Australia and UK Pass Bills To Reform Tech Regulation
EDPB issues guidance on territorial scope of GDPR; Ohio sues Facebook; Financial services entities will face new security incident reporting rule
First, a bit of news. The Wavelength will transition to a paid product, but a free version will still be available. The scope and shape of this change are still in the making but should be settled by January 2022.
Second, some scheduling matters. The last issue of The Wavelength for 2021 should probably be on or about 20 December, events permitting, of course. We would then resume in early 2022.
Photo by Graham Holtshausen on Unsplash
The Parliaments of Australia and the United Kingdom (UK) have passed bills that will reform regulation of critical infrastructure broadly in the former nation and, more narrowly in the latter, the telecommunications field, with respect to the risk that foreign equipment and services (i.e., those from firms in the People’s Republic of China (PRC)) pose to British networks.
The Australian Senate passed the “Security Legislation Amendment (Critical Infrastructure) Bill 2021,” the final stage of legislating before the Royal Assent that makes the bill law. This legislation would make Australia one of the first nations in the world to allow the government to step in and take action on the systems and networks of critical infrastructure in the event of a significant cyber incident. The government took pains to explain that such action would be rare, reserved for emergency circumstances, and taken only if the owner or operator was not cooperating fully. Canberra’s reasoning is that, since this infrastructure is of critical importance to the well-being of Australia, the government should have the authority to step in and act if private sector entities cannot or will not. Still, this is one of the first instances of a national government asserting such a broadly gauged right. The bill would also impose “positive” security obligations on critical infrastructure owners and operators, some of which are to be developed in follow-on legislation the government of Prime Minister Scott Morrison has pledged to draft and introduce in the future.
In late October, Australia’s House of Representatives sent an amended “Security Legislation Amendment (Critical Infrastructure) Bill 2021” to the Senate. In the fall of 2020, the Department of Home Affairs (Home Affairs or Department) drafted and released for feedback legislation based, in large part, on input from a white paper published over the summer. In its press release, Home Affairs contended “[t]he Australian Government is committed to protecting the essential services all Australians rely on by uplifting the security and resilience of critical infrastructure and systems of national significance.” Home Affairs stated “[a]s part of the next stage of development of these reforms, we are seeking views on:
§ the Exposure Draft of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill)
§ the Bill’s accompanying draft Explanatory Document
§ the Exposure Draft of the Intelligence Services Regulations 2020 (the Regulations)
§ the Regulations’ accompanying Explanatory Statement.
The Department explained “[t]he Bill seeks to amend the Security of Critical Infrastructure Act 2018 to implement an enhanced framework to uplift the security and resilience of Australia’s critical infrastructure…[and] [t]he Regulations support the operation of the Bill’s assistance and cooperation measures.” The government introduced the “Security Legislation Amendment (Critical Infrastructure) Bill 2020” in late December.
As the government summarized the bill in a Supplementary Explanatory Memorandum circulated in the days before the House passed the amended bill:
The government explained in a different memorandum issued a day later that its regulation of critical cyber infrastructure would tighten if the bill were to become law:
The government provided more detail about these security obligations and the assistance it may offer:
The bill has naturally changed in its journey through the Parliament. In late October, before the House passed the bill, the government put forward its amendments to the bill after the Parliamentary Joint Committee on Intelligence and Security (PJCIS) proposed a series of amendments in its late September report on the December 2020 bill. The government explained the amendments it was proposing:
Photo by Marko Pekić on Unsplash
But, as noted earlier, Australia is not the only nation to enact significant legislation to change how technology policy is made. The UK’s bill to tighten security on its telecommunications systems only lacks the Royal Assent to make it law. On 8 November, the UK’s House of Commons amended the “Telecommunications (Security) Bill” the House of Lords passed in late October. The House of Lords then agreed to these amendments on 15 November. The House of Lords provided a high-level summary of the bill:
If you want more detail and analysis, I wrote about the bill as it first came out of the House of Commons and then more recently after it first emerged from the House of Lords. As I wrote in May:
In terms of the policy backdrop, like many western nations, the UK is responding to the real or perceived threat that PRC telecommunications 5G equipment and services present. As I also wrote in May:
During this month’s debate in the House of Commons on the changes the House of Lords made to the bill, Minister of State for Media, Data, and Digital Infrastructure Julia Lopez laid out the government’s position on those changes. She said the government would accept the House of Lords’ amendment requiring that any codes of practice the Department for Digital, Culture, Media and Sport (DCMS) issues to guide telecommunications companies in complying with the new law be laid before Parliament before they take effect, so that Parliament has a chance to review them and press for changes if it sees fit. However, Lopez said the government could not accept the House of Lords’ requirement that the government submit an annual report to Parliament on the results of its 5G diversification strategy. In relevant part, Lopez stated:
Lopez then went on to explain why the government could not accept a House of Lords amendment that would require DCMS to follow suit if another Five Eyes nation (Australia, Canada, New Zealand, or the U.S.) “bans the operation of a vendor of goods or services to public telecommunications providers in its country on security grounds.” She gave four reasons: DCMS can already take such Five Eyes actions into account under the bill; the government is already consulting with its Five Eyes partners on these matters; the British government needs flexibility in managing relations with nations outside the Five Eyes; and, because decisions to ban a nation’s telecommunications equipment and services are often made in secret, it may not be apparent when such a ban is in place.
