Bipartisan Infrastructure Package: Drinking Water and The Grid
CNPD confirms €746 million fine of Amazon for GDPR violation; Australia's Information Commissioner reappointed; UK looks for follow on regulation to EU's NIS
Recently, the Senate passed the “Infrastructure Investment and Jobs Act” (H.R.3684), sending the bill to the House. This bill is teeming with technology funding and policy, the likes of which could alter United States (U.S.) policy in a number of realms for years to come. We looked at the broadband provisions in the last issue (see here), and today, we will examine the provisions and funding related to drinking water systems, the electric grid, and related technology.
The Senate included language and funding to address the vulnerabilities turned up by this year’s high-profile attack of a Florida drinking water facility. This sort of attack and the vulnerabilities many water facilities around the globe have is not new, for there was an attack in 2000 in Australia. Nonetheless, this year’s attack caught the attention of U.S. policymakers. The following provisions were largely pulled from the Senate Environment and Public Works Committee’s “Drinking Water and Wastewater Infrastructure Act of 2021” (S.914).
In Division E “Drinking Water and Wastewater Infrastructure,” the U.S. Environmental Protection Agency (EPA) is tasked with establishing the “Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability Program” under which the agency “shall award grants to eligible entities for the purpose of—
§ increasing resilience to natural hazards and extreme weather events; and
§ reducing cybersecurity vulnerabilities.
Those public water facilities eligible for such grants are those that serve a population of 10,000 or more. It bears emphasis this program appears to merely be authorized at $50 million a year over the next five fiscal years with no funds actually appropriated. This would be presumably up to the Appropriations Committees to address in annual bills.
The EPA would also need to “carry out a study that examines the state of existing and potential future technology, including technology that could address cybersecurity vulnerabilities, that enhances or could enhance the treatment, monitoring, affordability, efficiency, and safety of drinking water provided by a public water system.” After reporting to Congress, the EPA must establish a competitive grant program “for the purpose of identifying, deploying, or identifying and deploying technologies” that are advanced, including those pertaining to cybersecurity.
Public water systems that serve 100,000 and fewer people are eligible to apply, and the federal share is capped at 90% of costs. $10 million is authorized for each of the next five fiscal years but again not appropriated.
A new section is added to the “Safe Drinking Water Act” (42 U.S.C. 300g et seq.): “Cybersecurity Support For Public Water Systems.” The EPA must coordinate with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) in developing “a prioritization framework to identify public water systems (including sources of water for those public water systems) that, if degraded or rendered inoperable due to an incident, would lead to significant impacts on the health and safety of the public.” Within nine months of enactment, the “[EPA], in coordination with [CISA] and using existing authorities of the [EPA] and [CISA] for providing voluntary support to public water systems and the Prioritization Framework, shall develop a Technical Cybersecurity Support Plan for public water systems.” And yet, the section goes out the way to stress that nothing in this new program shall compel a public water system to comply with any EPA technical support. So, again, a voluntary program that offers increased resources and focus on cybersecurity that critical infrastructure owners and operators are free to disregard.
The EPA would moreover need to establish a new “Clean Water Infrastructure Resiliency and Sustainability Program” in order to “award grants to eligible entities for the purpose of increasing the resilience of publicly owned treatment works to a natural hazard or cybersecurity vulnerabilities.” Municipalities and state agencies can apply for funds and “shall use the grant funds for planning, designing, or constructing projects (on a system-wide or area-wide basis) that increase the resilience of a publicly owned treatment works to a natural hazard or cybersecurity vulnerabilities.” The EPA cannot pay for more than 75% of the project except for public water systems that serve 10,000 or fewer people and other criteria at which point the federal share can be as high as 90%. $25 million a year for five fiscal years is authorized but not appropriated for this new program.
The EPA must “develop best practices that may be implemented by State, Tribal, and local governments with respect to the collection of batteries to be recycled in a manner that—
§ to the maximum extent practicable, is technically and economically feasible for State, Tribal, and local governments;
§ is environmentally sound and safe for waste management workers; and
§ optimizes the value and use of material derived from recycling of batteries.”
$10 million would be made available for this program.
The EPA would need to stand up a program “to promote battery recycling through the development of—
§ voluntary labeling guidelines for batteries; and
§ other forms of communication materials for battery producers and consumers about the reuse and recycling of critical materials from batteries.”
And the EPA would receive $15 million for the voluntary labeling guidelines program.
There are numerous Department of Energy (DOE) technology provisions, most of which relate to the cybersecurity of the U.S. electric grid.
DOE would need to establish a new program for states to draft and implement State Energy Security Plans. Additionally, DOE can provide financial assistance for states “for the development, implementation, review, and revision of a State energy security plan that—
§ assesses the existing circumstances in the State; and
§ proposes methods to strengthen the ability of the State, in consultation with owners and operators of energy infrastructure in the State—
o to secure the energy infrastructure of the State against all physical and cybersecurity threats;
o to mitigate the risk of energy supply disruptions to the State; and
o to enhance the response to, and recovery from, energy disruptions; and
o to ensure that the State has reliable, secure, and resilient energy infrastructure.
Governors must submit annual reports that meet the department’s requirements, any necessary revisions to her state energy security plan and certification as to the need for these revisions. DOE and DHS are permitted to provide technical assistance to states.
