ePrivacy Exception Proposed

Late last month, a broad exception to the EU’s privacy regulations became effective.

My apologies. The first version of this post erroneously asserted the derogation to the ePrivacy Directive had been enacted. It has not, and this post has been re-titled and updated to reflect this fact.

As the European Union (EU) continues to work on enacting a modernized ePrivacy Directive (Directive 2002/58/EC) to complement the General Data Protection Regulation (GDPR), it proposed an exemption to manage a change in another EU law to sweep “number-independent interpersonal communications services” into the current regulatory structure of electronics communication. The policy justification for allowing a categorical exemption to the ePrivacy Directive is for combatting child sexual abuse online. This derogation of EU law is limited to at most five years and quite possibly less time if the EU can enact a successor to the ePrivacy Directive, an ePrivacy Regulation. However, it is unclear when this derogation will be agreed upon and enacted.

In September 2020, the European Commission (EC) issued “a Proposal for a Regulation on a temporary derogation from certain provisions of the ePrivacy Directive 2002/58/EC as regards the use of technologies by number-independent interpersonal communicationsservice providers for the processing of personal and other data for the purpose of combatting child sexual abuse online.” The final regulation took effect on 21 December 2020. However, the EC has also issued a draft of compromise ePrivacy Regulation, the results of extensive communications. The GDPR was enacted with an update of the ePrivacy Directive in mind.

In early December, an EU Parliament committee approved the proposed derogation but the full Parliament has not yet acted upon the measure. The Parliament needs to reach agreement with the Presidency of the Council and the European Commission. In its press release, the Civil Liberties, Justice and Home Affairs explained:

The proposed regulation will provide for limited and temporary changes to the rules governing the privacy of electronic communications so that over the top (“OTT”) communication interpersonal services, such as web messaging, voice over Internet Protocol (VoIP), chat and web-based email services, can continue to detect, report and remove child sexual abuse online on a voluntary basis.

Article 1 sets out the scope and aim of the temporary regulation:

This Regulation lays down temporary and strictly limited rules derogating from certain obligations laid down in Directive 2002/58/EC, with the sole objective of enabling providers of number-independent interpersonal communications services to continue the use of technologies for the processing of personal and other data to the extent necessary to detect and report child sexual abuse online and remove child sexual abuse material on their services.

The EC explained the legal and policy background for the exemption to the ePrivacy Directive:

  • On 21 December 2020, with the entry into application of the European Electronic Communications Code (EECC), the definition of electronic communications services will be replaced by a new definition, which includes number-independent interpersonal communications services. From that date on, these services will, therefore, be covered by the ePrivacy Directive, which relies on the definition of the EECC. This change concerns communications services like webmail messaging services and internet telephony.
  • Certain providers of number-independent interpersonal communications services are already using specific technologies to detect child sexual abuse on their services and report it to law enforcement authorities and to organisations acting in the public interest against child sexual abuse, and/or to remove child sexual abuse material. These organisations refer to national hotlines for reporting child sexual abuse material, as well as organisations whose purpose is to reduce child sexual exploitation, and prevent child victimisation, located both within the EU and in third countries.
  • Child sexual abuse is a particularly serious crime that has wide-ranging and serious life-long consequences for victims. In hurting children, these crimes also cause significant and long- term social harm. The fight against child sexual abuse is a priority for the EU. On 24 July 2020, the European Commission adopted an EU strategy for a more effective fight against child sexual abuse, which aims to provide an effective response, at EU level, to the crime of child sexual abuse. The Commission announced that it will propose the necessary legislation to tackle child sexual abuse online effectively including by requiring relevant online services providers to detect known child sexual abuse material and oblige them to report that material to public authorities by the second quarter of 2021. The announced legislation will be intended to replace this Regulation, by putting in place mandatory measures to detect and report child sexual abuse, in order to bring more clarity and certainty to the work of both law enforcement and relevant actors in the private sector to tackle online abuse, while ensuring respect of the fundamental rights of the users, including in particular the right to freedom of expression and opinion, protection of personal data and privacy, and providing for mechanisms to ensure accountability and transparency.

The EC baldly asserts the problem of child online sexual abuse justifies a loophole to the broad prohibition on violating the privacy of EU persons. The EC did note that the fight against this sort of crime is a political priority for the EC, one that ostensibly puts the EU close to the views of the Five Eyes nations that have been pressuring technology companies to end the practice of making apps and hardware encrypted by default.

The EC explained:

The present proposal therefore presents a narrow and targeted legislative interim solution with the sole objective of creating a temporary and strictly limited derogation from the applicability of Articles 5(1) and 6 of the ePrivacy Directive, which protect the confidentiality of communications and traffic data. This proposal respects the fundamental rights, including the rights to privacy and protection of personal data, while enabling providers of number-independent interpersonal communications services to continue using specific technologies and continue their current activities to the extent necessary to detect and report child sexual abuse online and remove child sexual abuse material on their services, pending the adoption of the announced long- term legislation. Voluntary efforts to detect solicitation of children for sexual purposes (“grooming”) also must be limited to the use of existing, state-of-the-art technology that corresponds to the safeguards set out. This Regulation should cease to apply in December 2025.

The EC added “[i]n case the announced long-term legislation is adopted and enters into force prior to this date, that legislation should repeal the present Regulation.”

In November, the European Data Protections Supervisor (EDPS) Wojciech Wiewiorówski published his opinion on the temporary, limited derogation from the EU’s regulation on electronics communication and privacy. Wiewiorówski cautioned that a short-term exception, however well-intended, would lead to future loopholes that would ultimately undermine the purpose of the legislation. Moreover, Wiewiorówski found that the derogation was not sufficiently specific guidance and safeguards and is not proportional. Wiewiorówski argued:

  • In particular, he notes that the measures envisaged by the Proposal would constitute an interference with the fundamental rights to respect for private life and data protection of all users of very popular electronic communications services, such as instant messaging platforms and applications. Confidentiality of communications is a cornerstone of the fundamental rights to respect for private and family life. Even voluntary measures by private companies constitute an interference with these rights when the measures involve the monitoring and analysis of the content of communications and processing of personal data.
  • The EDPS wishes to underline that the issues at stake are not specific to the fight against child abuse but to any initiative aiming at collaboration of the private sector for law enforcement purposes. If adopted, the Proposal, will inevitably serve as a precedent for future legislation in this field. The EDPS therefore considers it essential that the Proposal is not adopted, even in the form a temporary derogation, until all the necessary safeguards set out in this Opinion are integrated.
  • In particular, in the interest of legal certainty, the EDPS considers that it is necessary to clarify whether the Proposal itself is intended to provide a legal basis for the processing within the meaning of the GDPR, or not. If not, the EDPS recommends clarifying explicitly in the Proposal which legal basis under the GDPR would be applicable in this particular case.
  • In this regard, the EDPS stresses that guidance by data protection authorities cannot substitute compliance with the requirement of legality. It is insufficient to provide that the temporary derogation is “without prejudice” to the GDPR and to mandate prior consultation of data protection authorities. The co-legislature must take its responsibility and ensure that the proposed derogation complies with the requirements of Article 15(1), as interpreted by the CJEU.
  • In order to satisfy the requirement of proportionality, the legislation must lay down clear and precise rules governing the scope and application of the measures in question and imposing minimum safeguards, so that the persons whose personal data is affected have sufficient guarantees that data will be effectively protected against the risk of abuse.
  • Finally, the EDPS is of the view that the five-year period as proposed does not appear proportional given the absence of (a) a prior demonstration of the proportionality of the envisaged measure and (b) the inclusion of sufficient safeguards within the text of the legislation. He considers that the validity of any transitional measure should not exceed 2 years.

The Five Eyes nations (Australia, Canada, New Zealand, the United Kingdom, and the United States) issued a joint statement in which their ministers called for quick action.

In this statement, we highlight how from 21 December 2020, the ePrivacy Directive, applied without derogation, will make it easier for children to be sexually exploited and abused without detection – and how the ePrivacy Directive could make it impossible both for providers of internet communications services, and for law enforcement, to investigate and prevent such exploitation and abuse. It is accordingly essential that the European Union adopt urgently the derogation to the ePrivacy Directive as proposed by the European Commission in order for the essential work carried out by service providers to shield endangered children in Europe and around the world to continue.

Without decisive action, from 21 December 2020 internet-based messaging services and e-mail services captured by the European Electronic Communications Code’s (EECC) new, broader definition of ‘electronic communications services’ are covered by the ePrivacy Directive. The providers of electronic communications services must comply with the obligation to respect the confidentiality of communications and the conditions for processing communications data in accordance with the ePrivacy Directive. In the absence of any relevant national measures made under Article 15 of that Directive, this will have the effect of making it illegal for service providers operating within the EU to use their current tools to protect children, with the impact on victims felt worldwide.

As mentioned, this derogation comes at a time when the EC and the EU nations are trying to finalize and enact an ePrivacy Regulation. In the original 2017 proposal, the EC stated:

The ePrivacy Directive ensures the protection of fundamental rights and freedoms, in particular the respect for private life, confidentiality of communications and the protection of personal data in the electronic communications sector. It also guarantees the free movement of electronic communications data, equipment and services in the Union.

The ePrivacy Regulation is intended to work in concert with the GDPR, and the draft 2020 regulation contains the following passages explaining the intended interplay of the two regulatory schemes:

  • Regulation (EU) 2016/679 regulates the protection of personal data. This Regulation protects in addition the respect for private life and communications. The provisions of this Regulation particularise and complement the general rules on the protection of personal data laid down in Regulation (EU) 2016/679. This Regulation therefore does not lower the level of protection enjoyed by natural persons under Regulation (EU) 2016/679. The provisions particularise Regulation (EU) 2016/679 as regards personal data by translating its principles into specific rules. If no specific rules are established in this Regulation, Regulation (EU) 2016/679 should apply to any processing of data that qualify as personal data. The provisions complement Regulation (EU) 2016/679 by setting forth rules regarding subject matters that are not within the scope of Regulation (EU) 2016/679, such as the protection of the rights of end-users who are legal persons. Processing of electronic communications data by providers of electronic communications services and networks should only be permitted in accordance with this Regulation. This Regulation does not impose any obligations on the end-user End-users who are legal persons may have rights conferred by Regulation (EU) 2016/679 to the extent specifically required by this Regulation
  • While the principles and main provisions of Directive 2002/58/EC of the European Parliament and of the Council remain generally sound, that Directive has not fully kept pace with the evolution of technological and market reality, resulting in an inconsistent or insufficient effective protection of privacy and confidentiality in relation to electronic communications. Those developments include the entrance on the market of electronic communications services that from a consumer perspective are substitutable to traditional services, but do not have to comply with the same set of rules. Another development concerns new techniques that allow for tracking of online behaviour of end-users, which are not covered by Directive 2002/58/EC. Directive 2002/58/EC should therefore be repealed and replaced by this Regulation.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Guillaume Périgois on Unsplash

Further Reading, Other Developments, and Coming Events (14 December)

Further Reading

  • Russian Hackers Broke Into Federal Agencies, U.S. Officials Suspect” By David Sanger — The New York Times.; “Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce” By Ellen Nakashima and Craig Timberg — The Washington Post; “Suspected Russian hackers spied on U.S. Treasury emails – sources” By Chris Bing — Reuters. Apparently, Sluzhba vneshney razvedki Rossiyskoy Federatsii (SVR), the Russian Federation’s Foreign Intelligence Service, has exploited a vulnerability in SolarWinds’ update system used by many United States (U.S.) government systems, Fortune 500 companies, and the U.S.’ top ten largest telecommunications companies. Reportedly, APT29 (aka Cozy Bear) has had free reign in the email systems of the Departments of the Treasury and Commerce among other possible victims. The hackers may have also accessed a range of other entities around the world using the same SolarWind system. Moreover, these penetrations may be related to the recently announced theft of hacking tools a private firm, FireEye, used to test clients’ systems.
  • Hackers steal Pfizer/BioNTech COVID-19 vaccine data in Europe, companies say” By Jack Stubbs — Reuters. The European Union’s (EU) agency that oversees and approve medications has been hacked, and documents related to one of the new COVID-19 vaccines may have been stolen. The European Medicines Agency (EMA) was apparently penetrated, and materials related to Pfizer and BioNTech’s vaccine were exfiltrated. The scope of the theft is not yet known, but this is the latest in many attempts to hack into the entities conducting research on the virus and potential vaccines.
  • The AI Girlfriend Seducing China’s Lonely Men” By Zhang Wanqing — Sixth Tone. A chat bot powered by artificial intelligence that some men in the People’s Republic of China (PRC) are using extensively raises all sorts of ethical and privacy issues. Lonely people have turned to this AI technology and have confided their deepest feelings, which are stored by the company. It seems like a matter of time until these data are mined for commercial value or hacked. Also, the chatbot has run afoul of PRC’s censorship policies. Finally, is this a preview of the world to come, much like the 2013 film, Her, in which humans have relationships with AI beings?
  • YouTube will now remove videos disputing Joe Biden’s election victory” By Makena Kelly — The Verge. The Google subsidiary announced that because the safe harbor deadline has been reached and a sufficient number of states have certified President-elect Joe Biden, the platform will begin taking down misleading election videos. This change in policy may have come about, in part, because of pressure from Democrats in Congress about what they see as Google’s lackluster efforts to find and remove lies, misinformation, and disinformation about the 2020 election.
  • Lots of people are gunning for Google. Meet the man who might have the best shot.” By Emily Birnbaum — Protocol. Colorado Attorney General Phil Weiser may be uniquely qualified to lead state attorneys general on a second antitrust and anti-competition action against Google given his background as a law professor steeped in antitrust and his background in the Department of Justice and White House during the Obama Administration.

Other Developments

  • Cybersecurity firm, FireEye, revealed it was “attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack” according to CEO Kevin Mandia. This hacking may be related to vast penetration of United States (U.S.) government systems revealed over the weekend. Mandia stated FireEye has “found that the attacker targeted and accessed certain Red Team assessment tools that we use to test our customers’ security…[that] mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers.” Mandia claimed none of these tools were zero-day exploits. FireEye is “proactively releasing methods and means to detect the use of our stolen Red Team tools…[and] out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools.
    • Mandia added:
      • Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers. While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems. If we discover that customer information was taken, we will contact them directly.
      • Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.
      • We are actively investigating in coordination with the Federal Bureau of Investigation and other key partners, including Microsoft. Their initial analysis supports our conclusion that this was the work of a highly sophisticated state-sponsored attacker utilizing novel techniques.    
  • The United States’ (U.S.) Department of Justice filed suit against Facebook for “tactics that discriminated against U.S. workers and routinely preferred temporary visa holders (including H-1B visa holders) for jobs in connection with the permanent labor certification (PERM) process.” The DOJ is asking for injunction to stop Facebook from engaging in the alleged conduct, civil penalties, and damages for workers harmed by this conduct.
    • The DOJ contended:
      • The department’s lawsuit alleges that beginning no later than Jan. 1, 2018 and lasting until at least Sept. 18, 2019, Facebook employed tactics that discriminated against U.S. workers and routinely preferred temporary visa holders (including H-1B visa holders) for jobs in connection with the PERM process. Rather than conducting a genuine search for qualified and available U.S. workers for permanent positions sought by these temporary visa holders, Facebook reserved the positions for temporary visa holders because of their immigration status, according to the complaint. The complaint also alleges that Facebook sought to channel jobs to temporary visa holders at the expense of U.S. workers by failing to advertise those vacancies on its careers website, requiring applicants to apply by physical mail only, and refusing to consider any U.S. workers who applied for those positions. In contrast, Facebook’s usual hiring process relies on recruitment methods designed to encourage applications by advertising positions on its careers website, accepting electronic applications, and not pre-selecting candidates to be hired based on a candidate’s immigration status, according to the lawsuit.
      • In its investigation, the department determined that Facebook’s ineffective recruitment methods dissuaded U.S. workers from applying to its PERM positions. The department concluded that, during the relevant period, Facebook received zero or one U.S. worker applicants for 99.7 percent of its PERM positions, while comparable positions at Facebook that were advertised on its careers website during a similar time period typically attracted 100 or more applicants each. These U.S. workers were denied an opportunity to be considered for the jobs Facebook sought to channel to temporary visa holders, according to the lawsuit. 
      • Not only do Facebook’s alleged practices discriminate against U.S. workers, they have adverse consequences on temporary visa holders by creating an employment relationship that is not on equal terms. An employer that engages in the practices alleged in the lawsuit against Facebook can expect more temporary visa holders to apply for positions and increased retention post-hire. Such temporary visa holders often have limited job mobility and thus are likely to remain with their company until they can adjust status, which for some can be decades.
      • The United States’ complaint seeks civil penalties, back pay on behalf of U.S. workers denied employment at Facebook due to the alleged discrimination in favor of temporary visa holders, and other relief to ensure Facebook stops the alleged violations in the future. According to the lawsuit, and based on the department’s nearly two-year investigation, Facebook’s discrimination against U.S. workers was intentional, widespread, and in violation of a provision of the Immigration and Nationality Act (INA), 8 U.S.C. § 1324b(a)(1), that the Department of Justice’s Civil Rights Division enforces. 
  • A trio of consumer authority regulators took the lead in coming into agreement with Apple to add “a new section to each app’s product page in its App Store, containing key information about the data the app collects and an accessible summary of the most important information from the privacy policy.” The United Kingdom’s UK’s Competition and Markets Authority (CMA), the Netherlands Authority for Consumers and Markets and the Norwegian Consumer Authority led the effort that “ongoing work from the International Consumer Protection and Enforcement Network (ICPEN), involving 27 of its consumer authority members across the world.” The three agencies explained:
    • Consumer protection authorities, including the CMA, became concerned that people were not being given clear information on how their personal data would be used before choosing an app, including on whether the app developer would share their personal data with a third party. Without this information, consumers are unable to compare and choose apps based on how they use personal data.
  • Australia’s Council of Financial Regulators (CFR) has released a Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework “to test and demonstrate the cyber maturity and resilience of institutions within the Australian financial services industry.”