After the House of Commons passed its amended bill, the House of Lords acceded to the Commons’ view and did not insist on the amendments the government had rejected.
It must be said there was opposition in both chambers to removing these provisions, and for a sampling of why, here is Lord Tim Clement-Jones rebutting the government’s arguments:
Other Developments
Photo by Daniels Joffe on Unsplash
§ The European Data Protection Board (EDPB) “adopted Guidelines on the interplay between Art. 3 and Chapter V GDPR” that clarify “the interplay between the territorial scope of the GDPR (Art. 3) and the provisions on international transfers in Chapter V.” The EDPB stated:
o [T]he Guidelines aim to assist controllers and processors in the EU in identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers.
o The Guidelines specify three cumulative criteria that qualify a processing as a transfer: (1) the data exporter (a controller or processor) is subject to the GDPR for the given processing; (2) the data exporter transmits or makes available the personal data to the data importer (another controller, joint controller or processor); (3) the data importer is in a third country or is an international organisation.
o The processing will be considered a transfer, regardless of whether the importer established in a third country is already subject to the GDPR under Art. 3 GDPR. However, the EDPB considers that collection of data directly from data subjects in the EU at their own initiative does not constitute a transfer.
§ The European Data Protection Board (EDPB) adopted a Statement on the European Commission’s Digital Services Package and Data Strategy, in which “the EDPB highlights three types of overarching concerns regarding the Commission proposals that have been presented so far (the Data Governance Act (DGA), Digital Services Act (DSA) and Digital Markets Act (DMA) and the AI Regulation (AIR)):”
o 1) Lack of protection of individuals’ fundamental rights and freedoms;
o 2) Fragmented supervision;
o 3) Risks of inconsistencies.
o The EDPB added:
§ The EDPB and [European Data Protection Supervisor] EDPS have already issued joint opinions on the DGA and the AIR and the EDPS has issued opinions on the European Strategy for Data, the DMA and the DSA. In its statement, the EDPB reiterates its call for a ban on any use of AI for an automated recognition of human features in publicly accessible spaces and urges the co-legislator to consider a phase-out leading to a prohibition of targeted advertising on the basis of pervasive tracking while the profiling of children should overall be prohibited.
§ The EDPB further highlights the risks of parallel supervision structures and strongly recommends each proposal to provide for an explicit legal basis for the effective cooperation and exchange of information between the competent supervisory authorities under each proposal and the data protection authorities.
§ In addition, the EDPB calls upon the Commission and the co-legislator to ensure that the proposals clearly state that they shall not affect or undermine the application of existing data protection rules and to ensure that these rules shall prevail whenever personal data are being processed, also in the context of the forthcoming proposal for a Data Act.
§ Following the fourth Paris Peace Forum, United States (U.S.) Vice President Kamala Harris met with French President Emmanuel Macron, after which Harris announced “a number of collaborative initiatives that the United States will undertake alongside France and other countries to address global issues and emerging threats,” including “expanded cooperation on space and support for efforts to advance international cooperation in cybersecurity.” Harris stated:
o The United States is committed to working alongside our allies and partners to advance cybersecurity and uphold established global norms in cyberspace. As part of these efforts, France is a vital partner to ensuring security and stability for our people, holding actors that threaten our national and economic security accountable, and setting the rules of the road for the 21st century.
o Paris Call for Trust and Security in Cyberspace: Vice President Harris is announcing the U.S. decision to support the Paris Call for Trust and Security in Cyberspace –a voluntary commitment to work with the international community to advance cybersecurity and preserve the open, interoperable, secure, and reliable Internet.
o The United States looks forward to continued partnership with France and other governments, private sector, and civil society around the world to advance and promote norms of responsible behavior in cyberspace. This includes working with likeminded countries to attribute and hold accountable States that engage in destructive, disruptive, and destabilizing cyber activity.
o The United States’ decision to support the Paris Call reflects the Biden-Harris Administration’s priority to renew and strengthen America’s engagement with the international community on cyber issues. The United States interprets the Paris Call consistent with our existing domestic and international obligations and commitments, including the importance we place on respecting human rights, freedom of expression and privacy.
o This announcement builds on the United States’ continuing work to improve cybersecurity for our citizens and business, including rallying G7 countries to hold accountable nations that harbor cyber criminals, supporting the update of NATO cyber policy for the first time in seven years, and the recent counter-ransomware engagement with over 30 countries around the world to accelerate international cooperation to combat cybercrime.
