Committee Starts Moving “Big Tech” Antitrust Bill
FCC establishes rules for $14.2 billion connectivity fund; State attorneys general appeal Facebook antitrust suit;
First, a bit of news. The Wavelength will transition to a paid product, but there will still be a free version available. The scope and shape of this change is still in the making but should be realized by January 2022.
The Senate Judiciary Committee has started consideration of the “American Innovation and Choice Online Act” (S.2992), a bill that would penalize big online platforms for preferencing their products and services to the detriment of competitors. The Federal Trade Commission (FTC), United States (U.S.) Department of Justice, and state attorneys general would get new powers to punish these companies. A similar bill was considered last year in the House Judiciary Committee along with five others, but tricky politics for House Democrats have stopped them from being brought to the House floor. It is not clear whether the politics are more favorable in the Senate, especially since a filibuster will almost certainly need to be surmounted. And even though the two parties can agree that companies like Amazon, Apple, Facebook, Google, and others pose problems, there may not be enough agreement on the proposed solution to reach the 60 vote threshold.
Nonetheless, many have taken issue with how a number of large technology firms treat third parties that offer services and products on their platforms. For example, Amazon is frequently charged with forcing third party sellers to buy extra services or see their products get de-prioritized in searches. Moreover, Amazon demands data from third party sellers on their products, and it has happened a number of times that Amazon has developed products to compete with those offered by third parties with the latter ultimately unable to compete with Amazon’s pricing and tactics. Google’s dominance in online search markets allow it to promote its products while utilizing algorithms that make competing products or services appear much lower in the search results. Apple and Google’s app stores are basically the only source from which one can download apps on to one’s iPhone or Android. Both companies are free to act as gatekeepers while also competing with outside app developers. Facebook has the same sort of power over third parties that offer services and products on the social media giant’s platform.
S.2992 would allegedly address these kinds of behavior, which may not run afoul of current U.S. antitrust and competition law. Upon introduction of the bill, the Senate Judiciary Committee’s Competition Policy, Antitrust, and Consumer Rights Subcommittee Chair Amy Klobuchar (D-MN) and her cosponsors claimed the bill would:
1. Set clear, effective rules to protect competition and users doing business on dominant online platforms, including:
1. Prohibiting dominant platforms from abusing their gatekeeper power by favoring their own products or services, disadvantaging rivals, or discriminating among businesses that use their platforms in a manner that would materially harm competition on the platform; and
2. Prohibiting specific forms of conduct that are harmful to small businesses, entrepreneurs, and consumers, but that do not have any pro-competitive benefit, including:
1. Preventing another business’s product or service from interoperating with the dominant platform or another business;
2. Requiring a business to buy a dominant platform’s goods or services for preferred placement on its platform;
3. Misusing a business’s data to compete against them; and
4. Biasing search results in favor of the dominant firm.
2. Give antitrust enforcers strong, flexible tools to deter violations and hold dominant platforms accountable when they cross the line into illegal behavior, including significant civil penalties, authority to seek broad injunctions, emergency interim relief, and potential forfeiture of executive compensation.
3. Prevent self-preferencing and discriminatory conduct by the most economically significant online platforms with large U.S. user bases which function as “critical trading partners” for online businesses. For such platforms, the rules target harmful conduct, allowing the platforms to innovate, do business, and engage in pro-consumer conduct, including protecting user privacy and safety, preventing unlawful behavior, and maintaining a secure online experience for users.
As mentioned, S.2992 follows a similar House bill. In June 2021, the House Judiciary Committee marked up and reported out six antitrust bills, one of which S.2992 resembles strongly: the “Ending Platform Monopolies Act” (H.R.3825) (although this is the version the committee sent to the full House.)
The chair of the Antitrust, Commercial and Administrative Law Subcommittee issued a press release at the time of the markup that provides a high level summary of the bills:
§ H.R. 3816, the “American Choice and Innovation Online Act” prohibits discriminatory conduct by dominant platforms, including a ban on self-preferencing and picking winners and losers online. The bill is sponsored by Antitrust Subcommittee Chairman David N. Cicilline (D-RI) and cosponsored by Rep. Lance Gooden (R-TX).
§ H.R. 3460, the “State Antitrust Enforcement Venue Act of 2021” ensures state attorneys general are able to remain in the court they select rather than having their cases moved to a court the defendant prefers. The bill is sponsored by Antitrust Subcommittee Ranking Member Ken Buck (R-CO) and cosponsored by Antitrust Subcommittee Chairman Cicilline (D-RI).
