzhen, China, or any subsidiary of that entity, to address the national emergency with respect to the information and communications technology and services supply chain declared in Executive Order 13873, May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain), and particularly to address the threat identified in Executive Order 13943 posed by mobile application WeChat.
While the TikTok order could be rescinded if a deal with Oracle is approved by the U.S. government, it seems unlikely that the WeChat order will be undone, at least in the short term. Moreover, these orders will undoubtedly be challenged further in court. Last month, TikTok filed suit in United States federal court in Northern California, asking for an injunction to stop enforcement of the EO and a declaration that it is illegal. It is possible that the company, along with Tencent, WeChat’s parent, will ask a federal court to stop the Trump Administration from proceeding.
Moreover, there are questions about enforcement, for the Administration cannot reasonably expect people in the U.S. to stop using and delete TikTok and WeChat. There may also be a case to be made on First Amendment grounds that the orders violate rights of free speech and association.
As mentioned, a number of Republicans have come out against the Oracle/TikTok deal. At the beginning of the week, Senator Josh Hawley (R-MO) wrote Mnuchin “calling on CFIUS to reject Oracle’s proposed partnership with ByteDance to obtain control of TikTok’s U.S. operations…[because]…the proposed partnership allows for continued Chinese Communist Party (CCP) control of TikTok, putting American data at risk and violating President Trump’s executive order.” Hawley added:
CFIUS should promptly reject any Oracle-ByteDance collaboration and send the ball back to ByteDance’s court so that the company can come up with a more acceptable solution. ByteDance can still pursue a full sale of TikTok, its code, and its algorithm to a U.S. company, so that the app can be rebuilt from the ground up to remove any trace of CCP influence.
Acting Senate Intelligence Committee Chair Marco Rubio (R-FL), Senate Commerce, Science, and Transportation Committee Chair Roger Wicker (R-MS), and Senators Thom Tillis (R-NC), Rick Scott (R-FL), Dan Sullivan (R-AK), and John Cornyn (R-TX) sent a letter to the President “outlining significant concerns regarding reports that Oracle Corp. confirmed a deal with ByteDance to become a ‘trusted technology provider’ for TikTok’s U.S. operations,” including that the “arrangement could violate the requirements set about in the August 6, 2020 Executive Order on Addressing the Threat Posed by TikTok and would do little to satisfy the range of concerns expressed in that order.”
Senator Ted Cruz (R-TX) also wrote Mnuchin arguing:
The Chinese Communist Party and its expansionist actions represent a threat to the United States, its interests, and its allies. This Administration has correctly recognized this threat and has taken substantial counter-measures in response to protect our national security. I urge you to do the same when reviewing the newly submitted plan of a transaction between the Chinese company ByteDance and Oracle.
So far, Democrats in Congress, and the Biden campaign, have remained silent, apparently willing to let Republicans criticize the proposed deal from the right. The White House may ultimately prove susceptible to criticism and seek a modified deal to allay these concerns. However, these Republican Senators seem to be laying out a case for a much more dramatic transaction, but one that would likely run afoul of new regulations issued by the People’s Republic of China on export controls. Late last month, two PRC agencies changed the PRC’s export control rules for the first time since 2008 to likely have leverage over TikTok’s sale to a U.S. entity. Ostensibly, the changes are “to regulate technology exports, promote scientific and technological progress and economic and technological cooperation, and maintain national economic security,” but the inclusion of “personalised information recommendation service technology based on data analysis” and “artificial intelligence interactive interfaces” likely points to ByteDance’s app, TikTok. In fact, a researcher with the PRC Ministry of Commerce was quoted as asserting “[t]he time to publish the new update of the export control list has been expedited due to the TikTok sale.”
The committee examined the counterintelligence component of Russia’s interference in the 2016 election and made recommendations out of proportion with the alleged conduct.
The Senate Intelligence Committee released the fifth and final volume of its investigation into Russia’s interference with the 2016 presidential election in favor of the Trump Campaign. This volume focused on the counterintelligence aspect of the 2016 election. However, even though the committee detailed extensive troubling communication and connection between the Trump Campaign and likely Russian Federation intelligence operatives, the committee is not recommending much in the way of statutory or regulatory changes to prevent future interactions and influence campaigns of this ilk. A number of the recommendations would likely prove helpful, but the committee is stopping short of making the sort of sweeping recommendations one might expect given the breadth and enormity of Russian interference in 2016 and during the current election.
found that the Russian government engaged in an aggressive, multi-faceted effort to influence, or attempt to influence, the outcome of the 2016 presidential election. Parts of this effort are outlined in the Committee’s earlier volumes on election security, social media, the Obama Administration’s response to the threat, and the January 2017 Intelligence Community Assessment (ICA).
The committee stated “[t]he fifth and final volume focuses on the counterintelligence threat, outlining a wide range of Russian efforts to influence the Trump Campaign and the 2016 election…[and] lays out its findings in detail by looking at many aspects of the counterintelligence threat posed by the Russian influence operation.” The committee asserted:
While the Committee does not describe the final result as a complete picture, this volume provides the most comprehensive description to date of Russia’s activities and the threat they posed. This volume presents this information in topical sections in order to address coherently and in detail the wide variety of Russian actions. The events explained in these sections in many cases overlap, and references in each section will direct the reader to those overlapping parts of the volume. Immediately below is a summary of key findings from several sections.
The committee stated its “inquiry highlighted several ways in which hostile actors were able to capitalize on gaps in laws or norms and exert influence…[and] [t]hose areas included unclear laws regarding foreign advocacy, flawed assumptions about what intelligence activity looks like, and a campaign’s status as a private entity intertwined with the structures of democracy.” The committee contended “[f]urther, the freedom of expression at the root of our democratic society became an opportunity for Russian influence to hide in plain sight.”
The committee explained that its recommendations “present a variety of paths through which Congress, the executive branch, and private entities and individuals can and should begin to respond to these threats, both jointly and independently.” The committee vowed that “[t]hese recommendations, however, do not mark the end of the Committee’s work in this space, which requires ongoing vigilance by the United States government and further consideration of legislative and policy responses.” The committee pledged to “continue to evaluate and consider the results of this investigation as part of its ongoing oversight and legislative responsibilities and its efforts to understand and address malign foreign interference targeting U.S. democratic processes.”
The committee called for updating and more vigorously enforcing the law that requires those acting for foreign governments to register and abide by its terms, greater awareness of foreign influence and intelligence operations, better outreach by the Federal Bureau of Investigation (FBI) to targeted campaigns, and expanded Congressional power vis-à-vis expansive, novel claims of executive privilege, the types of which the Trump Administration has extensively made throughout the investigation.
The Senate Intelligence Committee made the following recommendations:
1. Review, Update, and Enforce the Foreign Agents Registration Act and Related Statutes
The Committee recommends that Congress update the Foreign Agents Registration Act (FARA), and that the Department of Justice (DOJ) clarify the statute’s requirements by issuing public guidance on enforcement and more stringently enforcing the existing statute. FARA was enacted over 80 years ago, in large part to target Nazi propaganda. FARA seeks to aid the U.S. Government and the American people in understanding and evaluating the activities, statements, and motives of individuals and entities functioning as agents of foreign principals in the United States. Since that time, Congress has made some modifications to the statute to increase transparency with respect to lawyers and lobbyists who also engage in political activity on behalf of foreign powers inside the United States. However, loopholes still exist, and foreign actors exploited those loopholes in 2016. The Committee’s investigation revealed a number of lawyers, public relations experts, businesses, political consultants, and campaign operatives working in the United States in coordination with, or at the request of, foreign principals. Many of these individuals and businesses did not register under FARA.
DOJ should increase enforcement of FARA. For years, DOJ failed to pursue criminal penalties for even the most flagrant violations of the statute. While recent enforcement efforts have resulted in several successful criminal prosecutions, the Committee found numerous incidents where FARA registrations were excessively delayed, retroactive, incomplete, inaccurate, or otherwise insufficient to accomplish the objectives of the law.
DOJ should publish comprehensive public guidance on FARA. In part as a result of limited enforcement, the public has insufficient information about the statute’s scope and application. DOJ’s interpretation of the statute is largely untested and undefined. While DOJ has made efforts to publish more information about its interpretation of the statute, including through the publication of advisory opinions, these are overly redacted and incomplete. Comprehensive public guidance has been beneficial for other similarly-situated statutes, and those publications, such as DOJ’s Resource Guide to the U.S. Foreign Corrupt Practices Act, may serve as a helpful model in issuing useful and practical guidance on FARA.
Congress should update FARA to more clearly define the activities covered by the statute. This may include narrowing or redefining the breadth of some provisions, such as those that may apply to purely foreign consulting, while strengthening other provisions, such as activities targeting the U.S. Government or the American people.
Congress should remove the Lobbying Disclosure Act (LDA) exemption to FARA registration. Currently, FARA registrants for foreign principals who are not themselves foreign governments or political parties may register under the LDA regime rather than the more comprehensive registration regime under FARA. The Committee found that individuals not formally affiliated with a foreign government may nonetheless sufficiently represent that government’s interest, even if that government is not the principal beneficiary, to merit the application of FARA’s heightened requirements.
Congress should also examine whether other foreign agent laws and the Espionage Act need to be updated to more effectively address the reality of modern intelligence operations targeting the United States.
For example, 18 U.S.C. § 951 makes it a crime to operate as an agent of a foreign government, to include an agent with respect to non-political activity, without first notifying the Attorney General. While DOJ has generally reserved prosecutions under this statute for behavior that resembles espionage, the statute’s overlap with FARA and its general scope may need to be refined and updated. 18 U.S.C. § 219 provides criminal penalties for a public official of the United States to be or act as an agent of a foreign principal required to register under FARA. Together, these and other interrelated laws make up a patchwork of overlapping and ill-defined prohibitions that are overdue for a more thorough review.
Although DOJ makes FARA registration filings publicly available on its website, there is no obligation on registrants to disclose this information when they are engaged in covered political activities. As a result, the registration materials do little to further the statute’s goal of transparency for the American public. This lack of transparency is especially acute in the media space, where messaging by a single FARA registrant has the potential to reach millions of Americans.
Congress should amend FARA to mandate, or the Federal Communications Commission (FCC) and other relevant authorities should impose a requirement, that FARA-registered news agencies operating in the United States provide clear, prominent, and regular notifications to audiences regarding the outlet’s FARA-registered status. Transparency should be affirmatively provided to audiences on a regular basis so that the American public is able to make informed decisions about information consumption.
In addition, all U.S. media outlets should clearly label or otherwise identify content that appears in connection with FARA-registered work, even if it comes in the form of an opinion column. It is the ultimate responsibility of the editorial staff at U.S. media outlets to understand the origins of the information that their journalists and outside contributors are promoting, and to inform their audiences when that information is in some way sponsored or influenced by a foreign agent.
More broadly, all U.S. media outlets should clearly label opinion content as such, in particular when opinion content, in tone or in format, could be mistaken for journalistic reporting.
2. Recognize Russia’s Use of Non-Traditional Intelligence Actors for Influence
The Russian government treats oligarchs, organized crime, and associated businesses as tools of the state, rather than independent, private entities. The Kremlin uses these entities to pursue Kremlin priorities, including money laundering, sanctions evasion, and influence operations. This is a fundamentally different model than in the United States.
While U.S. companies can and should conduct business as they see fit within the bounds of the law, they should proceed with maximum caution when doing business in Russia. Business exchanges can be a vehicle for compromise of electronic devices, collection of compromising information for influence efforts, theft of proprietary business information, and recruitment by intelligence services. Such efforts can be overt or covert, and can target national security information and hamper the competitiveness of U.S. companies. American business leaders need to understand that they, too, are a target and take precautions.
Politically-active U.S. organizations, including non-profits and advocacy groups, should likewise recognize that they can also be, and likely are, targeted by foreign intelligence services. Although the known targeting in 2016 was directed toward conservative organizations, organizations of all political and ideological stripes should be prepared for it. Hostile foreign governments may seek to influence U.S. policy in foreign affairs, energy and environmental policy, military conflict, and other matters involving international relations, through indirect channels like these. Leadership in such organizations should consider conducting due diligence, as appropriate, when dealing with counterparts from adversarial countries, and adopting sound cyber security practices to protect their networks and sensitive information.
[REDACTED] Just as business leaders need to recognize their counterparts may be extensions of the Russian state, the U.S. Government should similarly treat non-governmental entities close to the Kremlin as legitimate targets for intelligence collection and surveillance. The U.S. Government needs the tools and authorities in place to determine whether a non-governmental entity is operating on behalf of the Russian state and mitigate the counterintelligence threat, particularly if that entity seeks to operate in the United States or allied countries. These tools and authorities should augment the entire spectrum of U.S. Government activities, including the ability to deny visas, the ability to conduct surveillance akin to that used against suspected intelligence officers, and the ability to target financial operations, such as the ability to deny transactions or seize assets.
3. Protect Campaigns from Foreign Influence Efforts
As part of its counterintelligence mission, FBI should offer defensive briefings to all presidential campaigns, including during the primaries, for both candidates and staff. FBI should provide detailed briefings as specific issues arise. When nominees are official, FBI should undertake a renewed effort to educate campaigns, from leadership to schedulers, about the avenues of influence adversaries use. These briefings should include specific, if hypothetical, examples and clear defensive steps campaigns can take. FBI has traditionally delivered these briefings as brief conversations; given the aggressive efforts Russia undertook in 2016 and the likelihood of similar future efforts by Russia and others, these conversations should cover cybersecurity best practices and how to recognize approaches that are outside ordinary relationship building.