§ Ohio’s Attorney General Dave Yost has filed suit against Facebook “on behalf of the Ohio Public Employees Retirement System (OPERS) and Facebook investors” for allegedly violating “federal securities laws by purposely misleading the public about the negative effects its products have on the health and well-being of children and the steps the company has taken to protect the public.” Yost argued in his press statement:
o Facebook’s scheme was revealed in the Wall Street Journal in September and in internal documents and statements provided in October by a former Facebook employee who blew the whistle on Facebook, underscoring how the company "chooses profit over safety."
o Zuckerberg and other company officials, the lawsuit maintains, knew that they were making false statements regarding the safety, security and privacy of its platforms. Facebook admitted in those internal documents that "We are not actually doing what we say we do publicly."
o In roughly a month, those revelations caused a devaluation in Facebook’s stock of $54.08 per share, causing OPERS and other Facebook investors to lose more than $100 billion.
o Yost’s lawsuit not only seeks to recover that lost value but also demands that Facebook make significant reforms to ensure it does not mislead the public about its internal practices.
o The lawsuit isn’t the first action that Yost has taken against Facebook, which also owns Instagram. In May, he and 43 other attorneys general sent a letter to Zuckerberg urging him to halt his plans to introduce an Instagram app for kids.
o Although Facebook pulled the plug on the app, the whistleblower’s recent testimony before Congress made clear that Facebook never abandoned its goal to expand its user base by grooming kids to use Facebook’s products in the future.
o Through this lawsuit, Yost intends to reinforce that such improper targeting of children by the social media giant will not be tolerated.
o Yost plans to ask the court by Dec. 27, 2021 – the deadline for such motions – to appoint OPERS as the lead plaintiff in his Facebook securities fraud action. He welcomes other Facebook investors to join him in holding the company and its executives accountable.
o There is an existing lawsuit against Facebook with similar allegations that was filed earlier this year on behalf of a retail investor. That lawsuit defines an incorrect time period in which the harm by Facebook’s actions occurred and obscures the damage suffered by shareholders such as OPERS.
§ The Office of the Comptroller of the Currency (OCC), the Federal Reserve Board, and the Federal Deposit Insurance Corporation (FDIC) published “a final rule that requires a banking organization to notify its primary Federal regulator of any ‘computer-security incident’ that rises to the level of a ‘notification incident,’ as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.” The agencies explained “[t]he final rule also requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.” The agencies further explained:
o Under the final rule, a banking organization's primary Federal regulator must receive this notification as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. This requirement will help promote early awareness of emerging threats to banking organizations and the broader financial system. This early awareness will help the agencies react to these threats before they become systemic. The final rule separately requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours. This separate requirement will ensure that a banking organization receives prompt notification of a computer-security incident that materially disrupts or degrades, or is reasonably likely to materially disrupt or degrade, covered services provided by a bank service provider. This notification will allow the banking organization to assess whether the incident has or is reasonably likely to have a material impact on the banking organization and thus trigger the banking organization's own notification requirement.
§ New York City enacted a law limiting the use of automated means to make employment decisions. In relevant part, the new statute provides “it shall be unlawful for an employer or an employment agency to use an automated employment decision tool to screen a candidate or employee for an employment decision unless:
o 1. Such tool has been the subject of a bias audit conducted no more than one year prior to the use of such tool; and
o 2. A summary of the results of the most recent bias audit of such tool as well as the distribution date of the tool to which such audit applies has been made publicly available on the website of the employer or employment agency prior to the use of such tool.