The second section of the energy part of the bill deals with cybersecurity and supply chain risk management.
The DOE must establish a program to enhance grid security through public-private partnerships in coordination with DHS and “the heads of other relevant Federal agencies, State regulatory authorities, industry stakeholders, and the Electric Reliability Organization” (i.e. the North American Electric Reliability Corporation) as DOE sees fit. DOE and its partners must carry out a program:
§ to develop, and provide for voluntary implementation of, maturity models, self-assessments, and auditing methods for assessing the physical security and cybersecurity of electric utilities;
§ to assist with threat assessment and cybersecurity training for electric utilities;
§ to provide technical assistance for electric utilities subject to the program;
§ to provide training to electric utilities to address and mitigate cybersecurity supply chain management risks;
§ to advance, in partnership with electric utilities, the cybersecurity of third-party vendors that manufacture components of the electric grid;
§ to increase opportunities for sharing best practices and data collection within the electric sector; and
§ to assist, in the case of electric utilities that own defense critical electric infrastructure (as defined in section 215A(a) of the Federal Power Act (16 U.S.C. 824o–1(a))), with full engineering reviews of critical functions and operations at both the utility and defense infrastructure levels—
o to identify unprotected avenues for cyber-enabled sabotage that would have catastrophic effects to national security; and
o to recommend and implement engineering protections to ensure continued operations of identified critical functions even in the face of constant cyber attacks and achieved perimeter access by sophisticated adversaries.
DOE must report to Congress one year after enactment on the cybersecurity of electricity distribution systems. DOE is also charged with safeguarding any information it collects or is provided that could endanger the U.S. electric grid. Consequently, this information cannot be disclosed not even for Freedom of Information Act (FOIA) requests.
The DOE will establish a voluntary Energy Cyber Sense program in conjunction with DHS and the other federal agencies. This new program will be developed “to test the cybersecurity of products and technologies intended for use in the energy sector, including in the bulk-power system” and including “industrial control systems and operational technologies, such as supervisory control and data acquisition systems.” DOE must maintain a database of these products and the test results that “are integrated with Federal vulnerability coordination processes.” The agency will provide technical assistance to remedy vulnerabilities in tested products and technology. DOE must develop guidance based on its testing for the electric sector on buying products and technology and consider incentives to drive the use of the testing results in how products and technology are designed and built. Finally, if the DOE reasonably foresees the disclosure of information related to this program could jeopardizes the physical or cybersecurity of the energy sector, she can exempt such information from FOIA and other public disclosure laws.
The Federal Energy Regulatory Commission (FERC) must “conduct a study to identify incentive-based, including performance-based, rate treatments for the transmission and sale of electric energy subject to the jurisdiction of the Commission that could be used to encourage—
§ investment by public utilities in advanced cybersecurity technology; and
§ participation by public utilities in cybersecurity threat information sharing programs.”
One year after this study is finished, FERC must “establish, by rule, incentive-based, including performance-based, rate treatments for the transmission of electric energy in interstate commerce and the sale of electric energy at wholesale in interstate commerce by public utilities for the purpose of benefitting consumers by encouraging” investment in advanced cybersecurity technology and the participation of public utilities in “cybersecurity threat information sharing programs.” FERC may also provide other incentives to reduce risks to defense critical electric infrastructure and “facilities of small or medium-sized public utilities with limited cybersecurity resources.”
The DOE must establish the “Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program” “to provide grants and technical assistance to, and enter into cooperative agreements with, eligible entities to protect against, detect, respond to, and recover from cybersecurity threats.” This new program’s objectives are:
§ to deploy advanced cybersecurity technologies for electric utility systems; and
§ to increase the participation of eligible entities in cybersecurity threat information sharing programs.
The entities eligible for this program are
(A) a rural electric cooperative;
(B) a utility owned by a political subdivision of a State, such as a municipally owned electric utility;
(C) a utility owned by any agency, authority, corporation, or instrumentality of 1 or more political subdivisions of a State;
(D) a not-for-profit entity that is in a partnership with not fewer than 6 entities described in subparagraph (A), (B), or (C); and
(E) an investor-owned electric utility that sells less than 4,000,000 megawatt hours of electricity per year.
DOE should prioritize grants and technical assistance to those entities with limited cybersecurity resources or own assets critical to the bulk power system or own defense critical electric infrastructure.
$250 million would be appropriated in $50 million chunks for each of the next five years.
DOE must carry out a program to enhance grid security to achieve the following (i.e., the “Cybersecurity for the Energy Sector Research, Development, and Demonstration Program”):
§ to develop advanced cybersecurity applications and technologies for the energy sector—
o to identify and mitigate vulnerabilities, including—
§ dependencies on other critical infrastructure;
§ impacts from weather and fuel supply;
§ increased dependence on inverter-based technologies; and
§ vulnerabilities from unpatched hardware and software systems; and
o to advance the security of field devices and third-party control systems, including—
§ systems for generation, transmission, distribution, end use, and market functions;
§ specific electric grid elements including advanced metering, demand response, distribution, generation, and electricity storage;
§ forensic analysis of infected systems;
§ secure communications; and
§ application of in-line edge security solutions;
§ to leverage electric grid architecture as a means to assess risks to the energy sector, including by implementing an all-hazards approach to communications infrastructure, control systems architecture, and power systems architecture;
§ to perform pilot demonstration projects with the energy sector to gain experience with new technologies;
§ to develop workforce development curricula for energy sector-related cybersecurity; and
§ to develop improved supply chain concepts for secure design of emerging digital components and power electronics.
