House Appropriations Bills Address Cybersecurity and Technology Policy
States appeal dismissal of Facebook antitrust suit; UK's ICO starts consultation on alternative to adequacy decisions
At the end of July, the House of Representatives passed a package consisting of seven FY 2022 appropriations bills, including some of the bills that fund key agencies and programs with respect to technology. Today, we will dive into some of these bills, and it bears note the recent SolarWinds and Microsoft Exchange hacks shook up the House Appropriations Committee which is providing massive increases for a number of programs to secure networks and systems at United States (U.S.) agencies.
The “Financial Services and General Government Appropriations Act, 2022” (H.R.4345) funds and shape policy for the Federal Trade Commission (FTC), Federal Communications Commission (FCC), the Office of Management and Budget, and the new Office of the National Cyber Director (NCD). In the committee report, the committee hit some of the highlights of the bill:
§ Protecting Consumers.—The Committee is concerned about ongoing consumer protection issues, including hidden and emerging product safety incidents, market concentration, privacy and data security violations, and instances of financial fraud. Consequently, the Committee recommendation provides significant additional resources to agencies responsible for overseeing product safety, fair competition, unfair and deceptive trade practices, and financial markets. The recommendation provides $172,000,000—an increase of $37,000,000 over fiscal year 2021—for the Consumer Product Safety Commission to address chronic underfunding in recent years and to expand operational capabilities to match the safety challenges in an evolving marketplace. The Committee expects that these additional resources will also allow improved consumer education on hidden and emerging hazards, especially in relation to toys and other products that pose a disproportionate risk for children, including crumb rubber.
§ The Committee recommends $389,800,000—a $38,800,000 increase over fiscal year 2021—for the Federal Trade Commission (FTC). This additional funding will increase the FTC’s capabilities both to monitor mergers and acquisitions that could reduce competition or lead to higher prices, and to take enforcement action against companies that fail to take reasonable steps to secure customer data or that engage in other problematic trade practices. The Committee recommendation also increases resources to protect investors, facilitate capital formation, and combat market manipulation. To that end, the recommendation includes $1,999,663,000—an increase of $73,501,000 over fiscal year 2021—for the Securities and Exchange Commission to increase enforcement related to securities and financial fraud, monitoring of major market participants, compliance examinations, and investor education activities.
As the committee mentioned, the FTC would see another 10% year-over-year funding increase, in large part, because:
The Committee is highly concerned by increasing instances of fraudulent or deceptive data collection practices and other violations of consumer protection laws, as well as by increasing concentration in technology and other markets. The Committee provides the FTC with additional resources to increase both its enforcement of antitrust statutes and its capacity to investigate unfair, deceptive, and fraudulent business practices.
The committee provided the following additional direction for the FTC pertaining to shipping consumer goods outside the continental U.S., cryptocurrency, the right to repair, children’s privacy and the Children’s Online Privacy Protection Act Rule, and pirated and counterfeited goods in online marketplaces:
§ Non-Foreign Areas.—The Committee remains concerned that some companies and corporations engaged in interstate commerce are unwilling to ship products to Alaska, Hawaii, Puerto Rico, and the other U.S. territories, as is offered for the continental United States, or are only willing to ship to these areas at significantly higher rates. The Committee believes that these non-foreign areas must be afforded equal treatment to the other 48 states. The Committee requests the FTC to continue monitoring these inequalities in interstate commerce and to continue issuing relevant outreach and educational materials.
§ Cryptocurrency.—Cryptocurrencies are digital assets that use cryptography to secure or verify transactions. They are not created by a government or central bank, but they can be exchanged for U.S. dollars or other government-backed currencies. As consumer interest in cryptocurrencies has grown, so have scams such as deceptive investment and business opportunities, bait-and-switch schemes, and deceptively marketed mining machines. The Committee encourages the FTC to work with the Securities and Exchange Commission, other financial regulators, consumer groups, law enforcement, research organizations, and other public and private stakeholders to identify and investigate fraud related to cryptocurrencies market and discuss methods to empower and protect consumers. The Committee recommends that the FTC increase its engagement with stakeholders on this issue and that the FTC promptly publish any public education or consumer protection best practices developed from its activities on its website.
§ Consumer Right to Repair.—The Committee is aware of the FTC’s ongoing work examining how manufacturers, particularly mobile phone and car manufacturers, may limit repairs by consumers and repair shops, and how those limitations may increase costs, limit choice, and impact consumers’ rights under the Magnuson-Moss Warranty Act. The Committee appreciates the FTC’s timely and comprehensive report, ‘‘Nixing the Fix: An FTC Report to Congress on Repair Restrictions,’’ issued in May 2021. The report notes that ‘‘[t]o address unlawful repair restrictions, the FTC will pursue appropriate law enforcement and regulatory options, as well as consumer education, consistent with our statutory authority.’’ The Committee requests a briefing, within 120 days of enactment of this Act, on law enforcement, regulatory, and educational actions the agency has taken in relation to the Magnuson-Moss Warranty Act since the publication of that report, including an assessment of how repair restrictions might impact rural communities, communities of color, and indigenous communities.
§ Children’s Privacy.—The Committee is aware of the significant increase in online activity by children during the COVID 19 pandemic and is concerned that this may lead to a greater opportunity for bad actors to unlawfully gather and use children’s personal information. The Committee urges the FTC to prioritize investigations into potential violations of the Children’s Online Privacy Protection Act Rule (COPPA Rule) and to incorporate findings from new and recent cases relating to children’s privacy into its ongoing COPPA Rule review process. Not later than 120 days after the enactment of this Act, the FTC is directed to provide to the Committee a report detailing the current amount of resources and personnel focused on enforcing the COPPA Rule; the number of investigations into violations of the COPPA Rule in the past 5 years; and the types of relief obtained, if any, for any completed investigations.
§ Online Marketplaces.—The Committee encourages the FTC to in- crease enforcement efforts to stop the sale of counterfeit and pirated goods on online marketplaces.
The Federal Communications Commission (FCC) would get $14 million more in funds than the current year ($387.95 million vs. $374 million), and the committee is very focused on how the agency is helping (and could maybe help even more) in ensuring broadband is widely available:
§ Broadband Maps.—The Committee remains highly interested in implementation of the Broadband DATA Act (P.L. 116–130). The FCC is directed to provide an updated spend plan and status report on Broadband Data Act spending no later than 60 days after enactment of this Act.
§ Mapping Partnership with USPS.—The Committee notes that the FCC released a report in May 2021 on the feasibility of partnering with the United States Postal Service to facilitate the collection of mobile wireless broadband data, as required by the Broadband DATA Act. The report outlines several challenges but says that ‘‘the Commission is continuing to explore possible solutions to the issues.’’ The Committee encourages the FCC to continue its work to address these obstacles and create a feasible partnership that will help improve wireless mapping in rural and underserved communities across the country.