§ California Attorney General Rob Bonta announced a proposed settlement with Amazon arising from his suit “to end harmful labor practices that concealed COVID-19 case numbers from workers and to provide key information on workplace protections in line with California’s “right-to-know” law, Assembly Bill 685 (AB 685).” Bonta claimed:
o Throughout the pandemic, Amazon, as asserted in the complaint, failed to adequately notify warehouse workers and local health agencies of COVID-19 case numbers, often leaving them in the dark and unable to effectively track the spread of the virus. As part of the stipulated judgment, Amazon will modify its COVID-19 notifications to workers and local health agencies, submit to monitoring regarding its COVID-19 notifications, and pay $500,000 toward further enforcement of California’s consumer protection laws.
o Enacted as part of the state’s broad efforts to protect the public from the coronavirus, AB 685 requires employers to notify workers of COVID-19 cases at their worksites, provide employees with information on COVID-19-related benefits and protections, share their disinfection and safety plan, and report COVID-19 cases to local health agencies. AB 685, as enacted under California Labor Code section 6409.6, works to safeguard the right of California workers to make informed decisions on whether to take additional precautions — like seeking out testing, quarantining, or staying home — after being notified of a potential workplace exposure. Fundamentally, the law aims to ensure that workers across the state have the tools they need to protect their health and, ultimately, the health of their communities.
§ The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) issued the “Federal Government Cybersecurity Incident and Vulnerability Response Playbooks” per direction under “Executive Order (EO) 14028: Improving the Nation's Cybersecurity.” CISA stated:
o The playbooks provide federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. The playbooks provide illustrated decision trees and detail each step for both incident and vulnerability response.
o FCEB agencies should use the playbooks to shape their overall defensive cyber operations. The playbooks apply to information systems used or operated by an FCEB agency, a contractor of the agency, or another organization on behalf of the agency. CISA encourages agencies to review the playbooks and CISA’s webpage on EO 14028 for more information.
o Although CISA created the playbooks for FCEB agencies, we encourage critical infrastructure entities; state, local, territorial, and tribal government organizations; and private sector organizations to review them to benchmark their own vulnerability and incident response practices.
§ The United States (U.S.) General Services Administration’s (GSA) Technology Transformation Services (TTS) “announced the 14 projects selected to receive funding in FY21 under the $150 million provided by the American Rescue Plan Act of 2021.” GSA identified the projects:
o Recover:
§ Automating Farmers’ Debt Relief Processes
§ Investing in Cloud Adoption and Reuse
§ Putting the User at the Forefront of COVID Rental Relief
§ Assisting Families Eligible for the Child Tax Credit
§ Creating a Consistent Search Experience
o Rebuild:
§ Verifying Income for Public Benefits
§ Streamlining Identity Verification
§ Creating Inclusive Design Patterns
o Reimagine:
§ Reimagining USAGov as the Front Door to Government
§ Increasing Voter Information and Access
§ Locating Child Care Services
§ Bridging the Gap to Wifi Access
§ The United States (U.S.) Department of Defense (DOD) published an advance notice of proposed rulemaking that “provides updated information on DOD's way forward for the approved Cybersecurity Maturity Model Certification (CMMC) program changes, designated as ‘CMMC 2.0.’” The DOD stated:
o CMMC 2.0 builds upon the initial CMMC framework to dynamically enhance Defense Industrial Base (DIB) cybersecurity against evolving threats. The CMMC framework is designed to protect sensitive unclassified information that is shared by the Department with its contractors and subcontractors and provide assurance that Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will be protected at a level commensurate with the risk from cybersecurity threats, including Advanced Persistent Threats. Under the CMMC program, DIB contractors will be required to implement certain cybersecurity protection standards, and, as required, perform self-assessments or obtain third-party certification as a condition of DoD contract award.
o CMMC 1.0 was designed to protect FCI and CUI shared with and handled by DoD contractors and subcontractors on non-federal contractor information systems. CMMC 1.0 involved five progressively advanced levels of cybersecurity standards and required that DIB contractors undergo a certification process to demonstrate compliance with the CMMC cybersecurity standards at a given level.
o In March 2021, the Department initiated an internal assessment of CMMC 1.0 implementation that was informed by more than 850 public comments in response to the interim DFARS rule. This comprehensive, programmatic assessment of CMMC engaged cybersecurity and acquisition leaders within DoD to refine policy and program implementation. This review resulted in “CMMC 2.0,” which updates the program structure and the requirements to streamline and improve implementation of the CMMC program.
o The changes reflected in the CMMC 2.0 framework will be implemented through the rulemaking process. DoD will pursue rulemaking in both: (1) Title 32 of the Code of Federal Regulations (CFR); and, (2) title 48 CFR, to establish CMMC 2.0 program requirements and implement any needed changes to the CMMC program content in 48 CFR. Both rules will have public comment periods.
o Publication of title 32 and title 48 CFR rules will implement DoD's requirements for the updated CMMC version 2.0, which include various modifications from CMMC 1.0.
