COPPA Rewrite Released
Germany's competition authority opens investigation into Amazon; the EU Parliament calls on EC to rewrite the UK adequacy decisions; Legislation to tighten U.S. pipeline cybersecurity advances
A bipartisan pair of Senators propose to update and expand the United States (U.S.) privacy law that protects the privacy of children.
A refresh of U.S. privacy laws for children is floated.
Cocktail Party
A Democrat and a Republican look to change perhaps one of the few areas of U.S. privacy law on which many Members can agree: privacy for children and teens. Republicans on the House Energy and Commerce Committee recently shifted their focus on issues related to the online world from insisting that tech companies are biased against conservatives to the mental well-being of children. Whether this new focus reflects the view of other Republicans is uncertain, and it is also unclear whether Republicans think legislative and regulatory changes are the answer.
Meeting
Senators Ed Markey (D-MA) and Bill Cassidy (R-LA) have reintroduced a rewrite of the federal privacy law for children. Even if this bill is not enacted or folded into broader privacy legislation, the primary enforcer of the existing privacy law may rewrite its regulations. Two years ago, the Federal Trade Commission (FTC) asked for comments “on the effectiveness of the amendments the agency made to the Children’s Online Privacy Protection Rule (COPPA Rule) in 2013 and whether additional changes are needed.”
Geek Out
Markey and Cassidy have introduced their rewrite of the Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. 6501 et seq.) that would revamp and expand the statute that currently provides heightened privacy protection for those aged 12 and under. They would change the level of knowledge needed for a violation (i.e., the mens rea) from actual knowledge to constructive knowledge. Hence, the operator of a website or app could be liable for COPPA violations if it knew or should have known that children and teens are using the service or product.
Markey and Cassidy also broaden COPPA by establishing a new protected class. Currently, COPPA’s protections cover children 12 and under. They are proposing to add a new definition, “minor,” that covers teens who are 13, 14, and 15. Interestingly, Markey and Cassidy did not simply raise the age of a “child” to include teens of those ages.
Of course, this bill is offered at a time when Members of each chamber of Congress are trying to agree on an overarching federal privacy regime. Conceivably, if a deal were reached, Markey and Cassidy’s bill could be added, especially since it does not have a private right of action, does not preempt state laws, and it rewrites an existing piece of federal law. However, there are provisions that would drive better security and privacy practices for devices that companies like Apple, Microsoft, Google, and others will likely oppose.
Markey and Senator Josh Hawley (R-MO) introduced a similar bill (S.748) two years ago, but it was never acted upon. Their press release describes a bill very similar to the one Markey and Cassidy have unveiled. Last year, Markey and Senator Richard Blumenthal (D-CT) introduced the “Kids Internet Design and Safety (KIDS) Act” (S.3411).
It also bears mention that the Federal Trade Commission, the primary agency that enforces COPPA, is in the midst of revisiting COPPA regulations for the first time since Barack Obama was President. In its July 2019 request for comments, the FTC explained it is posing “its standard regulatory review questions to determine whether the Rule should be retained, eliminated, or modified” and is asking “whether the 2013 revisions to the Rule have resulted in stronger protections for children and more meaningful parental control over the collection of personal information from children, and whether the revisions have had any negative consequences.” The FTC also wanted information related to “specific questions about the existing sections of the Rule, including:
Definitions,
Requirement that operators post notices of their privacy practices,
Methods of obtaining verifiable parental consent before collecting children's information,
Security requirements,
Parental right to review or delete children's information, and
Safe harbor provisions.”
The FTC held a workshop in October 2019 on its possible COPPA rewrite.
In general, under Markey and Cassidy’s bill, the “Children and Teens’ Online Privacy Protection Act” (S.1628), COPPA would be rewritten, and a passage from the bill functions as a summary:
“It is unlawful for an operator of a website, online service, online application, or mobile application directed to a child or minor, or an operator having constructive knowledge that personal information being collected is from a child or minor, to collect personal information from a child or minor in a manner that violates the regulations” the FTC must promulgate.
The bill would provide a new definition of “disclosure” that excludes targeted advertising from the carveout permitting an operator to give the personal information of a child or minor to an entity that provides support for the internal operations of the service or website.
As mentioned, Markey and Cassidy’s bill would lower the level of knowledge necessary for a violation from actual knowledge to constructive knowledge. Moreover, as defined in the bill, most entities that are active in the personal data and data brokering worlds would be imputed to have constructive knowledge of a child or minor’s age, subjecting the entity to COPPA’s requirements and potential punishment for violations.
What is considered “personal information” under COPPA would be expanded. The new definition would include:
§ geolocation information;
§ information used for biometric identification, as defined in section 70123 of title 46, United States Code, of an individual;
§ information reasonably associated with or attributed to an individual;
§ information (including an internet protocol address) that permits the identification of—
o an individual; or
o any device used by an individual to directly or indirectly access the internet or an online service, online application, or mobile application; or
§ information concerning a child or minor or the parents of that child or minor (including any unique or substantially unique identifier, such as a customer number) that an operator collects online from the child or minor and combines with an identifier described in this paragraph (i.e. all the categories of information that are considered personal information under COPPA.)
The new definition would update COPPA to encompass a greater range of the personal information companies collect and process.
The definition of verifiable consent is revised to require free and unambiguous authorization before an operator can collect the personal information of a child or minor. The current definition merely requires authorization; it need not be free and unambiguous.
The FTC would write and issue the new COPPA regulations under the normal route most agencies use (i.e., notice-and-comment rulemaking under the Administrative Procedure Act) rather than the more cumbersome Magnuson-Moss rulemaking procedure the FTC must use for most of its rulemakings. Notably, the FTC would need to craft regulations to guide operators in providing “clear and conspicuous notice in clear and plain language of—
§ the types of personal information the operator collects;
§ how the operator uses the information;
§ whether and why the operator discloses the information; and
§ the procedures or mechanisms the operator uses to ensure that personal information is not collected from children or minors except in accordance with the regulations promulgated under this paragraph.”
The FTC’s regulations would also need to detail how operators may
§ obtain verifiable consent for the collection, use, or disclosure of personal information of a child or minor;
§ provide to a parent whose child has provided personal information to the operator, upon request by and proper identification of the parent—
o a description of the specific types of personal information collected from the child by the operator;
o the opportunity at any time to delete personal information collected from the child; and
o a means that is reasonable under the circumstances for the parent to obtain any personal information collected from the child, if such information is available to the operator at the time the parent makes the request;
The new FTC COPPA regulations must also govern how operators
§ provide to a minor who has provided personal information to the operator, upon request by and proper identification of the minor—
o a description of the specific types of personal information collected from the minor by the operator;
o the opportunity at any time to delete personal information collected from the minor; and
o a means that is reasonable under the circumstances for the minor to obtain any personal information collected from the minor, if such information is available to the operator at the time the minor makes the request;
The FTC would also need to write regulations barring operators from “condition[ing] participation in a game, or use of a website, service, or application, by a child or minor on the provision by the child or minor of more personal information than is reasonably required to participate in the game or use the website, service, or application.” Additionally, the FTC’s regulations must require operators “to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children and minors.”
The FTC would have to update the new COPPA regulations every four years, but given how quickly things change online, the agency might always be chasing new trends and failing to implement regulations that address current risks to the privacy of children and teens.
The FTC must include language in its regulations barring operators from ending service for children or teens whose parents exercise the right to have their personal data deleted, so long as deleting the data does not interfere with the app or service. This provision seems likely to give rise to competing interpretations, with the YouTubes and TikToks of the world reading the “interference” exception as expansively as possible so that children and teens cannot delete their personal data without losing access.
The bill would expand the FTC’s authority to enforce the new COPPA regime to telecommunications companies otherwise regulated by the Federal Communications Commission (FCC). However, the FTC would not gain jurisdiction over the data collection and processing practices of non-profits with respect to children and teens.
Section 4 of the “Children and Teens’ Online Privacy Protection Act” articulates new Fair Information Practice Principles (FIPPs):
§ Collection Limitation Principle. Companies should collect the personal information of children or minors only where appropriate to the service, product, or relationship, or where required or authorized by law.
§ Data Quality Principle. “The personal information of a child or minor should be accurate, complete, and kept up-to-date to the extent necessary to fulfill” some of the purposes in the Purpose Specification Principle.
§ Purpose Specification Principle. Companies must disclose the purposes of data collection to parents and minors before the personal information is collected. Moreover, any use or disclosure thereafter should only be:
o To fulfill a transaction requested by the minor or parent of the child
o In “support for the internal operations of the website, service, or application, as described in section 312.2 of title 16, Code of Federal Regulations” except for targeted advertising
o To comply with legal processes
o For purposes the company disclosed before a parent of a child or a minor consented
§ Retention Limitation Principle. Personal data should not be held any longer than necessary to complete the purpose for which it was collected and should then be disposed of.
§ Security Safeguards Principle. “The personal information of a child or minor should be protected by reasonable and appropriate security safeguards against risks such as loss or unauthorized access, destruction, use, modification, or disclosure.”
§ Openness Principle. A company should be open “about developments, practices, and policies with respect to the personal information of a child or minor.” Companies should also allow parents of children and minors to contact the company, determine whether it has personal information, obtain the personal information, and challenge the accuracy of personal information and, if such a challenge prevails, have the information deleted, completed, or corrected.
§ Individual Participation Principle. A company must get consent from a minor or a parent of a child before it can use or disclose information in ways beyond those permitted by the Purpose Specification Principle.
§ Racial And Socioeconomic Profiling. The personal information of a child or minor shall not be used to direct content to the child or minor, or a group of individuals similar to the child or minor, on the basis of race, socioeconomic factors, or any proxy thereof.
Section 5 introduces a “Digital Marketing Bill Of Rights For Minors” that provides a safe harbor for operators to collect the personal information of minors (but not children) if they follow the new FIPPs. The FTC would need to write regulations to implement these new provisions, notably “regulations further defining the FIPP.”
Section 6 makes it “unlawful for an operator of a website, online service, online application, or mobile application to use, disclose to third parties, or compile personal information of a child for purposes of targeted marketing” if the site, app, or service is directed to children or the operator has constructive knowledge that personal information is being collected from children. The same is true for minors, except that a company can lawfully engage in targeted advertising to minors if it obtains verifiable consent. The FTC would also be tasked with promulgating regulations for this section.
Section 7 would also make it illegal “for an operator to make publicly available through a website, online service, online application, or mobile application content or information that contains or displays personal information of children or minors in a manner that violates” specified requirements, including having a mechanism that eliminates or erases personal information.
Section 8 borrows conceptually from the “Cyber Shield Act” (H.R.4792/S.2664) in establishing Privacy Dashboards. Markey has introduced the Cyber Shield Act over the last few Congresses; it would require the labeling of Internet of Things (IoT) devices to inform people how secure (or not) those devices are, as a way to drive better security. The same principle is used for Privacy Dashboards. This section provides:
§ A manufacturer of a connected device directed to a child or minor shall prominently display on the packaging for the connected device a standardized and easy-to-understand privacy dashboard, detailing whether, what, and how personal information of a child or minor is—
o collected from the connected device;
o transmitted from the connected device;
o retained on the connected device;
o retained by the manufacturer or affiliated person;
o used by the manufacturer or affiliated person; and
o protected.
Consequently, parents and minors could determine which devices (smartphones, laptops, and tablets) offer the best privacy protecting features, including cybersecurity, control over personal information, the type of information collected, and others. The FTC would also promulgate regulations to implement this portion of the bill.
As if this were not enough for electronics manufacturers to hate, the bill would also bar anyone from selling “a connected device unless the connected device meets appropriate cybersecurity and data security standards established by the” FTC. The agency would establish such standards through regulation that will:
§ create cybersecurity and data security standards for different subsets of connected devices based on the varying degrees of—
o cybersecurity and data security risk associated with each subset of connected device;
o sensitivity of information collected, stored, or transmitted by each subset of connected device; and
o functionality of each subset of connected device;
§ consider incorporating, to the extent practicable, existing cybersecurity and data security standards; and
§ ensure that the cybersecurity and data security standards—
o are consistent with Fair Information Practice Principles....and
o promote data minimization.
Moreover, until the FTC issues these regulations, operators of sites, apps, and services directed to children must treat all users as children.
Two years after passage, the FTC must submit to Congress “a report on the processes of platforms that offer mobile and online applications for ensuring that, of those applications that are directed to children or minors, the applications operate in accordance with” the act, its regulations, and other statutes designed to protect the privacy of children and minors.
The bill establishes inside the FTC “a division to be known as the Youth Privacy and Marketing Division” headed by a Director to be appointed by the FTC Chair. This new division “shall be responsible for addressing, as it relates to this Act and the amendments made by this Act—
§ the privacy of children and minors; and
§ marketing directed at children and minors.”
Violations of the COPPA rewrite would be treated as violations of rules barring an unfair or deceptive practice, allowing the agency to seek more than $43,000 per violation even for first-time offenses. Moreover, courts would be allowed to exceed this per-violation cap if doing so is found “appropriate to deter violations of this Act and regulations prescribed under this Act.”
The FTC may approve “self-regulatory guidelines, issued by representatives of the marketing or online industries, or by other persons” after a notice and comment proceeding if the agency determines such guidelines meet the requirements of these sections of the bill:
§ Section 5. Digital Marketing Bill of Rights for Minors.
§ Section 6. Targeted marketing to children or minors.
§ Section 7. Removal of content.
§ Section 8. Privacy dashboard for connected devices for children and minors.
§ Section 9. Prohibition on sale of connected devices for children and minors that fail to meet appropriate cybersecurity and data security standards.
Compliance with guidelines approved by the FTC would create safe harbors for operators against violations.
Additionally, the FTC would need to draft regulations to “provide incentives for self-regulation by covered operators to implement the protections afforded children and minors, as applicable, under the regulatory requirements described” in the above listed sections. In doing so, the agency must
§ establish criteria for the approval of guidelines that will ensure that a covered operator provides substantially the same or greater protections for children and minors, as applicable, as those contained in the regulations issued under the applicable section; and
§ require that any report or documentation required to be submitted to the Commission by a covered operator or requesting entity will be published on the internet website of the Commission.
Other Developments
§ Germany’s competition regulator, the Bundeskartellamt, has opened proceedings against Amazon based on powers granted to the agency in a January 2021 law. The Bundeskartellamt explained it “initiated a proceeding against Amazon based on the new rules for large digital companies,” the second since “the 10th amendment to the German Competition Act (GWB Digitalisation Act) came into force.” In late January, the Bundeskartellamt initiated proceedings into Facebook and its subsidiary Oculus. The agency further explained:
o In January 2021 the 10th amendment to the German Competition Act (GWB Digitalisation Act) came into force. A key new provision set forth in Section 19a GWB now enables the authority to intervene earlier and more effectively, in particular against the practices of large digital companies. The Bundeskartellamt can prohibit companies which are of paramount significance for competition across markets from engaging in certain anti-competitive practices. Examples of conduct which could be prohibited under the new provision include the self-preferencing of a group’s own services, the “penetration” of non-dominated markets by way of non-performance based anti-competitive means, such as tying or bundling strategies, or creating or raising barriers to market entry by processing data relevant for competition.
o The Bundeskartellamt is also currently conducting two proceedings against Amazon based on the abuse control rules which were already in place before the latest amendment to the competition law. In one proceeding the authority is examining to what extent Amazon is influencing the pricing of sellers on Amazon Marketplace by means of price control mechanisms and algorithms. In a second proceeding it is examining to what extent agreements between Amazon and brand manufacturers, including Apple, which exclude third-party sellers from selling brand products on Amazon Marketplace constitute a violation of competition rules.
§ The European Parliament passed a resolution calling on the European Commission (EC) to rewrite its adequacy decisions regarding data transfers to the United Kingdom (UK). The Parliament also rejected a resolution that would have declared the UK’s data protection regime to be essentially equivalent to the European Union’s (EU). In its press release, the Parliament stated:
o In a resolution passed on Friday (344 votes in favour, 311 against and 28 abstaining), MEPs ask the Commission to modify its draft decisions on whether or not UK data protection is adequate and data can safely be transferred there, bringing them in line with the latest EU court rulings and responding to concerns raised by the European Data Protection Board (EDPB) in its recent opinions. The EDPB considers that UK bulk access practices, onward transfers and its international agreements need to be clarified further. The resolution states that, if the implementing decisions are adopted without changes, national data protection authorities should suspend transfers of personal data to the UK when indiscriminate access to personal data is possible.
o Before the vote, MEPs debated the UK adequacy decision and the “Schrems II” resolution on EU-US data flows. Several political groups emphasised the need for strong data rights in Europe and the dangers of mass surveillance, with others arguing that the UK has a high level of data protection, and that adequacy decisions help businesses and facilitate cross-border crime-prevention.
§ The Council of the European Union has issued a progress report on its working party to review the European Commission’s (EC) Digital Markets Act. The Council stated:
o Even though Member States have reserved their positions pending the ongoing discussions, the Presidency has identified a general support among the Member States for the level of ambition of the proposal, its overall objectives and the need for swift approval. In particular, the Presidency has recognised broad support for (i) the need to find a fair balance between speedy and flexible procedures, on one hand, and legal certainty of the measures, on the other; (ii) the combination of quantitative and qualitative thresholds for designating gatekeepers and (iii) the importance of effective investigative instruments, supported by effective sanctions. Based on the discussions at Working Party level held so far, the Presidency identifies the following main issues from a political and legal point of view, which will require further work in the negotiations:
§ Role of Member States in the enforcement of the DMA
§ Delegated acts
§ Scope, legal basis and interplay of DMA with other legislation
§ Designation of gatekeepers, obligations and regulatory dialogue
§ Other issues:
· Whether some obligations should factor in the gatekeepers’ ecosystems;
· Duration of market investigations and the threshold for systematic non-compliance remedies;
· Scope and threshold for interim measures.
§ House Science, Space, and Technology Chair Eddie Bernice Johnson (D-TX) and Ranking Member Frank Lucas (R-OK) sent a letter to Secretary of Energy Jennifer Granholm “to request a briefing on the Colonial Pipeline Company ransomware attack.” They argued:
o As the Sector Risk Management Agency for the energy sector, the Department of Energy (DOE) plays a vital role in securing critical energy infrastructure from cyberattacks. This responsibility includes using the agency’s specialized expertise to assist critical infrastructure owners and operators with mitigating threats, assessing sector risks, and supporting security incident management for the energy sector. DOE’s knowledge of our energy sector and the nuanced challenges facing various energy assets uniquely positions it to confront this emerging threat to our national security. Though pipeline cybersecurity implicates multiple federal entities such as the Department of Homeland Security’s Transportation Security Administration and Cybersecurity and Infrastructure Security Agency, the Federal Energy Regulatory Commission, and the National Institute of Standards and Technology, these threats demand robust and efficient coordination, both among federal entities and with other stakeholders within the energy sector. While DOE recently announced a “100 day plan” to address cybersecurity risks for the United States electric system, we seek additional information on how DOE’s current and forthcoming cybersecurity activities incorporate energy resources transmitted via pipelines.
§ The United States Government Accountability Office (GAO) issued its annual report on fragmentation, overlap, and duplication and highlighted the following technology programs:
o New Fragmentation, Overlap, and Duplication Areas Identified in This Report
§ Category Management: The Office of Management and Budget should further its Category Management initiative to improve how agencies buy common goods and services by taking such actions as addressing its data management challenges and establishing additional performance metrics to help save the federal government billions of dollars over the next 5 years, as well as potentially eliminate duplicative contracts.
§ Employment-Related Identity Fraud: The Internal Revenue Service and Social Security Administration should better manage fragmentation to identify potentially fraudulent wages, more effectively manage benefit programs, and enhance revenue.
§ Federal Cybersecurity Requirements and Assessments of States: By improving coordination of fragmented cybersecurity requirements and related assessment programs for state agencies, federal agencies could potentially minimize the burden on states and save millions of dollars in associated federal and state costs.
§ Federal IT Contract Duplication: Agencies can realize savings of potentially millions to hundreds of millions of dollars by ensuring that their efforts to reduce duplicative information technology contracts are fully aligned with key Office of Management and Budget category management principles and practices and are informed by analyses of agency spending on products and services.
o New Cost Savings and Revenue Enhancement Opportunities Identified in This Report
§ Federal Agencies’ Telecommunication Transition Planning Practices: Federal agencies could save tens of millions of dollars on telecommunications by analyzing their requirements to help identify areas that could be optimized and services that could be shared across agencies.
o New Actions Added to Existing Areas in 2021
§ Weapon Systems Acquisition Programs: In October 2020, GAO identified one new action for the Army to make informed decisions related to weapon systems modernization to better manage fragmentation involving certain agreements for prototype projects.
§ to help the Office of Management and Budget improve data center consolidation and optimization reporting. GAO also identified four new actions to help federal agencies meet data center cost savings and optimization goals, which could result in hundreds of millions of dollars in savings.
§ The House Homeland Security Committee marked up and reported out over a dozen bills at two sessions last week, some of which were in direct response to the Colonial Pipeline ransomware attack:
o H.R. 1833, the “DHS Industrial Control Systems Capabilities Enhancement Act of 2021,” to amend the Homeland Security Act of 2002 to provide for the responsibility of the Cybersecurity and Infrastructure Security Agency to maintain capabilities to identify threats to industrial control systems, and for other purposes.
o H.R. 2980, the “Cybersecurity Vulnerability Remediation Act,” to amend the Homeland Security Act of 2002 to provide for the remediation of cybersecurity vulnerabilities, and for other purposes.
o H.R. 3138, the “State and Local Cybersecurity Improvement Act,” to amend the Homeland Security Act of 2002 to authorize a grant program relating to the cybersecurity of State and local governments, and for other purposes.
o H.R. 3223, the “CISA Cyber Exercise Act,” which would establish a national cyber exercise program at CISA to test preparedness and resilience against cyber attacks.
o H.R. 3243, the “Pipeline Security Act,” to codify the Transportation Security Administration's responsibility relating to securing pipelines against cybersecurity threats, acts of terrorism, and other nefarious acts that jeopardize the physical security or cybersecurity of pipelines, and for other purposes.
o H.R. 3264, the “Domains Critical to Homeland Security Act,” to amend the Homeland Security Act of 2002 to require research and development to identify and evaluate the extent to which critical domain risks within the United States supply chain pose a substantial threat to homeland security, and for other purposes.
§ The United Kingdom’s (UK) Department for Digital, Culture, Media & Sport (DCMS) has published the government’s response to the consultation on the National Data Strategy. The DCMS stated:
o This update provides an overview and analysis of key findings from the consultation, which took place between the 9th of September and the 9th of December 2020. We received over 250 consultation responses from a wide range of respondents — spanning technology companies (including both tech giants and SMEs), to members of the public, academic institutions, think-tanks, civil society and public sector organisations.
o Respondents generally welcomed our framing of data as a strategic asset that should be used for economic and social benefit and tended to agree that the strategy identified the right pillars and missions in order to make the most of the opportunities presented by better data use. Respondents broadly agreed that data use should not just be considered as a threat to be managed, but also embraced as an opportunity to drive productivity and innovation across the economy, fuel scientific research, revolutionise the public sector and create a fairer and more prosperous society for all. Respondents also highlighted the potential for data use to support wider government priorities, such as those set out in the Integrated Review of Security, Defence, Development and Foreign Policy, as well as our ambitions to build back better, transition to net zero and to level up the UK’s regions. This perspective was complemented by numerous case studies highlighting responsible data use throughout the coronavirus pandemic showcasing the value of data use for public good.
o However, respondents also stressed the need to ensure that the data revolution works for everyone, everywhere. This included drawing attention to specific challenges around incorrect or inappropriate uses of data (often expressed as data bias), digital inclusion and connectivity, as well as the need for all citizens to have the appropriate skills to operate and thrive in a data-driven economy. With this in mind, respondents highlighted the importance of continued stakeholder engagement. This will help bring in diverse perspectives from across industry, academia, civil society and the wider public to support implementation and inform future policy development.
o Above all, respondents’ feedback confirmed that maintaining a high level of public support for data use will be key to unlocking the power of data. Creating a trustworthy data regime that maintains high data protection standards and enables responsible data use will ensure that the benefits of the data revolution are felt by all people, in all places.
§ A United Nations (UN) ad hoc committee has convened to work on a cybercrime treaty. The UN issued a note setting out “the logistical and procedural aspects for the organizational session of the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes.” The UN also made available other documents for the meeting. The UN provided background on the meeting:
o Through its resolution 74/247, adopted on 27 December 2019, the General Assembly, inter alia, took note of Commission on Crime Prevention and Criminal Justice resolution 26/4 of 26 May 2017, in which the Commission expressed appreciation for the work done by the Expert Group to Conduct a Comprehensive Study on Cybercrime and requested the Expert Group to continue its work, with a view to examining options to strengthen existing responses and propose new national and international legal or other responses to cybercrime, and in this regard reaffirmed the role of the United Nations Office on Drugs and Crime (UNODC).
o In the same resolution, the General Assembly decided to establish an open-ended ad hoc intergovernmental committee of experts, representative of all regions, to elaborate a comprehensive international convention on countering the use of information and communications technologies for criminal purposes, taking into full consideration existing international instruments and efforts at the national, regional and international levels on combating the use of information and communications technologies for criminal purposes, in particular the work and outcomes of the open-ended intergovernmental Expert Group to Conduct a Comprehensive Study on Cybercrime.
Further Reading
§ “DHS to issue first-ever cybersecurity regulations for pipelines after Colonial hack” By Ellen Nakashima and Lori Aratani — The Washington Post. The Department of Homeland Security is moving to regulate cybersecurity in the pipeline industry for the first time in an effort to prevent a repeat of a major computer attack that crippled nearly half the East Coast’s fuel supply this month — an incident that highlighted the vulnerability of critical infrastructure to online attacks. The Transportation Security Administration, a DHS unit, will issue a security directive this week requiring pipeline companies to report cyber incidents to federal authorities, senior DHS officials said. It will follow up in coming weeks with a more robust set of mandatory rules for how pipeline companies must safeguard their systems against cyberattacks and the steps they should take if they are hacked, the officials said. The agency has offered only voluntary guidelines in the past.
§ “Credit Card Ads Were Targeted by Age, Violating Facebook’s Anti-Discrimination Policy” By Corin Faife and Alfred Ng — The Markup. “Get the credit card that plants a tree with every purchase,” prompts the text of a Facebook ad for Aspiration’s Zero credit card (tagline: One Card. Zero Footprint). The ad was visible to people of any gender based anywhere in the U.S., but the advertiser asked that Facebook not show it to anyone under 25.
§ “Israel Is a Cyber Superpower But Chooses Bombs to Fight Hackers in Gaza” By Emanuel Maiberg and Lorenzo Franceschi-Bicchierai — Vice. One way Israel describes itself as an exceptional Middle Eastern nation is with its technological prowess. It produces mountains of scientific research, Nobel laureates, and, as Motherboard has reported over the years, is a major cybersecurity player globally, both because of its government operations and booming private sector, which exports everything from network security products to hacking tools from firms like NSO Group and Cellebrite.
§ “App used by emergency services under scrutiny” By Jane Wakefield — The BBC. Questions have been raised about a digital addressing system which divides the world up into three-by-three-metre squares to pinpoint someone's location. What3Words (W3W) gives each square a unique three-word address, and the app is used by 100 UK emergency services.
§ “Telecom Italia looking to drop Huawei from Italy 5G network – sources” By Elvira Pollina and Supantha Mukherjee — Reuters. Telecom Italia (TLIT.MI) is looking to cancel a contract with Huawei (HWT.UL) for supplying equipment to build part of the telecom firm's 5G network in Italy, three sources close to the matter said on Thursday.
§ “‘A Perfect Positive Storm’: Bonkers Dollars for Big Tech” By Shira Ovide — The New York Times. In the Great Recession more than a decade ago, big tech companies hit a rough patch just like everyone else. Now they have become unquestioned winners of the pandemic economy.
§ “Microsoft discloses ‘BadAlloc’ bugs affecting smart devices, industrial gear” By Catalin Cimpanu — The Record. One of Microsoft’s bug hunting teams has discovered 25 vulnerabilities impacting a broad spectrum of smart IoT devices and industrial equipment.
§ “Scammers Are Hacking Target’s Gig Workers and Stealing Their Money” by Lauren Kaori Gurley — Vice. On the morning of March 28, a gig worker near Tampa, Florida, was shopping an order for Shipt, Target's delivery platform, when he received an email from "Shipt Support" asking him to reset his password.
§ “Hooked” By Lucy Carter, Lesley Robinson, Laura Gartry and Alex Palmer, Four Corners and Digital Story Innovation Team — ABC News. In late 2020, Four Corners launched a crowdsourced investigation into video gaming and received more than 3,000 responses. Many gamers told us how much they enjoyed playing, but others raised concerns about how focused gaming had become on profiting from them. Games played on mobiles, consoles and computers have become extremely sophisticated, often with artificial intelligence and data collection built into the platform. Gaming researchers are warning that gamers often don’t know “how much the game is actually playing them”. “Many of these games are using machine learning, they’re tracking what players are doing using people’s information and within their social network, to make very strong predictions about how people will behave,” said Daniel King, a clinical psychologist from Flinders University.
§ “Conflict with China a ‘high likelihood’, says top Australian general” By Nick McKenzie and Anthony Galloway — The Sydney Morning Herald. One of the nation’s top military commanders told his troops that Beijing is already engaged in “grey zone” warfare against Australia and they must plan for the high likelihood this may spill over into actual conflict in the future.
§ “India doesn't name Huawei among participants in 5G trials” — Reuters. India will allow mobile carriers to carry out 5G trials with equipment makers including Ericsson, Nokia, and Samsung's network unit, the government said on Tuesday, but did not name China's Huawei among the participants.
§ “Preparing for a World of Holocaust Deepfakes” By Claire Leibowicz — Tablet. The problem with the most pernicious lies is that they are often based on elements of truth. In a now-famous image known as the Ivanhorod Einsatzgruppen photograph, six huddling Jews were captured on film while being menaced by a rifle-wielding German soldier in Ukraine. Taken in 1942 by an unknown individual, the image was intercepted by the Polish resistance and eventually made its way into public view after the war, providing a chilling personal window into the horrors of the Holocaust.
§ “The global chip shortage is a much bigger problem than everyone realised. And it will go on for longer, too” By Daphne Leprince-Ringuet — ZDNet. "Out of stock": the frustrating warning has made its way to an increasing number of phones and laptop manufacturers' websites over the past year, often leading to long waiting lists for consumers wishing to get their hands on shiny new electronics. At the heart of the problem is a global shortage of semiconductors, which is not showing signs of coming to an end anytime soon. Worse still, it is likely to trickle down to the production of everyday products that have little in common, at first glance, with high-end technologies. Think children's toys or microwaves.
§ “Peloton’s leaky API let anyone grab riders’ private account data” By Zack Whittaker — TechCrunch. Halfway through my Monday afternoon workout last week, I got a message from a security researcher with a screenshot of my Peloton account data. My Peloton profile is set to private and my friend’s list is deliberately zero, so nobody can view my profile, age, city, or workout history. But a bug allowed anyone to pull users’ private account data directly from Peloton’s servers, even with their profile set to private.
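The Peloton report above turns on a common API flaw: the client hides the private fields, but the server never checks who is asking. As an added illustration (this is not Peloton's code or API; the endpoint, field names and sample users are all constructed for this example), the Python below shows the leaky pattern beside a handler that makes the authorization decision server-side, plus the anonymous-enumeration check a tester would run against both.

```python
"""Added example, not Peloton's code. The profile store, field names and
users are constructed for illustration only."""
from dataclasses import dataclass, field


@dataclass
class Profile:
    user_id: int
    username: str
    age: int
    city: str
    private: bool
    friends: set = field(default_factory=set)  # user_ids allowed to view


# Constructed sample data: two private profiles, one public.
USERS = {
    1: Profile(1, "rider_one", 41, "Boston", private=True),
    2: Profile(2, "rider_two", 29, "Austin", private=False),
    3: Profile(3, "rider_three", 35, "Denver", private=True, friends={2}),
}

PUBLIC_FIELDS = ("user_id", "username")
SENSITIVE_FIELDS = ("age", "city")


def get_profile_leaky(requester_id, target_id):
    """Vulnerable pattern: the privacy flag is only honoured by the UI.
    The server returns every field to whoever supplies a valid id,
    including an unauthenticated caller (requester_id=None)."""
    p = USERS.get(target_id)
    if p is None:
        return None
    return {f: getattr(p, f) for f in PUBLIC_FIELDS + SENSITIVE_FIELDS}


def can_view_sensitive(requester_id, p):
    """Object-level authorization: the owner and accepted friends may see
    sensitive fields of a private profile; anyone may see a public one."""
    if not p.private:
        return True
    if requester_id is None:
        return False
    return requester_id == p.user_id or requester_id in p.friends


def get_profile_checked(requester_id, target_id):
    """Hardened pattern: the decision is made per object, on the server,
    before any sensitive field is serialised."""
    p = USERS.get(target_id)
    if p is None:
        return None
    resp = {f: getattr(p, f) for f in PUBLIC_FIELDS}
    if can_view_sensitive(requester_id, p):
        resp.update({f: getattr(p, f) for f in SENSITIVE_FIELDS})
    return resp


def find_leaks(handler):
    """Check worth running in CI: as an anonymous caller, walk the id space
    and report every private profile whose sensitive fields come back."""
    leaks = []
    for uid, p in USERS.items():
        resp = handler(None, uid)
        if p.private and resp and any(f in resp for f in SENSITIVE_FIELDS):
            leaks.append(uid)
    return leaks


if __name__ == "__main__":
    print("leaky handler exposes private ids:", find_leaks(get_profile_leaky))
    print("checked handler exposes private ids:", find_leaks(get_profile_checked))
```

The point of `find_leaks` is that the test drives the API as an outsider rather than through the app, which is exactly how the researcher in the story found the data; a privacy setting that only the client enforces is not a control.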
Coming Events
Photo by Danny Howe on Unsplash
§ On 25 May, the House Science, Space, and Technology Committee’s Investigations and Oversight and Research and Technology Subcommittees will hold a joint hearing titled “SolarWinds and Beyond: Improving the Cybersecurity of Software Supply Chains” with these witnesses:
o Mr. Matthew Scholl, Chief, Computer Security Division of the Information Technology Laboratory, National Institute of Standards and Technology (NIST)
o Dr. Trey Herr, Director, Cyber Statecraft Initiative, Atlantic Council
o Ms. Katie Moussouris, Founder and CEO, Luta Security
o Mr. Vijay D’Souza, Director, Information Technology and Cybersecurity, Government Accountability Office (GAO)
§ The Senate Appropriations Committee’s Commerce, Justice, Science Subcommittee will hold a hearing on the Department of Commerce’s FY 2022 budget request on 26 May.
§ On 26 May, the Senate Appropriations Committee’s Homeland Security Subcommittee will hold a hearing on the Department of Homeland Security’s FY 2022 budget request.
§ The House Financial Services Committee’s Oversight and Investigations Subcommittee will hold a 27 May hearing titled “Consumer Credit Reporting: Assessing Accuracy and Compliance” with these witnesses:
o Ms. Beverly Anderson, President, Global Consumer Solutions, Equifax
o Ms. Sandy Anderson, Senior Vice President, Strategy and Operations, Experian Credit Services
o Mr. John Danaher, Executive Vice President, Consumer Interactive at TransUnion
o Ms. Rebecca Kuehn, Partner, Hudson Cook
o Ms. Chi Chi Wu, Staff Attorney, National Consumer Law Center (NCLC)
§ On 27 May, the House Judiciary Committee’s Courts, Intellectual Property, and the Internet Subcommittee will hold a hearing titled “The SHOP SAFE Act: Stemming the Rising Tide of Unsafe Counterfeit Products Online.”
§ On 27 May, the House Science, Space, and Technology Committee will hold a hearing titled “Overview of the Science and Energy Research Enterprise of the U.S. Department of Energy” with Secretary of Energy Jennifer Granholm.
§ The House Energy and Commerce Committee’s Consumer Protection and Commerce Subcommittee will mark up the bill to restore the Federal Trade Commission’s Section 13(b) powers, the “Consumer Protection and Recovery Act” (H.R.2668), on 27 May.
§ On 2-3 June, the National Institute of Standards and Technology (NIST) will hold a virtual workshop “to enhance the security of the software supply chain and to fulfill the President’s Executive Order (EO) on improving the Nation’s Cybersecurity, issued on May 12, 2021.”
§ On 9 June, the House Homeland Security Committee will hold a hearing on the Colonial Pipeline ransomware attack with the company’s CEO.
§ On 17 June the Senate Appropriations Committee will hold a hearing on the Department of Defense’s FY 2022 budget request.
§ On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.