Coming Events

  • On 15 December, the Senate Judiciary Committee’s Intellectual Property Subcommittee will hold a hearing titled “The Role of Private Agreements and Existing Technology in Curbing Online Piracy” with these witnesses:
    • Panel I
      • Ms. Ruth Vitale, Chief Executive Officer, CreativeFuture
      • Mr. Probir Mehta, Head of Global Intellectual Property and Trade Policy, Facebook, Inc.
      • Mr. Mitch Glazier, Chairman and CEO, Recording Industry Association of America
      • Mr. Joshua Lamel, Executive Director, Re:Create
    • Panel II
      • Ms. Katherine Oyama, Global Director of Business Public Policy, YouTube
      • Mr. Keith Kupferschmid, Chief Executive Officer, Copyright Alliance
      • Mr. Noah Becker, President and Co-Founder, AdRev
      • Mr. Dean S. Marks, Executive Director and Legal Counsel, Coalition for Online Accountability
  • The Senate Armed Services Committee’s Cybersecurity Subcommittee will hold a closed briefing on Department of Defense Cyber Operations on 15 December with these witnesses:
    • Mr. Thomas C. Wingfield, Deputy Assistant Secretary of Defense for Cyber Policy, Office of the Under Secretary of Defense for Policy
    • Mr. Jeffrey R. Jones, Vice Director, Command, Control, Communications and Computers/Cyber, Joint Staff, J-6
    • Ms. Katherine E. Arrington, Chief Information Security Officer for the Assistant Secretary of Defense for Acquisition, Office of the Under Secretary of Defense for Acquisition and Sustainment
    • Rear Admiral Jeffrey Czerewko, United States Navy, Deputy Director, Global Operations, J39, J3, Joint Staff
  • The Senate Banking, Housing, and Urban Affairs Committee’s Economic Policy Subcommittee will conduct a hearing titled “US-China: Winning the Economic Competition, Part II” on 16 December with these witnesses:
    • The Honorable Will Hurd, Member, United States House of Representatives;
    • Derek Scissors, Resident Scholar, American Enterprise Institute;
    • Melanie M. Hart, Ph.D., Senior Fellow and Director for China Policy, Center for American Progress; and
    • Roy Houseman, Legislative Director, United Steelworkers (USW).
  • On 17 December the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (CISA) Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force will convene for a virtual event, “Partnership in Action: Driving Supply Chain Security.”

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by stein egil liland from Pexels

Privacy Shield Hearing

The focus was on how the U.S. and EU can reach agreement on an arrangement that will not be struck down by the EU’s highest court.

Last week, the Senate Commerce, Science, and Transportation Committee held a hearing on the now invalidated European Union (EU)-United States (U.S.) Privacy Shield, a mechanism that allowed companies to transfer the personal data of EU residents to the U.S. The EU’s highest court struck down the adequacy decision that underpinned the system on the basis of U.S. surveillance activities and lack of redress that violated EU law. This is the second time in the decade the EU’s top court has invalidated a transfer arrangement, the first being the Safe Harbor system. Given the estimated billions, or even trillions, of dollars in value realized from data flows between the EU and U.S. there is keen interest on both sides of the Atlantic in finding a legal path forward. However, absent significant curtailment of U.S. surveillance and/or a significant expansion of the means by which EU nationals could have violations of their rights rectified, it would appear a third agreement may not withstand the inevitable legal challenges. Moreover, there are questions as to the legality of other transfer tools in light of the Court of Justice for the European Union’s decision in the case known as Schrems II, and the legality of some Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR) may be soon be found in violation, too.

Consequently, a legislative fix, or some portion thereof, could be attached to federal privacy legislation. Hence, the striking down of Privacy Shield may provide additional impetus to Congress and the next Administration to reach a deal on privacy. Moreover, the lapsed reauthorization of some Foreign Intelligence Surveillance Act authorities may be another legislative opportunity for the U.S. to craft an approach amendable to the EU in order to either obtain an adequacy decision or a successor agreement to the Privacy Shield.

Chair Roger Wicker (R-MS) approached the issue from the perspective of international trade and the economic benefit accruing to businesses on both sides of the Atlantic. His opening remarks pertained less to the privacy and surveillance aspects of the CJEU’s ruling. Wicker appears to be making the case that the EU seems to misunderstand that redress rights in the U.S. are more than adequate, and the U.S.’ surveillance regime is similar to those of some EU nations. One wonders if the CJEU is inclined to agree with this position. Nonetheless, Wicker expressed hope that the EU and U.S. can reach “a durable and lasting data transfer framework…that provides meaningful data protections to consumers, sustains the free flow of information across the Atlantic, and encourages continued economic and strategic partnership with our European allies – a tall order but an essential order.” He worried about the effect of the CJEU’s ruling on SCCs. Wicker made the case that the EU and U.S. share democratic values and hinted that the ongoing talks in the committee to reach a federal data privacy law might include augmented redress rights that might satisfy the CJEU.

Ranking Member Maria Cantwell (D-WA) spoke very broadly about a range of issues related to data transfers and privacy. She stressed the importance of data flows in the context of larger trade relations. Cantwell also stressed the shared values between the U.S. and the EU and her hope that the two entities work “together on these very important national concerns, trade and technology, so that we can continue to improve economic opportunities and avoid moves towards protectionism.” She also called for federal privacy legislation but hinted that states should still be able to regulate privacy, suggesting her commitment to having a federal law be a floor for state laws. Cantwell also asserted that bulk surveillance, the likes of which the National security Agency has engaged in, may simply not be legal under EU law.

Deputy Assistant Secretary of Commerce for Services James Sullivan blurred the issues presented by Schrems II much like Cantwell did. The CJEU’s decision that focused on U.S. surveillance practices and the lack of meaningful recourse in the U.S. if an EU resident’s rights were violated was merged into a call for like-minded nations to unite against authoritarian nations. Sullivan distinguished between U.S. surveillance and the surveillance conducted by the People’s Republic of China (without naming the nation) and other regimes as if this should satisfy the EU as to the legality and propriety of U.S. treatment of EU personal data. Sullivan stated:

  • The Schrems II decision has created enormous uncertainties for U.S. companies and the transatlantic economy at a particularly precarious time. Immediately upon issuance of the ruling, the 5,400 Privacy Shield participants and their business partners in the EU could no longer rely on the Framework as a lawful basis for transferring personal data from Europe to the United States. Because neither the Court nor European data protection authorities provided for any enforcement grace period, Privacy Shield companies were left with three choices: (1) risk facing potentially huge fines (of up to 4 percent of total global turnover in the preceding year) for violating GDPR, (2) withdraw from the European market, or (3) switch right away to another more expensive data transfer mechanism.
  • Unfortunately, because of the Court’s ruling in the Privacy Shield context that U.S. laws relating to government access to data do not confer adequate protections for EU personal data, the use of other mechanisms like SCCs and BCRs to transfer EU personal data to the United States is now in question as well.
  • The objective of any potential agreement between the United States and the European Commission to address Schrems II is to restore the continuity of transatlantic data flows and the Framework’s privacy protections by negotiating targeted enhancements to Privacy Shield that address the Court’s concerns in Schrems II. Any such enhancements must respect the U.S. Government’s security responsibilities to our citizens and allies.
  • To be clear, we expect that any enhancements to the Privacy Shield Framework would also cover transfers under all other EU-approved data transfer mechanisms like SCCs and BCRs as well.
  • The Schrems II decision has underscored the need for a broader discussion among likeminded democracies on the issue of government access to data. Especially as a result of the extensive U.S. surveillance reforms since 2015, the United States affords privacy protections relating to national security data access that are equivalent to or greater than those provided by many other democracies in Europe and elsewhere.
  • To minimize future disruptions to data transfers, we have engaged with the European Union and other democratic nations in a multilateral discussion to develop principles based on common practices for addressing how best to reconcile law enforcement and national security needs for data with protection of individual rights.
  • It is our view that democracies should come together to articulate shared principles regarding government access to personal data—to help make clear the distinction between democratic societies that respect civil liberties and the rule of law and authoritarian governments that engage in the unbridled collection of personal data to surveil, manipulate, and control their citizens and other individuals without regard to personal privacy and human rights. Such principles would allow us to work with like-minded partners in preserving and promoting a free and open Internet enabled by the seamless flow of data.

Federal Trade Commission (FTC) Commissioner Noah Joshua Phillips stressed he was speaking in a personal capacity and not for the FTC. He extolled the virtues of the “free and open” internet model in the U.S. with the double implication that it is superior both to nations like the PRC and Russia but also the EU model. Phillips seemed to be advocating for talking the EU into accepting that the U.S.’s privacy regime and civil liberties are stronger than any other nation. Her also made the case, like other witnesses, that the U.S. data privacy and protection regulation is more similar to the EU than the PRC, Russia, and others. Phillips also sought to blur the issues and recast Privacy Shield in the context of the global struggle between democracies and authoritarian regimes. Phillips asserted:

  • First, we need to find a path forward after Schrems II, to permit transfers between the U.S. and EU. I want to recognize the efforts of U.S. and EU negotiators to find a replacement for Privacy Shield. While no doubt challenging, I have confidence in the good faith and commitment of public servants like Jim Sullivan, with whom I have the honor of appearing today, and our partners across the Atlantic. I have every hope and expectation that protecting cross-border data flows will be a priority for the incoming Administration, and I ask for your help in ensuring it is.
  • Second, we must actively engage with nations evaluating their approach to digital governance, something we at the FTC have done, to share and promote the benefits of a free and open Internet. There is an active conversation ongoing internationally, and at every opportunity—whether in public forums or via private assistance—we must ensure our voice and view is heard.
  • Third, we should be vocal in our defense of American values and policies. While we as Americans always look to improve our laws—and I commend the members of this committee on their important work on privacy legislation and other critical matters—we do not need to apologize to the world. When it comes to civil liberties or the enforcement of privacy laws, we are second to none. Indeed, in my view, the overall U.S. privacy framework—especially with the additional protections built into Privacy Shield—should certainly qualify as adequate under EU standards.
  • Fourth, as European leaders call to strengthen ties with the U.S., we should prioritize making our regimes compatible for the free flow of data. This extends to the data governance regimes of like-minded countries outside of Europe as well. Different nations will have different rules, but relatively minor differences need not impede mutually-beneficial commerce. We need not and should not purport to aim for a single, identical system of data governance. And we should remind our allies, and remind ourselves, that far more unites liberal democracies than divides us.
  • Fifth and finally, if we must draw lines, those lines should be drawn between allies with shared values—the U.S., Europe, Japan, Australia, and others—and those, like China and Russia, that offer a starkly different vision. I am certainly encouraged when I hear recognition of this distinction from Europe. European Data Protection Supervisor Wojciech Wiewiórowski recently noted that the U.S. is much closer to Europe than is China and that he has a preference for data being processed by countries that share values with Europe. Some here in the U.S. are even proposing agreements to solidify the relationships among technologically advanced democracies, an idea worth exploring in more detail

Washington University Professor of Law Neil Richards stressed that the Schrems II decision spells out how the U.S. would achieve adequacy: reforming surveillance and providing meaningful redress for alleged privacy violations. Consequently, FISA would need to be rewritten and narrowed and a means for EU residents to seek relief beyond the current Ombudsman system is needed, possibly a statutory right to sue. Moreover, he asserted strong data protection and privacy laws are needed and some of the bills introduced in this Congress could fit the bill. Richards asserted:

In sum, the Schrems litigation is a creature of distrust, and while it has created problems for American law and commerce, it has also created a great opportunity. That opportunity lies before this Committee –the chance to regain American leadership in global privacy and data protection by passing a comprehensive law that provides appropriate safeguards, enforceable rights, and effective legal remedies for consumers. I believe that the way forward can not only safeguard the ability to share personal data across the Atlantic, but it can do so in a way that builds trust between the United States and our European trading partners and between American companies and their American and European customers. I believe that there is a way forward, but it requires us to recognize that strong, clear, trust-building rules are not hostile to business interest, that we need to push past the failed system of “notice and choice,” that we need to preserve effective consumer remedies and state-level regulatory innovation, and seriously consider a duty of loyalty. In that direction, I believe, lies not just consumer protection, but international cooperation and economic prosperity.

Georgia Tech University Professor Peter Swire explained that the current circumstances make the next Congress the best possibility in memory to enact privacy legislation because of the need for a Privacy Shield replacement, passage of the new California Privacy Rights Act (Proposition 24), and the Biden Administration’s likely support for such legislation. Swire made the following points:

  1. The European Data Protection Board in November issued draft guidance with an extremely strict interpretation of how to implement the Schrems II case.
  2. The decision in Schrems II is based on EU constitutional law. There are varying current interpretations in Europe of what is required by Schrems II, but constitutional requirements may restrict the range of options available to EU and U.S. policymakers.
  3. Strict EU rules about data transfers, such as the draft EDPB guidance, would appear to result in strict data localization, creating numerous major issues for EU- and U.S.-based businesses, as well as affecting many online activities of EU individuals.
  4. Along with concerns about lack of individual redress, the CJEU found that the EU Commission had not established that U.S. surveillance was “proportionate” in its scope and operation. Appendix 2 to this testimony seeks to contribute to an informed judgment on proportionality, by cataloguing developments in U.S. surveillance safeguards since the Commission’s issuance of its Privacy Shield decision in 2016.
  5. Negotiating an EU/U.S. adequacy agreement is important in the short term.
  6. A short-run agreement would assist in creating a better overall long-run agreement or agreements.
  7. As the U.S. considers its own possible legal reforms in the aftermath of Schrems II, it is prudent and a normal part of negotiations to seek to understand where the other party – the EU – may have flexibility to reform its own laws.
  8. Issues related to Schrems II have largely been bipartisan in the U.S., with substantial continuity across the Obama and Trump administrations, and expected as well for a Biden administration.
  9. Passing comprehensive privacy legislation would help considerably in EU/U.S. negotiations.
  10. This Congress may have a unique opportunity to enact comprehensive commercial privacy legislation for the United States.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Dooffy Design from Pixabay

Schrems II Guidance

The agency that oversees the data protection of EU agencies has laid out its view on how they should comply with the GDPR after the EU-US Privacy Shield.

The European Data Protection Supervisor (EDPS) has published a strategy detailing how European Union (EU) agencies and bodies should comply with the Court of Justice of the European Union’s (CJEU) ruling that struck down the EU-United States (U.S.) Privacy Shield (aka Schrems II) and threw into question the compliance of Standard Contractual Clauses (SCC) with EU law and the General Protection Data Regulation (GDPR). The EDPS has already started working with EU Institutions’, bodies, offices and agencies (EUIs) on the process of determining if their transfers of the personal data of people in the EU to the U.S. meets the CJEU’s judgement.

The EDPS makes clear most of the transfers by EUIs to the U.S. are on account of using U.S. information and communications technology (ICT) products and services, meaning U.S. multinationals like Microsoft, Google, and others. The EDPS has proposed a strategy that would first identify risks and then move to address them. It bears stressing that this strategy applies only to EUIs and not private sector controllers, but it is likely the European Data Protection Board (EDPB) and EU DPAs will take notice of the EDPS’ strategy on how to comply with Schrems II. However, the EDPS acknowledges that it is obliged to follow the EDPB’s lead and vows to change its strategy upon issuance of EDPB guidance on Schrems II and SCC. And yet, the EDPS explained that EUIs will need to report back on how they are implementing the steps in the strategy, particularly on those ongoing transfers to countries like the U.S. that have inadequate data protection laws, those transfers that have been suspended, and any transfers being conducted per derogations in the GDPR. On the basis of this feedback, the EDPS will “establish long-term compliance” in 2021.

It seems a bit backwards for the EDPS to task the EUIs with determining which transfers under SCC may proceed under the GDPR when it might be a more efficient process for the EDPS to take on this job directly and rule on the ICT services and providers, permitting all EUIs to understand which comply with EU law and which do not. However, the EDPS is exploring the possibility of determining the sufficiency of data protection in other nations, most likely, first and foremost the U.S., and then working with EU stakeholders to coordinate compliance with the CJEU’s ruling and the GDPR.