§ United States (U.S.) Senators Brian Schatz (D-HI), Sherrod Brown (D-OH), Ron Wyden (D-OR), Elizabeth Warren (D-MA), Jack Reed (D-RI), Chris Van Hollen (D-MD), and Ben Ray Luján (D-NM) wrote the Consumer Financial Protection Bureau (CFPB) and urged it “to take concrete steps to reform the credit reporting industry.” They argued:
o In an industry that affects all Americans so directly, even a small error rate means tens of millions of people can be denied jobs or housing through no fault of their own. As a result of simple mistakes, consumers may pay more for credit or be denied loans altogether; they might face obstacles applying for a job, getting a mortgage, or renting an apartment. These impacts can persist for years, putting innocent people in positions that are nearly impossible to resolve. Furthermore, these errors can exacerbate the racial wealth gap: according to new research from your agency, consumers residing in majority Black neighborhoods are twice as likely to have disputes appear on their credit reports compared to consumers in white neighborhoods. This is a disparity the CFPB observed across every credit category, including auto loans, student loans, and credit cards.
o Specifically, we ask that you evaluate persistent errors in credit reporting and how CRAs consistently fail to resolve these errors, especially by failing to devote sufficient personnel and resources for dispute resolution—a shortcoming the CFPB could use its supervisory authority to remedy. You should also consider creating an ombudsperson position at the CFPB to facilitate the dispute resolution process and help ensure accuracy. CRAs engage in concerning practices that contribute to inaccuracies, including using partial Social Security numbers to match data from an information furnisher to a consumer’s file. We were encouraged by CFPB’s recent advisory opinion affirming that the practice of matching consumer records solely through the matching of names is illegal. Any additional action the CFPB takes could, with appropriate privacy and security measures, also require nationwide CRAs to instead match all nine digits of a consumer’s Social Security number. We also ask that you consider requiring nationwide CRAs to perform periodic accuracy audits on information furnishers. Additionally, we ask that you review the potential to codify provisions of the nationwide CRAs’ settlement with state attorneys general that delayed reporting of medical debt for six months and removed debts paid by insurance. Finally, algorithmic bias presents a risk of amplifying racial disparities in credit reporting, and a failure to provide reports in Spanish and other languages can impact consumers with limited English proficiency. We request that you require CRAs to address these concerns to ensure the credit reporting system equitably serves all consumers.
§ The United States (U.S.) Department of Commerce issued a fact sheet on the funding and programs it will oversee that were enacted as part of the “Infrastructure Investment and Jobs Act” (P.L. 117-58):
o The Bipartisan Infrastructure Deal allocates $65 billion to expand broadband in communities across the U.S., create more low-cost broadband service options, subsidize the cost of service for low-income households, and provides funding to address the digital equity and inclusion needs in our communities.
o The Bipartisan Infrastructure Deal gives NTIA responsibility for the following broadband programs:
§ $42.45 billion in grants to states (including the District of Columbia and Puerto Rico), and territories focused on funding high-speed broadband deployment to households and businesses that currently lack access to such services. Each state will receive a minimum of $100 million, and each territory will receive a minimum of $20 million, for broadband expansion and/or affordability. The remaining money will be allocated by need, primarily based on the number of household and business locations in that state or territory that are unserved by high-speed broadband. States will be required to work with broadband providers to ensure that each broadband provider that receives funding offers at least one affordable service plan. The Department of Commerce will work closely with the FCC to determine exactly where the unserved locations are, and with states and territories to fund projects that will help us reach universal broadband access.
§ $2 billion for Tribal broadband grants, which is more than double the funding for NTIA’s existing Tribal Broadband Connectivity Program. The Commerce Department’s current $980 million Tribal Broadband Connectivity Program has received over $5 billion dollars in funding requests for broadband deployment and affordability projects, demonstrating the significant need for funding to expand access to and adoption of broadband service on Tribal lands. Although, other broadband funds provided by the Bipartisan Infrastructure Deal can be used on tribal lands, by providing tribal governments with access to $2 billion in dedicated broadband funds, the Act gives tribes the opportunity to determine how best to meet the broadband needs of their own communities.
§ $2.75 billion to fund Digital Equity. Digital exclusion carries a high societal and economic cost; reduces economic opportunity, educational achievement, positive health outcomes, social inclusion, and civic engagement; and exacerbates existing wealth and income gaps. The Digital Equity Act, which was included as a part of the Bipartisan Infrastructure Deal provides NTIA with funding for three grant programs to promote digital inclusion and equity for communities that lack the skills, technologies and support needed to take advantage of broadband connections. NTIA will provide states with digital equity planning grants. NTIA will also implement a formula-based state grant program and a competitive grant program with funds available to accelerate the adoption of broadband through digital literacy training, workforce development, devices access programs, and other digital inclusion measures.