§ H.R. 3826, the “Platform Competition and Opportunity Act” prohibits acquisitions of competitive threats by dominant platforms, as well acquisitions that expand or entrench the market power of online platforms. The bill is sponsored by Rep. Hakeem Jeffries (D-NY) and cosponsored by Antitrust Subcommittee Ranking Member Buck (R-CO).
§ H.R. 3825, the “Ending Platform Monopolies Act” eliminates the ability of dominant platforms to leverage their control across multiple business lines to self-preference and disadvantage competitors in ways that undermine free and fair competition. The bill is sponsored by Rep. Pramila Jayapal (D-WA) and cosponsored by Rep. Lance Gooden (R-TX).
§ H.R. 3849, the “Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act” promotes competition online by lowering barriers to entry and switching costs for businesses and consumers through interoperability and data portability requirements. This bill is sponsored by Rep. Mary Gay Scanlon (D-PA) and cosponsored by Rep. Burgess Owens (R-UT).
§ H.R. 3843, the “Merger Filing Fee Modernization Act” updates filing fees for mergers for the first time in two decades to ensure that Department of Justice and Federal Trade Commission have the resources they need to aggressively enforce the antitrust laws. This bill is sponsored by Rep. Joe Neguse (D-CO) and cosponsored by Rep. Victoria Spartz (R-IN).
As you may recall, this was a contentious markup with a number of California House Democrats crossing the aisle to vote with almost all the Republicans on a number of key issues. In fact, without two Republicans voting to pass H.R.3825, it would have failed to leave the committee. However, the politics may be a little different in the Senate with S.2992, for over half the cosponsors are Republicans (Senate Judiciary Committee Ranking Member Chuck Grassley (R-IA) and Senators Lindsey Graham (R-SC), John Kennedy (R-LA), Cynthia Lummis (R-WY), Josh Hawley (R-MO), and Steve Daines (R-MT). Nonetheless, both Senators from California are not cosponsoring the measure even though both Senators Dianne Feinstein (D-CA) and Alex Padilla (D-CA) serve on the committee. And, lest anyone has forgotten, Apple, Facebook, and Google are headquartered in California, and during the House Judiciary markup, a California Democrat submitted a policy paper on how the legislation would adversely affect the state with respect to revenues and jobs.
Democrats are split on tech antitrust issues with California (and possibly Washington state) Members being opposed to measures that they think would hurt the companies that drive much of their states’ economies. Moreover, more moderate and conservative Democrats may hold ideological reservations about reviving antitrust and competition enforcement in the U.S., which has been on the wane over the last 40-50 years. Finally, most Members of the House Democratic Caucus share the belief with the White House, and incidentally the new leadership at the FTC and DOJ, that lax antitrust enforcement and the development of court doctrines have harmed the U.S. economy broadly and consumers, workers, and smaller companies in particular.
On the Republican side of the aisle, there is uniform support for legislation to rein in “Big Tech,” which may be said to be part of the party’s policy position given the increasingly regular focus Republicans on both sides of the Capitol and in the states have had on the negative and harmful effects of these companies. In his remarks on the bill last week at the first hearing to consider S.2992, Grassley sounded familiar themes and urged colleagues to vote for the bill. However, there is also resistance to broad antitrust legislation even to the extent some Republicans see “Big Tech” as a sector of the economy in need of legislative changes to even the playing field.
Turning to likely industry views on the bill, my guess is that positions in the technology world are split with larger entities opposing the bill and smaller and mid-sized entities possibly favoring language that would stop large platforms from leveraging their size and advantages against smaller competitors. Large companies in other fields who are nervously eyeing moves like Amazon’s leap into grocery stores with its purchase of Whole Foods may also favor legislation to blunt their economic advantages. I think it is fair to say Amazon, Facebook, and Google agree broadly with Apple’s submission to the committee on the six bills before the House Judiciary Committee that the bills would harm innovation and consumers.
Having laid the political and policy backdrop, S.2992 would apply to “covered platforms,” which is defined to include only the biggest online platforms like Amazon, Apple, Facebook, Google, and maybe a handful of others. The FTC and DOJ could only deem those companies as covered platforms if they have 50 million or more monthly active users, 100 million or more monthly active business users, has “net annual sales or a market capitalization greater than $550 billion” in the previous two years, and “is a critical trading partner for the sale or provision of any product or service offered on or directly related to the online platform.” And so, any potential covered platforms would need to meet those criteria, and not many currently do. Regarding the last prong, the bill defines a “critical trading partner” as “a person that has the ability to restrict or materially impede the access of—
(A) a business user to its users or customers; or
(B) a business user to a tool or service that it needs to effectively serve its users or customers.
Obviously, how courts apply this definition will be crucial, for much will hinge on how restricting or materially impeding a company’s access of a company to customers on a covered platform or the tools and services the platform offers to serve customers or make money.