§ Broadband Access.—The Committee believes that deployment of broadband in rural and economically disadvantaged areas is a driver of economic development, jobs, and new educational opportunities. The Committee supports FCC efforts to judiciously allocate Universal Service Fund (USF) funds for these areas.
§ Rural Digital Opportunity Fund.—In the Rural Digital Opportunity Fund (RDOF) Phase I auction, 180 bidders won $9.2 billion over 10 years to provide broadband to more than 5 million locations in U.S. States and territories. The RDOF Phase I auction rep- resents an opportunity to bring broadband access to unserved rural communities across this country and to help close the digital divide in rural communities, but the Committee remains concerned about program implementation. The Committee expects the FCC to fully enforce its rules related to buildout requirements and performance tier commitments.
§ Territorial Access to Broadband.—The Committee is concerned about disparities in access to communications services on Tribal lands and in territories. The Committee encourages the FCC to implement policies to increase broadband access and adoption in these areas. The Committee commends the FCC’s work in establishing the Uniendo, a Puerto Rico Fund, and the Connect U.S. Virgin Islands (USVI) Fund to make additional USF funding available to rebuild fixed and mobile voice and broadband networks damaged in the 2017 hurricane season. In September 2019, the FCC approved $950,000,000 in Stage 2 funding to improve, expand, and harden communications networks in Puerto Rico and the USVI. In the U.S. Virgin Islands, the FCC is allocating more than $180,000,000 over ten years in support fixed networks, and $4,000,000 over three years for mobile networks. The Committee supports these efforts and urges the FCC to expeditiously move forward with its funding commitments under these programs.
§ Tribal Access to Broadband.—The Committee urges the FCC to responsibly and efficiently take action to increase access to broadband on Tribal lands and supports consultation with Federally recognized Indian Tribes, Alaska Native villages and corporations, and entities related to Hawaiian home lands to help close the digital divide. The FCC is encouraged to use all available resources to increase funding for consultation with Federally recognized Indian tribes, Alaska Native villages, and entities related to Hawaiian home lands; other work by the Office of Native Affairs and Policy (ONAP); and associated work from other bureaus and offices in support of ONAP.
§ School Broadband.—The Committee believes that access to broadband is an important factor in student success in school. The coronavirus pandemic highlighted this issue, but it will continue for many students even after full-time remote learning ends. The Committee notes that Congress established a $7,171,000,000 Emergency Connectivity Fund in the American Rescue Plan Act of 2021 (P.L. 117–2) to help address this issue. The Committee directs the FCC to evaluate new or existing programs that could be used to permanently extend telecommunications and information services to students at locations other than schools and libraries. The Committee directs the FCC to provide a briefing on implementation of the Emergency Connectivity Fund and any findings from its evaluations no later than 120 days after the enactment of this Act.
The committee also directed the FCC on other policy areas, including telehealth, 5G, supply chain, cybersecurity, and municipal broadband:
§ Telehealth Funding.—The Committee notes that the Consolidated Appropriations Act, 2021 (P.L. 116–260) required that ‘‘To the extent feasible, the Commission shall ensure, in providing assistance under the COVID–19 Telehealth Program . . . that not less than 1 applicant in each of the 50 States and the District of Columbia has received funding from the Program since the inception of the Program, unless there is no such applicant eligible for such assistance in a State or in the District of Columbia.’’ The Committee is pleased that the FCC has decided to adopt rules that ‘‘seek to ensure that at least two applications with lead health care providers from every state, territory, and the District of Columbia receive Program funding, if such applications exist.’’ The Committee supports the FCC’s decision to include all territories of the United States in its rule adoption.
§ 5G Networks.—The Committee remains concerned about the digital divide and supports measures to bring broadband services to unserved and underserved communities as well as to address broadband affordability and adoption. The Committee also recognizes that ensuring the United States is the global leader in the 5G economy is an economic and national security imperative. The Committee supports policies to ensure that 5G technologies are developed domestically and among our allies, and that the United States leads the world in the deployment of multiple, facilities- based commercial 5G networks. To that end, the Committee supports a phased approach to making additional spectrum available for commercial licensed and unlicensed use. Additionally, the Committee supports the Commission’s efforts to make more mid-band spectrum available for auction and flexible commercial use. The Committee opposes efforts to use Federally allocated spectrum to create a national wholesale 5G network owned, operated, or controlled by the government and continues to support private sector efforts to deploy 5G.
§ 5G Supply Chain.—The Committee notes the importance of a secure 5G technology supply chain. The Committee encourages the FCC to investigate options for increasing supply chain diversity, bolstering competition in the 5G equipment market, and strengthening 5G network security via hardware and software solutions that use virtualization technology, open standard-based interfaces, and interoperable equipment.
§ USF Contribution Reform.—In recognition of the ongoing rapidly changing communications industry landscape, the Committee believes it is imperative that the FCC work with the Federal-State Joint Board on Universal Service on recommendations for USF modernization, including contribution reform to ensure the long-term sustainability and viability of the USF programs and resolve inequities in the current contributions structure.
§ Lifeline Participation.—According to Universal Service Administrative Company estimates, less than 30 percent of eligible households participate in the Lifeline program. The Committee encourages the FCC to expeditiously address all recommendations made in GAO Report 21–235 to increase consumer awareness of and improve user experience with Lifeline. The Committee also encourages the FCC to work with community-based organizations to conduct outreach in areas with large amounts of unserved eligible households about the availability of the Lifeline program.
§ Cybersecurity Certification and Labeling.—The Committee encourages the FCC’s Office of Engineering and Technology to begin assessing existing cybersecurity certifications pertinent to critical infrastructure and to develop further informational and technological resources, as needed, to inform consumer and critical infrastructure owner and operator purchasing decisions for secure information and communications technologies.
§ Cloud Migration.—The Committee recognizes the importance of cloud migration for continued FCC operations and cybersecurity. Throughout much of the last decade, the FCC has released plans for IT modernization and cloud migration with the intention of decreasing their data center footprint in accordance with the Data Center Optimization Initiative (DCOI) mandated by Federal Information Technology Acquisition Reform Act (P.L. 113–291). The FCC is directed to provide a report to Committee no later than 120 days after enactment of this Act on its plans for re-architecting legacy systems, moving to commercial cloud solutions, and complying with DCOI.
§ Municipal Broadband.—The Committee urges the FCC to study the role of municipal-owned networks in expanding broadband access to unserved and underserved communities.
For the White House’s OMB, the committee addressed the following:
§ Infrastructure-as-a-Service in Federal Procurement.—The Committee is aware that the procurement of information and communication technology (ICT) by Federal agencies is increasingly utilizing an infrastructure-as-a-service (IaaS) model where agencies no longer purchase outright computer hardware, peripherals, printers, servers, and software. The Committee notes the significant cost of ownership as well as important cybersecurity benefits of this IaaS acquisition model and encourages its continued and expanded use, but also recognizes the importance of facilitating small business competition for these ICT procurements. The Committee directs OMB to examine the government’s use of ICT IaaS procurements and the ability of small businesses to successfully compete for these types of contracts. OMB should report to the Committee within 120 days of enactment of this Act with suggestions on improvements to the IaaS procurement process to allow better com- petition for small businesses.