§ $1 billion for middle-mile connections to build a high-speed backbone for communities, businesses, and anchor institutions. Through this new program, NTIA will make grants on a technology-neutral, competitive basis to eligible entities for the construction, improvement, or acquisition of middle mile infrastructure.
§ The United States (U.S.) Environmental Protection Agency (EPA) released the 2021 National Recycling Strategy, which focuses, in part, on electronic waste:
§ United States (U.S.) House Financial Services Committee Ranking Member Patrick McHenry (R-NC) introduced the “Ransomware and Financial Stability Act” (H.R.5936). McHenry claimed “[b]y deterring hackers and setting commonsense guiderails for financial institutions to respond to ransomware attacks, this legislation will protect the critical financial infrastructure that makes daily economic activity possible.” He claimed the bill does the following:
o Focuses the Government’s Deterrence Efforts on Critical Financial Infrastructure
§ Limits the bill’s scope to Financial Market Utilities, large securities exchanges, and certain technology service providers essential for banks’ core processing services.
o Gives These Critical Institutions a Roadmap When Attacked
§ Requires covered entities to notify the Treasury Department before making a ransomware payment.
§ Deters hackers by prohibiting large ransomware payments in excess of $100,000 unless law enforcement provides a Ransomware Payment Authorization or the President determines a waiver is in the U.S. national interest.
o Provides Legal Clarity When Responding to Attacks
§ Ensures confidentiality of information when covered institutions notify authorities of a ransomware attack.
§ Gives clarity to financial institutions, including ransomware payment processors, by creating a safe harbor when they assess a cybersecurity attack or comply with a Ransomware Payment Authorization.
§ None of your business (noyb) “filed a GDPR complaint against Grindr – a dating app for gay, bi, trans and queer people, where many users share very personal and even explicit sexual details.” noyb contended:
o Instead of authenticating against the data that users have provided, like the email and password – Grindr requires users to identify in maybe the most grotesque way imaginable: Users have to hold up a piece of paper with their email address, as well as their passport – all while balancing their phone to take a selfie. This is not just absurd, but also a violation of the GDPR.
o Exercising fundamental rights must be facilitated by companies. In this case, the complainant, represented by noyb, is a Grindr user who was trying to understand more about how Grindr uses his data. Grindr surprisingly denied access to his personal data because the user did not send a selfie holding his passport and a piece of paper with his e-mail address on it.
o When “Hunk_69” has to become Richard Smith to claim his rights: Companies like Grindr make the registration process simple and fast – not only to comply with data minimization, but also because using Grindr in a supposedly anonymous way is part of the promise to users. Especially when the service is often used with anonymized pictures and using pseudonyms, not having to show an ID to open an account is part of the service – after all, even the logo of Grindr is a mask.
o However, when a user tries to exercise their rights to find out what personal data the company has on them, Grindr requires them to suddenly take off the mask and even show a government issued ID, which is not only inconsistent with the principle of data minimization, but with the entire product.
§ The United Kingdom’s (UK) Department for Digital, Culture, Media & Sport (DCMS) floated possible cybersecurity rules for some information technology (IT) service providers. DCMS explained:
o IT service providers could be required to follow new cyber security rules such as the National Cyber Security Centre’s Cyber Assessment Framework as part of new proposals to help British businesses manage the growing cyber threat.
o Other plans to protect the country’s digital supply chains include new procurement rules to ensure the public sector buys services from firms with good cyber security and plans for improved advice and guidance campaigns to help businesses manage security risks.
o The move follows a consultation by the Department for Digital, Culture, Media and Sport (DCMS) to enhance the security of digital supply chains and third party IT services, which are used by firms for things such as data processing and running software.
o It comes as new research of chairs, CEOs and directors of Britain’s top companies shows the majority (91 per cent up from 84 per cent in 2020) see cyber threats as a high or very high risk to their business, but nearly a third of leading firms are not taking action on supply chain cyber security, with only 69 per cent saying their organisation actively manages supply chain cyber risks.
o Today’s government response to the call for views shows there is industry support for developing new or updated legislation, with 82 per cent of respondents agreeing legislation could be an effective or a somewhat effective solution.
o The government will now develop more detailed policy proposals and it is currently carrying out a review of the laws and measures which encourage firms to improve their cyber security and will launch a new national cyber strategy later this year.