The EDPS claimed the CJEU “clarified the roles and responsibilitiesof controllers, recipients of data outside of the European Economic Area (EEA) (data importers) and supervisory authorities…[and] ruled the following:

  • The Court invalidated the Privacy Shield adequacy Decision and confirmed that the SCCs were valid providing that they include effective mechanisms to ensure compliance in practice with the “essentially equivalent” level of protection guaranteed within the EU by the General Data Protection Regulation (GDPR). Transfers of personal data pursuant to the SCCs are suspended or prohibited in the event of a breach of such clauses, or in case it is impossible to honour them.
  • The SCCs for transfers may then require, depending on the prevailing position of a particular third country, the adoption of supplementary measures by the controller in order to ensure compliance with the level of protection guaranteed within the EU.
  • In order to continue these data transfers, the Court stresses that before transferring personal data to a third country, it is the data exporters’ and data importers’ responsibility to assess whether the legislation of the third country of destination enables the data importer to comply with the guarantees provided through the transfer tools in place. If this is not the case, it is also the exporter and the importer’s duty to assess whether they can implement supplementary measures to ensure an essentially equivalent level of protection as provided by EU law. Should data exporters, after taking into account the circumstances of the transfer and possible supplementary measures, conclude that appropriate safeguards cannot be ensured, they are required to suspend or terminate the transfer of personal data. In case the exporter intends nevertheless to continue the transfer of personal data, they must notify their competent SA.
  • The competent supervisory authority is required to suspend or prohibit a transfer of personal data to a third country pursuant to the SCCs if, when considering the circumstances of that transfer, those clauses are not or cannot be complied with in the third country of destination and the protection of the data transferred under EU law cannot be ensured by other means.

EDPS explained:

The EDPS’ report on the 2017 survey entitled, Measuring compliance with data protection rules in EU institutions, provides evidence that there has been a significant rise in the number of transfers related to the core business of EUIs in recent years. This number is even higher now, due to the increased use of ICT services and social media. The EDPS’ own-initiative investigation into the use of Microsoft products and services by EUIs and subsequent recommendations in that regard confirms the importance to ensure a level of protection that is essentially equivalent as the one guaranteed within the EU, as provided by relevant data protection laws, to be interpreted in accordance with the EU Charter. In this context, the EDPS has already flagged a number of linked issues concerning sub-processors, data location, international transfers and the risk of unlawful disclosure of data – issues that the EUIs were unable to control and ensure proper safeguards to protect data that left the EU/EEA. The issues we raised in our investigation report are consistent with the concerns expressed in the Court’s Judgment, which we are assessing in relation to any processor agreed to by EUIs.

Regarding data flows to the U.S. quite possibly in violation of the GDPR and Schrems II, the EDPS:

  • Moreover, a majority of data flows to processors most probably happen because EUIs use service providers that are either based in the U.S. or that use sub-processors based in the U.S., in particular for ICT services, which fall under the scope of U.S. surveillance laws. Such companies have primarily relied on the Privacy Shield adequacy Decision to transfer personal data to the U.S. and the use of SCCs as a secondary measure.
  • Therefore, the present Strategy emphasizes the priority to address transfers of data by EUIs or on their behalf in the context of controller to process or contract and/or processor to sub-processor contracts, in particular towards the United States.

The EDPS is calling for “a twofold approach as the most appropriate:

(1) Identify urgent compliance and/or enforcement actions through a risk based approach for transfers towards the U.S. presenting high risks for data subjects and in parallel

(2) provide guidance and pursue mid-term case-by-case EDPS compliance and or enforcement actions for all transfers towards the U.S. or other third countries.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Pete Linforth from Pixabay

Further Reading, Other Developments, and Coming Events (4 November)

Further Reading

  • U.S. Cyber Command Expands Operations to Hunt Hackers From Russia, Iran and China” By Julian Barnes — The New York Times. The United States (U.S.) agency charged with offensive cyber operations sent teams around the world to undisclosed locations to work with partner nations to foil Russian, Chinese, and Iranian efforts to disrupt the U.S. election. It appears this exercise is more about building relations with partners in key regions and having personnel see first-hand the effect of constant cyber attacks, especially in regions targeted by the Russian Federation rather than the rationale offered by Cyber Command that “hunting forward” puts its people closer to the action. Considering this is cyberspace, does it really matter where personnel are?
  • U.S. undertook cyber operation against Iran as part of effort to secure the 2020 election” By Ellen Nakashima — The Washington Post. United States (U.S.) Cyber Command is out setting a narrative about how effective its operations against nations like Iran have been in protecting the election. Of course, one cannot prove this easily, so it is perhaps an open question as to the effectiveness of U.S. efforts. Nonetheless, this uncharacteristic openness may be on account of successful operations to foil and fend off efforts to disrupt the election, and it certainly reflects the U.S. security services’ desire to avoid 2016’s mistake of not going public with information so Americans would understand what is happening.
  •  “Europe and the US are drifting apart on tech. Joe Biden wouldn’t fix that.” By Nicholas Vincour — Politico EU. This rundown of the significant policy differences suggests the United States (U.S.) and the European Union (EU) will be at odds on major tech issues even under a Biden Administration that one can safely assume will return the U.S. to closer relations with the EU. Most of these differences transcend personality, however, suggesting structural and systemic reasons, which foretell continued friction.
  • What Big Tech has to gain—and lose—from a Biden presidency” By Mark Sullivan — Fast Company. This piece lays out how a Biden Administration might continue and discontinue Trump Administration policy if Joe Biden prevails in the election. One aspect this piece glosses over, however, is how the composition of Congress would inform a Biden Administration’s capability to achieve its policy goals on tech.
  • Robocalls Told at Least 800,000 Swing State Residents to “Stay Home” on Election Day. The FBI Is Investigating.” By Jack Gillum and Jeremy B. Merrill — ProPublica. Robocalls to more than 3 million people were made yesterday, urging them to stay home and stay safe. This is akin to voter suppression tactics that have been used for decades in the United States, but it is unlikely the culprit or true motive (if it was not intended as suppression) will ever be discovered given the ease of use, scale, and anonymity spoofing provides.

Other Developments

  • Australia’s Department of Home Affairs (Department) released for comment “Critical Technology Supply Chain Principles (the Principles)” that “are intended to assist organisations – including governments and businesses of all sizes – in making decisions about their suppliers.” The Department stated that “[t]he Principles also complement the Protecting Critical Infrastructure and Systems of National Significance reforms…[and] [t]ogether, these measures will help protect the supply of essential services that all Australians rely on.​​”
    • The Department stated:
      • Supply chains for critical technologies in Australia must be more resilient. Australia’s COVID-19 experience highlights the vulnerabilities of supply chains for products essential to the country. At the same time, the global technological landscape is evolving at an unprecedented pace and geostrategic competition is affecting how critical technologies are being developed and used.
      • The more dependent society becomes on technology, the less governments and organisations can rely on traditional habits and decision-making frameworks when it comes to their supply chains. Improving the management of critical technology supply chains specifically, across the economy will help build Australia’s resilience to future shocks, as well as address the inherent risks to our nation’s national security, economic prosperity and social cohesion. Advances in technology underpin our future prosperity, however they also expose our nation to more risks. Malicious actors can use critical technologies to harm our national security, and undermine our democracy. One way to address these risks is to consider the supply chains of critical technologies, and how these could be made more secure. Understanding the risks is the first step towards organisations of all sizes taking action to create diverse, trusted and secure supply chains.
      • That’s why the Australian Government is developing the Critical Technology Supply Chain Principles. These Principles will be non-binding and voluntary, and are intended to act as a tool to assist governments and businesses in making decisions about their suppliers and transparency of their own products. The Principles will help Australian business consider the unforeseen risks when developing critical technologies, building business resilience. The suggested Principles will be grouped under three pillars: security-by-design, transparency, and autonomy and integrity. The suggested Principles below align with guidance provided by the Australian Signals Directorate’s Australian Cyber Security Centre on supply chain risk management.
    • The Department provided an overview of the conceptual framework of the document:
      • Security should be a core component of critical technologies. Organisations should ensure they are making decisions that build in security from the ground-up.
        • 1. Understand what needs to be protected and why.
        • 2. Understand the security risks posed by your supply chain.
        • 3. Build security considerations into contracting processes that are proportionate to the level of risk (and encourage suppliers to do the same).
        • 4. Raise awareness of security within your supply chain
      • Transparency of technology supply chains is critical, both from a business perspective and a national security perspective.
        • 5. Know who suppliers are and build an understanding of security measures.
        • 6. Set and communicate minimum transparency requirements consistent with existing standards and international benchmarks for your suppliers and encourage continuous improvement.
        • 7. Encourage suppliers to understand their supply chains, and be able to provide this information to consumers.
      • Knowing that your suppliers demonstrate integrity and are acting autonomously is fundamental to securing your supply chain.
        • 8. Consider the influence of foreign governments on suppliers and seek to ensure they operate with appropriate levels of autonomy.
        • 9. Consider if suppliers operate ethically, with integrity, and consistently with their human rights responsibilities.
        • 10. Build trusted, strategic relationships with suppliers
  • The United States’ (U.S.) Department of Justice (DOJ) announced that a member of a $100 million botnet conspiracy was sentenced to eight years in prison “for his role in operating a sophisticated scheme to steal and traffic sensitive personal and financial information in the online criminal underground.” The DOJ stated:
    • Aleksandr Brovko, 36, formerly of the Czech Republic, pleaded guilty in February to conspiracy to commit bank and wire fraud. According to court documents, Brovko was an active member of several elite, online forums designed for Russian-speaking cybercriminals to gather and exchange their criminal tools and services. 
    • As reflected in court documents, from 2007 through 2019, Brovko worked closely with other cybercriminals to monetize vast troves of data that had been stolen by “botnets,” or networks of infected computers.  Brovko, in particular, wrote software scripts to parse botnet logs and performed extensive manual searches of the data in order to extract easily monetized information, such as personally identifiable information and online banking credentials.  Brovko also verified the validity of stolen account credentials, and even assessed whether compromised financial accounts had enough funds to make it worthwhile to attempt to use the accounts to conduct fraudulent transactions. 
    • According to court documents, Brovko possessed and trafficked over 200,000 unauthorized access devices during the course of the conspiracy. These access devices consisted of either personally identifying information or financial account details. Under the U.S. Sentencing Guidelines, the estimated intended loss in this case has been calculated as exceeding $100 million.
  • The Office of the Privacy Commissioner of Canada (OPC), Office of the Information and Privacy Commissioner of Alberta (OIPC AB) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) found that “Cadillac Fairview – one of North America’s largest commercial real estate companies – embedded cameras inside their digital information kiosks at 12 shopping malls across Canada and used facial recognition technology without their customers’ knowledge or consent.”  The Commissioners asserted:
    • The goal, the company said, was to analyze the age and gender of shoppers and not to identify individuals. Cadillac Fairview also asserted that shoppers were made aware of the activity via decals it had placed on shopping mall entry doors that referred to their privacy policy – a measure the Commissioners determined was insufficient.
    • Cadillac Fairview also asserted that it was not collecting personal information, since the images taken by camera were briefly analyzed then deleted. However, the Commissioners found that Cadillac Fairview did collect personal information, and contravened privacy laws by failing to obtain meaningful consent as they collected the 5 million images with small, inconspicuous cameras. Cadillac Fairview also used video analytics to collect and analyze sensitive biometric information of customers.
    • The investigation also found that:
      • Facial recognition software was used to generate additional personal information about individual shoppers, including estimated age and gender.
      • While the images were deleted, investigators found that the sensitive biometric information generated from the images was being stored in a centralized database by a third party.
      • Cadillac Fairview stated that it was unaware that the database of biometric information existed, which compounded the risk of potential use by unauthorized parties or, in the case of a data breach, by malicious actors.
  • The United States (U.S.) Department of Defense (DOD) published its “DOD Electromagnetic Spectrum Superiority Strategy” the purpose of which “is to align DOD electromagnetic spectrum (EMS) activities with the objectives of the 2017 National Security Strategy, the 2018 National Defense Strategy, and national economic and technology policy goals.” The DOD stated:
    • This Strategy embraces the enterprise approach required to ensure EMS superiority by integrating efforts to enhance near-term and long-term EMS capabilities, activities, and operations. The Strategy informs the Department’s domestic EMS access policies and reinforces the need to develop cooperative frameworks with other EMS stakeholders in order to advance shared national policy goals. The traditional functions of Electromagnetic Spectrum Management (EMSM) and Electromagnetic Warfare (EW)—integrated as Electromagnetic Spectrum Operations (EMSO)—are addressed within the document’s strategic goals. This 2020 Strategy builds upon the successes of and supersedes both the DOD’s 2013 EMS Strategy and 2017 EW Strategy.
    • The DOD concluded:
      • DOD faces rapidly increasing challenges to its historical EMS dominance due in part to increasingly complex EMOEs. Threats to DOD capabilities due to EMS vulnerabilities have become increasingly sophisticated and easily attainable. Commercial technology advancements are proliferating wireless devices and services that are eroding DOD’s freedom of action in the EMS. At the same time, the U.S. military has increasing spectrum requirements for the operations, testing, and training of advanced warfighting capabilities. Finally, DOD must exploit near-peer adversaries’ EMS vulnerabilities through advanced EW to offset their capacity overmatch.
      • To cope with these challenges and achieve the vision of Freedom of Action in the Electromagnetic Spectrum, the DOD will actively pursue the areas outlined herein. DOD will enhance the ability to plan, sense, manage, and control military operations with advanced EMS technologies to ensure EMS superiority. The Department will also proactively engage with spectrum policymakers and partners to ensure spectrum policies support U.S . capability requirements. DOD will perform the governance functions needed to ensure our efforts are aligned and coordinated to maximize the results of our efforts.
      • The NDS directs the Department to “determine an approach to enhancing the lethality of the joint force against high end competitors and the effectiveness of our military against a broad spectrum of potential threats.” Realization of the NDS requires DOD to actualize the vision of this DOD EMS Superiority Strategy by implementing its goals and objectives through an empowered EMS enterprise. Advancing how DOD conducts operations in the EMS, and generates EMS superiority, will be critical to the success of all future missions for the United States, its allies, and partners.

Coming Events

  • On 10 November, the Senate Commerce, Science, and Transportation Committee will hold a hearing to consider nominations, including Nathan Simington’s to be a Member of the Federal Communications Commission.
  • On 17 November, the Senate Judiciary Committee will reportedly hold a hearing with Facebook CEO Mark Zuckerberg and Twitter CEO Jack Dorsey on Section 230 and how their platforms chose to restrict The New York Post article on Hunter Biden.
  • On 18 November, the Federal Communications Commission (FCC) will hold an open meeting and has released a tentative agenda:
    • Modernizing the 5.9 GHz Band. The Commission will consider a First Report and Order, Further Notice of Proposed Rulemaking, and Order of Proposed Modification that would adopt rules to repurpose 45 megahertz of spectrum in the 5.850-5.895 GHz band for unlicensed operations, retain 30 megahertz of spectrum in the 5.895-5.925 GHz band for the Intelligent Transportation Systems (ITS) service, and require the transition of the ITS radio service standard from Dedicated Short-Range Communications technology to Cellular Vehicle-to-Everything technology. (ET Docket No. 19-138)
    • Further Streamlining of Satellite Regulations. The Commission will consider a Report and Order that would streamline its satellite licensing rules by creating an optional framework for authorizing space stations and blanket-licensed earth stations through a unified license. (IB Docket No. 18-314)
    • Facilitating Next Generation Fixed-Satellite Services in the 17 GHz Band. The Commission will consider a Notice of Proposed Rulemaking that would propose to add a new allocation in the 17.3-17.8 GHz band for Fixed-Satellite Service space-to-Earth downlinks and to adopt associated technical rules. (IB Docket No. 20-330)
    • Expanding the Contribution Base for Accessible Communications Services. The Commission will consider a Notice of Proposed Rulemaking that would propose expansion of the Telecommunications Relay Services (TRS) Fund contribution base for supporting Video Relay Service (VRS) and Internet Protocol Relay Service (IP Relay) to include intrastate telecommunications revenue, as a way of strengthening the funding base for these forms of TRS and making it more equitable without increasing the size of the Fund itself. (CG Docket Nos. 03-123, 10-51, 12-38)
    • Revising Rules for Resolution of Program Carriage Complaints. The Commission will consider a Report and Order that would modify the Commission’s rules governing the resolution of program carriage disputes between video programming vendors and multichannel video programming distributors. (MB Docket Nos. 20-70, 17-105, 11-131)
    • Enforcement Bureau Action. The Commission will consider an enforcement action.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by skeeze from Pixabay

Further Reading, Other Developments, and Coming Events (26 October)

Further Reading

  •  “Google is giving data to police based on search keywords, court docs show” By Alfred Ng — c|net. Google is responding to keyword warrants where prosecutors ask the company to provide IP addresses for all people who made a certain search within a geographical area during a certain time. In the case discussed in the piece (bizarrely witness intimidation of someone testifying against R. Kelly), a keyword warrant allowed them to locate a person who may have burned down someone’s house. It is likely this warrant will be challenged on Fourth Amendment grounds.
  • Google AI Tech Will Be Used for Virtual Border Wall, CBP Contract Shows” By Lee Fang and Sam Biddle — The Intercept. Google may again be wading into territory its labor force may find objectionable. The United States (U.S.) Customs and Border Protection (CBP) will use Google Cloud in its artificial intelligence-driven virtual fence on the U.S.-Mexico border. This may result in employee push back as it did in 2018 when this sort of internal pressure caused Google to walk away from a Department of Defense program, Project Maven. A whistleblower group ferreted out the fact that Google is contracting with CBP, which took some effort considering Google appears to be a subcontractor to a prime contractor.
  • Facebook Manipulated the News You See to Appease Republicans, Insiders Say” By Monika Bauerlein and Clara Jeffery — Mother Jones. In January 2018 Facebook changed its algorithm to try to address the growing toxicity during and after the 2016 election. The supposed solution was to remove untrustworthy information. However, the original test of this new algorithm led to deprioritizing many conservative sources that traffic in misinformation and slanted stories. This was deemed unacceptable from a political point of view, and the opposite was done. A number of liberal media organizations saw their traffic drop off a cliff.
  • Why A Gamer Started A Web Of Disinformation Sites Aimed At Latino Americans” By Kaleigh Rogers and Jaime Longoria — FiveThirtyEight. The reason why a gamer and YouTuber started fake sites aimed at Latinos was profit, nothing else.
  • Twitter and White House deny claims that researcher hacked Trump’s account” By Adi Robertson — The Verge. A Dutch researcher claims the password maga2020 got him into President Donald Trump’s Twitter account even though the White House and Twitter both deny the claim. There is a bizarre tweet Trump sent earlier this month that may, in fact, be the work of this researcher. In any event, he is being coy about whether he sent it or not.