§ Office of Manufacturing and Industrial Innovation.—The Committee supports creation of an independent office within the Executive Office of the President dedicated to manufacturing and industrial innovation. Such an office would provide manufacturing and industrial perspectives and advice to the President, develop a strategic national manufacturing policy for the United States, and engage in a comprehensive survey and cross-administration management of efforts to ensure global leadership in manufacturing critical to the long-term economic health and national security of the United States. The Committee will work with OMB and other EOP offices to ensure that such an office is authorized and funded in a timely manner.
OMB gets tasked with reporting on the cyber posture of U.S. agencies, notably how well they are complying with a Trump Administration executive order:
Federal and Critical Infrastructure Cybersecurity.—In recent months, the nation’s information technology and critical infrastructure—which support global food supply chains, transportation systems, healthcare providers, and more—have been subject to a disturbing uptick in ransomware and cyberattacks. Executive Order 13800, issued on May 11, 2017, directs agency heads to implement several risk management and cybersecurity measures, including the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity. The Committee is concerned that agencies have not implemented these foundational cybersecurity measures, including the following risk-based vulnerability management practices: 1) discovering all assets connected to the agency’s network, 2) continuously assessing and monitoring these assets for cybersecurity vulnerabilities, 3) managing users to prevent exploitation from attackers, and 4) prioritizing remediation of identified cybersecurity vulnerabilities posing the greatest risk. OMB is directed to report, within 90 days of enactment of this Act, on the status of compliance with Executive Order 13800 by each applicable agency. The report shall identify risk management and cybersecurity compliance gaps and outline steps each agency must take to implement risk-based vulnerability management practices. The report shall include a timeline and cost estimates to meet the requirements set forth in Executive Order 13800.
Note OMB must inform the committee about the timeline and costs of complying with the 2017 executive order. It is not a good commentary on U.S. government cybersecurity that the committee is worried that agencies have not complied with a four year old directive from the then President.
The new Office of the National Cyber Director (NCD) would get $18.75 million, $3.75 million more than the Administration asked for, and the committee is asking NCD Chris Inglis and his staff to outline how they will spend these funds and how they will operate alongside with and coordinate other federal cybersecurity stakeholders:
§ Cyber Coordination.—The Committee notes the increasing regularity of highly damaging cyberattacks, including attacks against critical U.S. infrastructure, and supports the creation of new Federal cyber policy expertise and capabilities. The Committee also notes that cyber policy functions are currently distributed among numerous Federal agencies and offices and seeks clarity on ONCD’s jurisdiction. The Committee directs ONCD to consult with OMB, the National Security Council, the Cybersecurity and Infrastructure Security Agency, the United States Intelligence Community, the Department of Defense, and other Federal departments and agencies, as appropriate, to ensure coordination of, and avoid unnecessary duplication of, the activities of the ONCD with the activities of other parts of the Federal government. The Committee directs ONCD to provide a briefing within 90 days of enactment of this Act outlining its spending plan for funding provided by this Act and delineating the specific responsibilities of ONCD in relation to other Federal departments and agencies.
The General Services Administration (GSA) received a directive on supply chain security as it relates to “commercial off-the-shelf supply chain management tools:”
§ Supply Chain Security Pilot.—There is growing consensus in the Federal government that increased measures need to be taken to better identify and effectively respond to threats to the Federal government’s information technology, networks, and supply chains. Commercial off-the-shelf supply chain tools have been developed to address supply chain issues such as understanding supply chains with precision, identifying cyber or other threats to them, and providing continuous critical information for when specific threats are identified. GSA should, as a matter of policy, consider using commercial off-the-shelf supply chain management tools to accomplish government supply chain monitoring missions. To support the critical monitoring of government supply chain programs, the Committee includes $4,000,000 above the fiscal year 2022 budget request to provide funding for demonstrations and contracts to test and evaluate the utility of commercial solutions for supply chain risk management for the Office of Information Technology Category within the GSA Federal Acquisition Service.
§ GSA’s Federal Acquisition Service has previously demonstrated similar technologies through its Information Technology Category but has been unable to transition these services into meaningful improvements to the Administration’s acquisition framework. The Committee further directs the Administrator of GSA to submit a strategy to Congress with the President’s fiscal year 2023 budget submission to Congress on how commercial off-the-shelf supply chain risk management tools has been implemented and how the program could be expanded to improve the Administration’s overall acquisition framework.
A GSA managed program that operates as a revolving fund other agencies can borrow from to modernize their information technology would see a modest bump above its current level of funding. However, the Biden Administration wanted $500 million for the Technology Modernization Fund (TMF), which is $450 million more than the committee decided upon. The TMF was recently given $1 billion in this year’s COVID stimulus package, which undoubtedly affected the House’s decision. Nonetheless, the committee stated:
§ The Committee recommends $50,000,000 for the TMF. The Committee encourages GSA and the TMF Board to prioritize and fund those projects that have the most significant impact on mission enhancement and that most effectively modernize citizen-facing services, including updating public facing websites, modernizing forms, and digitizing government processes.
§ The Committee notes that the TMF received $1,000,000,000 in funding in the American Rescue Plan Act of 2021 (P.L. 117–2). Additionally, GSA has noted they expect to allocate $250,000,000 in fiscal year 2021 and fiscal year 2022 for the TMF. The Committee supports additional funding requests in future fiscal years for the TMF.
The Election Assistance Commission (EAC) would get another $500 million for Election Security Grants, one of the primary means the U.S. government has used to address cybersecurity vulnerabilities in state and local election systems. The committee naturally has conditions its expects the agency and funds recipients to meet:
§ The bill requires States to use payments to replace direct-recording electronic (DRE) voting machines with voting systems that require the use of an individual, durable, voter-verified paper ballot, marked by the voter by hand or through the use of a non-tabulating ballot marking device or system, and made available for inspection and verification by the voter before the vote is cast and counted. Funds shall only be available to a State or local election jurisdiction for further election security improvements after a State has submitted a certification to the EAC that all DRE voting machines have been or are in the process of being replaced.
§ Funds shall be available to States for the following activities to improve the security of elections for Federal office: implementing a post-election, risk-limiting audit system that provides a high level of confidence in the accuracy of the final vote tally; maintaining or upgrading election-related computer systems, including voter registration systems, to address cyber vulnerabilities identified through DHS scans or similar assessments of existing election systems; facilitating cyber and risk mitigation training for State and local election officials; implementing established cybersecurity best practices for election systems; and other priority activities and in- vestments identified by the EAC, in consultation with DHS, to improve election security. The EAC shall define in the Notice of Grant Award the eligible investments and activities for which grant funds may be used by the States. The EAC shall review all proposed investments to ensure funds are used for the purposes set forth in the Notice of Grant Award.