$50 million a year is appropriated annually for five fiscal years.
The DOE would be given the discretion to develop and execute a cyber-resilience program to test agency response capabilities and coordination with the National Laboratories and other agencies. DOE could also investigate enhanced threat sharing with the Intelligence Community and other purposes designed to foster greater cyber-resilience. $50 million would be appropriated annually for the next five fiscal years.
DOE would need to put in place “an advanced energy security program to secure energy networks, including…electric networks…natural gas networks; and…oil exploration, transmission, and delivery networks.” The goal of this program is “to increase the functional preservation of electric grid operations or natural gas and oil operations in the face of natural and human-made threats and hazards, including electric magnetic pulse and geo-magnetic disturbances.” This program would also be authorized for annual appropriations of $50 million for the next five fiscal years.
DOE may, in its discretion, require any recipient of funds for the aforementioned programs to
§ …submit…a cybersecurity plan that demonstrates the cybersecurity maturity of the recipient in the context of the project for which that award or other funding was provided; and
§ establish a plan for maintaining and improving cybersecurity throughout the life of the proposed solution of the project.
The Senate then addresses supply chain issues, a policy area that has come to the fore in Washington following a number of recently successful supply chain attacks. The United States Geological Survey (USGS) would need to establish an Earth Mapping Resources Initiative “to accelerate efforts to carry out the fundamental resources and mapping mission of the” USGS. The DOE must “through an agreement with an academic partner, the design, construction, and build-out of a facility to demonstrate the commercial feasibility of a full-scale integrated rare earth element extraction and separation facility and refinery.” There are provisions directing the Department of the Interior to speed up the review of permitting for critical mineral production on federal lands.
The Senate sponsors are also interested in shoring up and fostering U.S. production of advanced batteries, a field in which the PRC is far ahead of the U.S. The Biden Administration conducted a review of U.S. supply chains, including a focus on advanced batteries, and then launched a number of initiatives based on its findings such as “immediate actions [the DOE] will take to make the U.S. more competitive in the battery market.”
On the heels of the White House’s actions, the DOE would be required to “establish within the Office of Fossil Energy a program, to be known as the “Battery Material Processing Grant Program” to make grants
§ to ensure that the United States has a viable battery materials processing industry to supply the North American battery supply chain;
§ to expand the capabilities of the United States in advanced battery manufacturing;
§ to enhance national security by reducing the reliance of the United States on foreign competitors for critical materials and technologies; and
§ to enhance the domestic processing capacity of minerals necessary for battery materials and advanced batteries.
The DOE would make grants to the following entities:
§ to carry out 1 or more demonstration projects in the United States for the processing of battery materials; (at least $50 million per grant)
§ to construct 1 or more new commercial-scale battery material processing facilities in the United States; (at least $100 million per grant) and
§ to retool, retrofit, or expand 1 or more existing battery material processing facilities located in the United States and determined qualified by the Secretary (at least $50 million per grant.)
$3 billion is appropriated for the “Battery Material Processing Grant Program” in $600 million amounts for each of the next five fiscal years.
In addition, the DOE will be tasked with establishing “within the Office of Energy Efficiency and Renewable Energy a “Battery Manufacturing and Recycling Grant Program,” the purpose of which “is to ensure that the United States has a viable domestic manufacturing and recycling capability to support and sustain a North American battery supply chain. Grants would be given to eligible entities:
§ to carry out 1 or more demonstration projects for advanced battery component manufacturing, advanced battery manufacturing, and recycling; (at least $50 million per grant)
§ to construct 1 or more new commercial-scale advanced battery component manufacturing, advanced battery manufacturing, or recycling facilities in the United States; (at least $100 million per grant)and
§ to retool, retrofit, or expand 1 or more existing facilities located in the United States and determined qualified by the Secretary for advanced battery component manufacturing, advanced battery manufacturing, and recycling (at least $50 million per grant.)
$3 billion is appropriated for the “Battery Material Processing Grant Program” in $600 million amounts for each of the next five fiscal years.
For both programs, DOE is to give priority in making grants to eligible entities located and operating in the U.S., owned by a U.S. entity, using U.S. or North American intellectual property and content, whether it will foster job creation in low and moderate income communities, helps replace jobs lost from the fossil fuels fields, partnership with Tribal entities, and the effect on greenhouse gas emissions, among others.
The ”Infrastructure Investment and Jobs Act” directs the DOE to “continue to carry out the Lithium-Ion Battery Recycling Prize Competition, an already existing program, and authorizes and appropriates $10 million to conduct Phase III.
The DOE would be tasked with establishing another battery program. The agency would need to “award multiyear grants to eligible entities for research, development, and demonstration projects to create innovative and practical approaches to increase the reuse and recycling of batteries, including by addressing” some of the following, among other considerations:
§ recycling activities;
§ the development of methods to promote the design and production of batteries that take into full account and facilitate the dismantling, reuse, recovery, and recycling of battery components and materials;
§ strategies to increase consumer acceptance of, and participation in, the recycling of batteries;
§ the extraction or recovery of critical minerals from batteries that are recycled;
$60 million would be authorized for this program, and the federal share of projects can be no more than 50%.