Further Reading
Photo by Bithin raj on Unsplash
§ “Apple’s Privacy Mythology Doesn’t Match Reality” By Albert Fox Cahn and Evan Selinger — WIRED. In 2021, Apple has cast itself as the world’s superhero of privacy. Its leadership insists, “Privacy has been central to our work … from the very beginning” and that it’s a “fundamental human right.” Its new advertising even boasts that privacy and the iPhone are the same things.
§ “Blacklisted Israeli Surveillance Company Linked To Middle Eastern Hacks, Denies Knowing Whom Customers Spy On” By Thomas Brewster — Forbes. Israeli surveillance companies are under fire for providing tools to repressive regimes. Now, one of four spyware and cyber businesses blacklisted by the U.S. says it is legally obliged to remain in the dark about its customers’ activities, after researchers link it to attacks on swaths of websites in what are feared to be attempted hacks of government officials, journalists and dissidents.
§ “‘Ghostwriter’ Looks Like a Purely Russian Op—Except It's Not” By Lily Hay Newman — WIRED. For at least four years, the hacking and disinformation group known as Ghostwriter has plagued countries in Eastern Europe and the Baltics. Given its methods—and its anti-NATO and anti-US messages—the widely held assumption has been that Ghostwriter is yet another Kremlin-led campaign. The European Union even declared at the end of September that some member states have “associated” Ghostwriter “with the Russian state.” As it turns out, that's not quite right. According to the threat intelligence firm Mandiant, Ghostwriter's hackers work for Belarus.
§ “Bad Santa: Amazon, Facebook top Mozilla's naughty list of privacy-crushing gifts” By Jonathan Greig — ZDNet. Mozilla has released the latest edition of its *Privacy Not Included shopping guide, aiming to provide holiday buyers with a concrete list of how the most popular items handle privacy issues. Mozilla researchers spent over 950 hours examining 151 popular connected gifts, identifying 47 that had what they called "problematic privacy practices." The worst, according to Mozilla, include Facebook Portal, Amazon Echo, NordicTrack Treadmill and other workout tools.
§ “Evil Corp: 'My hunt for the world's most wanted hackers'” By Joe Tidy — BBC. Many of the people on the FBI's cyber most wanted list are Russian. While some allegedly work for the government earning a normal salary, others are accused of making a fortune from ransomware attacks and online theft. If they left Russia they'd be arrested - but at home they appear to be given free rein.
§ “A look under the hood of the most successful streaming service on the planet” By Catie Keck — The Verge. As hundreds of thousands of households worldwide tapped into Netflix’s Squid Game last month, viewers may have taken something fairly extraordinary for granted. Netflix didn’t buckle under the unprecedented demand for the dystopian drama that would become its most successful title to date — even as other services have struggled to keep their products sturdy under less demanding circumstances.
§ “Amazon wages secret war on Americans' privacy, documents show” By Jeffrey Dastin, Chris Kirkham and Aditya Kalra — Reuters. In recent years, Amazon.com Inc has killed or undermined privacy protections in more than three dozen bills across 25 states, as the e-commerce giant amassed a lucrative trove of personal data on millions of American consumers.
§ “Germany Inc.’s China syndrome” By Matthew Karnitschnig and Laurenz Gehrke — Politico EU. German business is getting queasy about China. For decades, German industry — an early mover in the Chinese market — looked the other way amid Beijing's human rights abuses, as managers and engineers from the likes of Siemens and Volkswagen helped transform the country into Germany's largest trading partner. But as Chinese leader Xi Jinping tightens the country’s surveillance state, threatens neighbors and takes on an increasingly belligerent tone with the West, Germany’s China strategy, shaped to serve the needs of its export industry, is looking increasingly unsustainable.
§ “How Big Tech Is Pitching Digital Elder Care to Families” By Colin Lecher — The Markup. In the summer of 2020, as the COVID-19 pandemic locked many inside their homes, seniors quickly became some of the most isolated. Especially susceptible to the virus, and still without a vaccine, older adults found themselves unable to visit with loved ones they relied on. Some tech companies stepped in with an offer to help.
§ “Google warns customers about antitrust bills” By Margaret Harding McGill — Axios. Google on Thursday warned some customers that antitrust bills targeting the tech giant could jeopardize the services small businesses rely on.
§ “Apple’s App Privacy Report launches into beta to show you what your apps are up to” By Sarah Perez — TechCrunch. Apple has now launched a beta version of its “App Privacy Report,” a new feature that aims to provide iOS users with details about how often their everyday apps are requesting access to sensitive information, and where that information is being shared. The feature was first introduced at Apple’s Worldwide Developer Conference in June, amid other privacy-focused improvements, including tools to block tracking pixels in emails, a private VPN and more. Apple explained at the time the new report would include details about an app’s access to user data and sensors, including the user’s location, photos, contacts and more, as well as a list of domains that the app contacts.