§ The bill also requires that not less than 50 percent of the payment made to a State be allocated in cash or in-kind to local government entities responsible for the administration of elections for Federal office. Further, the bill requires States to submit semi-annual financial reports and annual progress reports to the EAC.
The Committee further directed the EAC on these issues:
§ Election Cybersecurity Support.—The Committee is concerned with the threat of election meddling from state and non-state actors through cyberattacks on election and voter registration systems. The Committee encourages EAC to work with NIST and the Department of Homeland Security (DHS) to strengthen coordination with and outreach to State and local election officials on cybersecurity best practices.
§ Grants for Innovations in Election Administration.—EAC is directed to assess the feasibility of establishing a competitive grant program for research and other innovative initiatives to improve election administration. Such initiatives may include (but are not limited to): combating the dissemination and public acceptance of misinformation about elections, using data analysis to evaluate the integrity of State systems, and identifying recommendations for voter registration, mail ballots, and official communications to modernize and fortify election systems. EAC is directed to brief the Committee not later than 90 days after enactment of this Act on its assessment.
The committee expresses concern about the growing amount of sensitive data the Securities and Exchange Commission (SEC) and market participants are storing:
§ Data Security.—It is critically important to both investors and the U.S. capital markets that the SEC fortify its cybersecurity threat detection, response, and mitigation process. The SEC is collecting an increasing amount of market-sensitive data and PII, including through Form N–PORT and the CAT. As a repository for sensitive market data and a likely target for those who wish to manipulate U.S. markets, the security of the CAT system and data is paramount. The Committee strongly supports the SEC’s efforts to strengthen and protect its information technology systems and systems it oversees maintained by the self-regulatory organizations, including the CAT system and EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system). The Committee also strongly urges the SEC, in its oversight of the Financial Industry Regulatory Authority, to ensure the CAT has adequate breach notification policies in place so affected participants are promptly notified of critical security events.
The Department of the Treasury must prioritize the cybersecurity of the financial services sector:
§ Cybersecurity in the Financial Services Sector.—The National Defense Authorization Act for Fiscal Year 2021 formally codified Sector Risk Management Agencies (SRMAs), which are responsible for managing engagement between the Federal government and private-sector entities within a given critical infrastructure sector. National resilience requires that the government and private sector be able to identify, assess, and mitigate risk across national critical infrastructure in order to withstand and quickly recover from an attack. As designated SRMA for the financial services sector, the Department of the Treasury is responsible for protecting the financial services sector and its customers from the devastating effects of cyberattacks. The Committee urges continued coordination to develop consistent and workable cybersecurity safeguards across the financial services sector, including within the payment processing and financial technology industries. The Committee expects the Department to prioritize the activities of the Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) to improve communication and coordination with the financial services sector. OCCIP is directed to brief the Committee, within 90 days of enactment of this Act, on its collaborative efforts with the financial services sector to enhance cybersecurity controls and safeguards, and the proposed methods and tools to improve these efforts.
The committee also directs the Department of the Treasury to address its own cybersecurity through a dramatic increase in funding::
§ The Cybersecurity Enhancement Account (CEA) is a dedicated account designed to identify and support Department-wide investments for critical IT improvements, including the systems identified as High Value Assets.
§ The Committee recommends $132,027,000 for the CEA. The recommendation includes $114,027,000 to support Department-wide efforts to address the impacts of the SolarWinds attack and to implement measures to minimize the impacts of such incidents in the future.
§ Quarterly Reports.—Within 60 days of enactment of this Act, the Department is directed to submit a plan for the obligation of funds by quarter for each CEA investment. The plan shall include prior year unobligated balances and delineate planned obligations by source year of appropriation. The plan shall also include anticipated unobligated balances at the close of the fiscal year and the planned obligation of carryover in future years, by quarter, until all funds are obligated. Treasury is directed to submit quarterly updates on this plan.
The Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) is directed to address business email compromise in the real estate sector and some misfires of automated technology designed to fight money laundering:
§ Business Email Compromise.—Email compromise fraud schemes generally entail criminal attempts to compromise the email ac- counts of victims to send fraudulent payment instructions to financial institutions or business associates in order to misappropriate funds or to assist in financial fraud. The Committee is concerned with the prevalence of such schemes in the real estate sector. FinCEN is directed to brief the Committee within 90 days of enactment of this Act on its ongoing efforts to combat and raise aware- ness of business email compromise scams, including joint activities conducted with the Department of Justice, Federal Bureau of Investigation, Federal Trade Commission, and other relevant agencies.
§ Automated Technology to Combat Money Laundering.—The Committee is aware of reports of Muslim Americans whose bank accounts have been suddenly and erroneously closed due to increased scrutiny by financial institutions. The Committee supports FinCEN’s work with Federal regulators and financial institutions to encourage innovative approaches to detect and combat money laundering and terrorist financing, including the use of artificial intelligence and machine learning technology. However, the Committee is concerned that such tools may contain implicit biases that result in discrimination against individuals based on race, religion, or culture. The Anti-Money Laundering Act of 2020 contained significant revisions to existing law to strengthen anti-money laundering programs, while also taking into account the potential effects of such programs on de-risking and financial inclusion. As the new mandates are implemented, the Department and FinCEN are urged to carefully consider the disparate impact that these tools and processes may have on certain individuals and groups.
The “Agriculture, Rural Development, Food and Drug Administration, and Related Agencies Appropriations Act, 2022” (H.R.4356) funds the U.S. Department of Agriculture’s (USDA) broadband programs, notably through the Rural Utilities Service (RUS). In the committee report, for the top-line of the USDA program that funds broadband development in rural areas, the committee explained:
§ For the Rural Electrification and Telecommunications Loans Program Account, the Committee provides a loan level of $7,195,000,000. In addition, the Committee provides $33,270,000 for administrative expenses.
§ Consumer Oriented Operating Loans.—Rural cooperative utilities, which are owned by consumers have suffered severe energy cost spikes due to winter storm Uri and other severe weather events. The Rural Utilities Service (RUS) is encouraged to offer financially feasible low interest loans and other financial incentives to cooperatives (and other non-profit electric utilities) to smooth the impact of severe weather related energy costs and to finance consumer-oriented energy efficiency measures which would provide relief to rural consumers as well as facilitate reductions in carbon pollution.
For the Broadband Program, the Committee provides an appropriation of $1,772,000 for a loan authorization level of $11,869,000. The Committee specifies the following projects and amounts to be funded in fiscal year 2022.