Future presidential campaigns should perform thorough vetting of staff, particularly those staff who have responsibilities that entail interacting with foreign governments. Diligence, experience, and caution are all the more critical when interacting with representatives of adversaries’ governments.
Campaigns should recognize that campaign staff are attractive targets for foreign intelligence services, and that staff who have not previously been sensitized to counterintelligence threats are especially vulnerable to targeting and exploitation. Presidential campaigns should require staff who interact with foreign governments to receive counterintelligence training from the FBI. Further, that staff should report to designated campaign leadership any foreign contacts, including any offers of foreign assistance, so that the campaign can recognize patterns in foreign outreach. Campaigns should institute a centralized reporting structure to ensure that suspicious contacts with foreign governments or their proxies are documented and can be shared with law enforcement when appropriate, in a timely and accurate manner. This information would assist U.S. counterintelligence efforts to more quickly identify patterns and a clearer picture of nation-level threats. FBI and law enforcement should treat the information passed by campaigns as extremely sensitive, and protect the information from inadvertent disclosure, such as by limiting the number of personnel with access. In addition, a full understanding of the problem will encourage law enforcement agencies to pass defensive information back to campaigns.
To facilitate these activities, campaigns should designate specific individuals to be responsible for counterintelligence and for cybersecurity issues. These individuals should be clearly identified within the campaign as a point of contact for security-related questions or concerns, but will also serve as an accountable entry point for the FBI’s interaction and information sharing with the campaign.
Campaigns should notify FBI of all foreign offers of assistance, and all staff should be made aware of this expectation. In order to not encourage, or amplify, foreign influence efforts, campaigns should reject the use of foreign origin material, especially if it has potentially been obtained through the violation of U.S. law.
The Russian Government has sought to understand, and potentially exploit, vulnerabilities in the U.S. campaign finance system in furtherance of Russia’s election influence activities. Russia’s interest in this tactic is longstanding. The Committee is not aware of specific successful efforts in this regard related to the 2016 U.S. election, however the Committee’s insight is limited, and in other countries Russia has gone to great lengths to launder money intended for election influence. The DOJ, the Intelligence Community, regulators and legislators should work together to identify and address any loopholes that could be abused, by Russia or any other foreign actor, in malign influence operations targeting U.S. elections.
4. Protect Government Employees from Foreign Influence Efforts
Congressional leadership should work with the IC and federal law enforcement to assess the counterintelligence and foreign influence risk associated with foreign government-funded travel by congressional staff, in particular the Mutual Educational and Cultural Exchange Act. Congress does not allow registered lobbyists to pay for the travel or the meals of congressional staff due to concerns about undue influence. This same logic should apply to foreign governments. Congressional leadership should explore increasing the budget for staff travel, so that it is funded and managed by Congress and not by foreign governments.
In addition to enhanced cybersecurity training for all U.S. Government personnel, all federal government employees who travel internationally, regardless of agency or department, should be required to receive counterintelligence training.
5. Bolster Resources for IC Elements to Uncover Influence Campaigns and Focus the National Intelligence Priorities Framework (NIPF) on Foreign Government Influence
These terms are vague and vast, and do not acknowledge the growing threat of disruption by foreign actors conducting malign influence activities targeting the United States.
The Committee recommends, therefore, that all future iterations of the NIPF, which is an exercise and tool used to distribute finite IC resources across a wide variety of threats, specify and prioritize foreign malign influence activities.
FBI should empower its analysts to check assumptions underpinning FBI operations, to apply the rigor of intelligence analysis to assessments and confidential human sources, and to create a culture where questioning previously held assumptions is acceptable and encouraged.
6. Improve Victim Notification and Information Sharing
While the Committee understands FBI’s reluctance to force solutions on hacked victims, FBI should develop a clear policy to address how to escalate victim notifications within a hacked entity, particularly for those involved in an election, when it appears that entity has not successfully remediated a cyber breach.
In addition, the FBI’s Cyber Division should have an escalation policy for how to engage a victim entity when the victim is not responsive to the FBI’s investigative needs. The policy should include how to communicate with the victim entity about escalation, and, in narrow situations where the security of the election is at risk, the potential use of compulsory process. Channels of communication, both within the FBI and with political organizations, should be established early in a campaign cycle.
The FBI should seek to downgrade and share classified information for defense against cyber intrusions whenever possible. If downgrading the information is not feasible, the FBI should work to find a cleared individual at the victim entity and brief that individual at the highest possible level about the incident, prior to or contemporaneous with engaging with the entity’s IT staff.
The FBI should develop clear best practices for dealing with cybersecurity vendors in incident response. Congress should consider legislation that mandates third-party cybersecurity vendors to report indicators of nation-state compromise to the U.S. Government, be it through FBI or other entities, which may include sharing malware, network traffic, forensic images, and other appropriate data to enable the U.S. Government to protect against nation-state cyber adversaries. Any sharing mandate should also include suitable protections for personally identifiable information or other sensitive or privileged material.
7. Strengthen Congressional Authority to Challenge Executive Privilege
Congress should consider amending the Senate’s subpoena enforcement statute to remove or otherwise limit the carve out in 28 U.S.C. § 1365(a) that precludes enforcement against government officials asserting a “governmental privilege or objection.” This exception, the Committee’s investigation showed, allows for the potential abuse of executive privilege claims. Such an amendment should include a process to expedite judicial review of disputes between Congress and the executive branch over subpoena compliance, and clarify that a government official’s mere assertion of a government privilege does not strip a federal court of jurisdiction.
The report contained the additional views of a group of Republican Senators, a group of Democrats, and one Democratic Senator. These sections drew conclusions from the evidence the committee, as a whole, did not support. Not surprisingly, the Republican Senators, including the acting chair, claimed the evidence showed neither Trump nor his campaign colluded with Russia. Senators Jim Risch (R-ID), Marco Rubio (R-FL), Roy Blunt (R-MO), Tom Cotton (R-AR), John Cornyn (R-TX), and Ben Sasse (R-NE) asserted:
Volume 5 of the report on Russian Active Measures Campaigns and Interference is the last body of work relating to the Committee’s investigation into Russian meddling in the 2016 U.S. presidential election. This final volume brings an end to more than three years of investigative work. Bipartisan professional staff reviewed more than one million documents and interviewed more than 200 witnesses to produce over 1,000 pages of analysis. Volume 5 exhaustively reviews the counterintelligence threats and vulnerabilities to the 2016 election, but never explicitly states the critical fact: the Committee found no evidence that then-candidate Donald Trump or his campaign colluded with the Russian government in its efforts to meddle in the election (emphasis in the original).
Volume 5 is an important contribution to the historical record from which historians will someday draw. As is evident to those who read all five volumes of the Committee’s report, the Russian government inappropriately meddled in our 2016 general election in many ways but then-Candidate Trump was not complicit. After more than three years of investigation by this Committee, we can now say with no doubt, there was no collusion (emphasis in the original).
Also, to no great surprise, Democrats took a different view, arguing the report definitively establishes coordination between Russia and the Trump Campaign. Senators Martin Heinrich (D-NM), Dianne Feinstein (D-CA), Ron Wyden (D-OR), Kamala Harris (D-CA), and Michael Bennet (D-CO) contended:
Almost four years after the 2016 U.S. presidential election, the Committee has now published the bipartisan results of its investigation of the Russian government’s election interference and efforts to aid Donald Trump’s candidacy. The Committee’s work product is voluminous, fact-oriented, and essential reading for all Americans. But the Committee has not sought to draw overarching conclusions about its investigation, opting instead to let the reader determine the significance of these events. These additional views provide necessary context for the reader regarding (1) the Trump Campaign’s cooperation with Russia; (2) investigative limitations; and (3) significant ongoing concerns.
It is our conclusion, based on the facts detailed in the Committee’s Report, that the Russian intelligence services’ assault on the integrity of the 2016 U.S. electoral process and Trump and his associates’ participation in and enabling of this Russian activity, represents one of the single most grave counterintelligence threats to American national security in the modern era.
Wyden appended his own additional views to the report:
The fifth and final volume of the Committee’s report includes a wealth of extremely troubling new revelations about the counterintelligence threat posed by Donald Trump and his campaign. Much of the new information in this report, however, remains needlessly classified. That is unfortunate, not only because the counterintelligence concerns that surround Donald Trump constitute an ongoing threat to national security, but because this report includes redacted information that is directly relevant to Russia’s interference in the 2020 election.
As the report details, the Committee was hindered in numerous ways by the subjects of its investigation. In other respects, however, the impediments to the investigation were self-inflicted. First, while the Committee investigated interactions between Donald Trump and particular Russians and identified deeply concerning financial links, it did not seek to answer key questions about Donald Trump’s finances that relate directly to counterintelligence. In short, the Committee did not follow the money.
As noted, despite decrying the interactions between agents of the Russian Federation and Trump Campaign officials and associates that ultimately led to unprecedented interference in a presidential election, the Senate Intelligence Committee offered limited recommendations on how to address likely future attempts to interfere. The explanation may lie in the additional views Republican and Democratic Members offered, which arrived at dramatically different conclusions, suggesting the committee’s report was necessarily limited to the remedies that could be agreed upon. For example, the report calls out the interactions of those like one-time Trump Campaign chair Paul Manafort with likely Russian intelligence operatives and the information he shared with them. And yet, Senate Republicans have blocked legislation that would place an affirmative duty on campaign officials to alert the Federal Bureau of Investigation, the agency that leads on counterintelligence investigations and operations, in the event a foreign power offers assistance or seeks to influence an election.
In fact, in July, Senate Republicans stripped just such a bill, the “Foreign Influence Reporting in Elections Act” (FIRE Act) (S.2242), from the “National Defense Authorization Act for Fiscal Year 2021” (S.4049). The FIRE Act had been added to the “Intelligence Authorization Act for Fiscal Year 2021” (S.3905) in committee markup, and then most of that bill had been added to S.4049, except the FIRE Act. The sponsor of the FIRE Act, Senate Intelligence Committee Ranking Member Mark Warner (D-VA), went to the Senate floor to protest the striking of his bill: “[t]he committee voted 14 to 1 to pass an intel authorization bill that included the FIRE Act, the act that I just described, so that if a foreign government interferes or offers you assistance or offers you dirt, you don’t say thanks; you call the FBI.”
Prior to its inclusion in the FY 2021 Intelligence Authorization Act, Warner had asked unanimous consent to take up the FIRE Act multiple times but was met with Republican objections each time. And there are other election security bills Republicans have continued to block, including:
However, the Senate has taken up and passed two election-related bills addressing facets of the cybersecurity challenges. On July 17, the Senate passed by unanimous consent the “Defending the Integrity of Voting Systems Act” (S. 1321), which would “make it a federal crime to hack any voting systems used in a federal election” according to the Senate Judiciary Committee’s website. In June the Senate also passed the “Defending Elections against Trolls from Enemy Regimes (DETER) Act” (S. 1328) that will make “improper interference in U.S. elections” a violation of U.S. immigration law, and violators would be barred from obtaining a visa to enter the United States. The House has yet to act on these bills.
Here are Further Reading, Other Developments, and Coming Events:
On 18 August, the National Institute of Standards and Technology (NIST) will host the “Bias in AI Workshop, a virtual event to develop a shared understanding of bias in AI, what it is, and how to measure it.”
The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
Senate Intelligence Committee Acting Chair Marco Rubio (R-FL) and Vice Chairman Mark Warner (D-VA) released a statement indicating the committee had voted to adopt the fifth and final volume of its investigation of the Russian Federation’s interference in the 2016 election. The committee had submitted the report to the Intelligence Community for vetting and has received the report with edits and redactions. The report could be released sometime over the next few weeks. Rubio and Warner stated “the Senate Intelligence Committee voted to adopt the classified version of the final volume of the Committee’s bipartisan Russia investigation. In the coming days, the Committee will work to incorporate any additional views, as well as work with the Intelligence Community to formalize a properly redacted, declassified, publicly releasable version of the Volume 5 report.” The Senate Intelligence Committee has released four previous reports:
This publication establishes security and privacy control baselines for federal information systems and organizations and provides tailoring guidance for those baselines. The use of the security control baselines is mandatory, in accordance with OMB Circular A-130 [OMB A-130] and the provisions of the Federal Information Security Modernization Act [FISMA], which requires the implementation of a set of minimum controls to protect federal information and information systems. Whereas use of the privacy control baseline is not mandated by law or [OMB A-130], SP 800-53B, along with other supporting NIST publications, is designed to help organizations identify the security and privacy controls needed to manage risk and satisfy the security and privacy requirements in FISMA, the Privacy Act of 1974 [PRIVACT], selected OMB policies (e.g., [OMB A-130]), and designated Federal Information Processing Standards (FIPS), among others.