§ “Election officials don't need to report cyber incidents to the feds. That could soon change.” By AJ Vicens — CyberScoop. Security personnel charged with the challenging and high-stakes work of protecting election systems from digital threats might soon have another task on their to-do list: reporting any cyber incidents to the federal government. That’s if election technology, designated critical infrastructure in 2017, falls under proposed rules requiring critical infrastructure owners and operators to notify federal officials about cyber incidents, such as attempted hacks and ransomware attacks.
§ “Google and Facebook’s Ad Empires” By Shira Ovide — The New York Times. Google and Facebook love to talk about the cutting-edge stuff that they’re working on. Metaverse! Driverless cars! Cloud! Artificial intelligence! The reality, though, is that these tech companies are rich and powerful because they are the biggest sellers of advertising in the world. They do essentially the same thing that William Randolph Hearst did a century ago: They draw our attention to try to sell us yoga pants. (OK, Hearst’s newspapers probably didn’t have ads for leggings.)
Coming Events
Photo by Noah Buscher on Unsplash
§ 30 November
o The Senate Homeland Security & Governmental Affairs Committee will hold a roundtable titled “FedRAMP Reform: Recommendations to Reduce Burden, Enhance Security, and Address Inefficiencies in the Government Cloud Authorization Process.”
§ 1 December
o The United States (U.S.) Senate’s Commerce, Science, and Transportation Committee plans to vote on the nominations of acting Federal Communications Commission Chair Jessica Rosenworcel for another term to chair the FCC and Alvaro Bedoya to be a Commissioner on the Federal Trade Commission. The committee will also consider the nominations of Gigi Sohn to be an FCC Commissioner and Alan Davidson to be the Assistant Secretary of Commerce for Communications and Information who heads the National Telecommunications and Information Administration (NTIA).
o The United States (U.S.) House of Representatives’ Energy and Commerce Committee’s Communications and Technology Subcommittee will hold a hearing titled “Holding Big Tech Accountable: Targeted Reforms to Tech’s Legal Immunity” that will focus on the following bills:
§ The "Protecting Americans from Dangerous Algorithms Act" (H.R. 2154)
§ The "Civil Rights Modernization Act of 2021" (H.R. 3184)
§ The "Safeguarding Against Fraud, Exploitation, Threats, Extremism, and Consumer Harms Act" or the "SAFE TECH Act" (H.R. 3421)
§ The "Justice Against Malicious Algorithms Act of 2021" (H.R. 5596)
§ 2 December
o The United States (U.S.) House of Representatives’ Intelligence Committee’s Strategic Technologies and Advanced Research Subcommittee will hold a closed hearing titled “How the Intelligence Community is Using and Defending Against AI.”
o The United States (U.S.) House of Representatives’ Transportation and Infrastructure Committee will hold a hearing titled “The Evolving Cybersecurity Landscape: Federal Perspectives on Securing the Nation's Infrastructure.”
o The United States (U.S.) House of Representatives’ Science, Space, and Technology Committee will hold a hearing titled “Ensuring American Leadership in Microelectronics.”
§ 8 December
o The United States (U.S.) National Institute of Standards and Technology’s (NIST) Information Security and Privacy Advisory Board (ISPAB) will hold an open meeting with this tentative agenda:
§ Briefing from NIST on recent activities from the Information Technology Laboratory,
§ Board Discussion on Executive Order 14028, Improving the Nation's Cybersecurity (May 12, 2021) deliverables and impacts to date,
§ Discussion on Agency Responsibilities for Cybersecurity Risk Management,
§ Presentation from NIST on Cybersecurity Metrics and Measurements,
§ Briefing from NIST on the Post Quantum Program,
§ Briefing from the Office of Management and Budget on recent cybersecurity policies,
§ Public Comments.
§ 9 December
o The second day of the United States (U.S.) National Institute of Standards and Technology’s (NIST) Information Security and Privacy Advisory Board (ISPAB) open meeting, which continues with the tentative agenda listed under 8 December.
o The United States (U.S.) National Institute of Standards and Technology (NIST) will hold an online workshop titled “Cybersecurity Labeling for Consumer IoT and Software: Executive Order Update and Discussion.”
§ 14 December
o The United States (U.S.) Federal Communications Commission (FCC) will hold an open meeting.
§ 16-17 June 2022
o The European Data Protection Supervisor will hold a conference titled “The future of data protection: effective enforcement in the digital world.”