Earmarks returned this year (renamed “Community Project Funding,” for “That which we call a rose/by any other name would smell as sweet;” and the committee listed those broadband projects for which Members requested funds:
The committee continued:
§ Broadband and Tribal Colleges and Universities.—The Committee encourages the Secretary of Agriculture to explore opportunities to expand broadband for 1994 Institutions (as defined in Sec. 532 of the Equity in Educational Land-Grant Status Act of 1994 (7 U.S.C. 301 note) under the Rural Electrification Act of 1936 (7 U.S.C. 901 et seq.). Stronger efforts are needed to support expansion and maintenance of broadband connectivity, including, but not limited to, equipment costs, maintenance of broadband systems, broadband infrastructure expansion, and ongoing broadband operations expenses directly related to 1994 Institutions broadband systems.
§ Broadband Technologies.—he Committee awaits the report requested in H. Rpt. 116–646 detailing the progress of the ReConnect program, including technologies used and communities served.
§ Indian Country Broadband.—The Committee urges the USDA to responsibly and efficiently take action to increase access to broadband on rural Tribal lands and supports consultation with federally recognized Indian Tribes, Alaska Native villages and corporations, and entities related to Hawaiian homelands.
§ Open Access.—The Committee recognizes the value of open access broadband fiber infrastructure projects as well as the challenges these projects face in qualifying for federal funding and directs the USDA Rural Utilities Service (RUS) to support financially-feasible open access infrastructure projects that meet its program goals.
§ ReConnect Program.—The Committee provides an additional $800,000,000 for the ReConnect program to increase access to broadband connectivity in unserved and underserved rural communities, targeting areas of the country with the largest broadband coverage gaps, including those with mountainous terrain.
§ ReConnect Awards.—The Committee recognizes the importance of quickly closing the digital divide to economic development, especially in rural communities, and further recognizes how the COVID–19 pandemic has exacerbated existing digital disparities over the last year. Similarly, the Committee recognizes that the difficulties of operating in a pandemic can make the administration of broadband projects more difficult due to disruptions in workforce and supply chains. Therefore, the Committee encourages Rural Development to work to expeditiously disburse ReConnect funds once grants and loans are awarded. Additionally, the Committee encourages the Department to examine, and appropriately adjust and lower the collateral requirements within ReConnect Loan Agreements, Grant Agreements, or Loan/Grant Agreements to ensure greater Program access.
§ ReConnect Service Areas.—RUS Telecommunications Program funds should not be awarded in any areas, study areas or census blocks where a recipient of FCC High-Cost USF support is already subject to a buildout obligation of 25/3 Mbps or greater for fixed terrestrial broadband, except that RUS Telecommunication Program funds may be awarded in such areas to help finance construction of the network. This shall not apply in cases where the FCC has not provided for final approval of an award of such funds.
The “Energy and Water Development and Related Agencies Appropriations Act, 2022” (H.R.4549) funds the Department of Energy (DOE) and its various programs to help the cybersecurity of the U.S. electric grid and other energy programs. The committee report explains a number of these programs and what the committee wants to see in the coming fiscal year:
§ Benefits of Renewable and Clean Energy Technologies.—The Committee recognizes the significant impacts of the nation’s energy infrastructure on social, health, economic, and ecological outcomes, and that successful decarbonization efforts must consider these im- pacts in a holistic manner. Therefore, the Department is encouraged to expand its efforts to study the varied benefits of distributed, renewable, and clean energy technologies, including their potential to 1) address racial and economic inequality; 2) promote community health and well-being; 3) strengthen the climate and disaster resilience and cybersecurity of the nation’s energy infra- structure; and 4) increase democratic participation in the energy sector. Further, the Department is encouraged to examine how in- creased public and nonprofit ownership of distributed, renewable, or clean energy infrastructure, including federal, regional, municipal, and cooperative ownership of generation, distribution, and transmission, can employ accountability mechanisms to maximize the achievement of the described benefits, while also increasing planning capacity to accelerate the transition to a net-zero emissions economy. Finally, to conduct interdisciplinary research on these questions, the Department is encouraged to collaborate with other federal agencies, such as the Department of Health and Human Services, Department of Labor, Department of Commerce, Environmental Protection Agency, Department of the Interior, and Department of Homeland Security, including the Cybersecurity and Infrastructure Security Agency.
§ Blockchain for Energy Procurement and Traceability.—Public, open-source decentralized technologies like blockchain are being used in various markets worldwide to develop new digital plat- forms for renewable energy procurement and help the companies, cities, and other renewable energy buyers meet their voluntary procurement goals. These digital solutions built with decentralized technologies may help simplify, reduce costs, and enhance the traceability of renewable energy trading and reporting among market participants. These solutions may also help expand access to more market participants. The Department is directed to coordinate research about the opportunity and needs for new digital solutions built with public, open-source decentralized technologies to promote renewable energy procurement, market access, and market growth.
The DOE’s Cybersecurity, Energy Security, and Emergency Response (CESER) program would receive $177 million, some $24 million less than the Biden Administration requested but $21 million more than its FY 2021 funding. The committee has a number of policy directions to CESER:
§ The Cybersecurity, Energy Security, and Emergency Response program leads the Department’s efforts to secure the nation’s energy infrastructure against all hazards, reduce the risks of and impacts from cyber events and other disruptive events, and assist with restoration activities. A reliable and resilient power grid is critical to the nation’s economic competitiveness and leadership.
§ Additional direction related to Department-wide crosscutting initiatives is provided under the heading Crosscutting Initiatives in the front matter of Department of Energy.
§ The Department is directed to include an itemization of funding levels below the control point in future budget submissions.
§ The nation continues to face global cybersecurity threats from nations such as Iran, Russia, and North Korea that have launched documented cyberattacks on the country. Because of their unique location and geography, island states and territories host a disproportionate amount of our national security and defense forces, putting island states and territories and the electric grid infrastructure at risk. Remote island communities also face the added burden of not being able to integrate with mainland infrastructure and are excluded from designations and programs such as the Defense Critical Electrical Infrastructure, which may otherwise afford these communities with additional resources. The Committee encourages the Department to work with electric cooperatives, public utility districts, investor-owned utilities, and municipal utilities serving island communities to plan and build out needed cybersecurity infrastructure. The Department is directed to submit to the Committee not later than 180 days after enactment of this Act a report assessing the current vulnerabilities of island communities and how the Department can provide resources and technical assistance to mitigate vulnerabilities.
§ In light of documented cyber targeting of utilities, including by state actors, the Committee encourages the Department to incorporate pilot programs with private sector participants to demonstrate active defense cybersecurity protection.
§ The Committee is concerned about the substantial and growing threat from cybersecurity attacks to the electrical grid. The Committee supports the Department’s efforts to identify and develop defenses for these new cyber threats, including developing proof of concept algorithms that can be tested across a full range of attacks in both testbed and real environments. The recommendation provides not less than $2,000,000 for digital twin projects to enable essential collaborator participation and their integration into the effort.
§ The recommendation provides up to $20,000,000 for the Cyber Testing for Resilient Industrial Control System (CyTRICS) program.