The United States Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released an “Election Vulnerability Reporting Guide” to provide “election administrators with a step-by-step guide, list of resources, and a template for establishing a successful vulnerability disclosure program to address possible vulnerabilities in their state and local election systems…[and] [t]he six steps include:
Step 1: Identify Systems Where You Would Accept Security Testing, and those Off-Limits
Step 2: Draft an Easy-to-Read Vulnerability Disclosure Policy (See Appendix III)
Step 3: Establish a Way to Receive Reports/Conduct Follow-On Communication
Step 4: Assign Someone to Thank and Communicate with Researchers
Step 5: Assign Someone to Vet and Fix the Vulnerabilities
Step 6: Consider Sharing Information with Other Affected Parties
The United Kingdom’s Information Commissioner’s Office (ICO) has issued “Guidance on AI and data protection” that “clarifies how you can assess the risks to rights and freedoms that AI can pose from a data protection perspective; and the appropriate measures you can implement to mitigate them.” The ICO explained “[w]hile data protection and ‘AI ethics’ overlap, this guidance does not provide generic ethical or design principles for your use of AI.” The ICO stated “[i]t corresponds to data protection principles, and is structured as follows:
part one addresses accountability and governance in AI, including data protection impact assessments (DPIAs);
part two covers fair, lawful and transparent processing, including lawful bases, assessing and improving AI system performance, and mitigating potential discrimination;
part three addresses data minimisation and security; and
part four covers compliance with individual rights, including rights related to automated decision-making.
20 state attorneys general wrote Facebook Chief Executive Officer Mark Zuckerberg and Chief Operating Officer Sheryl Sandberg “to request that you take additional steps to prevent Facebook from being used to spread disinformation and hate and to facilitate discrimination.” They also asked “that you take more steps to provide redress for users who fall victim to intimidation and harassment, including violence and digital abuse.” The attorneys general said that “[b]ased on our collective experience, we believe that Facebook should take additional actions including the following steps—many of which are highlighted in Facebook’s recent Civil Rights Audit—to strengthen its commitment to civil rights and fighting disinformation and discrimination:
Aggressively enforce Facebook policies against hate speech and organized hate organizations: Although Facebook has developed policies against hate speech and organizations that peddle it, we remain concerned that Facebook’s policies on Dangerous Individuals and Organizations, including but not limited to its policies on white nationalist and white supremacist content, are not enforced quickly and comprehensively enough. Content that violates Facebook’s own policies too often escapes removal just because it comes as coded language, rather than specific magic words. And even where Facebook takes steps to address a particular violation, it often fails to proactively address the follow-on actions by replacement or splinter groups that quickly emerge.
Allow public, third-party audits of hate content and enforcement: To gauge the ongoing progress of Facebook’s enforcement efforts, independent experts should be permitted access to the data necessary to conduct regular, transparent third-party audits of hate and hate-related misinformation on the platform, including any information made available to the Global Oversight Board. As part of this effort, Facebook should capture data on the prevalence of different forms of hate content on the platform, whether or not covered by Facebook’s own community standards, thus allowing the public to determine whether enforcement of anti-hate policies differs based on the type of hate content at issue.
Commit to an ongoing, independent analysis of Facebook’s content population scheme and the prompt development of best practices guidance: By funneling users toward particular types of content, Facebook’s content population scheme, including its algorithms, can push users into extremist online communities that feature divisive and inflammatory messages, often directed at particular groups. Although Facebook has conducted research and considered programs to reduce this risk, there is still no mandatory guidance for coders and other teams involved in content population. Facebook should commit to an ongoing, independent analysis of its content population scheme, including its algorithms, and also continuously implement mandatory protocols as best practices are identified to curb bias and prevent recommendations of hate content and groups.
Expand policies limiting inflammatory advertisements that vilify minority groups: Although Facebook currently prohibits ads that claim that certain people, because of their membership in a protected group, pose a threat to the physical safety of communities or the nation, its policies still allow attacks that characterize such groups as threats to national culture or values. The current prohibition should be expanded to include such ads.
New Zealand’s Ministry of Statistics “launched the Algorithm Charter for Aotearoa New Zealand” that “signals that [the nation’s agencies] are committed to being consistent, transparent and accountable in their use of algorithms.”
The Ministry explained “[t]he Algorithm Charter is part of a wider ecosystem and works together with existing tools, networks and research, including:
Principles for the Safe and Effective Use of Data and Analytics (Privacy Commissioner and Government Chief Data Steward, 2018)
Government Use of Artificial Intelligence in New Zealand (New Zealand Law Foundation and Otago University, 2019)
Trustworthy AI in Aotearoa – AI Principles (AI Forum New Zealand, 2020)
Open Government Partnership, an international agreement to increase transparency.
Data Protection and Use Policy (Social Wellbeing Agency, 2020)
Privacy, Human Rights and Ethics Framework (Ministry of Social Development).
The European Union (EU) imposed its first cyber sanctions under its Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (aka the cyber diplomacy toolbox) against six hackers and three entities from the Russian Federation, the People’s Republic of China (PRC) and the Democratic People’s Republic of Korea for attacks against the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands, the malware attacks known as Petya and WannaCry, and Operation Cloud Hopper. The EU’s cyber sanctions follow sanctions the United States has placed on a number of people and entities from the same nations and also indictments the U.S. Department of Justice has announced over the years. The sanctions are part of the effort to levy costs on nations and actors that conduct cyber attacks. The EU explained:
The attempted cyber-attack was aimed at hacking into the Wi-Fi network of the OPCW, which, if successful, would have compromised the security of the network and the OPCW’s ongoing investigatory work. The Netherlands Defence Intelligence and Security Service (DISS) (Militaire Inlichtingen- en Veiligheidsdienst – MIVD) disrupted the attempted cyber-attack, thereby preventing serious damage to the OPCW.
“WannaCry” disrupted information systems around the world by targeting information systems with ransomware and blocking access to data. It affected information systems of companies in the Union, including information systems relating to services necessary for the maintenance of essential services and economic activities within Member States.
“NotPetya” or “EternalPetya” rendered data inaccessible in a number of companies in the Union, wider Europe and worldwide, by targeting computers with ransomware and blocking access to data, resulting amongst others in significant economic loss. The cyber-attack on a Ukrainian power grid resulted in parts of it being switched off during winter.
“Operation Cloud Hopper” has targeted information systems of multinational companies in six continents, including companies located in the Union, and gained unauthorised access to commercially sensitive data, resulting in significant economic loss.
The United States’ Federal Communications Commission (FCC) is asking for comments on the petition from the Department of Commerce’s National Telecommunications and Information Administration (NTIA) asking the agency to start a rulemaking to clarify alleged ambiguities in 47 USC 230 regarding the limits of the liability shield for the content others post online versus the liability protection for “good faith” moderation by the platform itself. The NTIA was acting per direction in an executive order allegedly aiming to correct online censorship. Executive Order 13925, “Preventing Online Censorship,” was issued in late May after Twitter fact-checked two of President Donald Trump’s Tweets regarding false claims made about mail voting in California in response to the COVID-19 pandemic. Comments are due by 2 September.
The Australian Competition & Consumer Commission (ACCC) released for public consultation a draft of “a mandatory code of conduct to address bargaining power imbalances between Australian news media businesses and digital platforms, specifically Google and Facebook.” The government in Canberra had asked the ACCC to draft this code earlier this year after talks broke down between the Australian Treasury
The ACCC explained:
The code would commence following the introduction and passage of relevant legislation in the Australian Parliament. The ACCC released an exposure draft of this legislation on 31 July 2020, with consultation on the draft due to conclude on 28 August 2020. Final legislation is expected to be introduced to Parliament shortly after conclusion of this consultation process.
This is not the ACCC’s first interaction with the companies. Late last year, the ACCC announced a legal action against Google “alleging they engaged in misleading conduct and made false or misleading representations to consumers about the personal location data Google collects, keeps and uses” according to the agency’s press release. In its initial filing, the ACCC is claiming that Google misled and deceived the public in contravention of the Australian Competition Law and that Android users were harmed because those who switched off Location Services were unaware that their location information was still being collected and used by Google, as it was not readily apparent that Web & App Activity also needed to be switched off.
A year ago, the ACCC released its final report in its “Digital Platforms Inquiry” that “proposes specific recommendations aimed at addressing some of the actual and potential negative impacts of digital platforms in the media and advertising markets, and also more broadly on consumers.”
The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) “released core guidance documentation for the Trusted Internet Connections (TIC) program, developed to assist agencies in protecting modern information technology architectures and services.” CISA explained “In accordance with the Office of Management and Budget (OMB) Memorandum (M) 19-26: Update to the TIC Initiative, TIC 3.0 expands on the original initiative to drive security standards and leverage advances in technology to secure a wide spectrum of agency network architectures.” Specifically, CISA released three core guidance documents:
Program Guidebook (Volume 1) – Outlines the modernized TIC program and includes its historical context
Reference Architecture (Volume 2) – Defines the concepts of the program to guide and constrain the diverse implementations of the security capabilities
Senators Ron Wyden (D-OR), Bill Cassidy (R-LA) and ten other Members wrote the Federal Trade Commission (FTC) urging the agency “to investigate widespread privacy violations by companies in the advertising technology (adtech) industry that are selling private data about millions of Americans, collected without their knowledge or consent from their phones, computers, and smart TVs.” They asked the FTC “to use its authority to conduct broad industry probes under Section 6(b) of the FTC Act to determine whether adtech companies and their data broker partners have violated federal laws prohibiting unfair and deceptive business practices.” They argued “[t]he FTC should not proceed with its review of the Children’s Online Privacy Protection Act (COPPA) Rule before it has completed this investigation.”
“100 U.S. women lawmakers and current and former legislators from around the world,” including Speaker of the House Nancy Pelosi (D-CA), sent a letter to Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg urging the company “to take decisive action to protect women from rampant and increasing online attacks on their platform that have caused many women to avoid or abandon careers in politics and public service.” They noted “[j]ust a few days ago, a manipulated and widely shared video that depicted Speaker Pelosi slurring her speech was once again circulating on major social media platforms, gaining countless views before TikTok, Twitter, and YouTube all removed the footage…[and] [t]he video remains on Facebook and is labeled “partly false,” continuing to gain millions of views.” The current and former legislators “called on Facebook to enforce existing rules, including:
Quick removal of posts that threaten candidates with physical violence, sexual violence or death, and that glorify, incite or praise violence against women; disable the relevant accounts, and refer offenders to law enforcement.
Eliminate malicious hate speech targeting women, including violent, objectifying or dehumanizing speech, statements of inferiority, and derogatory sexual terms;
Remove accounts that repeatedly violate terms of service by threatening, harassing or doxing or that use false identities to attack women leaders and candidates; and
Remove manipulated images or videos misrepresenting women public figures.
United States (U.S.) Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders released a joint statement explaining that “[t]he U.S. Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgment of the Court of Justice of the European Union in the Schrems II case.”
Maximilian Schrems filed a complaint against Facebook with Ireland’s Data Protection Commission (DPC) in 2013, alleging that the company’s transfer of his personal data violated his rights under European Union law because of the mass U.S. surveillance revealed by former National Security Agency (NSA) contractor Edward Snowden. Ultimately, this case resulted in a 2015 Court of Justice of the European Union (CJEU) ruling that invalidated the Safe Harbor agreement under which the personal data of EU residents was transferred to the U.S. by commercial concerns. The EU and U.S. executed a follow-on agreement, the EU-U.S. Privacy Shield, that was designed to address some of the problems the CJEU turned up, and the U.S. passed a law, the “Judicial Redress Act of 2015” (P.L. 114-126), to provide EU citizens a way to exercise their EU rights in U.S. courts via the “Privacy Act of 1974.”
However, Schrems continued and soon sought to challenge the legality of the European Commission’s signing off on the Privacy Shield agreement, the adequacy decision issued in 2016, and also the use of standard contractual clauses (SCC) by companies for the transfer of personal data to the US. The CJEU struck down the adequacy decision, throwing into doubt many entities’ transfers out of the EU into the U.S. but upheld SCCs in a way that suggested EU data protection authorities (DPA) may need to review all such agreements to ensure they comply with EU law.
The European Commission (EC) announced “an in-depth investigation to assess the proposed acquisition of Fitbit by Google under the EU Merger Regulation.” The EC voiced its concern “that the proposed transaction would further entrench Google’s market position in the online advertising markets by increasing the already vast amount of data that Google could use for personalisation of the ads it serves and displays.” The EC detailed its “preliminary competition concerns:
Following its first phase investigation, the Commission has concerns about the impact of the transaction on the supply of online search and display advertising services (the sale of advertising space on, respectively, the result page of an internet search engine or other internet pages), as well as on the supply of “ad tech” services (analytics and digital tools used to facilitate the programmatic sale and purchase of digital advertising). By acquiring Fitbit, Google would acquire (i) the database maintained by Fitbit about its users’ health and fitness; and (ii) the technology to develop a database similar to Fitbit’s one.
The data collected via wrist-worn wearable devices appears, at this stage of the Commission’s review of the transaction, to be an important advantage in the online advertising markets. By increasing the data advantage of Google in the personalisation of the ads it serves via its search engine and displays on other internet pages, it would be more difficult for rivals to match Google’s online advertising services. Thus, the transaction would raise barriers to entry and expansion for Google’s competitors for these services, to the ultimate detriment of advertisers and publishers that would face higher prices and have less choice.
