Discover more from The Wavelength

An ex-lobbyist/current lawyer analyzes tech policy, politics, and law in the U.S., EU, and elsewhere. This includes privacy, data protection, antitrust, competition, surveillance, and other topics.

Bipartisan Infrastructure Package: Broadband

Apple will start searching for CSAM on devices and in the cloud; UK regulator says Facebook's acquisition of Giphy may violate competition law

Michael Kans

Aug 20, 2021

Share The Wavelength

Photo by Compare Fibre on Unsplash

Last week, the Senate passed the “Infrastructure Investment and Jobs Act” (H.R.3684), sending the bill to the House. As has been widely reported, Congressional Democratic Leadership is linking this bill with a forthcoming $3.5 trillion package “to enact the [White House’s] Build Back Better agenda.” Consequently, this bill will likely not pass before the other package does unless it fails to pass. Then Democrats would be faced with a dilemma, for the $3.5 trillion package is probably the only opportunity to enact President Joe Biden’s sweeping plans to address climate change, higher education, healthcare, and other Democratic policy priorities.

Putting aside the politics and probabilities, the Senate’s $1 trillion infrastructure package is chock full of cybersecurity and technology funding and programmatic provisions. However, given the breadth of programs and funding, today we will just look at the very extensive broadband programs that carry a purported price tag of $65 billion, $35 billion less than the White House and Democratic stakeholders wanted.

Nonetheless, the drafters of much of the broadband language decided against using the Federal Communications Commission (FCC) as the conduit and overseer for most of the funds. Instead, the Department of Commerce’s National Information and Telecommunications Administration (NTIA) will fill this role. There are likely a few reasons for this. First, Members have long wrangled with the agency just to get accurate maps of broadband coverage in the U.S. and over the definition of high-speed internet. There may not be a lot of patience or good feelings on Capitol Hill towards the FCC. Second, at present, the agency is deadlocked with 2 Democrats and 2 Republicans, and there have been no public signs as to when the Biden Administration will nominate a commissioner to tip the agency to the Democrats. Although a few theories have been floated as to why this is, including the White House not wanting to complicate passage of the infrastructure bill, infighting in the White House, giving acting Chair Jessica Rosenworcel a “try out,” and cross currents from Democratic stakeholders about a nominee. Third, the NTIA will be more answerable to the White House through the Secretary of Commerce and department senior officials. Moreover, Secretary Gina Raimondo has earned raves form key moderate Senators, and as a former governor she is presumably experienced in the view from a statehouse in trying to fulfill dictates from Washington.

The Senate folded provisions from the “Accessible, Affordable Internet for All Act” (H.R.1783/S.745) (see here for more detail on the bill as introduced) but reduced the overall funding from $94 billion to $65 billion, largely in the form of a new grant program the National Telecommunications and Information Administration (NTIA) would administer. The agency must establish within six months a ‘‘Broadband Equity, Access, and Deployment Program’’ to make grants to eligible entities, and $42.45 billion is authorized and appropriated for this program. The NTIA “shall provide technical support and assistance to eligible entities (a term defined to include only states, the District of Columbia and certain U.S. territories) to facilitate their participation in the Program, including by assisting eligible entities with—

(i) the development of grant applications under the Program;

(ii) the development of plans and procedures for distribution of funds under the Program; and

(iii) other technical support as determined by the [NTIA].

The NTIA is also charged with providing more general assistance to states for obtaining a Broadband Equity, Access, and Deployment Program grant, namely:

(i) to support the expansion of broadband, with priority for—

(I) expansion in rural areas; and
(II) eligible entities that consistently rank below most other eligible entities with respect to broadband access and deployment; and

(ii) regarding cybersecurity resources and programs available through Federal agencies, including the Election Assistance Commission, the Cybersecurity and Infrastructure Security Agency, the Federal Trade Commission, and the National Institute of Standards and Technology.

The NTIA would make grants based on a formula determined by the FCC’s broadband maps as required by the “Broadband DATA Act’’ (P.L. 116-130) (47 U.S.C. 642 et seq.). On 6 August, the FCC announced “a brand-new map showing mobile coverage and availability data in the U.S. from the country’s largest wireless providers.” The agency continued that “[t]his is the first public map showing updated mobile coverage released by the FCC and represents a significant improvement over other data previously published by the agency.” The FCC added the map “also serves as a public test of the standardized criteria developed to facilitate improved mapping under the Broadband DATA Act.” It is not clear whether this broadband map that features only data voluntarily submitted by the four biggest wireless carriers in the U.S. suffices to satisfy the Broadband DATA Act’s requirements. It bears note that the bill refers to broadband data maps and not a map, suggesting the FCC has some other maps to draft and publish. Consequently, NTIA may need to wait on the FCC’s completion of the broadband map mandated under the Broadband DATA Act to disburse the $42.45 billion in grant funding aimed at rural and underserved areas of the U.S. to close to digital divide. Or expediency and political pressure may encourage the NTIA to deem the 6 August map sufficient and proceed.

In any event, once the Broadband DATA Act maps are finished and published, the NTIA must allocate $4.245 billion to states with none receiving less than $100 million with the United States Virgin Islands, Guam, American Samoa, and the Commonwealth of the Northern Mariana Islands dividing a total of $100 million. The NTIA needs to use a formula to distribute funds for this first tranche, and this formula requires:

§ “dividing the number of unserved locations in high-cost areas in the eligible entity by the total number of unserved locations in high-cost areas in the United States” and

§ Multiplying this number by $4.245 billion

The rest of these funds ($38.205 billion) will be distributed thorough a different formula:

§ “(i) dividing the number of unserved locations in the eligible entity by the total number of unserved locations in the United States; and”

§ Multiplying this number by $38.205 billion

Moreover, within six months of enactment the NTIA must issue a notice of funding opportunity for the Broadband Equity, Access, and Deployment Program and after states submit letters of intent, they can apply for planning grants, which could be no more than 5% of the second tranche of funds. In exchange for these planning funds, states will need to complete three-year action plans.