DOE would be mandated to award $50 million in “grants, on a competitive basis, to States and units of local government to assist in the establishment or enhancement of State battery collection, recycling, and reprocessing programs.”
DOE would administer a new “Battery Recycling and Second-Life Applications Program” that is, “a program of research, development, and demonstration of—
§ second-life applications for electric drive vehicle batteries that have been used to power electric drive vehicles; and
§ technologies and processes for final recycling and disposal of the [aforementioned] devices
The bill explains the purposes of this new program:
§ To improve the recycling rates and second-use adoption rates of electric drive vehicle batteries.
§ To optimize the design and adaptability of electric drive vehicle batteries to make electric drive vehicle batteries more easily recyclable.
§ To establish alternative supply chains for critical materials that are found in electric drive vehicle batteries.
§ To reduce the cost of manufacturing, installation, purchase, operation, and maintenance of electric drive vehicle batteries.
§ To improve the environmental impact of electric drive vehicle battery recycling processes.
$200 million is appropriated for this program.
Finally, the Department of Energy must submit to Congress “a report that assesses using digital tools and platforms as climate solutions, including—
§ artificial intelligence and machine learning;
§ blockchain technologies and distributed ledgers;
§ crowdsourcing platforms;
§ the Internet of Things;
§ distributed computing for the grid; and
§ software and systems.”
§ Luxembourg’s National Commission for Data Protection (CNPD) confirmed “that its restricted panel issued a decision on July 15th, 2021 regarding Amazon Europe Core S.à r.l within the European cooperation and consistency mechanism as foreseen by article 60 of the General Data Protection Regulation (GDPR)” in light of Amazon revealing the ruling. In a quarterly United States (U.S.) Securities and Exchange Commission (SEC) filing, Amazon revealed that CNPD fined the company more than $880 million for violating the General Data Protection Regulation, the largest fine to date. The CNPD continued:
o However, the national law on data protection binds the CNPD to professional secrecy (Article 42) and prevents it from commenting on individual cases.
o In addition, the full and clear publication of the decisions of the CNPD is considered as a supplementary sanction (Article 52). Therefore, it cannot publish any decision before the deadlines for appeals have expired.
o An appeal against the decisions of the CNPD can be made before the Administrative Tribunal, which rules on the merits of the case. The time limit for lodging an appeal is three months.
§ Australian Attorney-General Michaelia Cash reappointed Australian Information Commissioner and Privacy Commissioner Angelene Falk for another 3-year term lasting until August 2024. Cash stated:
o I am pleased to announce that Ms Angelene Falk has been reappointed as Australian Information Commissioner and Privacy Commissioner for a period of three years.
o Since her appointment in 2018, Ms Falk has effectively led the Office of the Australian Information Commissioner (OAIC). She has worked to increase the Australian public’s trust and confidence in the protection of personal information by promoting the understanding of privacy issues and effectively resolving privacy complaints and investigations.
o Under Ms Falk’s leadership, the OAIC has launched its first civil penalty proceedings for an interference with privacy, implemented the Consumer Data Right privacy safeguards, increased international regulatory cooperation and provided guidance on a range of privacy issues that have emerged throughout the course of the COVID-19 pandemic.
o On behalf of the Australian Government, I congratulate Ms Falk on her reappointment and thank her for her tireless work in these important roles.
o In her statement on being reappointed, Falk remarked:
§ This is a pivotal time for both privacy and freedom of information. Over the next 3 years we will uphold and advance these rights to enable citizens and businesses to safeguard personal information and harness its benefits, for individuals and the economy, while we encourage an open-by-design approach to information access across government.
§ This includes regulating the online environment and high privacy impact technologies, expanding the Consumer Data Right, advising on and implementing proposed reforms to the Privacy Act 1988, and increasing proactive publication of government held information.
§ In tackling the tasks ahead I look forward to continued national and international cooperation with privacy, information access, cybersecurity, online safety, and consumer protection regulators. I thank OAIC staff for their commitment and support as we serve the Australian community in the public interest.”
§ France’s Commission nationale de l'informatique et des libertés (CNIL) published “8 recommendations to enhance the protection of children online.” In its press release, CNIL stated:
o In 2018, the entry into force of the GDPR significantly changed the legal landscape by introducing, for the first time, specific provisions dedicated to children into European data protection law. In particular, they require age-appropriate information, provide for the reinforcement of their right to be forgotten and an ability to consent, under certain conditions, to the processing of their data (only over the age of 15 or with their parents for children under 15). They also call for particular vigilance with regard to the profiling of children. However, these texts have given rise to certain questions and a need for clarification, in particular to specify their practical implications and their relationship with national law, notably contract and family law.
o At the same time, there are increasing initiatives at the international level, as illustrated by the recent "General Comment on Children's Rights in the Digital Environment" of the UN or the actions of UNICEF, the OECD and the Council of Europe or the International Telecommunication Union (ITU). The European Data Protection Board (EDPB) and the European Network of Childhood Advocates (ENOC) have also started work on the subject. In parallel, several national data protection authorities have made this topic a priority, such as the "Age Code" of the UK ICO- and, the "14 core principles for a child-centred approach to data processing" of the Irish DPC.
o These recommendations follow a very successful public consultation (with over 700 contributions) and a survey conducted in 2020, but also in-depth legal analysis including active international monitoring.
o The CNIL wanted to understand children's perspectives and involve them in its reflection. In addition to the survey, which was carried out in 2020 among young people to find out more about their digital practices and their parents' perceptions of them, the CNIL has launched a series of workshops with children to gather their perceptions of privacy and data protection, and to create interfaces and information methods with them that they understand and which respect their rights.
o CNIL listed its recommendations:
§ Regulate the capacity of children to act online
§ Recommendation 1
§ Children represent one of the largest user groups of social networks. By creating an account and ticking a box to agree to the terms and conditions, they are in fact entering into a contract.