At this stage of the investigation, the Commission considers that Google:
is dominant in the supply of online search advertising services in the EEA countries (with the exception of Portugal for which market shares are not available);
holds a strong market position in the supply of online display advertising services at least in Austria, Belgium, Bulgaria, Croatia, Denmark, France, Germany, Greece, Hungary, Ireland, Italy, Netherlands, Norway, Poland, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom, in particular in relation to off-social networks display ads;
holds a strong market position in the supply of ad tech services in the EEA.
The Commission will now carry out an in-depth investigation into the effects of the transaction to determine whether its initial competition concerns regarding the online advertising markets are confirmed.
In addition, the Commission will also further examine:
the effects of the combination of Fitbit’s and Google’s databases and capabilities in the digital healthcare sector, which is still at a nascent stage in Europe; and
whether Google would have the ability and incentive to degrade the interoperability of rivals’ wearables with Google’s Android operating system for smartphones once it owns Fitbit.
In February, after the deal had been announced, the European Data Protection Board (EDPB) made clear its position that Google and Fitbit will need to scrupulously observe the General Data Protection Regulation’s privacy and data security requirements if the body is to sign off on the proposed $2.2 billion acquisition. Moreover, at present Google has not informed European Union (EU) regulators of the proposed deal. The deal comes at a time when both EU and U.S. regulators are already investigating Google for alleged antitrust and anticompetitive practices, and the EDPB’s opinion could carry weight in this process.
The United States’ (U.S.) Department of Homeland Security released a Privacy Impact Assessment for the U.S. Border Patrol (USBP) Digital Forensics Programs that details how it may conduct searches of electronic devices at the U.S. border and ports of entry. DHS explained:
As part of USBP’s law enforcement duties, USBP may search and extract information from electronic devices, including: laptop computers; thumb drives; compact disks; digital versatile disks (DVDs); mobile phones; subscriber identity module (SIM) cards; digital cameras; vehicles; and other devices capable of storing electronic information.
Last year, a U.S. District Court held that U.S. Customs and Border Protection’s (CBP) and U.S. Immigration and Customs Enforcement’s (ICE) current practices for searches of smartphones and computers at the U.S. border are unconstitutional and the agencies must have reasonable suspicion before conducting such a search. However, the Court declined the plaintiffs’ request that the information taken off of their devices be expunged by the agencies. This ruling follows a Department of Homeland Security Office of the Inspector General (OIG) report that found CBP “did not always conduct searches of electronic devices at U.S. ports of entry according to its Standard Operating Procedures” and asserted that “[t]hese deficiencies in supervision, guidance, and equipment management, combined with a lack of performance measures, limit [CBP’s] ability to detect and deter illegal activities related to terrorism; national security; human, drug, and bulk cash smuggling; and child pornography.”
In terms of a legal backdrop, the United States Supreme Court has found that searches and seizures of electronic devices at borders and airports are subject to lesser legal standards than those conducted elsewhere in the U.S. under most circumstances. Generally, the government’s interest in securing the border against the flow of contraband and people not allowed to enter allows considerable leeway from the warrant requirements for many other types of searches. However, in recent years two federal appeals courts (the Fourth and Ninth Circuits) have held that searches of electronic devices require suspicion on the part of government agents while another appeals court (the Eleventh Circuit) held differently. Consequently, there is not a uniform legal standard for these searches.
The Inter-American Development Bank (IDB) and the Organization of American States (OAS) released their second assessment of cybersecurity across Latin America and the Caribbean that used the Cybersecurity Capacity Maturity Model for Nations (CMM) developed at University of Oxford’s Global Cyber Security Capacity Centre (GSCC). The IDB and OAS explained:
When the first edition of the report “Cybersecurity: Are We Ready in Latin America and the Caribbean?” was released in March 2016, the IDB and the OAS aimed to provide the countries of Latin America and the Caribbean (LAC) not only with a picture of the state of cybersecurity but also guidance about the next steps that should be pursued to strengthen national cybersecurity capacities. This was the first study of its kind, presenting the state of cybersecurity with a comprehensive vision and covering all LAC countries.
The great challenges of cybersecurity, like those of the internet itself, are of a global nature. Therefore, it is undeniable that the countries of LAC must continue to foster greater cooperation among themselves, while involving all relevant actors, as well as establishing a mechanism for monitoring, analysis, and impact assessment related to cybersecurity both nationally and regionally. More data in relation to cybersecurity would allow for the introduction of a culture of cyberrisk management that needs to be extended both in the public and private sectors. Countries must be prepared to adapt quickly to the dynamic environment around us and make decisions based on a constantly changing threat landscape. Our member states may manage these risks by understanding the impact on and the likelihood of cyberthreats to their citizens, organizations, and national critical infrastructure. Moving to the next level of maturity will require a comprehensive and sustainable cybersecurity policy, supported by the country’s political agenda, with allocation of financial resources and qualified human capital to carry it out.
The COVID-19 pandemic will pass, but events that will require intensive use of digital technologies so that the world can carry on will continue happening. The challenge of protecting our digital space will, therefore, continue to grow. It is the hope of the IDB and the OAS that this edition of the report will help LAC countries to have a better understanding of their current state of cybersecurity capacity and be useful in the design of the policy initiatives that will lead them to increase their level of cyberresilience.
While the EDPS acknowledges the importance of the fight against money laundering and terrorism financing as an objective of general interest, we call for the legislation to strike a balance between the interference with the fundamental rights of privacy and personal data protection and the measures that are necessary to effectively achieve the general interest goals on anti-money laundering and countering the financing of terrorism (AML/CFT) (the principle of proportionality).
The EDPS recommends that the Commission monitors the effective implementation of the existing AML/CFT framework while ensuring that the GDPR and the data protection framework are respected and complied with. This is particularly relevant for the works on the interconnection of central bank account mechanisms and beneficial ownership registers that should be largely inspired by the principles of data minimisation, accuracy and privacy-by-design and by default.
“China already has your data. Trump’s TikTok and WeChat bans can’t stop that.” By Aynne Kokas – The Washington Post. This article persuasively makes the case that even if a ban on TikTok and WeChat were to work, and there are substantive questions as to how a ban would work given how widely the former has been downloaded, the People’s Republic of China (PRC) is almost certainly acquiring massive reams of data on Americans through a variety of apps, platforms, and games. For example, Tencent, owner of WeChat, has a 40% stake in Epic Games that has Fortnite, a massively popular multiplayer game (if you have never heard of it, ask one of the children in your family). Moreover, a recent change to PRC law mandates that companies operating in the PRC must share their databases for cybersecurity reviews, which may be an opportunity, aside from hacking and exfiltrating United States entities, to access data. In summation, if the Trump Administration is serious about stopping the flow of data from the U.S. to the PRC, these executive orders will do very little.
“Big Tech Makes Inroads With the Biden Campaign” by David McCabe and Kenneth P. Vogel – The New York Times. Most likely long before former Vice President Joe Biden clinched the Democratic nomination, advisers volunteered to help plot out his policy positions, a process that intensified this year. Of course, this includes technology policy, and many of those volunteering for the campaign’s Innovation Policy Committee have worked or are working for large technology companies directly or as consultants or lobbyists. This piece details some of these people and their relationships and how the Biden campaign is managing possible conflicts of interest. Naturally, those on the left wing of the Democratic Party calling for tighter antitrust, competition, and privacy regulation are concerned that Biden might be pulled away from these positions despite his public statements arguing that the United States government needs to get tougher with some practices.
“A Bible Burning, a Russian News Agency and a Story Too Good to Check Out” By Matthew Rosenberg and Julian E. Barnes – The New York Times. The Russian Federation seems to be using a new tactic with some success for sowing discord in the United States that is the information equivalent of throwing fuel onto a fire. In this case, a fake story manufactured by a Russian outlet was seized on by some prominent Republicans, in part, because it fits their preferred world view of protestors. In this instance, a Russian outlet created a fake story amplifying an actual event that went viral. We will likely see more of this, and it is not confined to fake stories intended to appeal to the right. The same is happening with content meant for the left wing in the United States.
“Facebook cracks down on political content disguised as local news” by Sara Fischer – Axios. As part of its continuing effort to crack down on violations of its policies, Facebook will no longer allow groups with a political viewpoint to masquerade as news. The company and outside experts have identified a range of instances where groups propagating a viewpoint, as opposed to reporting, have used a Facebook exemption by pretending to be local news outlets.
“QAnon groups have millions of members on Facebook, documents show” By Ari Sen and Brandy Zadrozny – NBC News. It appears as if some Facebook employees are leaking the results of an internal investigation that identified more than 1 million users who are part of QAnon groups. Most likely these employees want the company to take a stronger stance on the conspiracy group QAnon like the company has with COVID-19 lies and misinformation.
And, since Senator Kamala Harris (D-CA) was named former Vice President Joe Biden’s (D-DE) vice presidential pick, this article has become even more relevant than when I highlighted it in late July: “New Emails Reveal Warm Relationship Between Kamala Harris And Big Tech” – HuffPost. Obtained via a Freedom of Information request, new emails from Senator Kamala Harris’ (D-CA) tenure as her state’s attorney general suggest she was willing to overlook the role Facebook, Google, and others played and still play in one of her signature issues: revenge porn. This article makes the case Harris came down hard on a scammer running a revenge porn site but did not press the tech giants with any vigor to take down such material from their platforms. Consequently, the case is made if Harris is former Vice President Joe Biden’s vice presidential candidate, this would signal a go easy approach on large companies even though many Democrats have been calling to break up these companies and vigorously enforce antitrust laws. Harris has largely not engaged on tech issues during her tenure in the Senate. To be fair, many of these companies are headquartered in California and pump billions of dollars into the state’s economy annually, putting Harris in a tricky position politically. Of course, such pieces should be taken with a grain of salt since they may have been suggested or planted by one of Harris’ rivals for the vice president nomination or someone looking to settle a score.
“Unwanted Truths: Inside Trump’s Battles With U.S. Intelligence Agencies” by Robert Draper – The New York Times. A deeply sourced article on the outright antipathy between President Donald Trump and Intelligence Community officials, particularly over the issue of how deeply Russia interfered in the election in 2016. A number of former officials have been fired or forced out because they refused to knuckle under to the White House’s desire to soften or massage conclusions of Russia’s past and current actions to undermine the 2020 election in order to favor Trump.
“Targeting WeChat, Trump Takes Aim at China’s Bridge to the World” By Paul Mozur and Raymond Zhong – The New York Times. This piece explains WeChat, the app the Trump Administration is trying to ban in the United States (U.S.) without any warning. It is like a combination of Facebook, WhatsApp, news app, and payment platform and is used by more than 1.2 billion people.
“This Tool Could Protect Your Photos From Facial Recognition” By Kashmir Hill – The New York Times. Researchers at the University of Chicago have found a method of subtly altering photos of people that appears to foil most facial recognition technologies. However, a number of experts interviewed said it is too late to stop companies like Clearview AI.
“I Tried to Live Without the Tech Giants. It Was Impossible.” By Kashmir Hill – The New York Times. This New York Times reporter tried living without the products of large technology companies, which involved some fairly obvious challenges and some that were not so obvious. Of course, it was hard for her to skip Facebook, Instagram, and the like, but cutting out Google and Amazon proved hardest and basically impossible because of the latter’s cloud presence and the former’s web presence. The fact that some of the companies cannot be avoided if one wants to be online likely lends weight to those making the case these companies are anti-competitive.
“To Head Off Regulators, Google Makes Certain Words Taboo” by Adrianne Jeffries – The Markup. Apparently, in what is a standard practice at large companies, employees at Google were coached to avoid using certain terms or phrases that antitrust regulators would take notice of such as: “market,” “barriers to entry,” and “network effects.” The Markup obtained a 16 August 2019 document titled “Five Rules of Thumb For Written Communications” that starts by asserting “[w]ords matter…[e]specially in antitrust laws” and goes on to advise Google’s employees:
We’re out to help users, not hurt competitors.
Our users should always be free to switch, and we don’t lock anyone in.
We’ve got lots of competitors, so don’t assume we control or dominate any market.
Don’t try and define a market or estimate our market share.
Assume every document you generate, including email, will be seen by regulators.
“Facebook Fired An Employee Who Collected Evidence Of Right-Wing Pages Getting Preferential Treatment” By Craig Silverman and Ryan Mac – BuzzFeed News. A Facebook engineer was fired after adducing proof in an internal communications system that the social media platform is more willing to change false and negative ratings to claims made by conservative outlets and personalities than any other viewpoint. If this is true, it would be opposite to the narrative spun by the Trump Administration and many Republicans in Congress. Moreover, Facebook’s incentives would seem to align with giving conservatives more preferential treatment because many of these websites advertise on Facebook, the company probably does not want to get crosswise with the Administration, sensational posts and content drive engagement which increases user numbers that allows for higher ad rates, and it wants to appear fair and impartial.
The President and close advisors keep downplaying Russian interference in the 2020 U.S. election while U.S. intelligence agencies are issuing muted warnings that many Democrats think have been tempered to please the White House.
The Trump Administration has been sending mixed messages on the security of and risks to the 2020 election in the United States (U.S.). While the President and the White House have largely been silent on Russian Federation activities, they have accused the People’s Republic of China (PRC) of a range of activities to interfere with the election. However, U.S. intelligence agencies have been flagging the activities of the Russian Federation, the PRC, Iran, North Korea, and others, but many Democrats and subject matter experts are arguing these public warnings are not accurately portraying the scope of activities and possible effects. Republican leadership in Congress are, in turn, claiming Democrats are politicizing the issue. The ongoing effect may be to desensitize the American public to interference and to further divide the electorate.