When the NTIA can start handing out funds, states will need to navigate and complete a lengthy application process designed, no doubt, to ensure NTIA can ensure funds will be well used for the purposes of the act.

Be that as it may, when funding is doled out, states would then make competitive grants to subgrantees for

§ unserved service projects and underserved service projects;

§ connecting eligible community anchor institutions;

§ data collection, broadband mapping, and planning;

§ installing internet and Wi-Fi infrastructure or providing reduced-cost broadband within a multi-family residential building, with priority given to a residential building that—

o has a substantial share of unserved households; or
o is in a location in which the percentage of individuals with a household income that is at or below 150 percent of the poverty line applicable to a family of the size involved (as determined under section 673(2) of the Community Services Block Grant Act (42 U.S.C. 9902(2)) is higher than the national percentage of such individuals;

§ broadband adoption, including programs to provide affordable internet-capable devices; and

§ any use determined necessary by [NTIA] to facilitate the goals of the Program.

And so, obviously, these funds would be directed first and foremost to entities looking to bridge broadband gaps or limited service. There are other purposes for which entities could use funds, including for Wi-Fi infrastructure in multi-family residential buildings or for reduced price service.

Moreover, all subgrantees

§ shall adhere to quality-of-service standards, as established by [NTIA];

§ shall comply with prudent cybersecurity and supply chain risk management practices, as specified by [NTIA], in consultation with the Director of the National Institute of Standards and Technology and the Commission;

§ shall incorporate best practices, as defined by [NTIA], for ensuring reliability and resilience of broadband infrastructure; and

§ may not use the amounts to purchase or support—

o any covered communications equipment or service, as defined in section 9 of the Secure and Trusted Communications Networks Act of 2019 (47 U.S.C. 1608); or
o fiber optic cable and optical transmission equipment manufactured in the People’s Republic of China, except that [NTIA] may waive the application of this clause with respect to a project if the eligible entity that awards a subgrant for the project shows that such application would unreasonably increase the cost of the project.

The Senate is looking to further bake restrictions into U.S. telecommunications law and systems through the latter of these provisions. The FCC’s program to protect the U.S. telecommunications system against national security threats (mainly equipment and services from the PRC) bars the use of Universal Service Fund (USF) dollars from buying banned equipment and services. The above language would essentially extend this ban to the $42.45 billion in broadband grant funds. But it also expands the ban to include fiber optic cable and optical transmission equipment made in the PRC with the caveat that NTIA may waive this provision on the basis of increased costs, meaning there are not cheaper or equivalent options available.

The bill would also piggyback better broadband cybersecurity and supply chain risk management by conditioning the funds on meeting standards to be promulgated by NTIA, NIST, and the FCC. The same would be true of broadband infrastructure reliability and resilience.

States would need to award funds for broadband networks based on these criteria:

(i) shall award funding in a manner that—

(I) prioritizes unserved service projects;
(II) after certifying to [NTIA] that the eligible entity will ensure coverage of broadband service to all unserved locations within the eligible entity, prioritizes underserved service projects; and
(III) after prioritizing underserved service projects, provides funding to connect eligible community anchor institutions;

(ii) in providing funding under subclauses (I), (II), and (III) of clause (i), shall prioritize funding for deployment of broadband infrastructure for priority broadband projects;

(iii) may not exclude cooperatives, nonprofit organizations, public-private partnerships, private companies, public or private utilities, public utility districts, or local governments from eligibility for such grant funds; and

(iv) shall give priority to projects based on—

(I) deployment of a broadband network to persistent poverty counties or high-poverty areas;
(II) the speeds of the proposed broadband service;
(III) the expediency with which a project can be completed; and
(IV) a demonstrated record of and plans to be in compliance with Federal labor and employment laws.

So, the funds would be provided to projects that help unserved areas, then underserved areas, and finally to “eligible community anchor institutions” (a term that includes a number of institutions like schools, libraries, public housing organization, and others that lack gigabit-level broadband service.) But further preference would be given to “priority broadband projects” which are “designed to—

(i) provide broadband service that meets speed, latency, reliability, consistency in quality of service, and related criteria as the [NTIA] shall determine; and (ii) ensure that the network built by the project can easily scale speeds over time to—

(I) meet the evolving connectivity needs of households and businesses; and
(II) support the deployment of 5G, successor wireless technologies, and other advanced services.

As a result, the NTIA will almost certainly need to publish guidance or even more likely conduct a rulemaking to define the specifications that projects must meet in order to be “priority broadband projects.”

The eligible group of subgrantees would seem to include every possible stakeholder interested in receiving broadband funds. Nonetheless, additional priority would be given to those projects that would bring broadband to poor areas, the speed of the proposed service, how quickly the project can be reasonably completed, and the entity’s record of complying with federal labor and employment laws.

In sum, it appears the highest preference would go to projects to provide broadband to unserved areas with high levels of poverty for priority broadband projects.

For the deployment of broadband networks, subgrantees would need to match federal funds with 25% of the project costs except for high-cost areas and in some other cases. The non-federal match can come from a variety of sources, including recently funds leftover from COVID-19 appropriations packages.

The NTIA would also establish means to claw back funds from non-performing subgrantees in consultation with federal and state partners.

The NTIA and FCC would have two years to stand up a publicly website that:

(i) allows a consumer to determine, based on financial information entered by the consumer, whether the consumer is eligible—

(I) to receive a Federal or State subsidy with respect to broadband service; or
(II) for a low-income plan with respect to broadband service; and

(ii) contains information regarding how to apply for the applicable benefit described in clause (i).

Additionally, “[a] Federal entity, State entity receiving Federal funds, or provider of broadband service that offers a subsidy or low-income plan, as applicable, with respect to broadband service shall provide data to the [NTIA} in a manner and format as established by the [NTIA] as necessary.”