The FTC and DOJ would jointly designate covered platforms on the basis of the above criteria in writing in the Federal Register that would remain in effect for seven years. The agencies could also remove this designation if a covered platform files a request showing it no longer qualifies. Both agencies would have to agree before the designation is removed. If they opt not to remove such a designation, there is no available recourse “if supported by evidence.”
Covered platforms would be barred from a number of practices they currently engage at risk of civil and potential personal financial liability for its leaders.
The civil liability is very significant with the ceiling being 15% of “total revenue” for the period of the violation. To put this into perspective, had the FTC obtained a 15% fine from Facebook for the Cambridge Analytica violations, the company would have turned over much more than $5 billion, possibly as much as $20 billion using back of the envelope math.
The FTC, DOJ, or state attorneys general could also seek a range of injunctive relief to “prevent, restrain, or prohibit violations of this Act.” It is not immediately clear to me whether this is intended to or could even be read to include monetary damages like restitution or disgorgement of the type the FTC can no longer seek under Section 13(b) of the FTC Act. The Supreme Court of the United States seems unlikely to read such language expansively given its holding in AMG Capital Management v. FTC.
Finally, the CEOs and other corporate officers of repeat offender covered platforms may be forced to forfeit “any compensation received by that person during the 12 months preceding or following the filing of a complaint for an alleged violation of this Act.” A court could order this if there is a “pattern or practice of violating this Act.”
Moreover, the FTC could litigate on its own to enforce the new regime.
In terms of what covered platforms could no longer do, the bill splits the list into two lists of prohibited activities. In the first tranche, we find the following conduct made illegal: platforms could not preference their own products and services; platforms could not limit or abridge a third parties’ products or services in competition with the covered platforms; and platforms could not apply their terms of services discriminatorily among different third parties. Additionally, in order for a violation to occur, each of the above acts would also need to materially harm competition on the platform. Going to the bill’s actual language, large online platforms could no longer:
(1) unfairly preference the covered platform operator’s own products, services, or lines of business over those of another business user on the covered platform in a manner that would materially harm competition on the covered platform;
(2) unfairly limit the ability of another business user’s products, services, or lines of business to compete on the covered platform relative to the covered platform operator’s own products, services, or lines of business in a manner that would materially harm competition on the covered platform; or
(3) discriminate in the application or enforcement of the covered platform’s terms of service among similarly situated business users in a manner that may materially harm competition on the covered platform.
In the second tranche of illegal acts, covered platforms could no longer:
§ Restrict or bar businesses from the same operating systems, hardware and software the platform’s products and services can use;
§ Tie access or preferred treatment for businesses to buying other services or products from the covered platform;
§ Use the data of businesses doing business of the covered platform to the benefit of the latter’s products and services;
§ Stop businesses from accessing their data on the covered platform, especially in cases where the business may want to port these data to another platform;
§ Prevent users of a covered platform from uninstalling reloaded apps or software or change a default setting unless the security of functioning of the platform would be harmed;
§ Rank its own offerings above competitors through a search function if a fair, neutral search and ranking system would not return such a result; or
§ Retaliate against businesses or users that allege violations to law enforcement agencies.
Again the actual language states that such platforms could not:
(1) materially restrict or impede the capacity of a business user to access or interoperate with the same platform, operating system, hardware or software features that are available to the covered platform operator’s own products, services, or lines of business that compete or would compete with products or services offered by business users on the covered platform;
(2) condition access to the covered platform or preferred status or placement on the covered platform on the purchase or use of other products or services offered by the covered platform operator that are not part of or intrinsic to the covered platform itself;
(3) use non-public data that are obtained from or generated on the covered platform by the activities of a business user or by the interaction of a covered platform user with the products or services of a business user to offer, or support the offering of, the covered platform operator’s own products or services that compete or would compete with products or services offered by business users on the covered platform;
(4) materially restrict or impede a business user from accessing data generated on the covered platform by the activities of the business user, or through an interaction of a covered platform user with the business user’s products or services, such as by establishing contractual or technical restrictions that prevent the portability of the business user's data by the business user to other systems or applications;
(5) unless necessary for the security or functioning of the covered platform, materially restrict or impede covered platform users from un-installing software applications that have been preinstalled on the covered platform or changing default settings that direct or steer covered platform users to products or services offered by the covered platform operator;
(6) in connection with any covered platform user interface, including search or ranking functionality offered by the covered platform, treat the covered platform operator’s own products, services, or lines of business more favorably relative to those of another business user than they would be treated under standards mandating the neutral, fair, and non-discriminatory treatment of all business users; or
(7) retaliate against any business user or covered platform user that raises concerns with any law enforcement authority about actual or potential violations of State or Federal law.