Other Developments

  • The United Kingdom’s Information Commissioner’s Office (ICO) reduced its fine on British Airways (BA) to a ninth of the preliminary total for violations of the General Data Protection Regulation (GDPR). The ICO has levied a £20 million fine on the airline “for failing to protect the personal and financial details of more than 400,000 of its customers.” In July 2019, the ICO issued a notice of its intention to fine British Airways £183.39 million because the “[p]ersonal data of approximately 500,000 customers were compromised.” After BA made its case, the ICO reduced the fine to £30 million before knocking off another £10 million because of mitigating factors and a British government policy to ease up on businesses during the pandemic. Conceivably, the fine could have been much higher for the GDPR allows for fines of up to 4% of worldwide revenue, and in this case, for the period in question, BA had £12.26 billion in revenue. The ICO explained:
    • The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
    • Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.
    • Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.
    • The ICO found:
      • There were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network. These include:
        • limiting access to applications, data and tools to only that which are required to fulfil a user’s role
        • undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems;
        • protecting employee and third party accounts with multi-factor authentication.
      • Additional mitigating measures BA could have used are listed in the penalty notice.
      • None of these measures would have entailed excessive cost or technical barriers, with some available through the Microsoft Operating System used by BA.
      • Since the attack, BA has made considerable improvements to its IT security.
      • ICO investigators found that BA did not detect the attack on 22 June 2018 themselves but were alerted by a third party more than two months afterwards on 5 September. Once they became aware BA acted promptly and notified the ICO.
      • It is not clear whether or when BA would have identified the attack themselves. This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant.
  • The Congressionally created Cyberspace Solarium Commission (CSC) issued a white paper “Building a Trusted ICT Supply Chain,” with its assessment as to why the United States (U.S.) no longer has a thriving technological industrial base and how it might again, which is nothing less than a matter of signal importance considering the growing dominance of the People’s Republic of China (PRC) in those fields. With the CSC releasing this white paper, it has become another player on the field in U.S. government policy circles proposing how the U.S. may protect its information and communications technology (ICT) supply chain against sabotage, malice, or control by an adversarial power. 
    • The CSC claimed:
      • United States lacks key industrial capacities crucial to the production of essential technologies, including fifth-generation (5G) telecommunications equipment. Among other factors, the willingness of countries such as China to subsidize and support their domestic industries has created the uneven playing field that hinders the competitiveness and, ultimately, the viability of U.S. companies in global markets. The resulting lack of industrial capacity has forced critical dependencies on companies that manufacture in adversary countries, such as China, where companies are beholden to Chinese national intelligence, national cybersecurity, and national security laws. While dependency on foreign production and foreign goods is not inherently bad—indeed, the United States relies on manufacturing and companies headquartered in partner countries such as Finland, Sweden, South Korea, and Taiwan—the U.S. government must emphasize the importance of trusted suppliers, and these dependencies pose three concrete risks to the security of the United States.
    • The CSC explained why fostering a supply chain for ICT in the U.S. will not be easy:
      • Three main challenges confront attempts to rebuild U.S. high-tech manufacturing capacity: (1) lack of patient funding capital, (2) high investment barriers to entry, and (3) standards and intellectual property barriers to entry. These challenges arise from the simple fact that the economics of the hardware industry are not as attractive as those of many other technology sectors. One of the major shortcomings of U.S. efforts to date to secure ICT supply chains is their failure to address how the United States got to this point, where ICT equipment manufacturing and production is a critical economic weakness. In order to craft an effective strategy to rebuild high-tech manufacturing and gain greater industrial independence, policymakers must first understand the challenges to reinvigorating the United States’ high-tech manufacturing industry. Only then can they comprehend why market forces have pushed U.S. high-tech industrial capacity to atrophy over the past two decades and recognize the issues that they must tackle in developing an industrial base strategy.
      • None of these barriers are insurmountable, but the reality is that the United States has lost much of its market share for the manufacture of electronics components and nearly all of its market share for the manufacture and assembly of finished electronics products. Nonetheless, a U.S. strategy to secure its ICT supply chain from all threats must include a plan to identify the key technologies and materials, and then attract more patient investment in hardware manufacturing, devise a method to retrain the atrophied muscles of production, and set the conditions to overcome barriers to entry posed by the constraints of standards and intellectual property.
    • The CSC “specifies a strategy to build trusted supply chains for critical ICT by:
      • Identifying key technologies and equipment through government reviews and public-private partnerships to identify risk.
      • Ensuring minimum viable manufacturing capacity through both strategic investment and the creation of economic clusters.
      • Protecting supply chains from compromise through better intelligence, information sharing, and product testing.
      • Stimulating a domestic market through targeted infrastructure investment and ensuring the ability of firms to offer products in the United States similar to those offered in foreign markets.
      • Ensuring global competitiveness of trusted supply chains, including American and partner companies, in the face of Chinese anti-competitive behavior in global markets.
    • The CSC also highlighted “five key and eight supporting recommendations to build trusted supply chains for critical ICT technologies:
      • Supply Chain 1: Congress should direct the executive branch to develop and implement an information and communication technologies industrial base strategy.
      • Supply Chain 2: Congress should direct the Department of Homeland Security, in coordination with the Department of Commerce, Department of Defense, Department of State, and other departments and agencies, to identify key information and communication technologies and materials through industry consultation and government review.
      • Supply Chain 3: Congress should direct the Department of Commerce, in consultation with the Department of Homeland Security, the Department of State, and the Department of Defense, to conduct a viability study of localities fit for economic clustering. It should fund the Department of Commerce, in consultation with the Department of Homeland Security, Department of State, and Department of Defense, to solicit competitive bids and applications from candidate states, municipalities, and localities for the designation of no fewer than three and no more than five critical technology manufacturing clusters.
        • Supply Chain 3.1: The federal government should commit significant and consistent funding toward research and development in emerging technologies.
        • Supply Chain 3.2: The federal government should, in partnership with partner and ally governments, develop programs to incentivize the movement of critical chip and technology manufacturing out of China.
        • Supply Chain 3.3: Congress should direct the President to conduct a study on the viability of a public-private national security investment corporation to attract private capital for investment in strategically important areas.
      • Supply Chain 4: The President should designate a lead agency to integrate and coordinate government ICT supply chain risk management efforts into an ongoing national strategy and to serve as the nexus for public-private partnerships on supply chain risk management.
        • Supply Chain 4.1: Congress should direct the President to construct or designate a National Supply Chain Intelligence Center.
        • Supply Chain 4.2: Congress should fund three Critical Technology Security Centers, selected and designated by DHS, in collaboration with the Department of Commerce, Department of Energy, Office of the Director of National Intelligence (ODNI), and Department of Defense.
      • Supply Chain 5: The Federal Communications Commission (FCC) should tie 5G infrastructure investment to open and interoperable standards and work with the Department of Defense and the National Telecommunications and Information Agency to facilitate the release of more mid-band spectrum in order to ensure a strong domestic market for telecommunications equipment.
        • Supply Chain 5.1: The U.S. Agency for International Development (USAID) should work with international partners to develop a digital risk impact assessment that highlights the risks associated with the use of untrusted technologies in implementing digitization and telecommunications infrastructure projects.
        • Supply Chain 5.2: Congress should ensure that the Export-Import Bank (EXIM), U.S. International Development Finance Corporation (DFC), and United States Trade Development Agency (USTDA) all operate in legal, regulatory, and funding environments conducive to successfully competing with Chinese state-owned and state-backed enterprises, including their ability to support investments from companies headquartered in partner and ally countries.
        • Supply Chain 5.3: USAID, DFC, and USTDA should develop and maintain a list of prohibited contractors and clients, including companies subject to the Chinese national security and national intelligence laws, that may not be used to implement USAID-, DFC-, and USTDA-funded projects.
  • The Federal Trade Commission (FTC) has reportedly met to review its anti-trust case against Facebook that could get filed as soon as next month. The FTC start looking into Facebook’s dominance in the social messaging market about the same time it handed down a $5 billion fire for the tech giant’s involvement with Cambridge Analytica that violated the 2012 consent decree. The anti-trust investigation is reportedly focused on Facebook’s acquisitions of WhatsApp and Instagram, two of the world’s largest messaging platforms. The FTC is reportedly focused on the effects of Facebook’s buying two potential competitors, WhatsApp and Instagram, and if the FTC succeeds in a suit against Facebook, the company may be forced to spin off those two entities. Moreover, New York Attorney General Tish James is leading a state investigation of Facebook that “focuses on Facebook’s dominance in the industry and the potential anticompetitive conduct stemming from that dominance.” This inquiry started over a year ago, and any timing on possible action is not clear. The European Commission is also reportedly looking at Facebook for anti-trust violations as media accounts indicated in late 2019.
    • The House Judiciary Committee argued in its recent report on competition in digital markets that “the strong network effects associated with Facebook has tipped the market toward monopoly such that Facebook competes more vigorously among its own products—Facebook, Instagram, WhatsApp, and Messenger—than with actual competitors.” In response to the House Judiciary Committee’s view on these deals, a Facebook spokesperson claimed “[a] strongly competitive landscape existed at the time of both acquisitions and exists today…[and] [r]egulators thoroughly reviewed each deal and rightly did not see any reason to stop them at the time.”
    • In February 2019, the German agency with jurisdiction over competition issued a decision that potentially could block Facebook from combining the personal data of Germans from other Facebook-owned entities such as Instagram and WhatsApp or from unrelated third-party sources. According to the Bundeskartellamt’s press release, the agency “has imposed on Facebook far-reaching restrictions in the processing of user data.”
  • A group of nations are proposing a third way to bridge the dual efforts of two United Nations (U.N.) groups to develop cyber norms. In the “The future of discussions on ICTs and cyberspace at the UN,” this group of nations propose to “explore establishment of a Programme of Action for advancing responsible State behaviour in cyberspace with a view to ending the dual track discussions (GGE/OEWG) and establishing a permanent UN forum to consider the use of ICTs by States in the context of international security.” They stressed “the urgent need for the international community to address the use of ICTs in the context of international peace and security.” France, Egypt, Argentina, Colombia, Ecuador, Gabon, Georgia, Japan, Morocco, Norway, Salvador, Singapore, the Republic of Korea, the Republic of Moldova, The Republic of North Macedonia, the United Kingdom, the EU and its member States submitted the proposal.
    • These nations argued:
      • Since 2018, two working groups and many initiatives have started under the auspices of the UN. We welcome the willingness of the international community to engage, and recognize that each of those initiatives has its own merits and specificities. Yet, they aim at tackling the same issues: advancing norms of responsible behaviour, understanding how international law concretely applies to cyberspace, developing CBMs and fostering capacity building. We consider that this situation, although evidencing the growing commitment of the international community to dedicating time and resources to the matters at hand, creates redundancies and, at times, can be counter-productive. It is therefore a cause for concern.
      • In the fall of 2019, the U.N. Group of Governmental Experts (GGE) and the U.N. Open-ended Working Group (OEWG) started meeting per U.N. resolutions to further consultative discussions on an international agreement or set of agreements on what is considered acceptable and unacceptable cyber practices. Previous efforts largely stalled over disagreements between a bloc led by the U.S. and its allies and nations like the People’s Republic of China (PRC), Russia, and others with a different view on acceptable practices. Notably, unlike 2010, 2013 and 2015, the 2017 U.N. GGE could not reach agreement on additional voluntary, non-binding norms on how nations should operate in cyberspace. The OEWG was advocated for by countries like Russia, the PRC, and others seen as being in opposition to some of the views propagated by the U.S. and its allies, notably on the issue of what kind of measures a nation may use inside its borders to limit internet usage for its citizens.
      • As explained in a 2018 U.N. press release, competing resolutions were offered to create groups “aimed at shaping norm-setting guidelines for States to ensure responsible conduct in cyberspace:”
        • the draft resolution “Developments in the field of information and telecommunications in the context of international security” (document A/C.1/73/L.27.Rev.1), tabled by the Russian Federation.  By the text, the Assembly would decide to convene in 2019 an open-ended working group acting on a consensus basis to further develop the rules, norms and principles of responsible behaviour of States.
        • the draft resolution “Advancing Responsible State Behaviour in Cyberspace in the Context of International Security” (document A/C.1/73/L.37), tabled by the United States…[that] would request the Secretary-General, with the assistance of a group of governmental experts to be established in 2019, to continue to study possible cooperative measures to address existing and potential threats in the sphere of information security, including norms, rules and principles of responsible behaviour of States.
  • The United Kingdom’s Information Commissioner’s Office (ICO) published a compulsory audit of the Department for Education (DfE) and found:
    • The audit found that data protection was not being prioritised and this had severely impacted the DfE’s ability to comply with the UK’s data protection laws. A total of 139 recommendations for improvement were found, with over 60% classified as urgent or high priority.
    • The ICO explained:
      • The Commissioner’s Enforcement team ran a broad range investigation in 2019 following complaints from DefendDigitalMe and Liberty and their concerns around the National Pupil Database (NPD). The ICO met with key senior level data protection professionals at the DfE’s offices in London in November2019 where the possibilities of a consensual audit were discussed. However, due to the risks associated with the volume and types of personal data processed within the NPD as well as the ages of the data subjects involved, the Commissioner decided, in line with her own Regulatory Action Policy, to undertake a compulsory audit using her powers under section 146 of the DPA18.The Commissioner determined this approach would provide a comprehensive review of DfE data protection practices, governance and other key control measures supporting the NPD and internally held databases, using the framework of scope areas of audit as listed below. This would allow the Commissioner to identify any risk associated with the data processed and implications to the individual rights of over 21 million data subjects.
  • The European Commission (EC) announced it “made commitments offered by [United States firm] Broadcom legally binding under EU antitrust rules.” The EC started looking into the company in mid-2019 for supposedly abusive behavior that was harming players and people in the TV and modem chipset markets in the European Union.
    • The EC explained:
      • In June 2019, the Commission initiated proceedings into alleged abuse of dominance by Broadcom and at the same time issued a Statement of Objections seeking the imposition of interim measures. In October 2019, the Commission took a decision concluding that interim measures were necessary to prevent serious and irreparable damage to competition from occurring in the worldwide markets for SoCs for (i) TV set-top boxes, (ii) xDSL modems, (iii) fibre modems, as well as (iv) cable modems.
      • The Commission took issue with certain exclusivity or quasi-exclusivity and leveraging arrangements imposed by Broadcom in relation to SoCs for TV set top boxes, xDSL and fibre modems. The decision ordered Broadcom to stop applying these provisions contained in agreements with six of its main customers and ordered the implementation of interim measures applicable for a period of three years.
    • The EC asserted Broadcom has agreed to the following:
      • At European Economic Area (EEA) level, Broadcom will:
        • a) Not require or induce by means of price or non-price advantages an OEM to obtain any minimum percentage of its EEA requirements for SoCs for TV set-top boxes, xDSL modems and fibre modems from Broadcom; and
        • b) Not condition the supply of, or the granting of advantages for, SoCs for TV set-top boxes, xDSL modems and fibre modems on an OEM obtaining from Broadcom another of these products or any other product within the scope of the commitments (i.e. SoCs for cable modems, Front End Chips for set-top boxes and modems and/or Wi-Fi Chips for set-top boxes and modems).
      • At worldwide level (excluding China), Broadcom will:
        • a) Not require or induce an OEM by means of certain types of advantages to obtain more than 50% of its requirements for SoCs for TV set-top boxes, xDSL modems and fibre modems from Broadcom; and
        • b) Not condition the supply of, or the granting of advantages for, SoCs for TV set-top boxes, xDSL modems and fibre modems on an OEM obtaining from Broadcom more than 50% of its requirements for any other of these products, or for other products within the scope of the commitments.
      • The commitments also include specific provisions regarding incentives to bid equipment based on Broadcom products as well as certain additional clauses with regard to service providers in the EEA.