The Senate has also set a very high bar for any legal challenges of any NTIA decisions. First, the federal court in Washington DC is the only court that can hear such cases, and it must rule for the NTIA unless:

§ the decision was procured by corruption, fraud, or undue means;

§ there was actual partiality or corruption in the Assistant Secretary; or

§ the Assistant Secretary was guilty of—

o misconduct in refusing to review the administrative record; or
o any other misbehavior by which the rights of any party have been prejudiced.

In short, unless NTIA engaged in illegal behavior or a flagrant disregard of administrative claims, its decisions in the $42.45 billion broadband program cannot be challenged.

The FCC’s remit and authority under the “Broadband DATA Act” would be changed. Broadband providers would be required to provide the information and data the agency needs to create broadband maps. The FCC would also be required to commence a proceeding on how the agency is to achieve universal service for broadband goals in light of passage of the act. The FCC would need to report to Congress on how its efficiency in achieving universal service could be improved. The FCC is moreover tasked with establishing an online mapping tool within 18 months “to provide a locations overview of the overall geographic footprint of each broadband infrastructure deployment project funded by the Federal Government.”

The bill removes limits on the “Tribal Broadband Connectivity Program” established in the “Consolidated Appropriations Act, 2021” (P.L.116–260), and $2 billion more is appropriated for this program. The NTIA is in the process of disbursing the $980 million made available for FY 2021.

The “Infrastructure Investment and Jobs Act” includes another broadband bill, the “Digital Equity Act of 2021” (H.R.1841/S.2018) would establish the State Digital Equity Capacity Grant and the Digital Equity Competitive Grant Programs and provide $2.75 billion in total for them.

The NTIA would establish the State Digital Equity Capacity Grant Program

§ the purpose of which is to promote the achievement of digital equity, support digital inclusion activities, and build capacity for efforts by States relating to the adoption of broadband by residents of those States;

§ through which the Assistant Secretary shall make grants to States in accordance with the requirements of this section; and

§ which shall ensure that States have the capacity to promote the achievement of digital equity and support digital inclusion activities.

States would select an entity to administer the program, and those eligible for this task include a range of entities such as the state government itself, a political subdivision, a Tribal government, foundation, corporation, an educational agency and others.

Each state that wants to participate would need to draft a State Digital Equity Plan that, among other components, identifies obstacles to full digital equity, goals to promote inclusion among a number of groups, and the interplay of digital equity and other state planning processes for health, labor, education, and others. The NTIA shall award planning grants to states to execute their equity plans. Two years after the process of making planning grants starts, NTIA would start awarding state capacity grants to implement states’ digital equity plans and other measures to increase digital inclusion. A total of $600 million is provided for the two grant programs with $60 million being for planning grants. The bill outlines a formula for the distribution of the funds: 50% will be provided based on a state’s population in proportion to the U.S. population; 25% will be given based on the number of people in covered populations (i.e. those groups among whom there is less digital engagement such as the elderly and people who are learning English); and 25% based on the comparative lack of broadband availability and adoption in proportion to the broadband availability and adoption in all eligible states. NTIA may terminate and redistribute grant funds if states fail to use the proceeds in the ways they have agreed to.

The NTIA would also establish the Digital Equity Competitive Grant Program “the purpose of which is to award grants to support efforts to achieve digital equity, promote digital inclusion activities, and spur greater adoption of broadband among covered populations.” Those entities eligible for this grant are similar to those that can receive state capacity grants under the State Digital Equity Plan. When considering applications for this grant program, the NTIA “shall, to the extent practicable, consider—

§ whether an application shall, if approved—

o increase internet access and the adoption of broadband among covered populations to be served by the applicant; and
o not result in unjust enrichment;

§ the comparative geographic diversity of the application in relation to other eligible applications; and

§ the extent to which an application may duplicate or conflict with another program.”

The grants will support at least one of the following:

§ To develop and implement digital inclusion activities that benefit covered populations.

§ To facilitate the adoption of broadband by covered populations in order to provide educational and employment opportunities to those populations.

§ To implement, consistent with the purposes of this title—

o training programs for covered populations that cover basic, advanced, and applied skills; or
o other workforce development programs.

§ To make available equipment, instrumentation, networking capability, hardware and software, or digital network technology for broadband services to covered populations at low or no cost.

§ To construct, upgrade, expend, or operate new or existing public access computing centers for covered populations through community anchor institutions.

§ To undertake any other project and activity that the Assistant Secretary finds to be consistent with the purposes for which the Program is established.

This grant program will require at least a 10% non-federal match and perhaps even more, for the language in the bill caps the federal portion at 90% and suggests NTIA could reduce the federal share even further at its discretion. NTIA may grants waivers for the non-federal share, however.

$1.25 billion is provided for the Digital Equity Competitive Grant Program, 5% of which may be kept by NTIA to finance administration, 5% of which shall go to grants or agreements with Indian Tribes, Alaska Native entities, and Native Hawaiian organizations, and 1% of which shall go to the United States Virgin Islands, Guam, American Samoa, the Commonwealth of the Northern Mariana Islands, and any other territory or possession of the United States that is not a State.

The “Infrastructure Investment and Jobs Act” establishes another broadband development program. The NTIA “shall establish a program under which the [NTIA] makes grants on a technology-neutral, competitive basis to eligible entities for the construction, improvement, or acquisition of middle mile infrastructure.” $1 billion is provided for this new program, and the purpose of this program is:

§ to encourage the expansion and extension of middle mile infrastructure to reduce the cost of connecting unserved and underserved areas to the backbone of the internet (commonly referred to as the ‘‘last mile’’); and

§ to promote broadband connection resiliency through the creation of alternative network connection paths that can be designed to prevent single points of failure on a broadband network.