At the White House’s COVID-19 briefing on 10 August, when asked about Russian interference, Trump responded:
The other day they said the three countries; they said China and Russia and Iran and some reporter got up and said, Russia is meddling. I said, well, didn’t it mention China and Iran? Why didn’t you mention them, too?
National Counterintelligence and Security Center (NCSC) Director William Evanina issued an update to his late July statement “100 Days Until Election 2020” through “sharing additional information with the public on the intentions and activities of our adversaries with respect to the 2020 election…[that] is being released for the purpose of better informing Americans so they can play a critical role in safeguarding our election.” Evanina offered more in the way of detail on the three nations identified as those being most active in and capable of interfering in the November election: the Russian Federation, the PRC, and Iran. This additional detail may well have been provided given the pressure from Democrats in Congress to do just this. Members like Speaker of the House Nancy Pelosi (D-CA) argued that Evanina was not giving an accurate picture of the actions by foreign nations to influence the outcome and perception of the 2020 election. Republicans in Congress pushed back, claiming Democrats were seeking to politicize the classified briefings given by the Intelligence Community (IC).
Ahead of the 2020 U.S. elections, foreign states will continue to use covert and overt influence measures in their attempts to sway U.S. voters’ preferences and perspectives, shift U.S. policies, increase discord in the United States, and undermine the American people’s confidence in our democratic process. They may also seek to compromise our election infrastructure for a range of possible purposes, such as interfering with the voting process, stealing sensitive data, or calling into question the validity of the election results. However, it would be difficult for our adversaries to interfere with or manipulate voting results at scale.
Evanina stated “[m]any foreign actors have a preference for who wins the election, which they express through a range of overt and private statements; covert influence efforts are rarer…[and] [w]e are primarily concerned about the ongoing and potential activity by China, Russia, and Iran.”
CHINA – We assess that China prefers that President Trump – whom Beijing sees as unpredictable – does not win reelection. China has been expanding its influence efforts ahead of November 2020 to shape the policy environment in the United States, pressure political figures it views as opposed to China’s interests, and deflect and counter criticism of China. Although China will continue to weigh the risks and benefits of aggressive action, its public rhetoric over the past few months has grown increasingly critical of the current Administration’s COVID-19 response, closure of China’s Houston Consulate, and actions on other issues. For example, it has harshly criticized the Administration’s statements and actions on Hong Kong, TikTok, the legal status of the South China Sea, and China’s efforts to dominate the 5G market. Beijing recognizes that all of these efforts might affect the presidential race.
RUSSIA – We assess that Russia is using a range of measures to primarily denigrate former Vice President Biden and what it sees as an anti-Russia “establishment.” This is consistent with Moscow’s public criticism of him when he was Vice President for his role in the Obama Administration’s policies on Ukraine and its support for the anti-Putin opposition inside Russia. For example, pro-Russia Ukrainian parliamentarian Andriy Derkach is spreading claims about corruption – including through publicizing leaked phone calls – to undermine former Vice President Biden’s candidacy and the Democratic Party. Some Kremlin-linked actors are also seeking to boost President Trump’s candidacy on social media and Russian television.
IRAN – We assess that Iran seeks to undermine U.S. democratic institutions, President Trump, and to divide the country in advance of the 2020 elections. Iran’s efforts along these lines probably will focus on on-line influence, such as spreading disinformation on social media and recirculating anti-U.S. content. Tehran’s motivation to conduct such activities is, in part, driven by a perception that President Trump’s reelection would result in a continuation of U.S. pressure on Iran in an effort to foment regime change.
Evanina vowed to update Americans through future statements as needed.
In a statement, Pelosi and House Intelligence Committee Chair Adam Schiff (D-CA) expressed gratitude for the additional detail but took issue with the statement for implying through its structure that the risks each nation presents are equal. It would seem to make sense that Pelosi and Schiff are arguing that the Russian Federation is the biggest threat in light of its history in successfully spreading disinformation and misinformation in 2016 to benefit Trump and harm former Secretary of State Hillary Clinton. This assertion would also serve to rebut the notion that the PRC is the top threat given its placement as the first nation mentioned and Trump Administration rhetoric to this effect. Pelosi and Schiff asserted:
Today’s statement improves on the last by including more detail that American voters deserve to know, including about the actions of Kremlin-linked actors seeking to undermine Vice President Biden, and seeking to help President Trump. These details should help the public, Congress, and the presidential campaigns guard against foreign disinformation. And we are pleased that Mr. Evanina heeded our call to make additional details public about Russia’s malign interference campaign and Mr. Derkach’s role.
Unfortunately, today’s statement still treats three actors of differing intent and capability as equal threats to our democratic elections. Members of Congress have now been briefed on the specific threats facing the 2020 election, and we have been clear with the Intelligence Community that the American people must be provided with specific information that would allow voters to appraise for themselves the respective threats posed by these foreign actors, and distinguish these actors’ different and unequal aims, current actions, and capabilities. All of this can be done consistent with the need to protect sources and methods.
Unlike the first statement by Evanina on the 2020 election, Senate Intelligence Committee acting Chair Marco Rubio (R-FL) and Ranking Member Mark Warner (D-VA) released a joint statement in which they remarked:
NCSC Director Evanina’s statement today builds on and provides additional context to his previous statement two weeks ago. We thank him for providing this additional information to the American people, and we look forward to his continued engagement, along with other members of the Intelligence Community and the Administration, with the public over the next 87 days.
Evanina’s statement highlights some of the serious and ongoing threats to our election from China, Russia, and Iran. Everyone — from the voting public, local officials, and members of Congress — needs to be aware of these threats. And all of us should endeavor to prevent outside actors from being able to interfere in our elections, influence our politics, and undermine confidence in our democratic institutions.
In recent weeks, Evanina, other parts of the Intelligence Community, the FBI, and DHS have provided additional information and briefings to most members of Congress. We thank them for that engagement and encourage them to continue to make this information available. We believe more of the information that was made available in these briefings can, and at the appropriate time should, be shared with the voting public, and we encourage the Intelligence Community to do so in a manner that protects the sources and methods used to collect such information.
And we encourage political leaders on all sides to refrain from weaponizing intelligence matters for political gain, as this only furthers the divisive aims of our adversaries.
On 9 August, on Face The Nation, Trump’s National Security Adviser Robert O’Brien was asked about Evanina’s statement and claimed:
it’s not just Russia…It’s- the Chinese don’t want the president re-elected. He’s been tougher on China than any president in history. And- and we’re standing up for the first time to the Chinese Communist Party and protecting Americans, protecting our IP, protecting our economy, protecting our- our vaccine data. And so there are a lot of people around the world that aren’t happy with America because they don’t share our values. And that shouldn’t be a surprise to anybody. And we’re going to take every action necessary to- to keep folks out, whether it’s China or Russia or Iran—
When asked about the assertion that the PRC wanted Trump to lose, O’Brien responded:
Well, well they- they’d like the- the president to lose. And- and China, like Russia, like Iran, have engaged in cyber-attacks and phishing and that sort of thing with respect to our election infrastructure, with respect to websites and that sort of thing. We’re- we’re aware of it and we’re- we’re taking steps to counter it. Whether it’s China or Russia or Iran, we’re not going to put up with it. And there will be severe consequences with any country that attempts to interfere with our free and fair elections, whether- whether their- their leaders prefer- prefer Joe Biden or prefer Donald Trump, it doesn’t matter. We’re Americans. We don’t- we’re not going to foreign countries deciding who our next president is going to be.
The U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released a risk assessment of mail-in voting “to support CISA efforts to help U.S., state, and local governments identify and mitigate vulnerabilities to mail-in voting infrastructure, and support physical security, cybersecurity, and operational resilience within the mail-in voting process.” CISA cautioned “[t]his document is not an endorsement of any election management practice.”
CISA reached these “key findings:”
All forms of voting – in this case mail-in voting – bring a variety of cyber and infrastructure risks. Risks to mail-in voting can be managed through various policies, procedures, and controls.
The outbound and inbound processing of mail-in ballots introduces additional infrastructure and technology, which increases the potential scalability of cyber attacks. Implementation of mail-in voting infrastructure and processes within a compressed timeline may also introduce new risk. To address this risk, election officials should focus on cyber risk management activities, including access controls and authentication best practices when implementing expanded mail-in voting.
Integrity attacks on voter registration data and systems represent a comparatively higher risk in a mail-in voting environment when compared to an in-person voting environment. This is because the voter is not present at the time of casting the ballot and cannot help to answer questions regarding their eligibility or identity verification.
Operational risk management responsibility differs with mail-in voting and in-person voting processes. For mail-in voting, some of the risk under the control of election officials during in-person voting shifts to outside entities, such as ballot printers, mail processing facilities, and the United States Postal Service (USPS).
Physical access at election offices and warehouses represents a risk in a mail-in voting environment. Completed ballots are returned to the election office and must be securely stored for days or weeks before processing through voter authentication and tabulation processes. Managing risks to these processes requires implementing secure procedures for storage, access controls, and chain of custody, such as ballot accounting.
Inbound mail-in ballot processes and tabulation take longer than in-person processing, causing tabulation of results to occur more slowly and resulting in more ballots to tabulate following election night. Media, candidates, and voters should expect less comprehensive results on election night, which creates additional risk of electoral uncertainty and confidence in results.
Disinformation risk to mail-in voting infrastructure and processes is similar to that of in-person voting while utilizing different content. Threat actors may leverage limited understanding regarding mail-in voting processes to mislead and confuse the public.
Currently, five states (Colorado, Hawaii, Oregon, Utah, and Washington) automatically send every registered voter a ballot by mail. At least 21 other states have laws that allow at least some elections to be conducted by mail. In addition to the five states that send every voter a ballot, five states (Arizona, California, Montana, Nevada, and New Jersey) and the District of Columbia (D.C.) allow a voter to apply to receive a mail-in ballot permanently, so that voters do not have to apply each election. Currently, 34 states and D.C. allow any registered voter to request a mail-in ballot. There are 16 states that require voters to have an excuse such as temporary absence from the voting district, illness, or disability or require voters to be of a certain age (typically 65+) to be eligible to receive a ballot by mail. Some states are recognizing COVID-19 as a valid excuse.
First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.
Speaking of which, the Technology Policy Update is being published daily during the week, and here are the Other Developments and Further Reading from this week.
Acting Senate Intelligence Committee Chair Marco Rubio (R-FL), Senate Foreign Relations Committee Chair Jim Risch (R-ID), and Senators Chris Coons (D-DE) and John Cornyn (R-TX) wrote Secretary of Commerce Wilbur Ross and Secretary of Defense Mike Esper “to ask that the Administration take immediate measures to bring the most advanced digital semiconductor manufacturing capabilities to the United States…[which] are critical to our American economic and national security and while our nation leads in the design of semiconductors, we rely on international manufacturing for advanced semiconductor fabrication.” This letter follows the Trump Administration’s May announcement that the Taiwan Semiconductor Manufacturing Corporation (TSMC) agreed to build a $12 billion plant in Arizona. It also bears note that one of the amendments pending to the “National Defense Authorization Act for Fiscal Year 2021” (S.4049) would establish a grants program to stimulate semiconductor manufacturing in the US.
Senators Mark R. Warner (D-VA), Mazie K. Hirono (D-HI) and Bob Menendez (D-NJ) sent a letter to Facebook “regarding its failure to prevent the propagation of white supremacist groups online and its role in providing such groups with the organizational infrastructure and reach needed to expand.” They also “criticized Facebook for being unable or unwilling to enforce its own Community Standards and purge white supremacist and other violent extremist content from the site” and posed “a series of questions regarding Facebook’s policies and procedures against hate speech, violence, white supremacy and the amplification of extremist content.”
The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published the Pipeline Cyber Risk Mitigation Infographic that was “[d]eveloped in coordination with the Transportation Security Administration (TSA)…[that] outlines activities that pipeline owners/operators can undertake to improve their ability to prepare for, respond to, and mitigate against malicious cyber threats.”
Representative Kendra Horn (D-OK) and 10 other Democrats introduced legislation “requiring the U.S. government to identify, analyze, and combat efforts by the Chinese government to exploit the COVID-19 pandemic” that was endorsed by “[t]he broader Blue Dog Coalition” according to their press release. The “Preventing China from Exploiting COVID-19 Act” (H.R.7484) “requires the Director of National Intelligence—in coordination with the Secretaries of Defense, State, and Homeland Security—to prepare an assessment of the different ways in which the Chinese government has exploited or could exploit the pandemic, which originated in China, in order to advance China’s interests and to undermine the interests of the United States, its allies, and the rules-based international order.” Horn and her cosponsors stated “[t]he assessment must be provided to Congress within 90 days and posted in unclassified form on the DNI’s website.”
The Supreme Court of Canada upheld the “Genetic Non-Discrimination Act” and denied a challenge to the legality of the statute brought by the government of Quebec, the Attorney General of Canada, and others. The court found:
The pith and substance of the challenged provisions is to protect individuals’ control over their detailed personal information disclosed by genetic tests, in the broad areas of contracting and the provision of goods and services, in order to address Canadians’ fears that their genetic test results will be used against them and to prevent discrimination based on that information. This matter is properly classified within Parliament’s power over criminal law. The provisions are supported by a criminal law purpose because they respond to a threat of harm to several overlapping public interests traditionally protected by the criminal law — autonomy, privacy, equality and public health.