§ Encourage children to exercise their rights
§ Recommendation 2
§ There are several legal and practical reasons why children should be allowed to exercise their own digital rights.
§ Support parents with digital education
§ Recommendation 3
§ Parents are key when it comes to the digital education of children. But they need to be given ways to help them protect their rights, while respecting their best interests.
§ Seek parental consent for children under 15
§ Recommendation 4
§ The law does to a certain degree accept a child's consent to the processing of data, accompanied by parental consent when the child is under 15.
§ Promote parental controls that respect the child's privacy and best interests
§ Recommendation 5
§ Parental controls are a tool for protecting children online. However, the CNIL calls for vigilance when it comes to certain very intrusive features.
§ Strengthen the information and rights of children by design
§ Recommendation 6
§ Everyone, even children, must be properly informed about how their data is used. This information should be age-appropriate and accessible.
§ Check the age of the child and parental consent while respecting the child's privacy
§ Recommendation 7
§ Checking a child's age and parental permission is a complex but crucial issue: how can we protect children if we cannot identify them or know who has parental authority?
§ Provide specific safeguards to protect the interests of the child
§ Recommendation 8
§ Strengthening the rights of children should also involve specific protection measures by design on the websites, services and apps they are likely to use.
§ The United Kingdom’s Department for Digital, Culture, Media & Sport (DCMS) is calling “for views on amending the incident reporting framework for digital service providers within the Network & Information Systems (NIS) regulations.” DCMS explained:
o This document sets out the government’s approach to rectify an EU-Exit related deficiency in the Network and Information Systems legislation surrounding incident reporting thresholds for digital service providers.
o These thresholds are enshrined in the Network and Information Systems Regulations 2018 (NIS Regulations) and the European Commission Implementing Regulation 151/2018, which together set out the rules for the application of the NIS Regulations in regards to digital service providers.
o This call for views seeks feedback on the government’s proposal to move incident reporting thresholds from legislation to [the Information Commissioner’s Office] (ICO) guidance.
o DCMS outlined London’s proposed approach:
§ 4.1 The Government is proposing to lay a statutory instrument to amend the NIS Regulations and Commission Implementing Regulation 151/2018.
§ 4.2 The proposal is to revoke Article 4 from the UK retained version of Commission Implementing Regulation 151/2018 (which sets out the thresholds) and allow the Information Commissioner’s Office, as the Competent Authority for digital service providers, to set the thresholds at a more appropriate level through guidance. The Information Commissioner’s Office has agreed to subject the new thresholds that they will propose to further consultation with relevant digital service providers.
§ 4.3 Having the incident reporting thresholds in guidance is consistent with the approach taken by other NIS competent authorities in the UK, and will allow the Information Commissioner’s Office to develop thresholds that are appropriate and proportionate to the UK.
§ Senators Richard Blumenthal (D-CT), Marsha Blackburn (R-TN), and Amy Klobuchar (D-MN) introduced the “Open App Markets Act,” (S.2710) that they argued “would set fair, clear, and enforceable rules to protect competition and strengthen consumer protections within the app market.”
o Two companies, Google and Apple, have gatekeeper control of the two dominant mobile operating systems and their app stores that allow them to exclusively dictate the terms of the app market, inhibiting competition and restricting consumer choice.
o Mobile devices are central to consumers’ economic, social, and civic lives, and the mobile app market is a significant part of the digital economy. In 2020 alone, U.S. consumers spent nearly $33 billion in mobile app stores, downloading 13.4 billion apps.
o According to numerous reports, including testimony provided in a Senate Judiciary Antitrust Subcommittee hearing held in April and chaired by Klobuchar, both Apple and Google have appeared to use their powerful gatekeeper control to stifle competition in the app store market. For example, Apple has prevented the creation of third-party app stores on iPhones, required that apps exclusively use their own expensive payment system, and penalized app developers for telling users about discounted offers. These strict terms close off avenues of competition and drive up prices for consumers. Startups also face serious challenges when Big Tech gatekeepers are able to prioritize their own apps to the disadvantage of others, make use of competitors’ confidential business information, and block developers from using features on a consumers’ phone.
o The Open App Markets Act would protect developers’ rights to tell consumers about lower prices and offer competitive pricing; protect sideloading of apps; open up competitive avenues for startup apps, third party app stores, and payment services; make it possible for developers to offer new experiences that take advantage of consumer device features; give consumers more control over their devices; prevent app stores from disadvantaging developers; and set safeguards to continue to protect privacy, security, and safety of consumers.