§ Risk Management Technology and Tools.—The recommendation provides up to $10,000,000 for consequence-driven cyber-informed engineering and $4,000,000 for university-based research and development of scalable cyber-physical platforms for resilient and secure electric power systems that are flexible, modular, self-healing, and autonomous. This activity should be conducted in coordination with the Office of Electricity.
§ The recommendation provides not less than $5,000,000 to conduct a demonstration program of innovative technologies, such as technologies for monitoring vegetation management, to improve grid resiliency from wildfires.
§ The recommendation includes not less than $2,000,000 to continue the establishment of a network of university-based, regional energy cybersecurity centers. The centers should address interrelated research and development challenges of cybersecurity and critical energy infrastructure and develop a trained, globally competitive workforce. The centers should be distributed regionally across the country to leverage regional utilities, national laboratories, and regulatory bodies and take into account the distinctive characteristics of each region’s electricity system, network of oil and gas infrastructure, and workforce expertise. The Department is directed to coordinate these activities with the Office of Electricity and the Office of Energy Efficiency and Renewable Energy.
§ Response and Restoration.—The Committee places a high priority on ensuring the protection of the electric grid against cyberattacks and extreme weather events. The Response and Restoration pro- gram coordinates a national effort to secure the U.S. energy infra- structure against all hazards, reduce impacts from disruptive events, and assist industry with restoration efforts. The program delivers a range of capabilities including energy sector emergency response and recovery, including emergency response of a cyber nature; near-real-time situational awareness and information sharing about the status of the energy systems to improve risk management; and analysis of evolving threats and hazards to energy infra- structure.
§ Information Sharing, Partnerships, and Exercises.—The Information Sharing, Partnerships, and Exercises program supports energy sector security and resilience through coordination with government and industry partners. This program provides technical assistance that incorporates exercises to strengthen federal, regional, state, tribal, and territorial abilities to work together to prepare for and mitigate the effects of an energy sector emergency and focuses on training the next generation workforce on energy sector risks.
The “Department of the Interior, Environment, and Related Agencies Appropriations Act, 2022” (H.R.4372) contains a funding increase for cybersecurity. The Environmental Protection Agency (EPA) would receive a massive boost in cybersecurity funding on a percentage basis as part of a larger trend this year, quite likely because the spate of successful penetrations of U.S. government systems by Russian and Chinese hackers:
§ Homeland Security.—The Committee recommends $40,388,000, $4,655,000 above the enacted level and equal to the request. The Committee is aware of reports of cyber intrusions into critical water infrastructure and notes the continuing vulnerability of the water sector to cyberthreats. The Agency is directed to periodically brief the Committee on the actions it is taking to protect against this and other threats.
Of course, the EPA funding bump is due to an attack on a Florida drinking water system earlier this year.
The ”Departments of Labor, Health and Human Services, and Education, and Related Agencies Appropriations Act, 2022” (H.R.4502) and its committee report contain some technology items. The Department of Health and Human Services (HHS) would get a significant increase in funding, but the committee tells the agency to shutter an existing program so as to avoid duplication:
§ The Committee provides $159,116,000, an increase of $101,296,000, for information technology cybersecurity in the Office of the Chief Information Officer and HHS-wide to strengthen the Department’s cybersecurity posture. The Committee does not include funding to continue HHS Protect, as capabilities shall no longer be duplicated at the Departmental level or shall be delegated to the appropriate operating division.
The National Institutes of Health (NIH) would also see a significant funding increase to aid its cybersecurity:
§ Cybersecurity.—The Committee includes an increase of $100,000,000 to support expanded cybersecurity efforts at NIH, as requested in the fiscal year 2022 budget. Funding will enhance Security Operations Center functions, expand threat mitigation and incident response capabilities, implement important architectural improvements to the NIH network, and implement tools and technologies to allow real time monitoring of activity across a variety of sources.
The committee tasks the Secretary of Health and Human Services with examining and reporting on the effect of social media “and negative social and individual outcomes:”
§ Report on the Effects of Social Media Use.—The Committee continues to support efforts by the Secretary to investigate whether there is a relationship between the use of social media and negative social and individual outcomes, including clinical and undiagnosed depression; self-harm, such as suicide, attempted suicide, and suicidal ideation; harm to others; cyber bullying; chronic anxiety; or social isolation. Such investigation should consider the role of content and presentation in social media that is linked to negative outcomes, as well as the design of algorithms to prioritize user engagement. In addition, the report should include consideration of the following questions: what type of content drives user participation on these platforms; how is that content most frequently presented to users on these platforms; and does that presentation lead to negative physical, mental or emotional health outcomes; what types of emotions characterize social media interactions; how do these companies design their algorithms to engage users; and is that design prioritizing engagement over user well-being. The Committee encourages the Secretary to provide a report within 90 days of enactment of this Act on the continued progress in this research area.
§ The Committee is concerned that many legislative branch agencies continue to store critical data on Capitol Hill and in the Alternate Computing Facility which does not meet high physical security standards or Tier III data center requirements and has had a history of system failures and outages. The Committee directs each legislative branch agency to utilize available contract vehicles to expeditiously secure agency data in facilities that have been third-party certified to meet Tier III standards and geographically located outside of the National Capitol Region (NCR). Additionally, the Committee directs each legislative branch agency to provide the Committees an action plan within 60 days of enactment of this Act which details a schedule, cost and implementation plan to secure agency data in a certified Tier III facility by January 31, 2022.
§ Cloud Technologies: The Chief Administrative Officer (CAO) is encouraged to continue to investigate and pilot various cloud service options that will provide House offices with greater accessibility to their files, enhanced collaboration tools, and more storage. The Committee supports standardizing cloud services to strengthen the House’s security posture and provide Member offices additional support and cost savings.
§ Combatting Cyberattacks: The Committee notes that the CAO is charged with combatting cyberattacks that could disrupt the House’s ability to perform its constitutional duties. Accordingly, the recommendation includes funding in fiscal year 2022 to continue to strengthen cyber defenses from sophisticated actors and encourages the CAO to explore a Zero Trust security model based on the National Institute of Standards and Technology standards as one of the tools to use against novel threat actors.
§ Digital Workspace Technologies: The Committee recognizes that the use of digital workspace technologies in Member offices can increase user productivity, enhance cybersecurity, and allow workforce flexibility for both Congressional staff and Members of Congress. The Committee continues to encourage the exploration of multi-factor authentication solutions to strengthen the cybersecurity posture of all legislative offices, including strategies and programs that reduce the total life cycle costs of traditional legacy workspace infrastructure.