The U.S.-China Economic and Security Review Commission published a report “analyzing the evolution of U.S. multinational enterprises (MNE) operations in China from 2000 to 2017.” The Commission found MNE’s operations in the People’s Republic of China “may indirectly erode the United States’ domestic industrial competitiveness and technological leadership relative to China” and “as U.S. MNE activity in China increasingly focuses on the production of high-end technologies, the risk that U.S. firms are unwittingly enabling China to achieve its industrial policy and military development objectives rises.”
The Federal Communications Commission (FCC) and Huawei filed their final briefs in their lawsuit before the United States Court of Appeals for the Fifth Circuit arising from the FCC’s designation of Huawei as a “covered company” for purposes of a rule that denies Universal Service Funds (USF) “to purchase or obtain any equipment or services produced or provided by a covered company posing a national security threat to the integrity of communications networks or the communications supply chain.” Huawei claimed in its brief that “[t]he rulemaking and “initial designation” rest on the FCC’s national security judgments…[b]ut such judgments fall far afield of the FCC’s statutory authority and competence.” Huawei also argued “[t]he USF rule, moreover, contravenes the Administrative Procedure Act (APA) and the Due Process Clause.” The FCC responded in its filing that “Huawei challenges the FCC’s decision to exclude carriers whose networks are vulnerable to foreign interference, contending that the FCC has neither statutory nor constitutional authority to make policy judgments involving “national security”…[but] [t]hese arguments are premature, as Huawei has not yet been injured by the Order.” The FCC added “Huawei’s claim that the Communications Act textually commits all policy determinations with national security implications to the President is demonstrably false.”
European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski released his Strategy for 2020-2024, “which will focus on Digital Solidarity.” Wiewiórowski explained that “three core pillars of the EDPS strategy outline the guiding actions and objectives for the organisation to the end of 2024:”
Foresight: The EDPS will continue to monitor legal, social and technological advances around the world and engage with experts, specialists and data protection authorities to inform its work.
Action: To strengthen the EDPS’ supervision, enforcement and advisory roles the EDPS will promote coherence in the activities of enforcement bodies in the EU and develop tools to assist the EU institutions, bodies and agencies to maintain the highest standards in data protection.
Solidarity: While promoting digital justice and privacy for all, the EDPS will also enforce responsible and sustainable data processing, to positively impact individuals and maximise societal benefits in a just and fair way.
Facebook released a Civil Rights Audit, an “investigation into Facebook’s policies and practices began in 2018 at the behest and encouragement of the civil rights community and some members of Congress.” Those charged with conducting the audit explained that they “vigorously advocated for more and would have liked to see the company go further to address civil rights concerns in a host of areas that are described in detail in the report” including but not limited to
A stronger interpretation of its voter suppression policies — an interpretation that makes those policies effective against voter suppression and prohibits content like the Trump voting posts — and more robust and more consistent enforcement of those policies leading up to the US 2020 election.
More visible and consistent prioritization of civil rights in company decision-making overall.
More resources invested to study and address organized hate against Muslims, Jews and other targeted groups on the platform.
A commitment to go beyond banning explicit references to white separatism and white nationalism to also prohibit express praise, support and representation of white separatism and white nationalism even where the terms themselves are not used.
More concrete action and specific commitments to take steps to address concerns about algorithmic bias or discrimination.
They added that “[t]his report outlines a number of positive and consequential steps that the company has taken, but at this point in history, the Auditors are concerned that those gains could be obscured by the vexing and heartbreaking decisions Facebook has made that represent significant setbacks for civil rights.”
The National Security Commission on Artificial Intelligence (NSCAI) released a white paper titled “The Role of AI Technology in Pandemic Response and Preparedness” that “outlines a series of investments and initiatives that the United States must undertake to realize the full potential of AI to secure our nation against pandemics.” NSCAI noted its previous two white papers:
Secretary of Defense Mark Esper announced that Chief Technology Officer Michael J.K. Kratsios has “been designated to serve as Acting Under Secretary of Defense for Research and Engineering” even though he does not have a degree in science. The last Under Secretary held a PhD. However, Kratsios worked for venture capitalist Peter Thiel who backed President Donald Trump when he ran for office in 2016.
The United States’ Department of Transportation’s Federal Railroad Administration (FRA) issued research “to develop a cyber security risk analysis methodology for communications-based connected railroad technologies…[and] [t]he use-case-specific implementation of the methodology can identify potential cyber attack threats, system vulnerabilities, and consequences of the attack– with risk assessment and identification of promising risk mitigation strategies.”
In a blog post, a National Institute of Standards and Technology (NIST) economist asserted cybercrime may be having a much larger impact on the United States’ economy than previously thought:
In a recent NIST report, I looked at losses in the U.S. manufacturing industry due to cybercrime by examining an underutilized dataset from the Bureau of Justice Statistics, which is the most statistically reliable data that I can find. I also extended this work to look at the losses in all U.S. industries. The data is from a 2005 survey of 36,000 businesses with 8,079 responses, which is also by far the largest sample that I could identify for examining aggregated U.S. cybercrime losses. Using this data, combined with methods for examining uncertainty in data, I extrapolated upper and lower bounds, putting 2016 U.S. manufacturing losses to be between 0.4% and 1.7% of manufacturing value-added or between $8.3 billion and $36.3 billion. The losses for all industries are between 0.9% and 4.1% of total U.S. gross domestic product (GDP), or between $167.9 billion and $770.0 billion. The lower bound is 40% higher than the widely cited, but largely unconfirmed, estimates from McAfee.
The Government Accountability Office (GAO) advised the Federal Communications Commission (FCC) that it needs a comprehensive strategy for implementing 5G across the United States. The GAO concluded
FCC has taken a number of actions regarding 5G deployment, but it has not clearly developed specific and measurable performance goals and related measures–with the involvement of relevant stakeholders, including National Telecommunications and Information Administration (NTIA)–to manage the spectrum demands associated with 5G deployment. This makes FCC unable to demonstrate whether the progress being made in freeing up spectrum is achieving any specific goals, particularly as it relates to congested mid-band spectrum. Additionally, without having established specific and measurable performance goals with related strategies and measures for mitigating 5G’s potential effects on the digital divide, FCC will not be able to assess the extent to which its actions are addressing the digital divide or what actions would best help all Americans obtain access to wireless networks.
The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued “Time Guidance for Network Operators, Chief Information Officers, and Chief Information Security Officers” “to inform public and private sector organizations, educational institutions, and government agencies on time resilience and security practices in enterprise networks and systems…[and] to address gaps in available time testing practices, increasing awareness of time-related system issues and the linkage between time and cybersecurity.”
Fifteen Democratic Senators sent a letter to the Department of Defense, Office of the Director of National Intelligence (ODNI), Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and U.S. Cyber Command, urging them “to take additional measures to fight influence campaigns aimed at disenfranchising voters, especially voters of color, ahead of the 2020 election.” They called on these agencies to take “additional measures:”
The American people and political candidates are promptly informed about the targeting of our political processes by foreign malign actors, and that the public is provided regular periodic updates about such efforts leading up to the general election.
Members of Congress and congressional staff are appropriately and adequately briefed on continued findings and analysis involving election related foreign disinformation campaigns and the work of each agency and department to combat these campaigns.
Findings and analysis involving election related foreign disinformation campaigns are shared with civil society organizations and independent researchers to the maximum extent which is appropriate and permissible.
Secretary Esper and Director Ratcliffe implement a social media information sharing and analysis center (ISAC) to detect and counter information warfare campaigns across social media platforms as authorized by section 5323 of the Fiscal Year 2020 National Defense Authorization Act.
Director Ratcliffe implement the Foreign Malign Influence Response Center to coordinate a whole of government approach to combatting foreign malign influence campaigns as authorized by section 5322 of the Fiscal Year 2020 National Defense Authorization Act.
The Information Technology and Innovation Foundation (ITIF) unveiled an issue brief “Why New Calls to Subvert Commercial Encryption Are Unjustified” arguing “that government efforts to subvert encryption would negatively impact individuals and businesses.” ITIF offered these “key takeaways:”
Encryption gives individuals and organizations the means to protect the confidentiality of their data, but it has interfered with law enforcement’s ability to prevent and investigate crimes and foreign threats.
Technological advances have long frustrated some in the law enforcement community, giving rise to multiple efforts to subvert commercial use of encryption, from the Clipper Chip in the 1990s to the San Bernardino case two decades later.
Having failed in these prior attempts to circumvent encryption, some law enforcement officials are now calling on Congress to invoke a “nuclear option”: legislation banning “warrant-proof” encryption.
This represents an extreme and unjustified measure that would do little to take encryption out of the hands of bad actors, but it would make commercial products less secure for ordinary consumers and businesses and damage U.S. competitiveness.
The White House released an executive order in which President Donald Trump determined “that the Special Administrative Region of Hong Kong (Hong Kong) is no longer sufficiently autonomous to justify differential treatment in relation to the People’s Republic of China (PRC or China) under the particular United States laws and provisions thereof set out in this order.” Trump further determined “the situation with respect to Hong Kong, including recent actions taken by the PRC to fundamentally undermine Hong Kong’s autonomy, constitutes an unusual and extraordinary threat, which has its source in substantial part outside the United States, to the national security, foreign policy, and economy of the United States…[and] I hereby declare a national emergency with respect to that threat.” The executive order would continue the Administration’s process of changing policy to ensure Hong Kong is treated the same as the PRC.
President Donald Trump also signed a bill passed in response to the People’s Republic of China (PRC) passing legislation the United States and others claim will strip Hong Kong of the protections the PRC agreed to maintain for 50 years after the United Kingdom (UK) handed over the city. The “Hong Kong Autonomy Act” “requires the imposition of sanctions on Chinese individuals and banks who are included in an annual State Department list found to be subverting Hong Kong’s autonomy” according to the bill’s sponsor Representative Brad Sherman (D-CA).
Representative Stephen Lynch, who chairs House Oversight and Reform Committee’s National Security Subcommittee, sent letters to Apple and Google “after the Office of the Director of National Intelligence (ODNI) and the Federal Bureau of Investigation (FBI) confirmed that mobile applications developed, operated, or owned by foreign entities, including China and Russia, could potentially pose a national security risk to American citizens and the United States” according to his press release. He noted in letters sent by the technology companies to the Subcommittee that:
Apple confirmed that it does not require developers to submit “information on where user data (if any such data is collected by the developer’s app) will be housed” and that it “does not decide what user data a third-party app can access, the user does.”
Google stated that it does “not require developers to provide the countries in which their mobile applications will house user data” and acknowledged that “some developers, especially those with a global user base, may store data in multiple countries.”
Lynch is seeking “commitments from Apple and Google to require information from application developers about where user data is stored, and to make users aware of that information prior to downloading the application on their mobile devices.”
Minnesota Attorney General Keith Ellison announced a settlement with Frontier Communications that “concludes the three major investigations and lawsuits that the Attorney General’s office launched into Minnesota’s major telecoms providers for deceptive, misleading, and fraudulent practices.” The Office of the Attorney General (OAG) stated
Based on its investigation, the Attorney General’s Office alleged that Frontier used a variety of deceptive and misleading practices to overcharge its customers, such as: billing customers more than they were quoted by Frontier’s agents; failing to disclose fees and surcharges in its sales presentations and advertising materials; and billing customers for services that were not delivered.
The OAG “also alleged that Frontier sold Minnesotans expensive internet services with so-called “maximum speed” ratings that were not attainable, and that Frontier improperly advertised its service as “reliable,” when in fact it did not provide enough bandwidth for customers to consistently receive their expected service.”
The first topic concerns the grounds a data subject can rely on for a delisting request sent to a search engine provider pursuant to Article 17.1 GDPR.
The second topic concerns the exceptions to the Right to request delisting according to Article 17.3 GDPR.
The Australian Competition & Consumer Commission (ACCC) “is seeking views on draft Rules and accompanying draft Privacy Impact Assessment that authorise third parties who are accredited at the ‘unrestricted’ level to collect Consumer Data Right (CDR) data on behalf of another accredited person.” The ACCC explained “[t]his will allow accredited persons to utilise other accredited parties to collect CDR data and provide other services that facilitate the provision of goods and services to consumers.” In a March explanatory statement, the ACCC stated “[t]he CDR is an economy-wide reform that will apply sector-by-sector, starting with the banking sector…[and] [t]he objective of the CDR is to provide individual and business consumers (consumers) with the ability to efficiently and conveniently access specified data held about them by businesses (data holders), and to authorise the secure disclosure of that data to third parties (accredited data recipients) or to themselves.” The ACCC noted “[t]he CDR is regulated by both the ACCC and the Office of the Australian Information Commissioner (OAIC) as it concerns both competition and consumer matters as well as the privacy and confidentiality of consumer data.” Input is due by 20 July.
The Office of the Inspector General (OIG) for the Department of the Interior (Interior) found that even though the agency spends $1.4 billion annually on cybersecurity, “[g]uarding against increasing cybersecurity threats” remains one of Interior’s top challenges. The OIG asserted Interior “continues to struggle to implement an enterprise information technology (IT) security program that balances compliance, cost, and risk while enabling bureaus to meet their diverse missions.”
