A number of tech ballot initiatives were considered.
There were a number of significant technology measures put before voters in several states in yesterday’s election. The most significant were in California, where voters agreed to replace the “California Consumer Privacy Act” (CCPA) (AB 375) with a new privacy law, approved another technology-related ballot initiative, and rejected a third. In voting for Proposition 24, California voters chose to replace the recently effective CCPA with the “California Privacy Rights Act” (CPRA) (see here for my analysis), which will largely become operative on 1 January 2023, meaning the CCPA will remain the law of California until then unless a federal privacy law is enacted that preempts all state laws.
California voters also approved Proposition 22, which would allow Uber, Lyft and other companies to “Classif[y] app-based drivers as “independent contractors,” instead of “employees,” and provide independent-contractor drivers other compensation, unless certain criteria are met.” This ballot initiative would essentially negate AB 5, legislation that codified a court ruling creating the presumption that a person hired by an employer is an employee and not a contractor. Uber and Lyft have been fighting enforcement of AB 5 in court.
Voters also rejected Proposition 25, which would have permitted a 2018 statute to take effect that would have abolished cash bail in California in favor of a system that determines who gets bail on the basis of algorithms. Elsewhere, Michigan voters overwhelmingly supported Proposal 20-2 (Require Warrant for Electronic Data), which would change state law so that electronic communications data is protected to the extent that police would need to obtain a search warrant before accessing it. In Massachusetts, voters supported expanding the state’s automotive right-to-repair law to require auto manufacturers to make telematics data available to third-party repair garages. This law is seen as a precursor of a similar right to repair hardware that could soon be placed on ballots throughout the United States.
In what may be the first such case, a company’s former security officer has been charged with two federal crimes for hiding the details of a subsequent breach from an agency that was investigating an earlier breach.
The United States Attorney in Northern California has filed a criminal complaint against Uber’s former chief security officer for allegedly trying to conceal information from the Federal Trade Commission (FTC) in its investigation of a 2014 hack of the ride-sharing company. Reportedly, former Uber Chief Security Officer James Sullivan hid details of a 2016 hack from the FTC days after being deposed on the 2014 hack. This latter hack resulted in hackers obtaining the personal information of 57 million people and 600,000 drivers, and Sullivan allegedly hid this breach from the leadership of Uber as well. The complaint hinted at other hacks the Uber hackers were able to execute, in large part, because Sullivan hushed up his company’s breach. This may be the first time the United States (U.S.) Department of Justice (DOJ) has sought to hold an employee of a breached company criminally liable for his actions, and it may signal a means the U.S. government will use to prosecute companies and employees that hide or obscure hacks and other potentially negative events.
In the affidavit accompanying the complaint, a Federal Bureau of Investigation (FBI) agent asserted “when SULLIVAN learned that Uber’s systems had been hacked in approximately November 2016—approximately ten days after SULLIVAN had provided sworn testimony to the FTC—SULLIVAN engaged in a scheme to withhold and conceal from the FTC both the hack itself and the fact that the data breach had resulted in the hackers obtaining millions of records associated with Uber’s users and drivers.” Sullivan purportedly hid the breach from Uber’s new leadership and “instructed his team to keep knowledge of the 2016 Breach tightly controlled.” Thereafter, Sullivan “instructed the team that knowledge of the breach was to be disclosed outside the security team only on a need-to-know basis and the company was going to treat the incident under its “bug bounty” program…[and] arranged for its bug bounty vendor to pay the hackers $100,000, which at the time was by far the largest bounty that Uber had ever paid through the program.” Sullivan “further insisted that the hackers agree to sign non-disclosure agreements (“NDAs”) in exchange for the $100,000 bounty payment that would supplement the standard terms of Uber’s bug bounty program.”
The FBI agent added:
On November 21, 2017, Uber’s new CEO issued a press release stating that he had recently become aware of the details of the 2016 Breach. At approximately the same time, the 2016 Breach was disclosed to the FTC. By November 2017, Uber and the FTC had reached a tentative agreement resolving the FTC’s investigation, which included a draft complaint and consent order with various provisions Uber was required to comply with. The agreement was not yet final, and after the FTC learned of the 2016 Breach, it effectively withdrew from that tentative agreement.
In light of the new information regarding the 2016 Breach, the FTC effectively withdrew its previous settlement terms and added further requirements to the resolution with Uber. The revised draft complaint included a recitation of facts related to the 2016 Breach, and the revised draft consent order withdrew certain concessions it had made to Uber and added a new, affirmative notification provision regarding any future breaches. The FTC gave final approval to the revised Complaint and Consent Order on October 26, 2018.
The FBI agent claimed:
[T]here is probable cause to believe that the defendant engaged in a cover-up intended to obstruct the lawful functions and official proceedings of the Federal Trade Commission. SULLIVAN intended that the cover-up would obscure from the proceedings before the FTC that Uber had been breached again in 2016 during the FTC’s pending proceedings. SULLIVAN further intended that the cover-up would obscure from the FTC’s proceedings that millions of additional individuals had their personal data—kept by Uber—accessed and downloaded by hackers. It is my belief that SULLIVAN further intended to spare Uber and SULLIVAN negative publicity and loss of users and drivers that would have stemmed from disclosure of the hack and data breach.
I further believe that there is probable cause to believe that SULLIVAN was aware of the illegal hack of Uber in 2016. Despite that knowledge, SULLIVAN did not report the illegal hack to law enforcement. Additionally, SULLIVAN took it upon himself and Uber to conceal and disguise the hack from law enforcement and from the public. In so doing, SULLIVAN and Uber prevented law enforcement from apprehending the hackers. Had SULLIVAN and Uber promptly reported the illegal hack to law enforcement, the hacks of multiple additional large tech companies and the theft of the personal data of millions of additional customers and users may have been prevented. The illegal hack was not disclosed to the FTC, to law enforcement, and to the public until new management took over these decisions at Uber.
The DOJ charged Sullivan with obstruction of justice and misprision of a felony; if convicted, he faces a total of eight years in prison, a $500,000 fine and other possible punishment.