The NTIA will be able to make grants to further build middle mile infrastructure to the following entities:

a State, political subdivision of a State, Tribal government, technology company, electric utility, utility cooperative, public utility district, telecommunications company, telecommunications cooperative, nonprofit foundation, non-profit corporation, nonprofit institution, non-profit association, regional planning counsel, Native entity, or economic development authority

NTIA is to prioritize applications from eligible entities that do two or more of the following:

§ The eligible entity adopts fiscally sustainable middle mile strategies.

§ The eligible entity commits to offering non-discriminatory interconnect to terrestrial and wireless last mile broadband providers and any other party making a bona fide request.

§ The eligible entity identifies specific terrestrial and wireless last mile broadband providers that have—

o expressed written interest in interconnecting with middle mile infrastructure planned to be deployed by the eligible entity; and
o demonstrated sustainable business plans or adequate funding sources with respect to the interconnect described in clause (i).

§ The eligible entity has identified supplemental investments or in-kind support (such as waived franchise or permitting fees) that will accelerate the completion of the planned project.

§ The eligible entity has demonstrated that the middle mile infrastructure will benefit national security interests of the United States and the Department of Defense.

Moreover,

A project shall be eligible for a middle mile grant if, at the time of the application, the [NTIA] determines that the proposed middle mile broadband network will be capable of supporting retail broadband service.

Finally, under the Middle Mile Infrastructure Grant Program, the U.S. government cannot pay for more than 70% of a project, and so the applicant must finance at least 30%.

Another COVID-19 relief program from the “Consolidated Appropriations Act, 2021” (P.L.116–260) is refashioned and extended. The “Benefit For Broadband Service During Emergency Period Relating To COVID-19” would become the “Affordability Connectivity” program. $14.2 billion will be given to the FCC for this program that reimburses internet service providers mainly for providing low cost service to certain households. There are provisions that would revise some aspects of the program, including language for ISPs to recover more costs for providing service in high-cost areas on Tribal lands. Moreover, providers must allow eligible people to choose any of the ISP’s regularly offered plans and cannot require a credit check. Moreover, when a customer subscribes or renews a subscription, the ISP must tell them about the Affordability Connectivity program and how to enroll. Additionally, the FCC will need to promulgate rules to protect consumers from a number of ISP practices, including inappropriate upselling or downselling, inappropriate requirements that customers using this benefit sign on for extended contracts, inappropriate restrictions on switching ISPs while using the benefit, and “similar restrictions that amount to unjust and unreasonable acts or practices that undermine the purpose, intent, or integrity of the Affordable Connectivity Program.”

The FCC will need to certify it has disbursed all benefit funds distributed under the predecessor program before it can start handing out the new funds. Additionally, eligibility will be increased by making households earning up to 200% of the Federal Poverty Guidelines and through revising upward other criteria. However, the per-month dollar amount for households would decrease from $50 to $30.

One year after enactment of the “Infrastructure Investment and Jobs Act,” the FCC must promulgate “regulations to require the display of broadband consumer labels, as described in the Public Notice of the Commission issued on April 4, 2016 (DA 16–357), to disclose to consumers information regarding broadband internet access service plans. During the Trump Administration FCC, in repealing the Obama Administration’s FCC’s net neutrality rules, it also rolled back broadband labeling rules. Recently, Consumer Reports’ Digital Lab announced an effort to bootstrap broadband labeling. The organization stated that “along with a coalition of partners, is embarking on an ambitious project called Broadband Together to investigate the state of internet access in the U.S…[and] will analyze thousands of consumer ISP bills from across the country to better understand what factors determine why and how ISPs charge the prices they do, and what information is and is not included in monthly bills.”

Within two years, the FCC must also “adopt final rules to facilitate equal access to broadband internet access service, taking into account the issues of technical and economic feasibility presented by that objective, including—

§ preventing digital discrimination of access based on income level, race, ethnicity, color, religion, or national origin; and

§ identifying necessary steps for the Commissions to take to eliminate discrimination described in paragraph (1).”

The bill also includes the “Telecommunications Skilled Workforce Act” (H.R.1032/S.163) that establishes a “Telecommunications Interagency Working Group” “to address the workforce needs of the telecommunications industry, including the safety of that workforce.” This Task Force would develop and make recommendations to Congress. In a related directive, the Department of Labor and the FCC must:

issue guidance on how States can address the workforce needs and safety of the telecommunications industry, including guidance on how a State workforce development board established under section 101 of the Workforce Innovation and Opportunity Act (29 U.S.C. 3111) can—

(1) utilize Federal resources available to States to meet the workforce needs of the telecommunications industry;
(2) promote and improve recruitment in workforce development programs in the telecommunications industry; and
(3) ensure the safety of the telecommunications workforce, including tower climbers.

The “Infrastructure Investment and Jobs Act” expands qualified private activity bonds (PAB) to include broadband projects as a means of fostering private sector investment. These provisions are based on the “Rural Broadband Financing Flexibility Act” (S.1676), and the Joint Committee on Taxation has estimated this would cost $566 million in lost revenue, and at least one summary is claiming it will provide $600 million in broadband projects. For those not versed in PABs (like me), here is a handy summary the Internal Revenue Service issued:

Interest on State and local government bonds is taxable if the bonds are private activity bonds (bonds issued to finance private activities not specifically authorized by Congress) unless the bond is a qualified private activity bond provided for in the Code.

The bill defines “qualified broadband projects” as “any project which—

§ is designed to provide broadband service solely to 1 or more census block groups in which more than 50 percent of residential households do not have access to fixed, terrestrial broadband service which delivers at least 25 megabits per second downstream and at least 3 megabits service upstream, and

§ results in internet access to residential locations, commercial locations, or a combination of residential and commercial locations at speeds not less than 100 megabits per second for downloads and 20 megabits for second for uploads, but only if at least 90 percent of the locations provided such access under the project are locations where, before the project, a broadband service provider—

o did not provide service, or
o did not provide service meeting the minimum speed requirements described in subparagraph (A).

There are other requirements in using a PAB to finance a qualified broadband project, too.