Coming Events

  • The Federal Communications Commission (FCC) will hold an open commission meeting on 27 October, and the agency has released its agenda:
    • Restoring Internet Freedom Order Remand. The Commission will consider an Order on Remand that would respond to the remand from the U.S. Court of Appeals for the D.C. Circuit and conclude that the Restoring Internet Freedom Order promotes public safety, facilitates broadband infrastructure deployment, and allows the Commission to continue to provide Lifeline support for broadband Internet access service. (WC Docket Nos. 17-108, 17-287, 11-42)
    • Establishing a 5G Fund for Rural America . The Commission will consider a Report and Order that would establish the 5G Fund for Rural America to ensure that all Americans have access to the next generation of wireless connectivity. (GN Docket No. 20-32)
    • Increasing Unlicensed Wireless Opportunities in TV White Spaces. The Commission will consider a Report and Order that would increase opportunities for unlicensed white space devices to operate on broadcast television channels 2-35 and expand wireless broadband connectivity in rural and underserved areas. (ET Docket No. 20-36)
    • Streamlining State and Local Approval of Certain Wireless Structure Modifications . The Commission will consider a Report and Order that would further accelerate the deployment of 5G by providing that modifications to existing towers involving limited ground excavation or deployment would be subject to streamlined state and local review pursuant to section 6409(a) of the Spectrum Act of 2012. (WT Docket No. 19-250; RM-11849)
    • Revitalizing AM Radio Service with All-Digital Broadcast Option . The Commission will consider a Report and Order that would authorize AM stations to transition to an all-digital signal on a voluntary basis and would also adopt technical specifications for such stations. (MB Docket Nos. 13-249, 19-311)
    • Expanding Audio Description of Video Content to More TV Markets. The Commission will consider a Report and Order that would expand audio description requirements to 40 additional television markets over the next four years in order to increase the amount of video programming that is accessible to blind and visually impaired Americans. (MB Docket No. 11-43)
    • Modernizing Unbundling and Resale Requirements. The Commission will consider a Report and Order to modernize the Commission’s unbundling and resale regulations, eliminating requirements where they stifle broadband deployment and the transition to next-generation networks, but preserving them where they are still necessary to promote robust intermodal competition. (WC Docket No. 19-308)
    • Enforcement Bureau Action. The Commission will consider an enforcement action.
  • The Senate Commerce, Science, and Transportation Committee will hold a hearing on 28 October regarding 47 U.S.C. 230 titled “Does Section 230’s Sweeping Immunity Enable Big Tech Bad Behavior?” with testimony from:
    • Jack Dorsey, Chief Executive Officer of Twitter;
    • Sundar Pichai, Chief Executive Officer of Alphabet Inc. and its subsidiary, Google; and 
    • Mark Zuckerberg, Chief Executive Officer of Facebook.
  • On 29 October, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”
  • On 10 November, the Senate Commerce, Science, and Transportation Committee will hold a hearing to consider nominations, including Nathan Simington’s to be a Member of the Federal Communications Commission.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Isaac Struna on Unsplash

Russian Hacking Uncovered

The U.S. and UK announced Russian hacking, including attempts to derail the last few Olympic Games. The EU also announced unrelated cyber sanctions.

The United Kingdom’s Government Communications Headquarters’ (GCHQ) National Cyber Security Centre (NCSC) unveiled the Russian Federation’s military hacking of past Olympics and the scheduled but delayed Summer Olympics in Tokyo. Even though the NCSC did not speculate on Russian motivation, it is likely this was designed as payback for having been exposed for widespread doping and cheating at the 2014 Winter Olympics in Sochi, Russia.

The NCSC stated it “assesses with high confidence that these attacks were carried out by the GRU’s Main Centre for Specialist Technologies (GTsST), also known as Sandworm and VoodooBear.” The NCSC explained it “exposed malicious cyber activity from Russia’s GRU military intelligence service against organisations involved in the 2020 Olympic and Paralympic Games before they were postponed.”

The NCSC stated:

  • The activity involved cyber reconnaissance by the GRU targeting officials and organisations involved in the Games, which had been due to take place in Tokyo during the summer.
  • The incidents were the latest in a campaign of Russian malicious activity against the Olympic and Paralympic Games, with the UK also today revealing details of GRU targeting of the 2018 Winter Olympic and Paralympic Games in Pyeongchang, Republic of Korea.
  • In the attacks on the 2018 Games, the GRU’s cyber unit attempted to disguise itself as North Korean and Chinese hackers when it targeted the opening ceremony. It went on to target broadcasters, a ski resort, Olympic officials and sponsors of the games.
  • The GRU deployed data-deletion malware against the Winter Games IT systems and targeted devices across the Republic of Korea using VPNFilter.
  • The NCSC assesses that the incident was intended to sabotage the running of the Winter Olympic and Paralympic Games, as the malware was designed to wipe data from and disable computers and networks. Administrators worked to isolate the malware and replace the affected computers, preventing potential disruption.

In concert with the NCSC’s announcement, the United States’ Department of Justice (DOJ) released grand jury indictments of six GRU hackers for the foiled Olympic hack and other attacks dating from nearly five years ago to the present around the world. In one of the attacks, three United States (U.S.) companies allegedly suffered $1 billion in losses. The DOJ noted that cybersecurity researchers bestowed various names on the hackers including: “Sandworm Team,” “Telebots,” “Voodoo Bear,” and “Iron Viking,” and in the indictment, the DOJ claimed the object of the conspiracy “was to deploy malware and take other disruptive actions for the strategic benefit of Russia, through unauthorized access (“hacking”) of victim computers.”

In its press release, the DOJ stated that “[o]n Oct. 15, 2020, a federal grand jury in Pittsburgh returned an indictment charging six computer hackers, all of whom were residents and nationals of the Russian Federation (Russia) and officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces.”

The DOJ asserted:

These GRU hackers and their co-conspirators engaged in computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize: (1) Ukraine; (2) Georgia; (3) elections in France; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and (5) the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort. 

The DOJ stated

  • Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics.  The indictment charges the defendants with conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name.
  • According to the indictment, beginning in or around November 2015 and continuing until at least in or around October 2019, the defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access  to victim computers (hacking). 

The DOJ stated “[a]s alleged, the conspiracy was responsible for the following destructive, disruptive, or otherwise destabilizing computer intrusions and attacks:

  • Ukrainian Government & Critical Infrastructure: December 2015 through December 2016 destructive malware attacks against Ukraine’s electric power grid, Ministry of Finance, and State Treasury Service, using malware known as BlackEnergy, Industroyer, and KillDisk;
  • French Elections: April and May 2017 spearphishing campaigns and related hack-and-leak efforts targeting French President Macron’s “La République En Marche!” (En Marche!) political party, French politicians, and local French governments prior to the 2017 French elections;
  • Worldwide Businesses and Critical Infrastructure (NotPetya): June 27, 2017 destructive malware attacks that infected computers worldwide using malware known as NotPetya, including hospitals and other medical facilities in the Heritage Valley Health System (Heritage Valley) in the Western District of Pennsylvania; a FedEx Corporation subsidiary, TNT Express B.V.; and a large U.S. pharmaceutical manufacturer, which together suffered nearly $1 billion in losses from the attacks;
  • PyeongChang Winter Olympics Hosts, Participants, Partners, and Attendees: December 2017 through February 2018 spearphishing campaigns and malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, partners, and visitors, and International Olympic Committee (IOC) officials;
  • PyeongChang Winter Olympics IT Systems (Olympic Destroyer): December 2017 through February 2018 intrusions into computers supporting the 2018 PyeongChang Winter Olympic Games, which culminated in the Feb. 9, 2018, destructive malware attack against the opening ceremony, using malware known as Olympic Destroyer;
  • Novichok Poisoning Investigations: April 2018 spearphishing campaigns targeting investigations by the Organisation for the Prohibition of Chemical Weapons (OPCW) and the United Kingdom’s Defence Science and Technology Laboratory (DSTL) into the nerve agent poisoning of Sergei Skripal, his daughter, and several U.K. citizens; and
  • Georgian Companies and Government Entities: a 2018 spearphishing campaign targeting a major media company, 2019 efforts to compromise the network of Parliament, and a wide-ranging website defacement campaign in 2019.

The NCSC and the DOJ are, of course, continuing the standard play of naming and shaming, further portraying Russia as a multi-faceted threat to the democracies in Europe, the United States, and those in the Eastern Pacific region. The coordinated announcement also indicate further the degree to which these nations are working together to fend off Russian information operations and hacking, and such announcements also serve to rally even greater cooperation. In terms of why these indictments were handed down now given how long it has been clear Russia conducted many of these attacks, there are several possible motivations. Firstly, this may be not so subtle pushing back by the DOJ’s National Security Division and NCSC against top Trump Administration officials claiming the People’s Republic of China and Iran are the equals of Russia. For example, Director of National Intelligence (DNI) John Ratcliffe characterized Iran as the more serious threat to the 2020 Election even though unnamed officials said the exact opposite to media outlets. Second, it could be coincidental that the DOJ decided to seek these indictments and the purpose is, indeed, to put Russia on notice by detailing its widespread unparalleled hacking campaigns in an attempt to give governments around the world a full view of Russia’s intentions and activities. Moreover, as extensive as these allegations are, they omit the attempted Russian hacking about which the Federal Bureau of Investigation (FBI) warned U.S. critical cyber infrastructure owners and operators this past summer.

In a seemingly unrelated announcement, Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), “a Russian government-controlled research institution that is responsible for building customized tools that enabled the attack” for the Triton malware in the Middle East and against U.S. electric companies. OFAC did not identify the attackers although it seems probable that it is GRU given the laundry list of attacks in the DOJ indictment.

OFAC asserted:

  • The Triton malware — known also as TRISIS and HatMan in open source reporting — was designed specifically to target and manipulate industrial safety systems. Such systems provide for the safe emergency shutdown of industrial processes at critical infrastructure facilities in order to protect human life. The cyber actors behind the Triton malware have been referred to by the private cybersecurity industry as “the most dangerous threat activity publicly known.”
  • In recent years, the Triton malware has been deployed against U.S. partners in the Middle East, and the hackers behind the malware have been reportedly scanning and probing U.S. facilities. The development and deployment of the Triton malware against our partners is particularly troubling given the Russian government’s involvement in malicious and dangerous cyber-enabled activities. Previous examples of Russia’s reckless activities in cyberspace include, but are not limited to: the NotPetya cyber-attack, the most destructive and costly cyber-attack in history; cyber intrusions against the U.S. energy grid to potentially enable future offensive operations; the targeting of international organizations such as the Organization for the Prohibition of Chemical Weapons and the World Anti-Doping Agency; and the 2019 disruptive cyber-attack against the country of Georgia.

The Council of the European Union (Council) also announced sanctions against a portion of the GRU and two of its hackers responsible for penetrating and exfiltrating information from Germany’s Bundestag and the attempted hack of  the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands. This is the second time the European Union has utilized its cyber sanction powers put in place in 2019 in “Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States.”

The Council explained:

  • Today’s sanctions consist of a travel ban and an asset freeze imposed on the individuals, and an asset freeze imposed on the body. In addition, EU persons and entities are forbidden from making funds available to those listed.
  • The Council’s decision means that a total of 8 persons and 4 entities and bodies have been targeted by restrictive measures in relation to cyber-attacks targeting the EU or its member states.
  • Sanctions are one of the options available in the Union’s framework for a joint diplomatic response to malicious cyber activities (the so-called cyber diplomacy toolbox), and are intended to prevent, discourage, deter and respond to continuing and increasing malicious behaviour in cyberspace.

The Council sanctioned the “85th Main Centre for Special Services (GTsSS) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU)” and two hackers. The Council contended:

  • In particular, military intelligence officers of the GTsSS took part in the cyber-attack against the German federal parliament (Deutscher Bundestag) which took place in April and May 2015 and the attempted cyber-attack aimed at hacking into the Wi-Fi network of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands in April 2018.
  • The cyber-attack against the German federal parliament targeted the parliament’s information system and affected its operation for several days. A significant amount of data was stolen and email accounts of several MPs as well as of Chancellor Angela Merkel were affected.

In late July, the EU imposed its first cyber sanctions under its Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (aka the cyber diplomacy toolbox) against six hackers and three entities from the Russian Federation, the People’s Republic of China (PRC) and the Democratic People’s Republic of Korea for attacks against the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands, the malware attacks known as Petya and WannaCry, and Operation Cloud Hopper. The sanctions are part of the effort to levy costs on nations and actors that conduct cyber attacks. The EU explained:

  • The attempted cyber-attack was aimed at hacking into the Wi-Fi network of the OPCW, which, if successful, would have compromised the security of the network and the OPCW’s ongoing investigatory work. The Netherlands Defence Intelligence and Security Service (DISS) (Militaire Inlichtingen- en Veiligheidsdienst – MIVD) disrupted the attempted cyber-attack, thereby preventing serious damage to the OPCW.
  • “WannaCry” disrupted information systems around the world by targeting information systems with ransomware and blocking access to data. It affected information systems of companies in the Union, including information systems relating to services necessary for the maintenance of essential services and economic activities within Member States.
  • “NotPetya” or “EternalPetya” rendered data inaccessible in a number of companies in the Union, wider Europe and worldwide, by targeting computers with ransomware and blocking access to data, resulting amongst others in significant economic loss. The cyber-attack on a Ukrainian power grid resulted in parts of it being switched off during winter.
  • “Operation Cloud Hopper” has targeted information systems of multinational companies in six continents, including companies located in the Union, and gained unauthorised access to commercially sensitive data, resulting in significant economic loss.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Victor Malyushev on Unsplash

Further Reading, Other Developments, and Coming Events (22 October)

Further Reading

  •  “A deepfake porn Telegram bot is being used to abuse thousands of women” By Matt Burgess — WIRED UK. A bot set loose on Telegram can take pictures of women and, apparently teens, too, and “takes off” their clothing, rendering a naked image of females who never took naked pictures. This seems to be the next iteration in deepfake porn, a problem that will surely get worse until governments legislate against it and technology companies have incentives to locate and take down such material.
  • The Facebook-Twitter-Trump Wars Are Actually About Something Else” By Charlie Warzel — The New York Times. This piece makes the case that there are no easy fixes for American democracy or for misinformation on social media platforms.
  • Facebook says it rejected 2.2m ads for breaking political campaigning rules” — Agence France-Presse. Facebook’s Vice President of Global Affairs and Communications Nick Clegg said the social media giant is employing artificial intelligence and humans to find and remove political advertisements that violate policy in order to avoid a repeat of 2016 where untrue information and misinformation played roles in both Brexit and the election of Donald Trump as President of the United States.
  • Huawei Fallout—Game-Changing New China Threat Strikes At Apple And Samsung” By Zak Doffman — Forbes. Smartphone manufacturers from the People’s Republic of China (PRC) appear ready to step into the projected void caused by the United States (U.S.) strangling off Huawei’s access to chips. Xiaomi and Oppo have already seen sales surge worldwide and are poised to pick up where Huawei is being forced to leave off, perhaps demonstrating the limits of U.S. power to blunt the rise of PRC technology companies.
  • As Local News Dies, a Pay-for-Play Network Rises in Its Place” By Davey Alba and Jack Nicas — The New York Times. With a decline and demise of many local media outlets in the United States, new groups are stepping into the void, and some are politically minded but not transparent about biases. The organization uncovered in this article is nakedly Republican and is running and planting articles at both legitimate and artificial news sites for pay. Sometimes conservative donors pay, sometimes campaigns do. Democrats are engaged in the same activity but apparently to a lesser extent. These sorts of activities will only erode further faith in the U.S. media.
  • Forget Antitrust Laws. To Limit Tech, Some Say a New Regulator Is Needed.” By Steve Lohr — The New York Times. This piece argues that anti-trust enforcement actions are plodding, tending to take years to finish. Consequently, this body of law is inadequate to the task of addressing the market dominance of big technology companies. Instead, a new regulatory body is needed along the lines of those regulating the financial services industries that is more nimble than anti-trust. Given the problems in that industry with respect to regulation, this may not be the best model.
  • “‘Do Not Track’ Is Back, and This Time It Might Work” By Gilad Edelman — WIRED. Looking to utilize the requirement in the “California Consumer Privacy Act” (CCPA) (AB 375) that requires regulated entities to respect and effectuate the use of a one-time opt-out mechanism, a group of entities have come together to build and roll out the Global Privacy Control. In theory, users could download this technical specification to their phones and computers, install it, use it once, and then all websites would be on notice regarding that person’s privacy preferences. Such a means would go to the problem turned up by Consumer Reports recent report on the difficulty of trying to opt out of having one’s personal information sold.
  • EU countries sound alarm about growing anti-5G movement” By Laurens Cerulus — Politico. 15 European Union (EU) nations wrote the European Commission (EC) warning that the nascent anti-5G movement borne of conspiracy thinking and misinformation threatens the Eu’s position vis-à-vis the United States (U.S.) and the People’s Republic of China (PRC). There have been more than 200 documented arson attacks in the EU with the most having occurred in the United Kingdom, France, and the Netherlands. These nations called for a more muscular, more forceful debunking of the lies and misinformation being spread about 5G.
  • Security firms call Microsoft’s effort to disrupt botnet to protect against election interference ineffective” By Jay Greene — The Washington Post. Microsoft seemingly acted alongside the United States (U.S.) Cyber Command to take down and impair the operation of Trickbot, but now cybersecurity experts are questioning how effective Microsoft’s efforts really were. Researchers have shown the Russian operated Trickbot has already stood up operations and has dispersed across servers around the world, showing how difficult it is to address some cyber threats.
  • Governments around the globe find ways to abuse Facebook” By Sara Fischer and Ashley Gold — Axios. This piece puts a different spin on the challenges Facebook faces in countries around the world, especially those that ruthlessly use the platform to spread lies and misinformation than the recent BuzzFeed News article. The new article paints Facebook as the well-meaning company being taken advantage of while the other one portrays a company callous to content moderation except in nations where it causes them political problems such as the United States, the European Union, and other western democracies.