§ Amazon and GoPro unsealed “a jointly filed lawsuit against seven individuals and two entities (the “defendants”) for counterfeiting GoPro’s popular camera accessories, including the floating hand grip, “The Handler,” and the “3-Way” grip, extension arm, and tripod mount.” The companies stated that “[t]he defendants attempted to offer the infringing products in Amazon’s store, violating Amazon’s policies, infringing on GoPro’s trademarks, and breaking the law.” Amazon and GoPro stated:
o The lawsuit was filed in the United States District Court for the Western District of Washington and alleges that the nine defendants used GoPro’s registered trademarks without authorization to deceive customers about the authenticity and origin of the products and create a false affiliation with GoPro. Amazon closed the defendants’ selling accounts and proactively refunded the impacted customers.
o Amazon strictly prohibits infringing and counterfeit products in its store, and in 2020, Amazon invested more than $700 million and employed more than 10,000 people to proactively protect its store from fraud, counterfeit, and abuse. Amazon uses industry-leading tools to verify potential sellers’ identities and ensure product listings are authentic, and Amazon’s proprietary systems analyze hundreds of unique data points to verify information provided by potential sellers. In 2020, only 6% of attempted new seller account registrations passed Amazon’s robust verification processes and listed products for sale. In addition, fewer than 0.01% of all products sold on Amazon received a counterfeit complaint from customers
o In June 2020, Amazon launched its Counterfeit Crimes Unit, a global team dedicated to pursuing counterfeiters and holding them accountable to the fullest extent of the law, including by working through the court system and in partnership with law enforcement.Amazon has filed a series of lawsuits against counterfeiters, including a suit against individuals using social media to promote and facilitate the sale of counterfeits, as well as joint lawsuits with apparel manufacturer HanesBrands, Italian luxury brands Valentino and Ferragamo, cosmetics brand KF Beauty, family travel accessory brand JL Childress, cooler manufacturer YETI, family-owned-and-operated card game company Dutch Blitz, and global board game publisher Asmodee.
§ The European Parliament’s Think Tank issued a briefing titled “European Union data challenge,” and the Think Tank explained:
o As the discussion on governance of industrial data intensifies, especially after the adoption of the proposal on the Data Governance Act and in the wake of the European Data Act, the question of what is exactly industrial data remains unanswered. The notion of industrial data is not defined in any of the legal documents or legislative proposals, and the reference to it is a fairly recent development. In the past, a more clear-cut term ‘machine-generated data’ was used that potentially allowed for an easier definition and delimitation of this type of data from other data. The 2017 Communication ‘Building a European data economy’ defines with a high degree of precision that machine-generated data are those ‘created without the direct intervention of a human by computer processes, applications or services, or by sensors processing information received from equipment, software or machinery, whether virtual or real’. Therefore, machine-generated data may be created across all industrial sectors, including transport, energy, healthcare, manufacturing, ICT and others, but they go beyond data created in relation to narrowly understood industrial processes.
o The Think Tank reached these findings:
§ The exponential growth and importance of data generated in industrial settings have attracted the attention of policymakers aiming to create a suitable legal framework for its use. While the term ‘industrial data’ has no clear definition, such data possess certain distinctive characteristics: they are a subset of big data collected in a structured manner and within industrial settings; they are frequently proprietary and contain various types of sensitive data.
§ The General Data Protection Regulation (GDPR) rules remain of great relevance for such data, as personal data is difficult to be filtered out from mixed datasets and anonymisation techniques are not always effective. The current and planned rules relevant for business to business (B2B) sharing of industrial data exhibit many shortcomings. They lack clarity on key issues (e.g. mixed datasets), increase the administrative burden for companies, yet not always provide the data protection that businesses need. They do not provide an additional value proposition for B2B data sharing and hinder it in some cases.
§ While this situation warrants policy intervention, both the instrument and its content should be carefully considered. Instead of a legal instrument, soft law could clarify the existing rules; model terms and conditions could be developed and promoted and data standardisation and interoperability efforts supported.
§ National Institute of Standards and Technology’s (NIST) researchers “found that children are learning best practices, such as memorizing passwords, but are demonstrating a gap between their knowledge of good password practices and their behavior” in a new research paper according to the agency’s press release. NIST explained:
o The researchers surveyed more than 1,500 kids from ages 8 to 18 who attended schools across the South, Midwest and Eastern regions of the U.S. Teachers administered two versions of the survey, one for third to fifth graders and the other for sixth to 12th graders. Each survey featured the same questions but had different age-appropriate language.
o On the plus side, results from the study showed that kids are learning best practices on passwords, such as limiting their writing of passwords on paper, keeping their passwords private, and logging out after online sessions. They’re also not burdened with a lot of passwords as adults are, with kids on average reporting they have two passwords for school and two to four for home.
o The passwords that kids created often consisted of concepts reflecting the current state of their lives. Passwords referenced sports, video games, names, animals, movies, titles (such as “princess”), numbers and colors. Examples included “yellow,” “doggysafesecure” and “PrincessFrog248.”
o Password strength increased from elementary to high school students. Examples of stronger passwords among middle and high school students included “dancingdinosaursavrwhoop164” and “Aiken_bacon@28.”
o But despite the evidence that kids are learning best practices, they also demonstrated bad password habits. They tended to reuse passwords, a habit that increased in frequency from elementary to high school students, and shared their passwords with their friends. “For adolescents, an important part of building friendships is building trust, which is shown with sharing secrets. Their perspective is that sharing passwords is not risky behavior,” said Choong.
o The study also shed light onto what kids thought about passwords. The survey asked, “Why do people need passwords?” The answers were different for younger and older kids. Elementary students said safety was the primary reason, while for middle and high school students, privacy became more a more dominant answer.
o Another notable finding was that younger kids relied on family support for creating and maintaining their passwords at home. This suggests that families play a central role in establishing best practices and that parents affect kids’ behavior with passwords.