The committee included increased funding for two Congressional agencies to give the body better understanding of and insight into technology issues:
§ The Committee notes the interest among some Members during the past several years to reinstitute the Office of Technology Assessment (OTA), which was defunded in 1995. In fiscal year 2019 the Committee instructed the National Academy of Public Administration (NAPA) to conduct a study to determine the best way to increase Congress’s access to needed in-depth analysis of fast-breaking technology developments. The NAPA report, released in November, 2019, recommended strengthening the capacity of the Government Accountability Office (GAO) and Congressional Research Service (CRS) in technology assessment rather than restarting OTA. The Committee is pleased with both CRS and the GAO’s efforts to increase the depth and breadth of its capacity to provide research and policy analysis on current and emerging legislative issues related to science and technology (S&T) and Federal uses and oversight of S&T.
§ CRS is encouraged to continue to hire additional staff for their specialized teams working on science and technology issues expanding its capacity and expertise to allow CRS to meet the growing need of Congress for timely, complex, and multidisciplinary analysis of policy issues related to these rapidly changing technologies, the effects of Federal government in oversight of such technologies, and the effects of the Federal government S&T policies across all sectors. CRS is also encouraged to increase outreach efforts to make Members and congressional staff more aware of the resources it provides related to S&T issues Congress is examining.
§ Additionally, in 2019 the GAO established a Science, Technology Assessment, and Analytics (STAA) team to better address the evolving and time-sensitive needs of Congress. The Committee encourages the GAO to continue to strengthen its STAA S&T team and the Innovation Lab to increase the depth, breadth, and diversity of knowledge available to meet congressional needs.
§ As a result, the bill provides the full request for CRS and GAO to strengthen S&I programs. The Committee will continue to review the work of CRS and the GAO to see if other steps are needed in the future.
The committee had many directions and requirements for the Department of Veterans Affairs’ (VA) troubled Electronic Health Record Modernization in the “Military Construction, Veterans Affairs, and Related Agencies Appropriations Act, 2022” (H.R.4355) and the committee report:
§ VA Electronic Health Record Modernization (EHRM).—After at least a decade of Congressional encouragement to DOD and VA to develop a single electronic health record (EHR), VA finalized a contract in 2018 to acquire the same EHR system that DOD is adopting. The bill includes $2,637,000,000 for EHRM and continues strict quarterly reporting of timelines, performance milestones, costs, implementation, and change management. The bill also continues the requirement for GAO to review EHRM implementation so that Congress can be informed of any problems at a point where they can be promptly and economically addressed.
§ The Veterans Electronic Health Record is a unified account designed to manage the effort to develop an interoperable electronic health record system that will access seamlessly the records of Veterans in the VA system and those of the Department of Defense and of community providers. The VA system is the same as the one chosen by DOD and is planned to be rolled out with the same timeline and geographic areas as DOD in order to realize cost efficiency savings.
§ The bill provides an increase of $10,000,000 above the fiscal year 2021 level to support VA’s on-going efforts to deploy the new electronic health record system. Within the total funding, the bill includes $1,416,498,000 for the electronic health record contract, $276,705,000 for program management, and $943,797,000 for infra- structure support. Funding is made available for three years due to the uncertainty of the timing of obligations for this substantial effort.
§ This account is intended to be the single source of funding within VA for the electronic health record effort. No authority is provided for funds from other VA accounts to be transferred into this account nor for funds from this account to be transferred out to other accounts. Consistent with the effort to centralize financial management of the development of the electronic health record, the Committee continues to direct the Department to manage this effort at the headquarters level in the Office of the Deputy Secretary.
§ The bill continues language requiring the Secretary to submit a quarterly report to the Committees on Appropriations of both Houses of Congress detailing obligations, expenditures, and deployment strategy by facility. VA is directed to continue quarterly briefings on performance milestones, costs, and changes to implementation and management plans, and to provide an accurate up-to-date deployment schedule each quarterly briefing. Additionally, the Committee directs the Department to provide updates on plans and efforts to integrate community care providers into the new EHR system. Such updates should be submitted concurrently with the quarterly reports.
§ In addition, bill language is included requiring notice to and approval from the Committees on Appropriations of both Houses of Congress on any changes to the deployment schedule. Should there be any deviation from the deployment schedule, the Committee directs the Department to formally submit in writing a proposed up- dated deployment schedule within 7 days of notification to the Committees of any potential Change, and prior to implementation of the updated deployment schedule. The Committee repeats the fiscal year 2020 directive for GAO to perform quarterly performance reviews of the VA electronic health record deployment. It is expected that this quarterly reporting will provide the Committees and VA with timely information to properly oversee this effort and address important issues.
§ Cybersecurity for Electronic Health Records and Blockchain Technology.—Recognizing the ongoing challenges of sharing data between MHS GENESIS and the Department’s EHRM initiative, the Committee encourages the Department to continue prioritizing efforts to protect Veterans’ sensitive information when implementing EHRM, and recommends the Department consider emerging technologies, such as blockchain technology, if future requirements drive a need to modify VA’s security architecture and technical solutions. The Committee understands that the Department is undertaking a pilot to study the use of blockchain technology to share data and looks forward to the results of the pilot being shared with the Committee.
§ Transparency on EHRM Third-Party Application Review.—The Committee continues to encourage VA to ensure that the new EHRM initiative provides an open architecture that allows a governance and oversight process for administering access and support to deploy third-party applications, components, and application programming interfaces. The Committee encourages the Department and the Federal Electronic Health Record Modernization Program Office to ensure the standards and evaluation criteria for commercially available software, tools and products that advance interoperability and seamless care are readily available for review, such as on the EHRM webpage.
The committee also weighed in on the security of telehealth communications:
§ Encrypted Communications for Telehealth.—In coordination with the Veterans Health Administration and Office of Electronic Health Records Modernization, the Office of Information Technology is directed to utilize the best technologies, such as end-to-end encrypted communications with zero-trust architecture, that can reliably serve Veterans and healthcare providers.
§ The Federal Communications Commission (FCC) announced “its first steps to move forward with funding new broadband deployments across the country through the Rural Digital Opportunity Fund” and that “it is ready to authorize over $311 million in broadband funding across 36 states through the Rural Digital Opportunity Fund.” The FCC further asserted “[a]t the same time, the agency took steps to clean up issues with the program’s design originating from its adoption in 2020.” The FCC also announced
o By this Public Notice, the Rural Broadband Auctions Task Force, Wireline Competition Bureau, and the Office of Economics and Analytics announce that certain Rural Digital Opportunity Fund (Auction 904) winning bidders have notified us that they do not intend to pursue some or all of their winning bids. In addition, in some cases, winning bidders assigned their winning bids to related entities and those assignees have notified us that they do not intend to pursue some or all of the winning bids they have been assigned.
o By this Public Notice, the Rural Broadband Auctions Task Force, Wireline Competition Bureau (Bureau), and the Office of Economics and Analytics announce they are ready to authorize Rural Digital Opportunity Fund (Auction 904) support for the Auction 904 winning bids identified in Attachment A of this Public Notice. To be authorized to receive the total 10-year support amounts listed in Attachment A, the long-form applicants identified in that attachment are required to submit acceptable irrevocable stand-by letter(s) of credit and Bankruptcy Code opinion letter(s) from their legal counsel for each state where they have winning bids that are ready to be authorized in accordance with the instructions provided below by the applicable deadline
o In this Order, the Wireline Competition Bureau, in conjunction with the Rural Broadband Auctions Task Force and the Office of Economics and Analytics, partially deny petitions submitted by AB Indiana LLC and LTD Broadband LLC that seek waiver of the June 7, 2021 deadline requiring each Rural Digital Opportunity Fund Phase I auction (Auction 904) long-form applicant to demonstrate, with appropriate documentation, that it has been designated as an eligible telecommunications carrier (ETC) in each of the geographic areas for which it seeks to be authorized for Auction 904 support. Consistent with the Commission’s direction in the Rural Digital Opportunity Fund Order, we find that these entities failed to engage in good faith efforts to pursue and obtain the required ETC designation from the states for which we deny their petitions.