Other Developments

  • The United States (U.S.) Department of Justice’s (DOJ) Cyber-Digital Task Force (Task Force) issued “Cryptocurrency: An Enforcement Framework,” that “provides a comprehensive overview of the emerging threats and enforcement challenges associated with the increasing prevalence and use of cryptocurrency; details the important relationships that the Department of Justice has built with regulatory and enforcement partners both within the United States government and around the world; and outlines the Department’s response strategies.” The Task Force noted “[t]his document does not contain any new binding legal requirements not otherwise already imposed by statute or regulation.” The Task Force summarized the report:
    • [I]n Part I, the Framework provides a detailed threat overview, cataloging the three categories into which most illicit uses of cryptocurrency typically fall: (1) financial transactions associated with the commission of crimes; (2) money laundering and the shielding of legitimate activity from tax, reporting, or other legal requirements; and (3) crimes, such as theft, directly implicating the cryptocurrency marketplace itself. 
    • Part II explores the various legal and regulatory tools at the government’s disposal to confront the threats posed by cryptocurrency’s illicit uses, and highlights the strong and growing partnership between the Department of Justice and the Securities and Exchange Commission, the Commodity Futures Commission, and agencies within the Department of the Treasury, among others, to enforce federal law in the cryptocurrency space.
    • Finally, the Enforcement Framework concludes in Part III with a discussion of the ongoing challenges the government faces in cryptocurrency enforcement—particularly with respect to business models (employed by certain cryptocurrency exchanges, platforms, kiosks, and casinos), and to activity (like “mixing” and “tumbling,” “chain hopping,” and certain instances of jurisdictional arbitrage) that may facilitate criminal activity.    
  • The White House’s Office of Science and Technology Policy (OSTP) has launched a new website for the United States’ (U.S.) quantum initiative and released a report titled “Quantum Frontiers: Report On Community Input To The Nation’s Strategy For Quantum Information Science.” The Quantum Initiative flows from the “National Quantum Initiative Act” (P.L. 115-368) “to  provide  for  a  coordinated  Federal  program  to  accelerate  quantum  research  and  development  for  the  economic and national security of the United States.” The OSTP explained that the report “outlines eight frontiers that contain core problems with fundamental questions confronting quantum information science (QIS) today:
    • Expanding Opportunities for Quantum Technologies to Benefit Society
    • Building the Discipline of Quantum Engineering
    • Targeting Materials Science for Quantum Technologies
    • Exploring Quantum Mechanics through Quantum Simulations
    • Harnessing Quantum Information Technology for Precision Measurements
    • Generating and Distributing Quantum Entanglement for New Applications
    • Characterizing and Mitigating Quantum Errors
    • Understanding the Universe through Quantum Information
    • OSTP asserted “[t]hese frontier areas, identified by the QIS research community, are priorities for the government, private sector, and academia to explore in order to drive breakthrough R&D.”
  • The New York Department of Financial Services (NYDFS) published its report on the July 2020 Twitter hack during which a team of hacker took over a number of high-profile accounts (e.g. Barack Obama, Kim Kardashian West, Jeff Bezos, and Elon Musk) in order to perpetrate a cryptocurrency scam. The NYDFS has jurisdiction over cryptocurrencies and companies dealing in this item in New York. The NYDFS found that the hackers used the most basic means to acquire permission to take over accounts. The NYDFS explained:
    • Given that Twitter is a publicly traded, $37 billion technology company, it was surprising how easily the Hackers were able to penetrate Twitter’s network and gain access to internal tools allowing them to take over any Twitter user’s account. Indeed, the Hackers used basic techniques more akin to those of a traditional scam artist: phone calls where they pretended to be from Twitter’s Information Technology department. The extraordinary access the Hackers obtained with this simple technique underscores Twitter’s cybersecurity vulnerability and the potential for devastating consequences. Notably, the Twitter Hack did not involve any of the high-tech or sophisticated techniques often used in cyberattacks–no malware, no exploits, and no backdoors.
    • The implications of the Twitter Hack extend far beyond this garden-variety fraud. There are well-documented examples of social media being used to manipulate markets and interfere with elections, often with the simple use of a single compromised account or a group of fake accounts.In the hands of a dangerous adversary, the same access obtained by the Hackers–the ability to take control of any Twitter users’ account–could cause even greater harm.
    • The Twitter Hack demonstrates the need for strong cybersecurity to curb the potential weaponization of major social media companies. But our public institutions have not caught up to the new challenges posed by social media. While policymakers focus on antitrust and content moderation problems with large social media companies, their cybersecurity is also critical. In other industries that are deemed critical infrastructure, such as telecommunications, utilities, and finance, we have established regulators and regulations to ensure that the public interest is protected. With respect to cybersecurity, that is what is needed for large, systemically important social media companies.
    • The NYDFS recommended the cybersecurity measures cryptocurrency companies in New York should implement to avoid similar hacks, including its own cybersecurity regulations that bind its regulated entities in New York. The NYDFS also called for a national regulator to address the lack of a dedicated regulator of Twitter and other massive social media platforms. The NYDFS asserted:
      • Social media companies currently have no dedicated regulator. They are subject to the same general oversight applicable to other companies. For instance, the SEC’s regulations for all public companies apply to public social media companies, and antitrust and related laws and regulations enforced by the Department of Justice and the FTC apply to social media companies as they do to all companies. Social media companies are also subject to generally applicable laws, such as the California Consumer Privacy Act and the New York SHIELD Act. The European Union’s General Data Protection Regulation, which regulates the storage and use of personal data, also applies to social media entities doing business in Europe.
      • But there are no regulators that have the authority to uniformly regulate social media platforms that operate over the internet, and to address the cybersecurity concerns identified in this Report. That regulatory vacuum must be filled.
      • A useful starting point is to create a “systemically important” designation for large social media companies, like the designation for critically important bank and non-bank financial institutions. In the wake of the 2007-08 financial crisis, Congress established a new regulatory framework for financial institutions that posed a systemic threat to the financial system of the United States. An institution could be designated as a Systemically Important Financial Institution (“SIFI”) “where the failure of or a disruption to the functioning of a financial market utility or the conduct of a payment, clearing, or settlement activity could create, or increase, the risk of significant liquidity or credit problems spreading among financial institutions or markets and thereby threaten the stability of the financial system of the United States.”
      • The risks posed by social media to our consumers, economy, and democracy are no less grave than the risks posed by large financial institutions. The scale and reach of these companies, combined with the ability of adversarial actors who can manipulate these systems, require a similarly bold and assertive regulatory approach.
      • The designation of an institution as a SIFI is made by the Financial Stability Oversight Council (“FSOC”), which Congress established to “identify risks to the financial stability of the United States” and to provide enhanced supervision of SIFIs.[67] The FSOC also “monitors regulatory gaps and overlaps to identify emerging sources of systemic risk.” In determining whether a financial institution is systemically important, the FSOC considers numerous factors including: the effect that a failure or disruption to an institution would have on financial markets and the broader financial system; the nature of the institution’s transactions and relationships; the nature, concentration, interconnectedness, and mix of the institution’s activities; and the degree to which the institution is regulated.
      • An analogue to the FSOC should be established to identify systemically important social media companies. This new Oversight Council should evaluate the reach and impact of social media companies, as well as the society-wide consequences of a social media platform’s misuse, to determine which companies they should designate as systemically important. Once designated, those companies should be subject to enhanced regulation, such as through the provision of “stress tests” to evaluate the social media companies’ susceptibility to key threats, including cyberattacks and election interference.
      • Finally, the success of such oversight will depend on the establishment of an expert agency to oversee designated social media companies. Systemically important financial companies designated by the FSOC are overseen by the Federal Reserve Board, which has a long-established and deep expertise in banking and financial market stability. A regulator for systemically important social media would likewise need deep expertise in areas such as technology, cybersecurity, and disinformation. This expert regulator could take various forms; it could be a completely new agency or could reside within an established agency or at an existing regulator.
  • The Government Accountability Office (GAO) evaluated how well the Trump Administration has been implementing the “Open, Public, Electronic and Necessary Government Data Act of 2018” (OPEN Government Data Act) (P.L. 115-435). As the GAO explained, this statute “requires federal agencies to publish their information as open data using standardized, nonproprietary formats, making data available to the public open by default, unless otherwise exempt…[and] codifies and expands on existing federal open data policy including the Office of Management and Budget’s (OMB) memorandum M-13-13 (M-13-13), Open Data Policy—Managing Information as an Asset.”
    • The GAO stated
      • To continue moving forward with open government data, the issuance of OMB implementation guidance should help agencies develop comprehensive inventories of their data assets, prioritize data assets for publication, and decide which data assets should or should not be made available to the public.
      • Implementation of this statutory requirement is critical to agencies’ full implementation and compliance with the act. In the absence of this guidance, agencies, particularly agencies that have not previously been subject to open data policies, could fall behind in meeting their statutory timeline for implementing comprehensive data inventories.
      • It is also important for OMB to meet its statutory responsibility to biennially report on agencies’ performance and compliance with the OPEN Government Data Act and to coordinate with General Services Administration (GSA) to improve the quality and availability of agency performance data that could inform this reporting. Access to this information could inform Congress and the public on agencies’ progress in opening their data and complying with statutory requirements. This information could also help agencies assess their progress and improve compliance with the act.
    • The GAO made three recommendations:
      • The Director of OMB should comply with its statutory requirement to issue implementation guidance to agencies to develop and maintain comprehensive data inventories. (Recommendation 1)
      • The Director of OMB should comply with the statutory requirement to electronically publish a report on agencies’ performance and compliance with the OPEN Government Data Act. (Recommendation 2)
      • The Director of OMB, in collaboration with the Administrator of GSA, should establish policy to ensure the routine identification and correction of errors in electronically published performance information. (Recommendation 3)
  • The United States’ (U.S.) National Security Agency (NSA) issued a cybersecurity advisory titled “Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities,” that “provides Common Vulnerabilities and Exposures (CVEs) known to be recently leveraged, or scanned-for, by Chinese state-sponsored cyber actors to enable successful hacking operations against a multitude of victim networks.” The NSA recommended a number of mitigations generally for U.S. entities, including:
    • Keep systems and products updated and patched as soon as possible after patches are released.
    • Expect that data stolen or modified (including credentials, accounts, and software) before the device was patched will not be alleviated by patching, making password changes and reviews of accounts a good practice.
    • Disable external management capabilities and set up an out-of-band management network.
    • Block obsolete or unused protocols at the network edge and disable them in device configurations.
    • Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network.
    • Enable robust logging of Internet-facing services and monitor the logs for signs of compromise.
    • The NSA then proceeded to recommend specific fixes.
    • The NSA provided this policy backdrop:
      • One of the greatest threats to U.S. National Security Systems (NSS), the U.S. Defense Industrial Base (DIB), and Department of Defense (DOD) information networks is Chinese state-sponsored malicious cyber activity. These networks often undergo a full array of tactics and techniques used by Chinese state-sponsored cyber actors to exploit computer networks of interest that hold sensitive intellectual property, economic, political, and military information. Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and mitigation efforts.
      • The same process for planning the exploitation of a computer network by any sophisticated cyber actor is used by Chinese state-sponsored hackers. They often first identify a target, gather technical information on the target, identify any vulnerabilities associated with the target, develop or re-use an exploit for those vulnerabilities, and then launch their exploitation operation.
  • Belgium’s data protection authority (DPA) (Autorité de protection des données in French or Gegevensbeschermingsautoriteit in Dutch) (APD-GBA) has reportedly found that the Transparency & Consent Framework (TCF) developed by the Interactive Advertising Bureau (IAB) violates the General Data Protection Regulation (GDPR). The Real-Time Bidding (RTB) system used for online behavioral advertising allegedly transmits the personal information of European Union residents without their consent even before a popup appears on their screen asking for consent. The APD-GBA is the lead DPA in the EU in investigating the RTB and will likely now circulate their findings and recommendations to other EU DPAs before any enforcement will commence.
  • None Of Your Business (noyb) announced “[t]he Irish High Court has granted leave for a “Judicial Review” against the Irish Data Protection Commission (DPC) today…[and] [t]he legal action by noyb aims to swiftly implement the [Court of Justice for the European Union (CJEU)] Decision prohibiting Facebook’s” transfer of personal data from the European Union to the United States (U.S.) Last month, after the DPC directed Facebook to stop transferring the personal data of EU citizens to the U.S., the company filed suit in the Irish High Court to stop enforcement of the order and succeeded in staying the matter until the court rules on the merits of the challenge.
    • noyb further asserted:
      • Instead of making a decision in the pending procedure, the DPC has started a second, new investigation into the same subject matter (“Parallel Procedure”), as widely reported (see original reporting by the WSJ). No logical reasons for the Parallel Procedure was given, but the DPC has maintained that Mr Schrems will not be heard in this second case, as he is not a party in this Parallel Procedure. This Paralell procedure was criticised by Facebook publicly (link) and instantly blocked by a Judicial Review by Facebook (see report by Reuters).
      • Today’s Judicial Review by noyb is in many ways the counterpart to Facebook’s Judicial Review: While Facebook wants to block the second procedure by the DPC, noyb wants to move the original complaints procedure towards a decision.
      • Earlier this summer, the CJEU struck down the adequacy decision for the agreement between the EU and (U.S. that had provided the easiest means to transfer the personal data of EU citizens to the U.S. for processing under the General Data Protection Regulation (GDPR) (i.e. the EU-U.S. Privacy Shield). In the case known as Schrems II, the CJEU also cast doubt on whether standard contractual clauses (SCC) used to transfer personal data to the U.S. would pass muster given the grounds for finding the Privacy Shield inadequate: the U.S.’s surveillance regime and lack of meaningful redress for EU citizens. Consequently, it has appeared as if data protection authorities throughout the EU would need to revisit SCCs for transfers to the U.S., and it appears the DPC was looking to stop Facebook from using its SCC. Facebook is apparently arguing in its suit that it will suffer “extremely significant adverse effects” if the DPC’s decision is implemented.
  • Most likely with the aim of helping British chances for an adequacy decision from the European Union (EU), the United Kingdom’s Information Commissioner’s Office (ICO) published guidance that “discusses the right of access [under the General Data Protection Regulation (GDPR)] in detail.” The ICO explained “is aimed at data protection officers (DPOs) and those with specific data protection responsibilities in larger organisations…[but] does not specifically cover the right of access under Parts 3 and 4 of the Data Protection Act 2018.”
    • The ICO explained
      • The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data from you, as well as other supplementary information.
  • The report the House Education and Labor Ranking Member requested from the Government Accountability Office (GAO) on the data security and data privacy practices of public schools. Representative Virginia Foxx (R-NC) asked the GAO “to review the security of K-12 students’ data. This report examines (1) what is known about recently reported K-12 cybersecurity incidents that compromised student data, and (2) the characteristics of school districts that experienced these incidents.” Strangely, the report did have GAO’s customary conclusions or recommendations. Nonetheless, the GAO found:
    • Ninety-nine student data breaches reported from July 1, 2016 through May 5, 2020 compromised the data of students in 287 school districts across the country, according to our analysis of K-12 Cybersecurity Resource Center (CRC) data (see fig. 3). Some breaches involved a single school district, while others involved multiple districts. For example, an attack on a vendor system in the 2019-2020 school year affected 135 districts. While information about the number of students affected was not available for every reported breach, examples show that some breaches affected thousands of students, for instance, when a cybercriminal accessed 14,000 current and former students’ personally identifiable information (PII) in one district.
    • The 99 reported student data breaches likely understate the number of breaches that occurred, for different reasons. Reported incidents sometimes do not include sufficient information to discern whether data were breached. We identified 15 additional incidents in our analysis of CRC data in which student data might have been compromised, but the available information was not definitive. In addition, breaches can go undetected for some time. In one example, the personal information of hundreds of thousands of current and former students in one district was publicly posted for 2 years before the breach was discovered.
    • The CRC identified 28 incidents involving videoconferences from April 1, 2020 through May 5, 2020, some of which disrupted learning and exposed students to harm. In one incident, 50 elementary school students were exposed to pornography during a virtual class. In another incident in a different district, high school students were targeted with hate speech during a class, resulting in the cancellation that day of all classes using the videoconferencing software. These incidents also raise concerns about the potential for violating students’ privacy. For example, one district is reported to have instructed teachers to record their class sessions. Teachers said that students’ full names were visible to anyone viewing the recording.
    • The GAO found gaps in the protection and enforcement of student privacy by the United States government:
      • [The Department of] Education is responsible for enforcing Family Educational Rights and Privacy Act (FERPA), which addresses the privacy of PII in student education records and applies to all schools that receive funds under an applicable program administered by Education. If parents or eligible students believe that their rights under FERPA have been violated, they may file a formal complaint with Education. In response, Education is required to take appropriate actions to enforce and deal with violations of FERPA. However, because the department’s authority under FERPA is directly related to the privacy of education records, Education’s security role is limited to incidents involving potential violations under FERPA. Further, FERPA amendments have not directly addressed educational technology use.
      • The “Children’s Online Privacy Protection Act” (COPPA) requires the Federal Trade Commission (FTC) to issue and enforce regulations concerning children’s privacy. The COPPA Rule, which took effect in 2000 and was later amended in 2013, requires operators of covered websites or online services that collect personal information from children under age 13 to provide notice and obtain parental consent, among other things. COPPA generally applies to the vendors who provide educational technology, rather than to schools directly. However, according to FTC guidance, schools can consent on behalf of parents to the collection of students’ personal information if such information is used for a school-authorized educational purpose and for no other commercial purpose.
  • Upturn, an advocacy organization that “advances equity and justice in the design, governance, and use of technology,” has released a report showing that United States (U.S.) law enforcement agencies have multiple means of hacking into encrypted or protected smartphones. There have long been the means and vendors available in the U.S. and abroad for breaking into phones despite the claims of a number of nations like the Five Eyes (U.S., the United Kingdom, Australia, Canada, and New Zealand) that default end-to-end encryption was a growing problem that allowed those preying on children and engaged in terrorism to go undetected. In terms of possible bias, Upturn is “is supported by the Ford Foundation, the Open Society Foundations, the John D. and Catherine T. MacArthur Foundation, Luminate, the Patrick J. McGovern Foundation, and Democracy Fund.”
    • Upturn stated:
      • Every day, law enforcement agencies across the country search thousands of cellphones, typically incident to arrest. To search phones, law enforcement agencies use mobile device forensic tools (MDFTs), a powerful technology that allows police to extract a full copy of data from a cellphone — all emails, texts, photos, location, app data, and more — which can then be programmatically searched. As one expert puts it, with the amount of sensitive information stored on smartphones today, the tools provide a “window into the soul.”
      • This report documents the widespread adoption of MDFTs by law enforcement in the United States. Based on 110 public records requests to state and local law enforcement agencies across the country, our research documents more than 2,000 agencies that have purchased these tools, in all 50 states and the District of Columbia. We found that state and local law enforcement agencies have performed hundreds of thousands of cellphone extractions since 2015, often without a warrant. To our knowledge, this is the first time that such records have been widely disclosed.
    • Upturn argued:
      • Law enforcement use these tools to investigate not only cases involving major harm, but also for graffiti, shoplifting, marijuana possession, prostitution, vandalism, car crashes, parole violations, petty theft, public intoxication, and the full gamut of drug-related offenses. Given how routine these searches are today, together with racist policing policies and practices, it’s more than likely that these technologies disparately affect and are used against communities of color.
      • We believe that MDFTs are simply too powerful in the hands of law enforcement and should not be used. But recognizing that MDFTs are already in widespread use across the country, we offer a set of preliminary recommendations that we believe can, in the short-term, help reduce the use of MDFTs. These include:
        • banning the use of consent searches of mobile devices,
        • abolishing the plain view exception for digital searches,
        • requiring easy-to-understand audit logs,
        • enacting robust data deletion and sealing requirements, and
        • requiring clear public logging of law enforcement use.