§ Senators Brian Schatz (D-HI), Thom Tillis (R-NC), John Cornyn (R-TX), and Richard Blumenthal (D-CT) introduced the “Better Cybercrime Metrics Act” (S.2629) that “will improve data collection on cybercrimes, giving law enforcement and policy makers more tools to understand the size and scope of cybercrime in the United States.” Representatives Abigail Spanberger (D-VA), Blake Moore (R-UT), Andrew Garbarino (R-NY), and Sheila Jackson Lee (D-TX) introduced a companion bill in the House, H.R.4977. Spanberger, Moore, Garbarino, and Jackson Lee asserted “the Better Cybercrime Metrics Act would improve federal cybercrime metrics by:
o Requiring the Government Accountability Office to report on the effectiveness of current cybercrime mechanisms and highlight disparities in reporting data between cybercrime data and other types of crime data,
o Requiring that the National Crime Victimization Survey incorporate questions related to cybercrime in its survey instrument,
o Requiring the U.S. Department of Justice to contract with the National Academy of Sciences to develop a taxonomy for cybercrime that can be used by law enforcement, and
o Ensuring that the National Incident Based Reporting System - or any successor system - include cybercrime reports from federal, state, and local officials.”
§ The Federal Trade Commission (FTC) “announced that staff have submitted a comment urging the Board of Governors of the Federal Reserve System (the Fed) to clarify and strengthen the implementation of debit card fee and routing reforms to the Electronic Fund Transfer Act (EFTA) made under the Dodd-Frank Wall Street Reform Act of 2010 (Dodd-Frank).” The agency further asserted:
o According to a 2019 study, Americans use debit cards almost twice as often as credit cards. Merchants, including millions of small businesses, must pay fees to card issuers, usually banks, and card networks like Visa and Mastercard, in order to accept debit cards. But merchants cannot select low-fee networks unless the issuer enables those networks. Typically, merchants work with payment processing companies to ensure that they get paid. When merchants pay high fees to accept payments, this can lead to price hikes for customers.
o In the Dodd-Frank Act, Congress amended EFTA to promote competition among debit card networks by requiring debit card issuers to enable at least two networks so that merchants have a choice for routing electronic debit transactions. The Fed has rulemaking authority to implement these provisions, and the FTC enforces these rules with respect to card networks.
o While mobile and electronic payments have been on the rise since 2010, the COVID-19 pandemic has accelerated that growth, with merchants and consumers shifting increasingly to ecommerce and digital marketplaces. As the Fed’s proposed rule recognizes, issuers do not provide sufficient options to merchants for these types of payments. The FTC staff endorsed the proposed rulemaking by the Fed which clarifies that a 2011 regulation applies both to transactions in which a physical debit card is used, and to “card-not-present transactions” that occur without use of a physical card, such as pay-by-phone or other electronic payments.
o The FTC staff also called for rules that would prohibit debit card networks from exploiting an issuer’s position by paying incentives to that issuer based on how electronic debit transactions are routed by merchants using that issuer’s debit cards. According to the FTC staff comment, the Fed should “adopt revisions that ensure that debit card networks do not create incentives for issuers to evade Regulation II’s clear mandate that there be two unaffiliated networks available for each type of debit transaction, with each network a commercially reasonable alternative for merchants.” This addition would ensure that networks do not overburden merchants or consumers.
o The FTC staff submitted its comment in response to the Federal Reserve’s proposal to amend Regulation II and clarify that Regulation II applies to card-not-present transactions as well as card-present transactions, issued on May 13, 2021.
o The Commission vote authorizing the staff comment to the Federal Reserve was 3-2. Commissioners Noah Joshua Phillips and Christine S. Wilson voted no
§ “Rumble, a YouTube rival popular with conservatives, will pay creators who ‘challenge the status quo’” By Drew Harwell — The Washington Post. A fast-growing YouTube rival popular with conservative influencers has a new strategy to expand its online audience: Paying hundreds of thousands of dollars to well-known media personalities it says work to “challenge the status quo.” The Toronto-based upstart Rumble said Thursday that it has struck deals with former U.S. congresswoman Tulsi Gabbard, the journalist firebrand Glenn Greenwald and others who had committed to posting their videos first to the site.
§ “Google Bans Location Data Firm Funded by Former Saudi Intelligence Head” By Joseph Cox — Vice’s Motherboard. Google has banned SafeGraph, a location data firm whose investors include a former head of Saudi intelligence, Motherboard has learned. The ban means that any apps working with SafeGraph had to remove the offending location gathering code from their apps. SafeGraph markets its data to government entities and a wide range of industries, but it also sells the data on the open market to essentially anyone.
§ “What China Expects From Businesses: Total Surrender” By Li Yuan — The New York Times. When Pony Ma, head of the Chinese internet powerhouse Tencent, attended a group meeting with Premier Li Keqiang in 2014, he complained that many local governments had banned ride-sharing apps installed on smartphones. Mr. Li immediately told a few ministers to investigate the matter and report back to him. He then turned to Mr. Ma and said, “Your example vividly demonstrates the need to improve the relationship between the government and the market.”