The Department of Agriculture’s Rural Utilities Service’s Distance Learning, Telemedicine, and Broadband Program would be given $2 billion in additional funding for broadband loans and grants subject to extensive conditions spelled out in the bill, including coordination with the NTIA and FCC.

Other Developments

Photo by Dainis Graveris on Unsplash

§ Apple announced “new child safety features in three areas, developed in collaboration with child safety experts:

o   First, new communication tools will enable parents to play a more informed role in helping their children navigate communication online. The Messages app will use on-device machine learning to warn about sensitive content, while keeping private communications unreadable by Apple.
o   Next, iOS and iPadOS will use new applications of cryptography to help limit the spread of CSAM online, while designing for user privacy. CSAM detection will help Apple provide valuable information to law enforcement on collections of CSAM in iCloud Photos.
o   Finally, updates to Siri and Search provide parents and children expanded information and help if they encounter unsafe situations. Siri and Search will also intervene when users try to search for CSAM-related topics.
o   Apple made the following materials available to explain these changes in policy:
§ Expanded Protections for Children — Frequently Asked Questions (PDF)
§ Expanded Protections for Children — Technology Summary (PDF)
§ Security Threat Model Review of Apple’s Child Safety Features (PDF)
§ Presentation at USENIX Security Symposium by Ivan Krstic and Erik Neuenschwander (Video)
§ CSAM Detection — Technical Summary (PDF)
§ Apple PSI System — Security Protocol and Analysis (PDF)

§ The Center for Democracy & Technology (CDT) articulated its belief that Apple’s above announcement “will threaten the security and privacy of its users and ultimately imperil secure messaging around the world.” CDT added:

o Apple describes these new policies as an effort to protect children, which is unquestionably an important and worthy goal. Proliferation of child sexual abuse material (CSAM) is an abhorrent crime against which firm action is required. However, CDT is deeply concerned that Apple’s changes in fact create new risks to children and all users, and mark a significant departure from long-held privacy and security protocols.

§ Privacy International (PI) argued Apple’s “plans risk opening the door to mass surveillance around the world while arguably doing little to improve child safety.” PI asserted:

o   As one of the world’s biggest tech companies, the decisions Apple make matter. This is a clear signal to every government around the world that Apple - and inevitably their entire industry - have the technology and the will to carry out mass surveillance. By opening the floodgates, even for something as important as protecting children, Apple and the rest of the industry will inevitably be unable to resist doing the same for other reasons and for other governments.
o   While these plans are ostensbily aimed at improving child safety in the US, it is undeniable that the same technical approach an be widened to include other categories of images and content. Indeed, it has already been applied for counter-terrorism purposes, and there are consistent calls for tech companies to use such an approach to identify copyright infringments.
o   At the same time as opening the doors for global mass surveillance, such client-scanning technology will also arguably do little to improve child safety. It is an approach that is easily to circumvent: criminals will either simply not use iCloud, or over time be able to produce false negatives by modifying content to ‘game’ the scanning techniques to avoid detection. Conversely, such an approach could also result in false positives, allowing malicious actors to create images or other content in ways that the scanning technology misclassifies it as child sexual abuse. This is something that can be of particular interest for those wishing to silent whistleblowers, investigative journalists or political opponents, by simply sending them illegal content. In short, client-side scanning weakens the security of communications and opens the door to abuses.

§ The United Kingdom’s (UK) Competition and Markets Authority (CMA) “has provisionally found Facebook’s merger with Giphy will harm competition between social media platforms and remove a potential challenger in the display advertising market.” The CMA cautioned that if its “competition concerns are ultimately confirmed, it could require Facebook to unwind the deal and sell off Giphy in its entirety.” The CMA made available the following materials: Provisional Findings, Summary of provisional findings, Notice of provisional findings, and Remedies notice. The CMA summarized its findings:

o Impact on social media platforms
§ Following an in-depth investigation, the CMA has provisionally found that Facebook’s takeover of Giphy will negatively impact competition between social media platforms.
§ Millions of posts every day on social media sites now include a GIF. Any reduction in the choice or quality of these GIFs could significantly affect how people use these sites and whether or not they switch to a different platform, such as Facebook. As most major social media sites that compete with Facebook use Giphy GIFs, and there is only one other large provider of GIFs – Google’s Tenor – these platforms have very little choice.
§ The CMA provisionally found that Facebook’s ownership of Giphy could lead it to deny other platforms access to its GIFs. Alternatively, it could change the terms of this access – for example, Facebook could require Giphy customers, such as TikTok, Twitter and Snapchat, to provide more user data in order to access Giphy GIFs. Such actions could increase Facebook’s market power, which is already significant. The CMA’s analysis suggests that Facebook’s platforms – Facebook, WhatsApp, and Instagram – account for over 70% of the time people spend on social media and are accessed at least once a month by 80% of all internet users.
o Impact on digital ‘display’ advertising
§ Before the merger, Giphy was offering innovative paid advertising in the US, which had the potential to compete with Facebook’s own display advertising services. This allowed companies – including customers such as Dunkin’ Donuts and Pepsi – to promote their brands through visual images and GIFs.
§ The CMA found that, prior to the deal, Giphy was considering expanding its advertising services to other countries, including the UK. This would have brought a new player into the advertising market and a potential challenger to Facebook. It would also have encouraged greater innovation from others in the market, including social media sites and advertisers. However, Facebook terminated Giphy’s paid advertising partnerships following the deal, meaning an important source of potential competition has been lost.
§ This is particularly concerning given Facebook’s existing market power in display advertising – as part of its assessment, the CMA found that Facebook had a share of around 50% of the £5.5 billion display advertising market in the UK.