In a summary of its larger investigation into “Security over Information Technology Peripheral Devices at Select Office of Science Locations,” the Department of Energy’s Office of the Inspector General (OIG) reported that it “identified weaknesses related to access controls and configuration settings” for peripheral devices (e.g., thumb drives, printers, scanners and other connected devices) “similar in type to those identified in prior evaluations of the Department’s unclassified cybersecurity program.”
The House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Innovation Subcommittee Ranking Member John Katko (R-NY) introduced “a comprehensive national cybersecurity improvement package,” according to his press release, consisting of these bills:
The “Cybersecurity and Infrastructure Security Agency Director and Assistant Directors Act:” This bipartisan measure takes steps to improve guidance and long-term strategic planning by stabilizing the CISA Director and Assistant Directors positions. Specifically, the bill:
Creates a 5-year term for the CISA Director, with a limit of 2 terms. The term of office for the current Director begins on the date the Director began to serve.
Elevates the Director to the equivalent of a Deputy Secretary and Military Service Secretaries.
Depoliticizes the Assistant Director positions, appointed by the Secretary of the Department of Homeland Security (DHS), categorizing them as career public servants.
The “Strengthening the Cybersecurity and Infrastructure Security Agency Act of 2020:” This measure mandates a comprehensive review of CISA in an effort to strengthen its operations, improve coordination, and increase oversight of the agency. Specifically, the bill:
Requires CISA to review how additional appropriations could be used to support programs for national risk management, federal information systems management, and public-private cybersecurity and integration. It also requires a review of workforce structure and current facilities and projected needs.
Mandates that CISA provides a report to the House and Senate Homeland Committees within 1-year of enactment. CISA must also provide a report and recommendations to GSA on facility needs.
Requires GSA to provide a review to the Administration and House and Senate Committees on CISA facilities needs within 30-days of Congressional report.
The “CISA Public-Private Talent Exchange Act:” This bill requires CISA to create a public-private workforce program to facilitate the exchange of ideas, strategies, and concepts between federal and private sector cybersecurity professionals. Specifically, the bill:
Establishes a public-private cyber exchange program allowing government and industry professionals to work in one another’s field.
Expands existing private outreach and partnership efforts.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is ordering United States federal civilian agencies “to apply the July 2020 Security Update for Windows Servers running DNS (CVE-2020-1350), or the temporary registry-based workaround if patching is not possible within 24 hours.” CISA stated “[t]he software update addresses a significant vulnerability where a remote attacker could exploit it to take control of an affected system and run arbitrary code in the context of the Local System Account.” CISA Director Christopher Krebs explained “due to the wide prevalence of Windows Server in civilian Executive Branch agencies, I’ve determined that immediate action is necessary, and federal departments and agencies need to take this remote code execution vulnerability in Windows Server’s Domain Name System (DNS) particularly seriously.”
The United States (US) Department of State has imposed “visa restrictions on certain employees of Chinese technology companies that provide material support to regimes engaging in human rights abuses globally” that are aimed at Huawei. In its statement, the Department stated “Companies impacted by today’s action include Huawei, an arm of the Chinese Communist Party’s (CCP) surveillance state that censors political dissidents and enables mass internment camps in Xinjiang and the indentured servitude of its population shipped all over China.” The Department claimed “[c]ertain Huawei employees provide material support to the CCP regime that commits human rights abuses.”
Earlier in the month, the US Departments of State, Treasury, Commerce, and of Homeland Security issued an “advisory to highlight the harsh repression in Xinjiang.” The agencies explained
Businesses, individuals, and other persons, including but not limited to academic institutions, research service providers, and investors (hereafter “businesses and individuals”), that choose to operate in Xinjiang or engage with entities that use labor from Xinjiang elsewhere in China should be aware of reputational, economic, and, in certain instances, legal, risks associated with certain types of involvement with entities that engage in human rights abuses, which could include Withhold Release Orders (WROs), civil or criminal investigations, and export controls.
The United Kingdom’s National Cyber Security Centre (NCSC), Canada’s Communications Security Establishment (CSE), United States’ National Security Agency (NSA) and the United States’ Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on a Russian hacking organization’s efforts that have “targeted various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.” The agencies named APT29 (also known as ‘the Dukes’ or ‘Cozy Bear’), “a cyber espionage group, almost certainly part of the Russian intelligence services,” as the culprit behind “custom malware known as ‘WellMess’ and ‘WellMail.’”
This alert follows May advisories issued by Australia, the US, and the UK on hacking threats related to the pandemic. Australia’s Department of Foreign Affairs and Trade (DFAT) and the Australian Cyber Security Centre (ACSC) issued “Advisory 2020-009: Advanced Persistent Threat (APT) actors targeting Australian health sector organisations and COVID-19 essential services” that asserted “APT groups may be seeking information and intellectual property relating to vaccine development, treatments, research and responses to the outbreak as this information is now of higher value and priority globally.” CISA and NCSC issued a joint advisory for the healthcare sector, especially companies and entities engaged in fighting COVID-19. The agencies stated that they have evidence that Advanced Persistent Threat (APT) groups “are exploiting the COVID-19 pandemic as part of their cyber operations.” In an unclassified public service announcement, the Federal Bureau of Investigation (FBI) and CISA named the People’s Republic of China as a nation waging a cyber campaign against U.S. COVID-19 researchers. The agencies stated they “are issuing this announcement to raise awareness of the threat to COVID-19-related research.”
an updated title to be more inclusive of the variety of workers who perform cybersecurity work,
definition and normalization of key terms,
principles that facilitate agility, flexibility, interoperability, and modularity,
introduction of competencies,
Representatives Glenn Thompson (R-PA), Collin Peterson (D-MN), and James Comer (R-KY) sent a letter to the Federal Communications Commission (FCC) “questioning the Commission’s April 20, 2020 Order granting Ligado’s application to deploy a terrestrial nationwide network to provide 5G services.”
The European Commission (EC) is asking for feedback on part of its recently released data strategy by 31 July. The EC stated it is aiming “to create a single market for data, where data from public bodies, business and citizens can be used safely and fairly for the common good…[and] [t]his initiative will draw up rules for common European data spaces (covering areas like the environment, energy and agriculture) to:
make better use of publicly held data for research for the common good
support voluntary data sharing by individuals
set up structures to enable key organisations to share data.
The United Kingdom’s Parliament is asking for feedback on its legislative proposal to regulate Internet of Things (IoT) devices. The Department for Digital, Culture, Media & Sport explained “the obligations within the government’s proposed legislative framework would fall mainly on the manufacturer if they are based in the UK, or if not based in the UK, on their UK representative.” The Department is also “developing an enforcement approach with relevant stakeholders to identify an appropriate enforcement body to be granted day to day responsibility and operational control of monitoring compliance with the legislation.” The Department also touted the publishing of the European Telecommunications Standards Institute’s (ETSI) “security baseline for Internet-connected consumer devices and provides a basis for future Internet of Things product certification schemes.”
Facebook issued a white paper, titled “CHARTING A WAY FORWARD: Communicating Towards People-Centered and Accountable Design About Privacy,” in which the company states its desire to be involved in shaping a United States privacy law (See below for an article on this). Facebook concluded:
Facebook recognizes the responsibility we have to make sure that people are informed about the data that we collect, use, and share.
That’s why we support globally consistent comprehensive privacy laws and regulations that, among other things, establish people’s basic rights to be informed about how their information is collected, used, and shared, and impose obligations for organizations to do the same, including the obligation to build internal processes that maintain accountability.
As improvements to technology challenge historic approaches to effective communications with people about privacy, companies and regulators need to keep up with changing times.
To serve the needs of a global community, on both the platforms that exist now and those that are yet to be developed, we want to work with regulators, companies, and other interested third parties to develop new ways of informing people about their data, empowering them to make meaningful choices, and holding ourselves accountable.
While we don’t have all the answers, there are many opportunities for businesses and regulators to embrace modern design methods, new opportunities for better collaboration, and innovative ways to hold organizations accountable.
Four Democratic Senators sent Facebook a letter “about reports that Facebook has created fact-checking exemptions for people and organizations who spread disinformation about the climate crisis on its social media platform” following a New York Times article this week on the social media company’s practices regarding climate disinformation. Even though the social media giant has moved aggressively to take down false and inaccurate COVID-19 posts, climate disinformation lives on the social media platform largely unmolested for a couple of reasons. First, Facebook marks these sorts of posts as opinion and takes the approach that opinions should be judged under an absolutist free speech regime. Moreover, Facebook asserts posts of this sort do not pose any imminent harm and therefore do not need to be taken down. Despite having teams of fact checkers to vet posts of demonstrably untrue information, Facebook chooses not to, most likely because material that elicits strong reactions from users drives engagement that, in turn, drives advertising dollars. Senators Elizabeth Warren (D-WA), Tom Carper (D-DE), Sheldon Whitehouse (D-R.I.) and Brian Schatz (D-HI) argued “[i]f Facebook is truly “committed to fighting the spread of false news on Facebook and Instagram,” the company must immediately acknowledge in its fact-checking process that the climate crisis is not a matter of opinion and act to close loopholes that allow climate disinformation to spread on its platform.” They posed a series of questions to Facebook CEO Mark Zuckerberg on these practices, requesting answers by 31 July.
A Canadian court has found that the Canadian Security Intelligence Service (CSIS) “admittedly collected information in a manner that is contrary to this foundational commitment and then relied on that information in applying for warrants under the Canadian Security Intelligence Service Act, RSC 1985, c C-23 [CSIS Act]” according to a court summary of its redacted decision. The court further stated “[t]he Service and the Attorney General also admittedly failed to disclose to the Court the Service’s reliance on information that was likely collected unlawfully when seeking warrants, thereby breaching the duty of candour owed to the Court.” The court added “[t]his is not the first time this Court has been faced with a breach of candour involving the Service…[and] [t]he events underpinning this most recent breach were unfolding as recommendations were being implemented by the Service and the Attorney General to address previously identified candour concerns.” CSIS was found to have illegally collected and used metadata in a 2016 case on its conduct between 2006-2016. In response to the most recent ruling, CSIS is vowing to implement a range of reforms. The National Security and Intelligence Review Agency (NSIRA) is pledging the same.
The United Kingdom’s National Police Chiefs’ Council (NPCC) announced the withdrawal of “[t]he ‘Digital device extraction – information for complainants and witnesses’ form and ‘Digital Processing Notice’ (‘the relevant forms’) circulated to forces in February 2019 [that] are not sufficient for their intended purpose.” In mid-June, the UK’s data protection authority, the Information Commissioner’s Office (ICO) unveiled its “finding that police data extraction practices vary across the country, with excessive amounts of personal data often being extracted, stored, and made available to others, without an appropriate basis in existing data protection law.” This withdrawal was also due, in part, to a late June Court of Appeal decision.
A range of public interest and advocacy organizations sent a letter to Speaker of the House Nancy Pelosi (D-CA) and House Minority Leader Kevin McCarthy (R-CA) noting “there are intense efforts underway to do exactly that, via current language in the House and Senate versions of the FY2021 National Defense Authorization Act (NDAA) that ultimately seek to reverse the FCC’s recent bipartisan and unanimous approval of Ligado Networks’ regulatory plans.” They urged them “not endorse efforts by the Department of Defense and its allies to veto commercial spectrum authorizations…[and][t]he FCC has proven itself to be the expert agency on resolving spectrum disputes based on science and engineering and should be allowed to do the job Congress authorized it to do.” In late April, the FCC’s “decision authorize[d] Ligado to deploy a low-power terrestrial nationwide network in the 1526-1536 MHz, 1627.5-1637.5 MHz, and 1646.5-1656.5 MHz bands that will primarily support Internet of Things (IoT) services.” The agency argued the order “provides regulatory certainty to Ligado, ensures adjacent band operations, including Global Positioning System (GPS), are sufficiently protected from harmful interference, and promotes more efficient and effective use of [the U.S.’s] spectrum resources by making available additional spectrum for advanced wireless services, including 5G.”
The European Data Protection Supervisor (EDPS) rendered his opinion on the European Commission’s White Paper on Artificial Intelligence: a European approach to excellence and trust and recommended the following for the European Union’s (EU) regulation of artificial intelligence (AI):
applies both to EU Member States and to EU institutions, offices, bodies and agencies;
is designed to protect from any negative impact, not only on individuals, but also on communities and society as a whole;
proposes a more robust and nuanced risk classification scheme, ensuring any significant potential harm posed by AI applications is matched by appropriate mitigating measures;
includes an impact assessment clearly defining the regulatory gaps that it intends to fill.
avoids overlap of different supervisory authorities and includes a cooperation mechanism.
Regarding remote biometric identification, the EDPS supports the idea of a moratorium on the deployment, in the EU, of automated recognition in public spaces of human features, not only of faces but also of gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals, so that an informed and democratic debate can take place and until the moment when the EU and Member States have all the appropriate safeguards, including a comprehensive legal framework in place to guarantee the proportionality of the respective technologies and systems for the specific use case.
The Bundesamt für Verfassungsschutz (BfV), Germany’s domestic security agency, released a summary of its annual report in which it claimed:
The Russian Federation, the People’s Republic of China, the Islamic Republic of Iran and the Republic of Turkey remain the main countries engaged in espionage activities and trying to exert influence on Germany.