And yet, in spite of all these prohibited acts, covered platforms are not required “to divulge, license, or otherwise grant the use of the covered platform operator’s intellectual property, trade or business secrets, or other confidential proprietary business processes to a business user.” I wonder if the lawyers of such platforms would make the case that conduct alleged to be illegal would run afoul of this limitation and how a court might adjudicate such a defense.
What’s more, covered platforms could assert a few different affirmative defenses that would defeat a violation of the two lists of illegal activities. Regarding the first above list, covered platforms could defeat an enforcement action if it proved the violation was necessary to:
o prevent a violation of, or comply with, Federal or State law;
o protect safety, user privacy, the security of non-public data, or the security of the covered platform; or
o maintain or enhance the core functionality of the covered platform.
But the covered platform must also show the action was narrowly tailored and not pre-textual. This latter limitation on the use of this defense is most likely intended to bar expansive claims about the needs to protect user safety, privacy, data, or a platform’s core functionality. All of those concepts are so elastic that one can easily imagine the stellar legal talent the biggest tech firms could retain fashioning plausible defenses.
Regarding the second tranche, covered platforms have an additional option. If they can show the ostensibly illegal activity did not and would not cause “material harm to the competitive process by restricting or impeding legitimate activity by business users.” Like much of the rest of the bill, how courts construe this defense will determine how widely or narrowly this defense will apply. In this second tranche, covered platforms will also be able to assert the same defenses as the first trance.
The FTC, DOJ, or state attorneys general would need to prove violations by a preponderance of the evidence (aka the more likely than not standard), which is the lowest evidentiary threshold for a party to meet. Covered platforms would have the same threshold for proving its defenses.
If a covered platform wishes to appeal an enforcement action, the case will go straight to the U.S. Court of Appeals for the District of Columbia.
In terms of implementation, the FTC would need to conduct a rulemaking to define the term “data” under the act. The FTC and DOJ must “jointly issue guidelines outlining policies and practices, relating to agency enforcement of this Act, including policies for determining the appropriate amount of a civil penalty to be sought…, with the goal of promoting transparency, deterring violations, and imposing sanctions proportionate to the gravity of individual violations.”
§ United States (U.S.) Federal Communications Commission “voted to formally adopt a Report and Order and Further Notice that provides detailed guidance for the Affordable Connectivity Program, a $14.2 billion federal initiative that offers qualifying households discounts on their internet service bills and an opportunity to receive a discount on a computer or tablet from participating providers” per the agency’s press release. The FCC asserted:
o The Affordable Connectivity Program will provide eligible households with discounts of up to $30 a month for broadband service, and up to $75 a month if the household is on Tribal lands. It also will provide a one-time discount of up to $100 on a computer or tablet for eligible households.
o Under the law, the Affordable Connectivity Program is open to households that meet one of the following criteria: have incomes at or below 200% of federal poverty guidelines; participate in certain assistance programs, such as Lifeline, Medicaid, SNAP, federal public housing assistance, WIC, or SSI, Tribal specific programs such as Bureau of Indian Affairs General Assistance, Tribal TANF, or Food Distribution Program on Indian Reservations; households with kids receiving free and reduced-price lunch or school breakfast; Pell grant recipients; or if they meet eligibility criteria for a participating provider’s existing low-income program.
o The Affordable Connectivity Program also includes notable pro-consumer initiatives such as the requirement for participating providers to allow the consumer to apply the benefit to a much greater array of broadband plans; protections against the use of credit checks or existing debt to prohibit enrollment in the program; the prohibition on certain inappropriate sales agent practices such as upselling or downselling; and measures to reduce the likelihood of bill shock, and to disallow restrictions on consumers who want to switch providers or even just broadband service offerings.
§ The United States (U.S.) Senate passed an amended version of the “State and Local Government Cybersecurity Act of 2021” (S.2520). Now the bill goes to the House. The report accompanying the bill from committee provides a summary:
o S. 2520, the State and Local Government Cybersecurity Act of 2021, amends the Homeland Security Act of 2002 to help State, local, Tribal, and territorial (SLTT) entities enhance their cybersecurity. The bill codifies and strengthens the cybersecurity relationship between the Multi-State Information Sharing and Analysis Center (MS–ISAC) and the Department of Homeland Security (DHS). It authorizes DHS to work with MS–ISAC to assist SLTT entities by conducting cybersecurity exercises, sharing information to increase situational awareness and prevent incidents, and coordinating effective implementation of cybersecurity tools, products, resources, policies, and guidelines. The bill also directs DHS to report to Congress on any services that the Cybersecurity and Infrastructure Security Agency (CISA), directly or indirectly through the MS–ISAC, provides to SLTT entities.