§ The United States (U.S.) Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced “the standup of the Joint Cyber Defense Collaborative (JCDC)…a new agency effort to lead the development of cyber defense operations plans, and to execute those plans in coordination with partners from the federal interagency, private sector, and state, local, tribal, territorial (SLTT) government stakeholders to drive down risk before an incident and to unify defensive actions should an incident occur.” CISA explained:

o   CISA is establishing the JCDC to integrate unique cyber capabilities across multiple federal agencies, many state and local governments, and countless private sector entities to achieve shared objectives. Specifically, the JCDC will:
§ Design and implement comprehensive, whole-of-nation cyber defense plans to address risks and facilitate coordinated action;
§ Share insight to shape joint understanding of challenges and opportunities for cyber defense;
§ Implement coordinated defensive cyber operations to prevent and reduce impacts of cyber intrusions; and
§ Support joint exercises to improve cyber defense operations.
o   The initial industry partners that are participating in the JCDC include Amazon Web Services, AT&T, CrowdStrike, FireEye Mandiant, Google Cloud, Lumen, Microsoft, Palo Alto Networks, and Verizon. This is only the beginning, as the JCDC will strive to include private sector and SLTT partners from across sectors as our focus areas expand. Government partners include the Department of Defense, U.S. Cyber Command, the National Security Agency, the Department of Justice, the Federal Bureau of Investigation and the Office of the Director of National Intelligence, with Sector Risk Management Agencies joining the effort as we move forward.
o   In recent months, various major cyber incidents have had an impact on our critical infrastructure community and caused downstream consequences to Americans that rely on it for everyday functions. The federal government, SLTT governments, and the private sector work tirelessly to strengthen our defensive posture, but none of us can do it alone. As a community, the JCDC will deploy innovation, collaboration, and imagination to protect American businesses, government agencies, and our people against cyber intrusions.

§ The European Consumer Organisation (BEUC) “filed a complaint (with the European Commission and the European network of consumer authorities) against WhatsApp for multiple breaches of EU consumer rights” according to their press release. BEUC asserted:

o   The complaint is first due to the persistent, recurrent and intrusive notifications pushing users to accept WhatsApp’s policy updates. The content of these notifications, their nature, timing and recurrence put an undue pressure on users and impair their freedom of choice. As such, they are a breach of the EU Directive on Unfair Commercial Practices.
o   In addition, the complaint highlights the opacity of the new terms and the fact that WhatsApp has failed to explain in plain and intelligible language the nature of the changes. It is basically impossible for consumers to get a clear understanding of what consequences WhatsApp’s changes entail for their privacy, particularly in relation to the transfer of their personal data to Facebook and other third parties. This ambiguity amounts to a breach of EU consumer law which obliges companies to use clear and transparent contract terms and commercial communications.
o   WhatsApp’s conduct is aggravated by the fact that it keeps pushing users to accept a privacy policy which is currently under scrutiny by the European Data Protection Authorities for breaches of EU data protection law.3 BEUC’s consumer law complaint is separate from this ongoing scrutiny but we also call on the data protection authorities to speed up their investigations. We urge the European network of consumer authorities and the network of data protection authorities to work in close cooperation on these issues.

§ The White House’s Office of Science and Technology Policy (OSTP) announced it “will develop clear and effective implementation guidance for [ National Security Presidential Memorandum (NSPM-33)], working in close partnership with the National Security Council staff, fellow Cabinet agencies, and other federal agencies through the National Science and Technology Council.” The OSTP explained:

o During its final week in office, the previous administration issued a National Security Presidential Memorandum (NSPM-33) to “strengthen protections of United States Government-supported R&D against foreign government interference and exploitation” while “maintaining an open environment to foster research discoveries and innovation that benefit our nation and the world.”
o NSPM-33 implementation guidance will address three major areas:
§ Disclosure Policy — ensuring that federally-funded researchers provide their funding agencies and research organizations with appropriate information concerning external involvements that may bear on potential conflicts of interest and commitment;
§ Oversight and Enforcement — ensuring that federal agencies have clear and appropriate policies concerning consequences for violations of disclosure requirements and interagency sharing of information about such violations; and,
§ Research Security Programs — ensuring that research organizations that receive substantial federal R&D funding (greater than $50 million annually) maintain appropriate research security programs.

§ Senate Commerce, Science, and Transportation Committee Ranking Member Roger Wicker (R-MS) and Senate Minority Whip and Communications, Media, and Broadband Subcommittee Ranking Member John Thune (R-SD) wrote Federal Communications Commission (FCC) Acting Chair Jessica Rosenworcel “to request a status update on the agency’s long-form application review process for the Rural Digital Opportunity Fund (RDOF) Phase I auction, which awarded $9.2 billion over ten years to over 300 bidders to deploy high-speed broadband to over 5.2 million unserved homes and businesses in 49 states.” Wicker and Thune argued:

o   Today, we write to request a status update on the FCC’s long-form application review process. This application review process is critical to ensuring that winning bidders are capable of fulfilling their legal, technical, and financial obligations under the program and can deliver broadband services to rural areas as promised. Notably, the FCC cannot authorize money to winners until it reviews and approves a given provider’s long-form application.
o   We fully support a thorough review of long-form applications and expect the FCC to do so in a timely and transparent manner. Indeed, in January 2021, we joined a letter to then-FCC Chairman Ajit Pai requesting that the agency properly vet winning bidders in a public manner, and that it consider opportunities for public input on the applications. Despite these requests, the FCC’s review process remains unclear. Months have passed since winners submitted their long-form applications, and the agency has remained almost entirely silent about the status of its review and plans to authorize money to winning bidders.
o   Although we recognize the complexity of this process, the FCC’s prolonged evaluation of long-form applications must become more transparent and efficient. Each day that the Commission spends vetting long-form applications is another day that unserved Americans go without the high-speed broadband that is essential to everyday life. We urge the FCC to move quickly to finish this process and begin authorizing support to winning bidders.