§ “Mark Zuckerberg and Sheryl Sandberg’s Partnership Did Not Survive Trump” By Sheera Frenkel and Cecilia Kang — The New York Times. Sheryl Sandberg knew she’d be asked about the attacks on the Capitol. For the past week, the country had been reeling from the violence in Washington, and with each passing day, reporters were uncovering more of the footprint left behind by the rioters on social media. Speaking to the cameras rolling in her sun-filled Menlo Park, Calif., garden, Ms. Sandberg confronted this question, one she’d prepared for: Could Facebook have acted sooner to help prevent this?
§ “Big Tech Thought It Had A Billion Users In The Bag. Now It Might Be Forced To Make Hard Choices To Get Them.” By Pranav Dixit — BuzzFeed News. For more than 30 years, Manjul, who goes by his first name only, has skewered leaders from every Indian government in acerbic political cartoons splashed across the country’s biggest news publications and, in recent years, on social media. But until June, no one had ever threatened the titan of editorial cartooning. So when he saw an email from Twitter’s legal department in his inbox in June, he was surprised.
§ “US recruits social media influencers to reach vaccine skeptics and dispel myths” — The Guardian. As a police sergeant in a rural town, Carlos Cornejo isn’t the prototypical social media influencer. But his Spanish-language Facebook page with 650,000 followers was exactly what Colorado leaders were looking for as they recruited residents to try to persuade the most vaccine-hesitant. Cornejo, 32, is one of dozens of influencers, ranging from busy moms and fashion bloggers to African refugee advocates and religious leaders, getting paid by the state to post vaccine information in hopes of stunting a troubling summer surge of Covid-19.
§ “Inside the Secret Codes Hackers Use to Outwit Ransomware Cops” By Shannon Vavra — The Daily Beast. They used to be a safe space for hackers to coordinate attacks, but with online forums worried about unwanted attention from law enforcement, many have banned ransomware posts. And—as is usually the case in the whack-a-mole game of hacking—cybercriminals are finding a way around the new restrictions: a coded language to bypass suspicion. By the end of May, multiple hacking forums announced they were banning ransomware hackers and their advertisements following Russian cyberattacks against fuel supplier Colonial Pipeline and meat supplier JBS. Several forum administrators cited the amount of attention the ransomware attacks were getting as a reason to clamp down on those sorts of advertisements. And President Joe Biden warned in May that the U.S. wasn’t ruling out retaliatory cyberattacks against a ransomware gang behind the latest offensive against a massive fuel pipeline in the U.S.
§ “Facebook unveils tools to protect Afghan people who fear becoming Taliban targets” By Katie Collins — c/net. As many Afghans hurry to hide their social media profiles out of fear the profiles will make them targets for Taliban violence, Facebook is launching new tools to help them delete their digital footprints. The move comes just days after the Taliban reclaimed Kabul, the Afghan capital, on Sunday, and announced they'd be taking power in the country for the first time in 20 years.
§ “On Roblox, Kids Learn It’s Hard to Earn Money Making Games” By Cecilia D'Anastasio — WIRED. Roblox has become a video game titan, in recent years dominating the world of kids’ gaming and earning $454 million in revenue last quarter alone. A new report argues that success is built on exploiting young game developers, many of them children, who are making content for the game. As a platform, Roblox provides gamers the tools to both create and play an almost unfathomable array of “experiences,” from climbing an enormous stairway to running a restaurant to escaping a prison. Tens of millions of these games live on Roblox’s browser—hundreds of times more titles than exist on Steam. Every day, 43 million people play those games, mostly kids. Some of the most popular experiences have received billions of visits and earn their developers millions annually.
§ “How The Daily Wire Uses Facebook’s Targeted Advertising to Build Its Brand” By Corin Faife — The Markup. Ben Shapiro, co-founder of The Daily Wire, a conservative media company, has mastered Facebook’s complex algorithms like no one else, posting links to stories from his publication that rank among the top 10 best performing posts on Facebook day after day after day. What’s the key to his success? As a recent NPR analysis shows, The Daily Wire’s sensationalist headlines garner a ton of engagement on a platform that rewards explosive content. But The Daily Wire is also a sophisticated user of Facebook’s advertising targeting tools to pinpoint users likely to be receptive to its outrage-driven brand of conservative content, The Markup has found.
§ “NSA Awards Secret $10 Billion Contract to Amazon” By Frank Konkel — Nextgov. The National Security Agency has awarded a secret cloud computing contract worth up to $10 billion to Amazon Web Services, Nextgov has learned. The contract is already being challenged. Tech giant Microsoft filed a bid protest on July 21 with the Government Accountability Office two weeks after being notified by the NSA that it had selected AWS for the contract. The contract’s code name is “WildandStormy,” according to protest filings, and it represents the second multibillion-dollar cloud contract the U.S. intelligence community—made up of 17 agencies, including the NSA—has awarded in the past year.
§ 1 September
o The House Armed Services Committee will mark up the FY 2022 National Defense Authorization Act (H.R.4395).
§ 30 September
o The Federal Communications Commission (FCC) will hold an open meeting. No agenda has been announced as of yet.