The ongoing digital transformation and the increasingly networked nature of our society increases the potential for cyber attacks, worsening the threat of cyber espionage and cyber sabotage.
The intelligence services of the Russian Federation and the People’s Republic of China in particular carry out cyber espionage activities against German agencies. One of their tasks is to boost their own economies with the help of information gathered by the intelligence services. This type of information-gathering campaign severely threatens the success and development opportunities of German companies.
To counteract this threat, Germany has a comprehensive cyber security architecture in place, which is operated by a number of different authorities. The BfV plays a major role in investigating and defending against cyber threats by detecting attacks, attributing them to specific attackers, and using the knowledge gained from this to draw up prevention strategies. The National Cyber Response Centre, in which the BfV plays a key role, was set up to consolidate the co-operation between the competent agencies. The National Cyber Response Centre aims to optimise the exchange of information between state agencies and to improve the co-ordination of protective and defensive measures against potential IT incidents.
“Trump confirms cyberattack on Russian trolls to deter them during 2018 midterms” – The Washington Post. In an interview with former George W. Bush speechwriter Marc Thiessen, President Donald Trump confirmed he ordered a widely reported retaliatory attack on the Russian Federation’s Internet Research Agency as a means of preventing interference during the 2018 mid-term election. Trump claimed this attack he ordered was the first action the United States took against Russian hacking even though his predecessor warned Russian President Vladimir Putin to stop such activities and imposed sanctions at the end of 2016. The timing of Trump’s revelation is interesting given the ongoing furor over reports of Russian bounties paid to Taliban fighters for killing Americans the Trump Administration may have known of but did little or nothing to stop.
“Germany proposes first-ever use of EU cyber sanctions over Russia hacking” – Deutsche Welle. Germany is looking to use the European Union’s (EU) cyber sanctions powers against Russia for its alleged 2015 exfiltration of 16 GB of data from the Bundestag’s systems, including from Chancellor Angela Merkel’s office. Germany has been alleging that Fancy Bear (aka APT28) and Russia’s military secret service GRU carried out the attack. Germany has circulated its case for sanctions to other EU nations and EU leadership. In 2017, the European Council declared “[t]he EU diplomatic response to malicious cyber activities will make full use of measures within the Common Foreign and Security Policy, including, if necessary, restrictive measures…[and] [a] joint EU response to malicious cyber activities would be proportionate to the scope, scale, duration, intensity, complexity, sophistication and impact of the cyber activity.”
“Wyden Plans Law to Stop Cops From Buying Data That Would Need a Warrant” – VICE. Following on a number of reports that federal, state, and local law enforcement agencies are essentially sidestepping the Fourth Amendment through buying location and other data from people’s smartphones, Senator Ron Wyden (D-OR) is going to draft legislation that would seemingly close what he, and other civil libertarians, are calling a loophole to the warrant requirement.
“Amazon Backtracks From Demand That Employees Delete TikTok” – The New York Times. Amazon first instructed its employees to remove ByteDance’s app, TikTok, on 11 July from company devices and then reversed course the same day, claiming the email had been erroneously sent out. The strange episode capped another tumultuous week for ByteDance as the Trump Administration is intensifying pressure in a number of ways on the company, which officials claim is subject to the laws of the People’s Republic of China and hence must share information with the government in Beijing. ByteDance counters that the app is marketed in the United States through a subsidiary not subject to PRC law. ByteDance also said it would no longer offer the app in Hong Kong after the PRC’s change in law extended its reach into the former British colony. TikTok was also recently banned in India as part of a larger struggle between India and the PRC. Additionally, the Democratic National Committee warned staff about using the app this week, too.
“California investigating Google for potential antitrust violations” – Politico. California Attorney General Xavier Becerra is going to conduct his own investigation of Google aside and apart from the investigation of the company’s advertising practices being conducted by virtually every other state in the United States. It was unclear why Becerra opted against joining the larger probe launched in September 2019. Of course, the Trump Administration’s Department of Justice is also investigating Google and could file suit as early as this month.
“How May Google Fight an Antitrust Case? Look at This Little-Noticed Paper” – The New York Times. In a filing with the Australian Competition and Consumer Commission (ACCC), Google claimed it does not control the online advertising market and that this is borne out by a number of indicia that argue against a monopolistic situation. The company is likely to make the same case to the United States’ government in its antitrust inquiry. However, similar arguments did not gain traction before the European Commission, which levied a €1.49 billion fine for “breaching EU antitrust rules” in March 2019.
“Who Gets the Banhammer Now?” – The New York Times. This article examines possible motives for the recent wave of action by social media platforms to police a fraction of the extreme and hateful speech activists and others have been asking them to take down for years. This piece makes the argument that social media platforms are businesses and operate as such and expecting them to behave as de facto public squares dedicated to civil political and societal discourse is more or less how we ended up where we are.
“TikTok goes tit-for-tat in appeal to MPs: ‘stop political football’” – The Australian. ByteDance is lobbying hard in Canberra to talk Ministers of Parliament out of possibly banning TikTok like the United States has said it is considering. While ByteDance claims the data collected on users in Australia is sent to the US or Singapore, some experts are arguing that just maintaining and improving the app would necessarily result in some non-People’s Republic of China (PRC) user data making its way back to the PRC. As Australia’s relationship with the PRC has grown more fraught, with allegations that PRC hackers infiltrated Parliament and the Prime Minister all but saying PRC hackers were targeting hospitals and medical facilities, the government in Canberra could follow India’s lead and ban the app.
“Calls for inquiry over claims Catalan lawmaker’s phone was targeted” – The Guardian. British and Spanish newspapers are reporting that an official in Catalonia who favors separating the region from Spain may have had his smartphone compromised with industrial grade spyware typically used only by law enforcement and counterterrorism agencies. The President of the Parliament of Catalonia Roger Torrent claims his phone was hacked for domestic political purposes, which other Catalan leaders argued, too. A spokesperson for the Spanish government said “[t]he government has no evidence that the speaker of the Catalan parliament has been the victim of a hack or theft involving his mobile.” However, the University of Toronto’s CitizenLab, the entity that researched and claimed that Israeli firm NSO Group’s spyware was deployed via WhatsApp to spy on a range of journalists, officials, and dissidents, often by their own governments, confirmed that Torrent’s phone was compromised.
“How Facebook Handles Climate Disinformation” – The New York Times. Even though the social media giant has moved aggressively to take down false and inaccurate COVID-19 posts, climate disinformation lives on the social media platform largely unmolested for a couple of reasons. First, Facebook marks these sorts of posts as opinion and takes the approach that opinions should be judged under an absolutist free speech regime. Moreover, Facebook asserts posts of this sort do not pose any imminent harm and therefore do not need to be taken down. Despite having teams of fact checkers to vet posts of demonstrably untrue information, Facebook chooses not to, most likely because material that elicits strong reactions from users drives engagement that, in turn, drives advertising dollars.
“UK selling spyware and wiretaps to 17 repressive regimes including Saudi Arabia and China” – The Independent. There are allegations that the British government has ignored its own regulations on selling equipment and systems that can be used for surveillance and spying to other governments with spotty human rights records. Specifically, the United Kingdom (UK) has sold £75m of such equipment to countries that non-governmental organizations (NGO) rate as “not free.” The claims include nations such as the People’s Republic of China (PRC), the Kingdom of Saudi Arabia, Bahrain, and others. Not surprisingly, NGOs and the minority Labour party are calling for an investigation and changes.
“Google sued for allegedly tracking users in apps even after opting out” – c/net. Boies Schiller Flexner filed what will undoubtedly seek to become a class action suit over Google’s allegedly continuing to track users even when they turned off tracking features. This follows a suit filed by the same firm against Google in June, claiming its browser Chrome still tracks people when they switch to incognito mode.
“Secret Trump order gives CIA more powers to launch cyberattacks” – Yahoo! News. It turns out that in addition to signing National Security Presidential Memorandum (NSPM) 13 that revamped and eased offensive cyber operations for the Department of Defense, President Donald Trump signed a presidential finding that has allowed the Central Intelligence Agency (CIA) to launch its own offensive cyber attacks, mainly at Russia and Iran, according to unnamed former United States (US) officials cited in this blockbuster story. Now, the decision to commence with an attack is not vetted by the National Security Council; rather, the CIA makes the decision. Consequently, there have been a number of attacks on US adversaries that until now have not been associated with the US. And, the CIA is apparently not informing the National Security Agency or Cyber Command of its operations, raising the risk of US cyber forces working at cross purposes or against one another in cyberspace. Moreover, a recently released report blamed the lax security environment at the CIA for a massive exfiltration of hacking tools released by Wikileaks.
“Facebook’s plan for privacy laws? ‘Co-creating’ them with Congress” – Protocol. In concert with the release of a new white paper, Facebook Deputy Chief Privacy Officer Rob Sherman sat for an interview in which he pledged the company’s willingness to work with Congress to co-develop a national privacy law. However, he would not comment on any of the many privacy bills released thus far or the policy contours of a bill Facebook would favor except for advocating for an enhanced notice and consent regime under which people would be better informed about how their data is being used. Sherman also shrugged off suggestions Facebook may not be welcome given its record of privacy violations. Finally, it bears mention that similar efforts by other companies at the state level have not succeeded as of yet. For example, Microsoft’s efforts in Washington state have not borne fruit in the passage of a privacy law.
“Deepfake used to attack activist couple shows new disinformation frontier” – Reuters. We are at the beginning of a new age of disinformation in which fake photographs and video will be used to wage campaigns against nations, causes, and people. An activist and his wife were accused of being terrorist sympathizers by a university student who apparently was an elaborate ruse for someone or some group looking to defame the couple. Small errors gave away the ruse this time, but advances in technology are likely to make detection all the harder.
“Biden, billionaires and corporate accounts targeted in Twitter hack” – The Washington Post. Policymakers and security experts were alarmed when the accounts of major figures like Bill Gates and Barack Obama were hacked yesterday by some group seeking to sell bitcoin. They argue Twitter was lucky this time and a more ideologically motivated enemy may seek to cause havoc, say on the United States’ coming election. A number of experts are claiming that internal controls must have been penetrated for so many high profile accounts to be taken over at the same time.
“TikTok Enlists Army of Lobbyists as Suspicions Over China Ties Grow” – The New York Times. ByteDance’s payments for lobbying services in Washington doubled between the last quarter of 2019 and first quarter of 2020, as the company has retained more than 35 lobbyists to push back against the Trump Administration’s rhetoric and policy changes. The company is fighting against a floated proposal to ban the TikTok app on national security grounds, which would cut the company off from another of its top markets after India banned it and scores of other apps from the People’s Republic of China. Even if the Administration does not bar use of the app in the United States, the company is facing legislation that would ban its use on federal networks and devices that will be acted upon next week by a Senate committee. Moreover, ByteDance’s acquisition of the app that became TikTok is facing a retrospective review by an inter-agency committee for national security considerations that could result in an unwinding of the deal. In addition, the Federal Trade Commission (FTC) has been urged to review ByteDance’s compliance with a 2019 settlement of claims that the company violated regulations protecting the privacy of children, a review that could result in multi-billion dollar liability if wrongdoing is found.
“Why Google and Facebook Are Racing to Invest in India” – Foreign Policy. With New Delhi banning 59 apps and platforms from the People’s Republic of China (PRC), two American firms have invested in an Indian giant with an eye toward the nearly 500 million Indians not yet online. Reliance Industries’ Jio Platforms has sold stakes to Google and Facebook worth $4.5 billion and $5.7 billion that give them prized positions as the company looks to expand into 5G and other online ventures. This will undoubtedly give a leg up to the United States’ online giants in vying with competitors in the world’s second most populous nation.
““Outright Lies”: Voting Misinformation Flourishes on Facebook” – ProPublica. In this piece published with First Draft, “a global nonprofit that researches misinformation,” an analysis of the most popular claims made about mail voting shows that many of them are inaccurate or false, thus violating the platform’s terms of service, yet Facebook had done nothing to remove them or mark them as inaccurate until this article was being written.
“Inside America’s Secretive $2 Billion Research Hub” – Forbes. Using contract information obtained through Freedom of Information requests and interviews, light is shined on the little known non-profit MITRE Corporation that has been helping the United States government address numerous technological problems since the late 1950’s. The article uncovers some of its latest, federally funded projects that are raising eyebrows among privacy advocates: technology to lift people’s fingerprints from social media pictures, technology to scan and copy Internet of Things (IoT) devices from a distance, a scanner to read a person’s DNA, and others.
“The FBI Is Secretly Using A $2 Billion Travel Company As A Global Surveillance Tool” – Forbes. In his second blockbuster article in a week, Forbes reporter Thomas Brewster exposes how the United States (US) government is using questionable court orders to gather travel information from the three companies that essentially provide airlines, hotels, and other travel entities with back-end functions with respect to reservations and bookings. The three companies, one of which, Sabre, is a US multinational, have masses of information on you if you have ever traveled, and US law enforcement agencies, namely the Federal Bureau of Investigation, are using a 1789 statute to obtain orders all three companies have to obey for information in tracking suspects. Allegedly, this capability has only been used to track terror suspects but will now reportedly be used for COVID-19 tracking.