§ 48 state attorneys general appealed a dismissal of their antitrust suit against Facebook. They claimed in their press statement that “that the court was wrong to dismiss their case as time-barred, and made additional legal and factual errors.” They added that “[o]ver the last decade, Facebook, now known as Meta, illegally acquired competitors in a predatory manner and cut or conditioned services to smaller threats — depriving users of the benefits of competition and reducing privacy protections and services along the way — all in an effort to boost its bottom line through increased advertising revenue.”
§ The United Kingdom’s (UK) Department for Digital, Culture, Media & Sport (DCMS) and Office for Artificial Intelligence (AI) stated that “[t]he Alan Turing Institute, supported by the British Standards Institution (BSI) and the National Physical Laboratory (NPL), will pilot a new UK government initiative to lead in shaping global technical standards for AI.” The agencies added:
o The Alan Turing Institute selected to lead pilot of a new AI Standards Hub supported by the British Standards Institution and National Physical Laboratory
o Hub is part of the National AI Strategy and will aim to increase UK contribution to development of global AI technical standards
o Comes as new research finds more than 1.3 million UK businesses will use AI by 2040 and spending on AI is expected to reach more than £200 billion by the same date
§ France’s Commission Nationale de l'Informatique et des Libertés (CNIL) is opening a consultation on its draft position on so-called "intelligent" or "augmented" video devices in places open to the public. The agency said these devices are likely to be used by all types of actors, public and private, in particular in the street or places open to the public to meet various objectives such as improving the safety of people or property, the analysis of the attendance of a place or advertising operations. CNIL stated this draft position does not concern biometric recognition devices, including facial recognition.
§ The United Kingdom’s Information Commissioner’s Office (ICO) reminded interested parties that the consultation on “the draft journalism code of practice about processing personal data for the purposes of journalism” will close on 24 January. The ICO stated:
o This is a statutory code under section 124 of the Data Protection Act 2018.
o The draft code provides practical guidance to help individuals understand data protection law and comply effectively with its requirements. The code does not concern press conduct or standards in general.
o The code will be most helpful to media organisations and staff with data protection responsibilities, including lawyers, data protection officers and senior editorial staff. We will develop complementary resources to support more day-to-day journalism and smaller organisations.
o The draft code builds on the ‘Data protection and journalism: a guide for the media’ published in 2014 following industry engagement. It takes into account the responses from our initial call for views in 2019.
o We are also seeking views on a draft economic impact assessment. Your responses will help us understand the code’s practical impact on organisations and individuals.
§ The European Union Agency for Cybersecurity (ENISA) published a report titled “Interoperable EU Risk Management Framework” that is “primarily designed to assess the existing risk management frameworks and methodologies in order to identify those with the most prominent interoperable features.” ENISA flagged the following key outcomes:
o the identification of fully developed national and sectorial risk management frameworks and methodologies and their components;
o the identification of specific features such as national or international scope, target sectors, size of target audience, maturity, compliance with relevant standards, compatibility with EU regulation and legislation, etc.
o the development of a methodology for the assessment of the interoperability potential of the identified frameworks based on a set of factors such as risk identification, risk assessment and risk treatment;
o the application of the methodology to identify frameworks with a higher interoperability potential.
§ United States (U.S.) Federal Communications Commission Chair Jessica Rosenworcel has circulated “New Data Breach Reporting Requirements” to her fellow commissioners “that would begin the process of strengthening the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI)” as asserted in her statement. She added that “[t]he updates would better align the Commission’s rules with recent developments in federal and state data breach laws covering other sectors.” Rosenworcel added:
o The proposal outlines several updates to current FCC rules addressing telecommunications carriers’ breach notification requirements. These include:
§ Eliminating the current seven business day mandatory waiting period for notifying customers of a breach;
§ Expanding customer protections by requiring notification of inadvertent breaches; and
§ Requiring carriers to notify the Commission of all reportable breaches in addition to the FBI and U.S. Secret Service.
§ The United Kingdom’s (UK) National Cyber Security Centre (NCSC) announced that its “Cyber Essentials will adopt a new tiered pricing structure” “in what will be the biggest overhaul of the scheme’s technical controls since its launch in 2014.”
§ The United States (U.S.) National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) published for comment “Draft NISTIR 83491 Methodology for Characterizing Network Behavior of Internet of Things Devices” and explained:
o Securing a network is a complex task made more challenging when Internet of Things (IoT) devices are connected to it. NISTIR 8349 demonstrates how to use device characterization techniques and the supporting open source tool MUD-PD to describe the communication requirements of IoT devices in support of the Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD) project. Manufacturers and network administrators can use the techniques and tools described in the report for capturing network communications from IoT devices, analyzing network captures, and generating MUD files to help ensure IoT devices perform as intended.