§ The National Institute of Standards and Technology (NIST) released “a new draft cybersecurity white paper – Planning for a Zero Trust Architecture: A Starting Guide for Administrators, which provides a high-level overview of the NIST Risk Management Framework (NIST RMF) and how it can help in developing and implementing a zero trust architecture.” In the draft, NIST stated:

o   Zero trust (ZT) is the set of principles upon which information technology architectures are planned, deployed, and operated. ZT uses a holistic view that considers all potential risks to a given mission or business process and how they are mitigated. As such, there is no single specific infrastructure implementation or architecture, but it depends on the workflow (i.e., part of the enterprise mission) being analyzed and the resources that are used in performing that workflow. Zero trust strategic thinking can be used to plan and implement an enterprise IT infrastructure, which then could be said to be a zero trust architecture (ZTA).
o   Enterprise administrators and system operators need to be involved in the planning and deployment for a ZTA to be successful. ZTA planning requires input and analysis from system and workflow owners as well as professional security architects. Zero trust cannot be imposed from above onto an existing workflow but needs to be integrated into all aspects of the enterprise. This paper introduces some of the concepts in the NIST Risk Management Framework (RMF) to administrators and operators. The RMF lays out a set of processes and tasks that is integrated into enterprise risk analysis, planning, development, and operations. Administrators who may normally not perform the tasks detailed in the RMF may find that they will need to become familiar with them as they migrate to a ZTA.
o   NIST Special Publication 800-207 gives a conceptual framework for zero trust. While not comprehensive to all information technology it can be used as a tool to understand and develop a ZTA for an enterprise. NIST SP 800-207 also provides an abstract logical architecture that can be used to map solutions and gaps upon.

§ The United States (U.S.) Federal Deposit Insurance Corporation’s (FDIC) Office of the Inspector General (OIG) issued an audit titled “Security and Management of Mobile Devices.” The OIG stated:

o   The Federal Deposit Insurance Corporation (FDIC) deploys nearly 4,600 smartphones and
more than 150 tablets to its employees and contractor personnel to support its business
operations and communications. Although these mobile devices offer opportunities to
improve business productivity, they also introduce the risk of cyber threats that could
compromise sensitive FDIC data. The FDIC must implement proper controls to ensure that it effectively manages its inventory of mobile devices and the associated expenditures.
o   The FDIC uses a cloud-based mobile device management (MDM) solution to secure and
manage its smartphones and tablets. The MDM solution performs a number of important
functions, such as connecting mobile devices to the FDIC’s network, monitoring the security and configuration settings on the devices, and erasing sensitive FDIC data on the devices when users report them as lost or stolen.
o   The audit found that the FDIC had not established or implemented effective controls and
practices to secure and manage its mobile devices in three of the nine areas assessed
because the controls and practices did not comply with relevant Federal or FDIC
requirements and guidance. Specifically, the audit determined that:
§ FDIC policies, procedures, and guidance were outdated and did not reflect current
business practices pertaining to mobile devices, and they did not address key
elements recommended by the National Institute of Standards and Technology
(NIST). For example, FDIC policies did not address the Bring Your Own Device
(BYOD) program nor the risks associated with personal use of FDIC-furnished mobile
devices, such as downloading and using non-work related applications, and texting,
messaging, and video.
§ The FDIC did not conduct Control Assessments of the MDM solution annually in order to ensure that controls were effective and operating as intended.
§ FDIC Logging and Monitoring practices were not guided by written procedures and did not provide for adequate separation of duties.
o   Controls and practices in the areas of Awareness Training, Billing Analysis, and Configuration Management were partially effective because they complied with some, but not all, relevant security requirements and guidelines. For example, the FDIC did not develop written procedures for testing software updates to its mobile devices or complete testing of software updates before allowing users to download and install them.
o   The FDIC implemented effective controls and practices in the areas of Asset Management,
Incident Response, and Data Protection.

§ The High Court of Delhi directed the government’s lawyers to take instructions on a petition filed about data breaches in India. The Free Software Movement of India (FSMI) had filed a petition asking for government action per the law:

o   The Petitioner is General Secretary of FSMI (Free Software Movement of India). FSMI is a national coalition of various regional and sectoral free software movements operating in different parts of India.
o   The Petitioner has filed this Petition praying for a direction to Respondent No.2 Computer Emergency Respondent Team -India (“CERT-In”) , which an office attached to the
Respondent No.1, Union of India, for acting on the representation of the Petitioner and commence investigation and review of the recent data breaches of BigBasket, Domino’s, MobiKwik and Air India (all of which are mobile and/or online web applications collecting personal information
from India's residents for providing services). The data breaches have compromised sensitive personal and financial information of millions of users of these services.
o   The Petitioner wrote to the CERT-In on 11.11.2020, 30.03.2021, 21.04.2021, and on 22.05.2021 urging it to investigate the data breaches and update the citizens on what had transpired at Domino’s, MobiKwik, BigBasket and AirIndia as mandated by the CERT-In Rules as notified under S. 70B of the IT Act, 2000. The citizen charter of CERT-In lays down that the CERT-In shall acknowledge the grievances received by it, and that it shall redress the grievances within one month from the data of receipt of grievance. However, there was no response or acknowledgement of Petitioner’s emails and letters.

§ The European Parliament Think Tank issued a briefing on “Artificial Intelligence in smart cities and urban mobility” and reached these key findings:

o   Artificial Intelligence (AI) enabling smart urban solutions brings multiple benefits, including more efficient energy, water and waste management, reduced pollution, noise and traffic congestions. Local authorities face relevant challenges undermining the digital transformation from the technological, social and regulatory standpoint, namely (i) technology and data availability and reliability, the dependency on third private parties and the lack of skills; (ii) ethical challenges for the unbiased use of AI; and (iii) the difficulty of regulating interdependent infrastructures and data, respectively. To overcome the identified challenges, the following actions are recommended:
o   EU-wide support for infrastructure and governance on digitalisation, including high performance computing, integrated circuits, CPUs and GPU’s, 5G, cloud services, Urban Data Platforms, enhancing efficiency and ensuring at the same time unbiased data collection.
o   Inclusion of urban AI in EU research programs addressing data exchange, communication networks and policy on mobility and energy, enhancing capacity building initiatives, also through test and experimentation facilities.
o   Harmonising AI related policies in the EU, taking into account the context specificity: necessary research.
o   Adoption of innovative procurement procedures, entailing requirements for technical and
ethically responsible AI.