Coming Events

  • The Federal Communications Commission (FCC) will hold an open commission meeting on 27 October, and the agency has released a tentative agenda:
    • Restoring Internet Freedom Order Remand – The Commission will consider an Order on Remand that would respond to the remand from the U.S. Court of Appeals for the D.C. Circuit and conclude that the Restoring Internet Freedom Order promotes public safety, facilitates broadband infrastructure deployment, and allows the Commission to continue to provide Lifeline support for broadband Internet access service. (WC Docket Nos. 17-108, 17-287, 11- 42)
    • Establishing a 5G Fund for Rural America – The Commission will consider a Report and Order that would establish the 5G Fund for Rural America to ensure that all Americans have access to the next generation of wireless connectivity. (GN Docket No. 20-32)
    • Increasing Unlicensed Wireless Opportunities in TV White Spaces – The Commission will consider a Report and Order that would increase opportunities for unlicensed white space devices to operate on broadcast television channels 2-35 and expand wireless broadband connectivity in rural and underserved areas. (ET Docket No. 20-36)
    • Streamlining State and Local Approval of Certain Wireless Structure Modifications – The Commission will consider a Report and Order that would further accelerate the deployment of 5G by providing that modifications to existing towers involving limited ground excavation or deployment would be subject to streamlined state and local review pursuant to section 6409(a) of the Spectrum Act of 2012. (WT Docket No. 19-250; RM-11849)
    • Revitalizing AM Radio Service with All-Digital Broadcast Option – The Commission will consider a Report and Order that would authorize AM stations to transition to an all-digital signal on a voluntary basis and would also adopt technical specifications for such stations. (MB Docket Nos. 13-249, 19-311)
    • Expanding Audio Description of Video Content to More TV Markets – The Commission will consider a Report and Order that would expand audio description requirements to 40 additional television markets over the next four years in order to increase the amount of video programming that is accessible to blind and visually impaired Americans. (MB Docket No. 11-43)
    • Modernizing Unbundling and Resale Requirements – The Commission will consider a Report and Order to modernize the Commission’s unbundling and resale regulations, eliminating requirements where they stifle broadband deployment and the transition to next- generation networks, but preserving them where they are still necessary to promote robust intermodal competition. (WC Docket No. 19-308)
    • Enforcement Bureau Action – The Commission will consider an enforcement action.
  • The Senate Commerce, Science, and Transportation Committee will hold a hearing on 28 October regarding 47 U.S.C. 230 titled “Does Section 230’s Sweeping Immunity Enable Big Tech Bad Behavior?” with testimony from:
    • Jack Dorsey, Chief Executive Officer of Twitter;
    • Sundar Pichai, Chief Executive Officer of Alphabet Inc. and its subsidiary, Google; and 
    • Mark Zuckerberg, Chief Executive Officer of Facebook.
  • On 29 October, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”
  • On 10 November, the Senate Commerce, Science, and Transportation Committee will hold a hearing to consider nominations, including Nathan Simington’s to be a Member of the Federal Communications Commission.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Mehmet Turgut Kirkgoz from Pixabay

Five Eyes Again Lean On Tech About Encryption

In the latest demand, the usual suspects are joined by two new nations in urging tech to stop using default encryption and to essentially build backdoors.

The Five Eyes (FVEY) intelligence alliance plus two Asian nations have released an “International Statement: End-To-End Encryption and Public Safety,” which represents the latest FVEY salvo in their campaign against technology companies using default end-to-end encryption. Again, the FVEY nations are casting the issues presented by encryption through the prism of child sexual abuse, terrorism, and other horrible crimes in order to keep technology companies on their proverbial policy backfoot. For, after all, how can the reasonable tech CEO argue for encryption when it is being used to commit and cover up unspeakable crimes.

However, in a sign that technology companies may be facing a growing playing field, India and Japan joined the FVEY in this statement; whether this is a result of the recent Quadrilateral Security Dialogue is unclear, but it seems a fair assumption given that two of the FVEY nations, the United States and Australia make up the other two members of the Quad. And, of course, the United Kingdom, Canada, and New Zealand are the three other members of the FVEY.

In the body of the statement, FVEY, Japan, and India asserted:

  • We, the undersigned, support strong encryption, which plays a crucial role in protecting personal data, privacy, intellectual property, trade secrets and cyber security.  It also serves a vital purpose in repressive states to protect journalists, human rights defenders and other vulnerable people, as stated in the 2017 resolution of the UN Human Rights Council.  Encryption is an existential anchor of trust in the digital world and we do not support counter-productive and dangerous approaches that would materially weaken or limit security systems. 
  • Particular implementations of encryption technology, however, pose significant challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children. We urge industry to address our serious concerns where encryption is applied in a way that wholly precludes any legal access to content.  We call on technology companies to work with governments to take the following steps, focused on reasonable, technically feasible solutions:
    • Embed the safety of the public in system designs, thereby enabling companies to act against illegal content and activity effectively with no reduction to safety, and facilitating the investigation and prosecution of offences and safeguarding the vulnerable;
    • Enable law enforcement access to content in a readable and usable format where an authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight; and
    • Engage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.

So, on the one hand, these nations recognize the indispensable role encryption plays in modern communications and in the fight against authoritarian regimes and “do not support counter-productive and dangerous approaches that would materially weaken or limit security systems.” But, on the other hand, “[p]articular implementations of encryption technology” is putting children at risk and letting terrorism thrive. Elsewhere in the statement we learn that the implementation in question is “[e]nd-to-end encryption that precludes lawful access to the content of communications in any circumstances.”

And, so these nations want companies like Facebook, Apple, Google, and others to take certain steps that would presumably maintain strong encryption but would allow access to certain communications for law enforcement purposes. These nations propose “[e]mbed[ding] the safety of the public in systems designs,” which is a nice phrase and wonderful rhetoric, but what does this mean practically? Companies should not use default encryption? Perhaps. But, let’s be honest about second order effects if American tech companies dispensed with default encryption. Sophisticated criminals and terrorists understand encryption and will still choose to encrypt their devices, apps, and communications, for in this scenario the devices and apps would no longer be encrypted as the default. Rather, people would have to go to the time and trouble of figuring out how to do this. . To be fair, neophyte and careless criminals and terrorists may not know to do so, and their communications would be fairly easy to acquire.

Another likely second order effect is that apps and software offering very hard to break encryption will no longer be made or legally offered in FVEY nations. Consequently, the enterprising individual interested in encryption that cannot be broken or tapped by governments will seek and likely find such technology through a variety of means produced in other countries. It is unlikely encryption will get put back in the bottle because FVEY and friends want it so.

Moreover, given the current technological landscape, the larger point here is that building backdoors into encryption or weakening encryption puts legitimate, desirable communications, activities, and transactions at greater risk of being intercepted. Why would this be so? Because it would take less effort and computing power to crack a weaker encryption key.

But, sure, a world in which my midnight snacking does not lead to weight gain would be amazing. And so it is with the FVEY’s call for strong encryption they could essentially defeat as needed. Eventually, the keys, technology, or means would be leaked or stolen as has happened time and time again. Most recently, there was a massive exfiltration of the Central Intelligence Agency’s (CIA) Vault 7 hacking tools and sources and methods. It would only be a matter of time before the tools to defeat encryption were stolen or compromised.

Perhaps there is a conceptual framework or technology that would achieve the FVEY’s goal, but, at present, it will entail tradeoffs that will make people less secure in their online communications. And, in the defense of the FVEY, they are proposing to “[e]ngage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.” Again, very nice phraseology that does not tell us much.

Of course, the FVEY nations are calling for access under proper authorization. However, in the U.S. that might not even entail an adversarial process in a court, for under the Foreign Intelligence Surveillance Act (FISA), there is no such process in the secret proceedings. Additionally, in the same vein, the phrase “subject to strong safeguards and oversight” is downright comical if the U.S. system is to be the template given the range of shortcomings and failures of national security agencies in meeting U.S. law relating to surveillance.

The FVEY, Japan, and India conclude with:

We are committed to working with industry to develop reasonable proposals that will allow technology companies and governments to protect the public and their privacy, defend cyber security and human rights and support technological innovation.  While this statement focuses on the challenges posed by end-to-end encryption, that commitment applies across the range of encrypted services available, including device encryption, custom encrypted applications and encryption across integrated platforms.  We reiterate that data protection, respect for privacy and the importance of encryption as technology changes and global Internet standards are developed remain at the forefront of each state’s legal framework.  However, we challenge the assertion that public safety cannot be protected without compromising privacy or cyber security.  We strongly believe that approaches protecting each of these important values are possible and strive to work with industry to collaborate on mutually agreeable solutions.

More having one’s cake and eating it, too. They think strong encryption is possible with the means of accessing encrypted communications related to crimes. This seems to be contrary to expert opinion on the matter.

As mentioned, this is not the FVEY’s first attempt to press technology companies. In October 2019, the U.S., the UK, and Australia sent a letter to Facebook CEO Mark Zuckerberg “to request that Facebook does not proceed with its plan to implement end-to-end encryption across its messaging services without ensuring that there is no reduction to user safety and without including a means for lawful access to the content of communications to protect our citizens.” These governments claimed “[w]e support strong encryption…[and] respect promises made by technology companies to protect users’ data…[but] “[w]e must find a way to balance the need to secure data with public safety and the need for law enforcement to access the information they need to safeguard the public, investigate crimes, and prevent future criminal activity.” The officials asserted that “[c]ompanies should not deliberately design their systems to preclude any form of access to content, even for preventing or investigating the most serious crimes.”

In summer 2019 the FVEY issued a communique in which it urged technology companies “to include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format.” Interestingly, at that time, these nations lauded Facebook for “approaches like Mark Zuckerberg’s public commitment to consulting Governments on Facebook’s recent proposals to apply end-to-end encryption to its messaging services…[and] [t]hese engagements must be substantive and genuinely influence design decisions.” It begs the question of what, if anything, changed since this communique was issued and the recent letter to Zuckerberg. In any event, this communique followed the Five Eyes 2018 “Statement of Principles on Access to Evidence and Encryption,“ which articulated these nations’ commitment to working with technology companies to address encryption and the need for law enforcement agencies to meet their public safety and protection obligations.

In Facebook’s December 2019 response, Facebook Vice President and WhatsApp Head Will Cathcart and Facebook Vice President and Messenger Head Stan Chudnovsky stated “[c]ybersecurity experts have repeatedly proven that when you weaken any part of an encrypted system, you weaken it for everyone, everywhere…[and] [t]he ‘backdoor’ access you are demanding for law enforcement would be a gift to criminals, hackers and repressive regimes, creating a way for them to enter our systems and leaving every person on our platforms more vulnerable to real-life harm.”

Moreover, one of the FVEY nations has enacted a law that could result in orders to technology companies to decrypt encrypted communications. In December 2018, Australia enacted the “Telecommunications and Other Legislation (Assistance and Access) Act 2018” (TOLA). As the Office of Australia’s Information Commissioner (OAIC) wrote of TOLA, “[t]he powers permitted under the Act have the potential to significantly weaken important privacy rights and protections under the Privacy Act…[and] [t]he encryption technology that can obscure criminal communications and pose a threat to national security is the same technology used by ordinary citizens to exercise their legitimate rights to privacy.”

This past summer, Australia’s Independent National Security Legislation Monitor (INSLM) issued its report on “Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018” (TOLA). The Parliamentary  Joint  Committee on Intelligence and Security had requested that the INSLM review the statute, and so INSLM engaged in a lengthy review, including input from the public. As explained in the report’s preface, the “INSLM independently reviews the operation, effectiveness and implications of national  security  and  counter-terrorism  laws;  and  considers  whether  the  laws  contain  appropriate  protections  for  individual  rights,  remain  proportionate  to  terrorism or national security threats, and remain necessary.”

INSLM claimed

In this report I reject the notion that there is a binary choice that must be made between the effectiveness of agencies’ surveillance powers in the digital age on the one hand and the security of the internet on the other. Rather, I conclude that what is necessary is a law which allows agencies to meet technological challenges, such as those caused by encryption, but in a proportionate way and with proper rights protection. Essentially this can be done by updating traditional safeguards to meet those same technological challenges – notably, those who are trusted to authorise intrusive search and surveillance powers must be able to understand the technological context in which those powers operate, and their consequences. If, but only if, the key recommendations I set out in this report in this regard are adopted, TOLA will be such a law.

The European Union may have a different view, however. In a response to a Minister of the European Parliament’s letter, the European Data Protection Board (EDPB) articulated its view that any nation that implements an “encryption ban” would endanger its compliance with the General Data Protection Regulation (GDPR) and possibly result in companies domiciled in those countries not being able to transfer and process the personal data of EU citizens. However, as always, it bears note the EDPB’s view may not carry the day with the European Commission, Parliament, and courts.

The EDPB stated

Any ban on encryption or provisions weakening encryption would undermine the GDPR obligations on the  concerned  controllers  and  processors  for  an  effective  implementation  of  both  data  protection principles and the appropriate technical and organisational measures. Similar considerations apply to transfers to controllers or processors in any third countries adopting such bans or provisions. Security measures are therefore specifically mentioned among the elements   the   European Commission must take into account when assessing the adequacy of the level of protection in a third country. In the absence of such a decision, transfers are subject to appropriate safeguards or maybe based on derogations; in any case the security of the personal data has to be ensured at all times.

The EDPB opined “that any encryption ban would seriously undermine compliance with the GDPR.” The EDPB continued, “[m]ore specifically, whatever the instrument used,  it would represent a major  obstacle in recognising a level of protection essentially equivalent to that ensured by the applicable  data protection law in the EU, and would seriously question the ability of the concerned controllers and processors to comply with the security obligation of the regulation.”