§ The Citizen Lab and Access Now “confirmed 35 cases of journalists and members of civil society whose phones were successfully infected with NSO’s Pegasus spyware between July 2020 and November 2021” in El Salvador. The investigation was conducted jointly with “in collaboration with Frontline Defenders, SocialTIC, and Fundación Acceso.” Citizen Lab stated that it “is not conclusively attributing the attacks to a particular government customer of NSO Group, however there is a range of circumstantial evidence pointing to a strong El Salvador government nexus.”
§ The United States (U.S.) Federal Communications Commission (FCC), the Department of Labor, Department of Education, and National Telecommunications and Information Administration (NTIA) announced “the members of a cross-agency working group that will collaborate to identify the current and future needs of the telecommunications industry workforce, including the safety of that workforce.” The agencies stated “[t]he Infrastructure Investment and Jobs Act directed the FCC Chair to work in partnership with the Secretary of Labor to establish an interagency working group that will ultimately prepare a report to Congress on its recommendations to address the needs of the telecommunications industry, including the safety of its workforce” by mid-January 2023.
§ The World Economic Forum issued its Global Risks
Report 2022 and identified digital and cybersecurity issues among the world’s most pressing:
o Growing dependency on digital systems—intensified by COVID-19—has altered societies. Over the last 18 months, industries have undergone rapid digitalization, workers have shifted to remote working where possible, and platforms and devices facilitating this change have proliferated. At the same time, cybersecurity threats are growing—in 2020, malware and ransomware attacks increased by 358% and 435% respectively—and are outpacing societies’ ability to effectively prevent or respond to them. Lower barriers to entry for cyberthreat actors, more aggressive attack methods, a dearth of cybersecurity professionals and patchwork governance mechanisms are all aggravating the risk.
o Attacks on large and strategic systems will carry cascading physical consequences across societies, while prevention will inevitably entail higher costs. Intangible risks—such as disinformation, fraud and lack of digital safety—will also impact public trust in digital systems. Greater cyberthreats will also hamper cooperation between states if governments continue to follow unilateral paths to control risks. As attacks become more severe and broadly impactful, already-sharp tensions between governments impacted by cybercrime and governments complicit in their commission will rise as cybersecurity becomes another wedge for divergence—rather than cooperation—among nation-states.
§ In an open letter, “a coalition of scientists, medical professionals, professors, and science communicators spanning a wide range of fields such as microbiology, immunology, epidemiology, and neuroscience and we are calling on Spotify to take action against the mass-misinformation events which continue to occur on its platform.” They noted:
o On Dec. 31, 2021, the Joe Rogan Experience (JRE), a Spotify-exclusive podcast, uploaded a highly controversial episode featuring guest Dr. Robert Malone (#1757). The episode has been criticized for promoting baseless conspiracy theories and the JRE has a concerning history of broadcasting misinformation, particularly regarding the COVID-19 pandemic. By allowing the propagation of false and societally harmful assertions, Spotify is enabling its hosted media to damage public trust in scientific research and sow doubt in the credibility of data-driven guidance offered by medical professionals. JRE #1757 is not the only transgression to occur on the Spotify platform, but a relevant example of the platform’s failure to mitigate the damage it is causing.
§ “Microsoft Warns of Destructive Cyberattack on Ukrainian Computer Networks” By David Sanger — The New York Times. Microsoft warned on Saturday evening that it had detected a highly destructive form of malware in dozens of government and private computer networks in Ukraine that appeared to be waiting to be triggered by an unknown actor. In a blog post, the company said that on Thursday — around the same time government agencies in Ukraine found that their websites had been defaced — investigators who watch over Microsoft’s global networks detected the code. “These systems span multiple government, nonprofit and information technology organizations, all based in Ukraine,” Microsoft said.
§ “Ukraine says evidence points to Russia being behind cyber-attack.” — The Guardian. Ukraine has said it has “evidence” Russia was behind a massive cyber-attack that knocked out key government websites last week, while Microsoft warned the hack could be far worse than first thought. Tensions are at an all-time high between Ukraine and Russia, which Kyiv accuses of having massed troops on its border before a possible invasion. Some analysts fear the cyber-attack could be the prelude to a military attack.
§ “The FTC is reportedly investigating Meta’s VR division for antitrust violations” By Adi Robertson — The Verge. The US Federal Trade Commission and at least three states are investigating Meta for antitrust violations in its virtual reality division, according to Bloomberg. The report says the FTC and attorneys general from New York, Tennessee, and North Carolina began speaking last year with third-party VR developers who have concerns about Meta’s business practices. It’s one of multiple probes into Meta’s dominance in the small but growing market of VR.