§ Singapore’s Smart Nation and Digital Government Office (SNDGO) “published the second update on the Government’s personal data protection efforts,” “a key recommendation made by the Public Sector Data Security Review Committee (PSDSRC) in November 2019, to enhance transparency on how the Government uses and secures citizen data. SNDGO stated:

o   The number of government data incidents rose from 75 in FY2019 to 108 in FY2020. While the number of data incidents reported has increased by 44%, there has been a downward trend in their severity – none of these incidents were assessed to be of high severity, and all incidents were addressed within 48 hours. The increase in data incidents reported correlates with trends seen in the private sector and globally, as the exchange and usage of data grows. The increase also reflects increased awareness and improved understanding among public officers to report all data incidents, regardless of scale or impact.
o   Out of the 108 government data incidents in FY2020, 6 were detected as a result of public reports made to the Government Data Security Contact Centre (GDSCC). The Centre was set up in April 2020 for members of the public to report data incidents involving government data or government agencies, and seeks to strengthen the Government’s capabilities to detect data incidents.
o   Public officers found to have made unauthorised use or disclosure of government data will be held accountable. In 2021, several individuals had been charged under the Official Secrets Act (OSA) for the unauthorised disclosure of information related to Singapore’s response to COVID-19.
o   As of 31 March 2021, the Government has implemented 21 of the 24 initiatives arising from the five key recommendations by the PSDSRC. The 3 initiatives that have been implemented since 1 October 2020 are:
§ The Data Privacy Protection Capability Centre (DPPCC): This centre was set up within GovTech in December 2020 to deepen the Government’s expertise in data privacy protection technologies. It will provide expert advice to agencies, and monitor emerging data privacy protection risks and recommend solutions to mitigate these risks.
§ Advanced Data Protection Technical Measures: Since its inception, the DPPCC has begun studying and implementing advanced technical measures to protect data in Government systems. An example is the de-identification modules to protect sensitive personal data and maintain data privacy, while enabling data to be used.
§ Amendments to the Personal Data Protection Act (PDPA): The amendments came into effect on 1 February 2021. These amendments strengthen the data protection accountability of non-Government entities and non-public officers who handle Government data. Punitive measures were introduced to hold these individuals accountable for the reckless handling, or intentional mishandling, of personal data.
o   The remaining 3 of the 24 initiatives are technical measures, which require significant re-architecting of technical systems and more time to develop. The Government is on track to complete these initiatives as planned, by end-2023.

§ The Federal Trade Commission (FTC) revealed that “that Aristotle International, Inc. (Aristotle) has been removed from the list of self-regulatory organizations that police for compliance with the Children’s Online Privacy Protection Act (COPPA).” The agency stated “[o]perators of websites and online services that paid Aristotle fees to participate in its self-regulatory program can no longer receive favorable regulatory treatment.”

o   As part of its oversight of the COPPA Safe Harbor program, the FTC warned Aristotle earlier this year that the agency was concerned Aristotle may not have sufficiently monitored its member companies to ensure they were complying with its guidelines, as required by the COPPA Rule. After receiving an inadequate response from Aristotle, FTC staff told Aristotle that it planned to recommend that the Commission revoke its approval of the company’s safe harbor program. On June 1, Aristotle notified Commission staff that it was withdrawing from the COPPA safe harbor program.
o   Aristotle was one of seven FTC-approved Safe Harbor organizations and is the first to be removed from the list of FTC-approved children’s privacy self-regulatory programs since the COPPA Rule went into effect two decades ago. The COPPA Rule requires that operators of commercial websites and online services directed to children under the age of 13, or general-audience websites and online services that knowingly collect personal information from children under 13, notify parents about their information practices and obtain verifiable parental consent before collecting, using, or disclosing any personal information from children under the age of 13.
o   Organizations such as Aristotle operate self-regulatory COPPA “safe harbor” programs that certify compliance with the FTC’s COPPA Rule. In order to get FTC approval to operate their programs, such organizations must have guidelines that provide the same or greater protections for children as the COPPA Rule. They also must have an effective and mandatory mechanism in place to conduct independent assessments of member organizations’ compliance with the program guidelines. Companies certified as members of a safe harbor program are deemed to be in compliance with the COPPA Rule. The Commission approved Aristotle to operate a COPPA Safe Harbor program in 2012.

§ Computer Emergency Response Team (CERT) New Zealand (NZ) “says the majority of ransomware attacks occur through poorly configured remote access systems, which businesses use to allow staff to access systems from outside the office.” CERT NZ stated:

o   While there are a range of these in use, one of the most commonly used is Remote Desktop Protocol (RDP), with over 2,500 identified in New Zealand. RDP has a number of weaknesses, which means when it is used over the internet it can be exploited by attackers, and is a leading contributor to the ransomware incidents that CERT NZ receives.
o   CERT NZ is partnering with internet service providers to contact organisations that use internet-exposed RDP to provide advice on how they can make remote working more secure.
o   As RDP is often exploited by attackers to gain access to an organisation’s network, CERT NZ recommends organisations consider other options to enable remote working, such as a virtual private network (VPN). Good VPN solutions support two-factor authentication, which adds an extra layer of security, and are designed to be used over the internet.
o   More broadly, CERT NZ is concerned about the growing impact ransomware attacks are having on New Zealand.
o   CERT NZ has seen an increase in ransomware reports in the second quarter of 2021 (April to June), compared to the first quarter of the year. Reaching a total of 30 reports, this is the highest number of ransomware reports made to CERT NZ within one quarter.
o   CERT NZ will soon be releasing more guidance for organisations about how to protect themselves against ransomware.