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by OpenClipart-Vectors from Pixabay

Further Reading, Other Developments, and Coming Events (5 October)

Coming Events

  • On 6 October, the House Administration Committee’s Elections Subcommittee will hold a virtual hearing titled “Voting Rights and Election Administration: Combatting Misinformation in the 2020 Election.”
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”

Other Developments

  • The House Intelligence Committee released an unclassified executive summary of “The China Deep Dive: A Report on the Intelligence Community’s Capabilities and Competencies with Respect to the People’s Republic of China.” In a press release, the committee “found that “the United States’ (U.S.) Intelligence Community (IC) has not sufficiently adapted to a changing geopolitical and technological environment increasingly shaped by a rising China and the growing importance of interlocking non-military transnational threats, such as global health, economic security, and climate change.” The committee further claimed “[a]bsent a significant realignment of resources, the U.S. government and intelligence community will fail to achieve the outcomes required to enable continued U.S. competition with China on the global stage for decades to come, and to protect the U.S. health and security.”
    • The committee stated that while its “review was scoped to assess the IC’s efforts against the China target, some of its findings address not merely China, but also broader issues foundational to the IC’s structure and continued ability to operate in a 21st century environment—an environment shaped by the ravages of COVID-19.”
    • The committee made the following findings:
      • Intelligence Community [REDACTED] compete with China. Absent a significant realignment of resources, the U.S. government will fail to achieve the outcomes required to enable U.S. competition with China on the global stage.
      • The Intelligence Community places insufficient emphasis and focus on “soft,” often interconnected long-term national security threats, such as infectious diseases of pandemic potential and climate change, and such threats’ macroeconomic impacts on U.S. national security. This could jeopardize the future relevance of the Intelligence Community’s analysis to policymakers on certain long-range challenges, particularly given the growing importance of these policy challenges to decision-makers and the public and the devastating impact of the current pandemic on U.S. national life.
      • The Intelligence Community has failed to fully achieve the integration objectives outlined in the 2004 Intelligence Reform and Terrorism Prevention Act (IRTPA) for targets and topics unrelated to counterterrorism.
      • The Intelligence Community is struggling to adapt to the increasing availability and commodification of data, [REDACTED].
      • The increasing pace of global events, fueled by the rise of social media and mobile communications, will continue to stress the IC’s ability to provide timely and accurate analysis within customers’ decision-making window.
      • The future successful application of artificial intelligence, machine learning, and other advanced analytic techniques will be integral enablers for the U.S. national security enterprise. Conversely, there is a high degree of strategic risk associated with stasis and a failure to modernize.
      • Existing intelligence requirement prioritization mechanisms [REDACTED] particularly with respect to decision-makers outside of the Department of Defense.
    • The committee made the following recommendations broadly about the IC:
      • The Committee recommends the creation of a bipartisan, bicameral congressional study group to evaluate the current organization of and authorities provided to the intelligence community, with the express goal of making necessary reforms to the National Security Act of 1947 and the Intelligence Reform and Preventing Terrorism Act (IRPTA) of 2004.
      • The Executive Branch, in consultation with congressional intelligence and appropriations committees, must undertake a zero-based review of all intelligence program expenditures, assess the programs’ continued relevance to forward-looking mission sets, such as the increased relevance of “soft” transnational threats and continued competition with China, and take immediate corrective action to align taxpayer resources in support of strategic requirements.
      • An external entity should conduct a formal review of the governance of open-source intelligence (OSINT) within the intelligence community, and submit to congressional intelligence and appropriations committees a proposal to streamline and strengthen U.S. government capabilities.
      • The Office of the Director of National Intelligence (ODNI) should identify shared artificial intelligence and machine learning (AI/ML) use cases across the intelligence community and use the its coordinating and budgetary authorities to consolidate spending, expertise, and data around shared community-wide AI/ML capabilities.
    • Specific to the People’s Republic of China, the committee stated
      • ODNI should strengthen its ability to effectively track [REDACTED]
      • The IC should [REDACTED] existing intelligence collection prioritization frameworks, particularly to inform resource allocation decisions.
      • The IC should formalize and broaden programs designed to mentor the next generation of China analysts. Agencies should leverage best practices from across the community, and develop internal Senior Steering Groups to prioritize investments in specific China-focused programs.
      • The IC should conduct a review of security clearance adjudication policies surrounding [REDACTED]
      • If an officer possesses critical skills relevant to China mission-set, such as proficiency in Mandarin Chinese, the Intelligence Community should [REDACTED]
      • The IC should engage in a dialogue with the U.S. Department of Education on the requirements for the future of the U.S. national security workforce.
      • The Intelligence Community should codify and nurture cadres of officers with China-focused expertise [REDACTED]
      • The U.S. should expand its diplomatic, economic, and defense presence in the Indo-Pacific region, to include in the Pacific Island Countries and Southeast Asia.
      • The IC should consider developing a series of reskilling programs to leverage existing talent and expertise previously cultivated in counterterrorism programs.
      • The IC should streamline China-focused reporting across regional areas of responsibility.
      • The IC should leverage lessons learned from providing support to the counterterrorism mission in order to identify ways in which it can embed real-time support to customers, especially those located outside of the Department of Defense, such as the Department of State, the United States Trade Representative, or U.S. health and disaster preparedness agencies.
      • In recognition of the growing importance of economic and policy agencies to the overall success of the U.S. government’s approach to China, the intelligence community should develop plans to increase analytic support to, or otherwise ensure consistent, agile communications and appropriate interactions with, non-traditional agencies, such as the Department of Commerce, the Department of Homeland Security, the National Science Foundation, the Department of Education, and U.S. public health agencies.
  • The United States (U.S.), Australia, India, and Japan convened a virtual session of the Quadrilateral Security Dialogue (aka The Quad) late last month ahead of in person talks in Tokyo set for tomorrow. The renewal of this diplomatic relationship is being portrayed by the People’s Republic of China (PRC) as “an anti-China frontline,” a “mini-NATO,” and a reflection of the U.S.’ “Cold War mentality” according to the PRC’s Vice Foreign Minister. Nonetheless, the four nations issued a statement indicating the “four democracies discussed ways to work together to respond to the COVID-19 pandemic, promote transparency and counter disinformation, and protect the rules-based order the region has long enjoyed,” a statement that includes some pokes at the PRC. First, obviously the PRC is not a democracy and is in the process of cracking down on democracy in Hong Kong. Second, the PRC’s government is not renowned for its transparency and is coming to be one of the world’s foremost purveyors of disinformation online. Third, the U.S. has been arguing since the Obama Administration that the PRC is violating the rules and norms that have ensured prosperity and peace in the Pacific and Indian Oceans since World War II. Not surprisingly, the PRC sees this order as having been established by the U.S. and largely for its benefit.
    • The four nations added:
      • Noting the importance of digital connectivity and secure networks, the officials discussed ways to promote the use of trusted vendors, particularly for fifth generation (5G) networks. They explored ways to enhance coordination on counterterrorism, maritime security, cyber security, and regional connectivity, as well as quality infrastructure based upon international best practices, such as the G20 Principles for Quality Infrastructure Investment. Participants also highlighted the need to improve supply chains in sectors including critical minerals, medical supplies, and pharmaceuticals.
      • The officials reaffirmed their countries’ strong support for ASEAN centrality and ASEAN-led regional architecture. They explored ways to work together in the Mekong sub-region, in the South China Sea, and across the Indo-Pacific to support international law, pluralism, regional stability, and post-pandemic recovery efforts.
    • Again, many of these policy goals and problems are arising because of PRC actions, at least according to The Quad The U.S. and its allies have been fighting the PRC’s 5G push and have accused the PRC of stepping up its cyber activities, including espionage.
    • Moreover, Japan created and advocated what eventually became the G20 Principles for Quality Infrastructure Investment as a policy counterpoint to the PRC’s Silk Belt and Road initiative that has resulted in massive aid from and indebtedness to Beijing in the developing world.
    • The Quad’s work, alongside bilateral relationships in the region, could well coalesce into an informal alliance against the PRC, an outcome that would likely help Washington achieve some of its professed policy goals.
  • Representative Jennifer Wexton (D-VA) and Senator Mazie K. Hirono (D-HI) introduced the “COVID-19 Disinformation Research and Reporting Act” (H.R.8395/S.4732) that “would examine the role of disinformation and misinformation on the public response to COVID-19 and the role that social media has in promoting the spread of false information” per their press release. The bill would require the “National Academies of Sciences, Engineering, and Medicine to conduct a study on the current understanding of the spread of COVID–19-related disinformation and misinformation on the internet and social media platforms.”
    • Wexton and Hirono asserted:
      • Disinformation and misinformation can be particularly dangerous during public health emergencies like COVID-19. This kind of false information can erode trust in science, government officials, and medical and public health experts. Disinformation and misinformation can also make it harder to get accurate and important materials to vulnerable communities, particularly once a vaccine becomes available. The internet and social media have made it easier to spread fake medical information such as unproven treatments for COVID-19.
    • The National Academies of Science, Engineering, and Medicine would need to submit a report to Congress, including “potential strategies to mitigate the dissemination and negative impacts of COVID–19-related disinformation and misinformation (and specifically the dissemination of disinformation and misinformation on social media),” which would likely have utility in fighting other disinformation and misinformation spread online. In fact, the sponsors may be using the current pandemic as the rationale to pass a bill that may otherwise be opposed. It is not hard to imagine the opposition from many on the right if Wexton, Hirono and their cosponsors had proposed legislation to study online extremism and hate in the United States, resulting in a report on how the U.S. might mitigate these phenomena given the role extremists and white supremacists have played in the Republican Party under President Donald Trump.
    • The bill is being sponsored by other Democrats in each chamber but no Republicans.
  • Senate Majority Whip John Thune (R-SD) and 18 Republican colleagues sent President Donald Trump a letter “to express our concerns about a Request For Information (RFI) released by the Department of Defense (DOD) that contradicts the successful free-market strategy you have embraced for 5G.” Late last month, The United States Department of Defense (DOD) released a  RFI on the possibility of the agency sharing its prized portions of electromagnetic spectrum with commercial providers to speed the development and adoption of 5G in the United States. The Senators argued:
    • Rather than rely on private industry and market forces to foster multiple, facilities-based 5G networks, the RFI seeks information on a government-managed process for 5G networks.
    • Nationalizing 5G and experimenting with untested models for 5G deployment is not the way the United States will win the 5G race.  While we recognize the need for secure communications networks for our military, we are concerned that such a proposal threatens our national security.  When bad actors only need to penetrate one network, they have a greater likelihood of disrupting the United States’ communications services.
  • The Department of Defense (DOD) implemented a new rule designed to drive better cybersecurity among United States (U.S.) defense contractors. This rule brings together two different lines of effort to require the Defense Industrial Base (DIB) to employ better cybersecurity given the risks they face by holding and using classified information, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The Executive Branch has long wrestled with how to best push contractors to secure their systems, and Congress and the White House have opted for using federal contract requirements in that contractors must certify compliance. However, the most recent initiative, the Cybersecurity Maturity Model Certification (CMMC) Framework will require contractors to be certified by third party assessors. And yet, it is not clear the DOD has wrestled with the often misaligned incentives present in third party certification schemes.
  • Nonetheless, the DOD explained this is “an interim rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a DOD Assessment Methodology and CMMC framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DOD supply chain.
  • The DOD added
    • This rule amends DFARS subpart 204.73, Safeguarding Covered Defense Information and Cyber Incident Reporting, to implement the National Institute of Standards and Technology (NIST) Special Publication 800-171 DOD Assessment Methodology. The new coverage in the subpart directs contracting officers to verify in the Supplier Performance Risk System (SPRS) that an offeror has a current NIST SP 800-171 DOD Assessment on record, prior to contract award, if the offeror is required to implement NIST SP 800-171 pursuant to DFARS clause 252.204-7012. The contracting officer is also directed to include a new DFARS provision 252.204-7019, Notice of NIST SP 800-171 DOD Assessment Requirements, and a new DFARS clause 252.204-7020, NIST SP 800-171 DOD Assessment Requirements, in solicitations and contracts including solicitations using FAR part 12 procedures for the acquisition of commercial items, except for solicitations solely for the acquisition of COTS items.
    • This rule adds a new DFARS subpart, Subpart 204.75, CMMC, to specify the policy and procedures for awarding a contract, or exercising an option on a contract, that includes the requirement for a CMMC certification. Specifically, this subpart directs contracting officers to verify in SPRS that the apparently successful offeror’s or contractor’s CMMC certification is current and meets the required level prior to making the award.
  • The House Republican’s China Task Force (CTF) released its final report with its recommendations on how the United States (U.S.) should change its policies to counter the People’s Republic of China (PRC), which includes a slew of technology-related recommendations.
    • The CTF asserted:
      • Since the establishment of diplomatic relations with the PRC more than 40 years ago, the United States has sought to draw the PRC into the community of nations as a responsible stakeholder. U.S. leaders pursued a strategy of engagement based on the assumption that expanding the bilateral economic relationship with the PRC would advance the U.S. national interest and lead the Chinese Communist Party (CCP) to change. This engagement strategy often turned a blind eye to the CCP’s human rights violations, economic malfeasance, expansionist aggression, and empty promises, as well as the CCP’s deep commitment to a hostile Communist ideology that drives this malign behavior. This strategy has, simply put, failed.
    • The CTF made these recommendations:
      • Supply Chain Security
        • Better securing our medical and national security supply chains by:
        • Providing aggressive, smart, and targeted tax incentives to accelerate our research and development (R&D) and production of crucial medicines, medical supplies, ingredients, tests, and vaccines;
        • Creating a grant program necessary to catalyze domestic production of important technologies and designing tax incentives to secure U.S. supply of advanced semiconductors; and
        • Overhauling the federal permitting process for mineral development and prioritizing advancements in mineral refining so neither industry nor the Defense Industrial Base are reliant on the CCP.
      • National Security
        • Working with the DoD to modernize force structure, posture, operational concepts, and acquisitions in order to deter CCP aggression in the Indo-Pacific and around the world.
        • Ensuring modernization of all three legs of the nuclear triad as well as development and fielding of conventional capabilities critical to counter the PLA in the Indo-Pacific, including ground-launched cruise and ballistic missiles.
        • Underscoring the need for a minimum three to five percent real growth in the defense budget per year in order to deter and defeat the PLA and other key adversaries.
        • Increasing focus on how the U.S. military protects space capabilities and carrying out space exploration goals by leveraging private sector investments.
        • Cutting off material support of CCP military industrial base companies, including divestment from companies with ties to the CCP’s military.
        • Safeguarding the U.S. electoral process and the integrity of our elections with various measures, including the identification of foreign malign actors and ensuring any individuals who engage in interference are inadmissible for entry to the U.S. or deportable if already present.
        • Providing more resources for investigations, criminal prosecutions, and other actions against CCP sponsored IP theft in addition to closing loopholes the CCP has exploited in our visa system.
        • Enhancing federal counterintelligence capabilities and bolstering Mandarin language capacity.
      • Technology
        • Taking a whole-of-government approach to assess the security risks posed by the PRC in 5G networks and increasing cooperation between the U.S. and its allies and partners in identifying and countering them.
        • Supporting the formation of a new D-10 group of leading democracies to develop and deploy 5G and subsequent generations and establishing a reimbursement program for companies to remove equipment from their communications networks that poses a national security risk.
        • Securing international leadership in the technologies of tomorrow, including AI, quantum, 5G, and autonomous vehicles.
        • Sanctioning PRC telecommunications companies engaged in economic or industrial espionage and any PRC entity that tries to hack COVID-19 researchers working on a vaccine.
      • Economics and Energy
        • Ensuring no U.S. taxpayer dollars support any PRC state- owned enterprises.
        • Harmonizing export control policies with our partners and allies to keep critical technologies, including semiconductor manufacturing equipment and R&D, from our adversaries.
        • Applying heightened scrutiny for investments in U.S. companies or operations from the PRC.
        • Strengthening trade relationships with our allies to establish U.S. standards and counter the PRC’s influence.
        • Pursuing trade policies that deter and protect against the PRC’s theft of IP.
        • Enforcing reciprocal treatment of PRC investment into the U.S. to restore symmetry in bilateral investment rules.
        • Ensuring PRC companies are held to the same financial disclosure standards as American companies when listing on U.S. stock exchanges.
        • Working to deepen our trade ties with Taiwan and resolving specific outstanding trade issues so the Administration can take steps to launch trade agreement negotiations once those issues are addressed.
        • Strengthening the Development Finance Corporation, Export Import Bank, and other government efforts to more robustly counter the CCP’s Belt and Road Initiative and debt trap diplomacy.
        • Continuing to advance U.S. energy security in order to be a global counter against the PRC, particularly on the nuclear energy front.
      • Competitiveness
        • Doubling the funding of basic science and technology research over the next 10 years.
        • Increasing coordination and funding for STEM education to create a more capable, skilled workforce.
        • Strengthening the protection of sensitive research at America’s colleges and universities and leading research institutions which includes restricting all federal employees and contractors from participating in foreign talent programs.
        • Requiring colleges and universities to annually report all donations from the PRC.

Further Reading

  • In U.S.-China Tech Feud, Taiwan Feels Heat From Both Sides” By Raymond Zhong — The New York Times. Not surprisingly, this island nation (or renegade province according to the People’s Republic of China (PRC)) is being squeezed in the trade war between the United States (U.S.) and the PRC. The main factor that has led to its central role is the Taiwan Semiconductor Manufacturing Company (TSMC), which produces many of the semiconductors needed by both nations. However, with the U.S. tightening ever further the PRC’s access to this technology, Taiwan’s place in the technology world becomes ever more important. Many in. Taiwan see this technological prowess as a bulwark against a PRC-style takeover as in Hong Kong.
  • Beautiful, perk-filled and mostly empty: What the future holds for tech’s billion-dollar headquarters” By Heather Kelly — The Washington Post. Understandably, COVID-19 has caused many large companies to rethink their real estate footprint. Tech is no different as some companies have told workers to stay home until well into next year. Might the pandemic mark a paradigm shift and companies will require much less building and office space? Or will top companies continue their trend of building company towns of sorts?
  • Ad Tech Could Be the Next Internet Bubble” By Gilad Edelman — WIRED. This deep dive into the online advertising world peels back some of the fictions that have kept this multi-billion-dollar black box running. The question is what would happen to the world economy if it crashes?
  • What the antitrust proposals would actually mean for tech” By Emily Birnbaum — Protocol. This article surveys the waterfront on current antitrust proposals before Congress to address large technology companies.
  • Now You Can Use Instagram to Chat With Friends on Facebook Messenger” By Mike Issac — The New York Times. In a move sure not to make friends among those convinced Facebook is monopolistic, the platform has crossed a Rubicon of sorts by combining messaging platforms. Facebook is now allowing those using Messenger and Instagram to message users on the other platform. Soon, this will also be the case with WhatsApp. Critics claim Facebook is doing this to make the company harder to break up in an antitrust action.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by mohamed Hassan from Pixabay