§ “FBI Officials Clarify What the Bureau Wants in Cyber Incident Reporting Bill” By Mariam Baksh — Nextgov. The need for legislation requiring companies to report cybersecurity incidents to the government is obvious, but it should be tweaked to explicitly include the FBI, according to officials from the law enforcement agency. Last year the House passed incident reporting legislation that would require reports to the Cybersecurity and Infrastructure Security Agency 72 hours after an incident, but corresponding legislation failed to make it into the annual “must-pass” National Defense Authorization Act. The FBI expressed concern with some of the language in the bill but lawmakers said it was mostly just a matter of running out of time on the clock to clear the provisions with all the relevant committees of jurisdiction.
§ “Big Tech foes launch ‘campaign-style’ initiative to push for antitrust legislation” By Cat Zakrzewski — The Washington Post. Tech giants in the past decade have funneled hundreds of millions of dollars into lobbying, advertising, polling and research to advance their political interests in Washington. Now some of their top adversaries are forming a plan to use that same playbook to press Congress to pass bills that would place new limits on how they wield power over their rivals.
§ “Google’s chief executive signed off on deal at center of antitrust case, states say.” By David McCabe — The New York Times. Google’s chief executive approved an agreement with Facebook at the heart of an antitrust lawsuit that 16 states and Puerto Rico have lodged against the search giant, according to a portion of the complaint revealed on Friday. The lawsuit, led by the Texas attorney general, Ken Paxton, argues that Google has obtained and abused a monopoly over the network of technology used to deliver ads online.
§ “Former Google scientist says the computers that run our lives exploit us — and he has a way to stop them” By Steven Zeitchik — The Washington Post. As artificial intelligence lays claims to growing parts of our social and consumer lives, it’s supposed to eliminate all the creeping flaws humans introduce to the world. The reality, of course, is quite different. From Facebook algorithms that learn how to stoke anger to facial recognition apps that don’t recognize people of color, AI frequently offers less of an improvement on the status quo than an insidious reinforcement of it. Now a Silicon Valley upstart says he has a fresh approach to the problem. Alan Cowen, a former Google data scientist with a background in psychology, has created a research company, Hume AI, and a companion not-for-profit that he says can help make the whole messy business of AI more empathetic and human.
§ “US airline officials warn of ‘catastrophic’ crisis in aviation with new 5G service” By Edward Helmore — The Guardian. US airline chiefs have warned that the introduction of a new 5G service could cause US commerce to “grind to a halt” due to possibly grounding a significant number of aircraft and might “strand tens of thousands of Americans overseas”. Warnings of an impending “catastrophic” crisis in aviation came in a letter sent to White House National Economic Council director Brian Deese, transportation secretary Pete Buttigieg, Federal Aviation Administration (FAA) administrator Steve Dickson and Federal Communications Commission (FCC) chairwoman Jessica Rosenworcel, Reuters reported Monday.
§ “The Former NSA Official Vying to Steer Biden’s Cyber Policy” By William Turton — Bloomberg. Anne Neuberger, the Biden administration’s Deputy National Security Advisor for Cyber and Emerging Technology, organized a virtual summit on ransomware for Oct. 13, 2021. She invited representatives from about 30 countries and the European Union, but no one from several of the key U.S. agencies handling cybersecurity, including the Department of State, the Cybersecurity and Infrastructure Security Agency, and the newly created Office of the National Cyber Director.
§ “California judge rules Google’s confidentiality agreements break labor law” By Nitasha Tiku, Reed Albergotti and Gerrit De Vynck — The Washington Post. A California judge ruled this week that the confidentiality agreements Google requires its employees to sign are too broad and break the state’s labor laws, a decision that could make it easier for workers at famously secret Big Tech firms to speak openly about their companies.
§ “How the Pentagon enlisted ethical hackers amid the Log4j crisis” By Martin Matishak — The Record. The Pentagon last month pivoted an ongoing bug bounty program to track down Log4j vulnerabilities on potentially thousands of public-facing military websites, the first time the Defense Department marshaled the ethical hacker community to tackle an emerging digital crisis.
§ “Russia arrests 14 alleged members of REvil ransomware gang, including hacker U.S. says conducted Colonial Pipeline attack” By Robyn Dixon and Ellen Nakashima — The Washington Post. Russia’s domestic security agency on Friday arrested 14 alleged members of the REvil ransomware gang, including a hacker that U.S. officials say executed May’s Colonial Pipeline attack, and announced that it had eliminated the group at Washington’s request. “We welcome reports that the Kremlin is taking law enforcement steps to address ransomware emanating from [within] its border,” a senior administration official said in a background briefing with reporters Friday, speaking on the condition of anonymity because of the matter’s sensitivity.
§ “Ransomware warning: Cyber criminals are mailing out USB drives that install malware” By Liam Tung — ZDNet. A cybercrime group has been mailing out USB thumb drives in the hope that recipients will plug them into their PCs and install ransomware on their networks, according to the FBI. The USB drives contain so-called 'BadUSB' attacks. They were sent in the mail through the United States Postal Service and United Parcel Service. One type contained a message impersonating the US Department of Health and Human Services and claimed to be a COVID-19 warning. Other malicious USBs were sent in the post with a gift card claiming to be from Amazon.
§ 17-28 January
o The United Nations (UN) Ad hoc committee established by General Assembly resolution 74/247 will meet. The UN explained:
§ Through its resolution 74/247, the General Assembly decided to establish an open-ended ad hoc intergovernmental committee of experts, representative of all regions, to elaborate a comprehensive international convention on countering the use of information and communications technologies for criminal purposes, taking into full consideration existing international instruments and efforts at the national, regional and international levels on combating the use of information and communications technologies for criminal purposes, in particular the work and outcomes of the open-ended intergovernmental Expert Group to Conduct a Comprehensive Study on Cybercrime.
§ 18 January
o The United Kingdom’s (UK) House of Commons’ Digital, Culture, Media and Sport Sub-committee on Online Harms and Disinformation will hold a “Formal meeting (oral evidence session): Online safety and online harms” as part of its Online safety and online harms inquiry.
§ 19 January
o The United States (U.S.) House Science, Space, and Technology Committee will markup legislation, including:
§ The “Bioeconomy Research and Development Act of 2021” (H.R. 4521)
§ The “Promoting Digital Privacy Technologies Act” (H.R. 847)
§ 20 January
o The United States (U.S.) Federal Trade Commission (FTC) will hold an open meeting with this tentative agenda:
§ Staff Presentation on Identity Theft and Available Resources for Consumers: Staff will present on the identity theft program, recent trends consumers have reported, and the resources available at IdentityTheft.gov and RobodeIdentidad.gov. The presentation will also highlight the upcoming initiatives during Identity Theft Awareness Week
o The United States (U.S.) House Energy and Commerce Committee’s Oversight and Investigations Subcommittee will hold a hearing titled “Cleaning Up Cryptocurrency: The Energy Impacts of Blockchains.”
o The United States (U.S.) House Oversight and Reform Committee’s Government Operations Subcommittee will hold a hearing titled “FITARA 13.0.”
o The United States (U.S.) House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, & Innovation Subcommittee will hold a hearing titled “Securing Democracy: Protecting Against Threats to Election Infrastructure and Voter Confidence.”
§ 27 January
o The United States (U.S.) Federal Communications Commission (FCC) will hold an open meeting with this agenda:
§ Empowering Broadband Consumers Through Transparency. The Commission will consider a Notice of Proposed Rulemaking that would propose to require that broadband internet access service providers display, at the point of sale, labels to disclose to consumers certain information about their prices, introductory rates, data allowances, broadband speeds, and management practices, among other things. (CG Docket No. 22-2)
§ Connecting Tribal Libraries. The Commission will consider a Report and Order that would amend the definition of library in the Commission’s rules to clarify that Tribal libraries are eligible for support through the E-Rate Program. (CC Docket No. 02-6)
§ Updating Outmoded Political Programming and Record-Keeping Rules. The Commission will consider a Report and Order to update outmoded political programming rules. (MB Docket No. 21-293)
§ Facilitating Better Use of ‘White Space’ Spectrum. The Commission will consider a Second Order on Reconsideration and Order resolving pending issues associated with white space devices and the white spaces databases, enabling unlicensed white space devices to continue operating efficiently while protecting other spectrum users. (ET Docket Nos. 04-186, 14-165)
§ Updating Equipment Authorization Rules. The Commission will consider a Notice of Proposed Rulemaking that would propose to update existing equipment authorization rules to reflect more recent versions of the technical standards that are incorporated by reference and incorporate by reference a new technical standard so that our equipment authorization system can continue to keep pace with technology developments. (ET Docket Nos. 21-363, 19-48)
§ Restricted Adjudicatory Matter. The Commission will consider a restricted adjudicatory matter.
§ National Security Matter. The Commission will consider a national security matter.
§ Enforcement Bureau Action. The Commission will consider an enforcement action.
§ 22 February
o The European Data Protection Board will hold a plenary meeting.
§ 16-17 June
o The European Data Protection Supervisor will hold a conference titled “The future of data protection: effective enforcement in the digital world.”