§ The states that brought an antitrust action against Facebook a United States court dismissed have appealed. Recently, the Federal Trade Commission split along party lines in voting to file an amended complaintagainst Facebook in its federal antitrust case. In late June, the United States District Court for the District of Columbia dismissed the antitrust suits the Federal Trade Commission (FTC) and 48 state attorneys general brought against Facebook. The court granted Facebook’s motion to dismiss against the FTC because it failure to makes its case under Section 2 of the Sherman Antitrust Act that Facebook “has monopoly power in the market for Personal Social Networking (PSN) Services.” In the case the states brought, the court granted Facebook’s motion to dismiss because the attorneys general filed it so long after the company acquired Instagram and WhatsApp and its alleged conduct that denied other messaging apps the opportunity to work in an interoperable fashion with Facebook’s.
§ The United Kingdom’s (UK) Information Commissioner’s Office (ICO) “has launched a public consultation on its draft international data transfer agreement (IDTA) and guidance.” The ICO stated:
o When organisations send personal information to a country outside the UK, they must ensure people’s data protection rights continue to be protected. An IDTA is a contract that organisations can use when transferring data to countries not covered by adequacy decisions.
o The IDTA will replace the current standard contractual clauses (SCCs) to take into account the binding judgment of the European Court of Justice in a case commonly known as ‘Schrems II’. The ruling required organisations to carry out further diligence when making a transfer of personal data outside of the UK to countries without an adequacy decision.
o The consultation is split into three sections, offering a selection of proposals and options to consider.
§ Proposal and plans for updates to guidance on international transfers.
§ Transfer risk assessments.
§ The international data transfer agreement.
o The ICO is also asking for views on any relevant privacy rights, legal, economic or policy considerations and implications. Responses will help the regulator understand the practical impact of proposed approaches on organisations.
o The new IDTA will support the UK’s digital economy by continuing to enable the global flow of people’s information with the safeguards of high standards of data protection.
o Our recent investigation into the TECNO Y2 showed that at least one TECNO phone is currently on sale with an operating system that hasn’t received updates since 2013. We are concerned because this is leaving users vulnerable to hundreds of well-known and serious exploits.
o The Y2 was discontinued by TECNO in November 2019, but PI have found examples of the TECNO Y2 phone being sold in stores with this extremely outdated operating system as recently as 2020. And we have found it and similar devices by TECNO using Android 4.4 available online in 2021. This means that even though a person would be buying the phone brand new, its operating system could be over 7 years out of date, and incredibly insecure.
o The TECNO Y2 is also sold with pre-installed apps that users can not uninstall but are, nonetheless, using up space on their device.
o We are writing to ask you to make the below changes urgently:
§ TECNO should ship phones with a supported version of the Android operating system.
§ TECNO should do their best to support the longevity of their devices and therefore combat e-waste. They must tell consumers, at the point of sale, how long their device will be supported, provide regular updates to the device, and notify users when continuing to use a device poses a risk to their privacy or security.
§ TECNO should minimise the amount of bloatware, superfluous apps and other extras that come pre-installed on their phones. Whenever bloatware is included, it should exist in the user partition and therefore be visible to and removable by the user.
§ After the New York Timesreported on a report Facebook did not want to issue on content on the platform for the first quarter of the year, the company released the report on a weekend evening and then the link expired. Other entities are now hosting the report (here and here). Facebook spokesperson Andy Stone claimed on Twitter: “On the question of the unreleased report from earlier this year and why we held it. We ended up holding it because there were key fixes to the system we wanted to make.”
o Facebook officially released the second quarter report titled “Widely Viewed Content Report: What People See on Facebook” and asserted:
§ The content that’s seen by the most people isn’t necessarily the content that also gets the most engagement. Read more about how engagement — the likes, shares, and comments a Page or post generates — doesn’t equate to its reach, the number of people who actually see it.
§ The majority (57%) of posts that people see is from their family and friends, in line with changes we made in the past so that content from friends and family makes up a larger portion of News Feed.
§ Fewer than 13% of content views were on posts with links, and the top-viewed news domains account for only 0.31% of all content views in News Feed. Of those outlets, mainstream media dominate by views. We’ve explained before why only a small portion of News Feed is news.
§ This report sheds light on the kinds of posts and Pages that are actually the most widely viewed — with many of the most-viewed Pages focused on sharing content about pets, cooking, family, and relatable viral content.
§ The European Data Protection Board (EDPB) issued “Overview on resources made available by Member States to the Data Protection Authorities and on enforcement actions by the Data Protection Authorities.” The EDPB explained:
o The European Data Protection Board (EDPB) received a request from the Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) of the European Parliament to share some statistics on resources made available by Member States to the supervisory authorities (SA) from the European Economic Area (EEA) and on enforcement actions by the SAs. The EDPB already gathered in the past similar information in the context of a Report in 2019 about the GDPR implementation made at the request of the LIBE Committee and the contribution of the GDPR evaluation made in 2020 at the request of the European Commission.
§ The White House Office of Science and Technology Policy (OSTP) and National Science Foundation (NSF) have issued a request for information and extended a previously issued one in order to inform the Biden Administration’s artificial intelligence policy making. The agencies stated:
o On July 23, 2021, the Office of Science and Technology Policy (OSTP) and the National Science Foundation (NSF) published in the Federal Register a document entitled “Request for Information (RFI) on an Implementation Plan for a National Artificial Intelligence Research Resource” and invited comments to inform the work of the National Artificial Intelligence Research Resource (NAIRR) Task Force (“Task Force”). The Task Force has been directed by Congress to develop an implementation roadmap for a shared research infrastructure that would provide Artificial Intelligence (AI) researchers and students across scientific disciplines with access to computational resources, high-quality data, educational tools, and user support. In response to requests by prospective commenters that they would benefit from additional time to adequately consider and respond to the RFI, OSTP and NSF have determined that an extension of the comment period until October 1, 2021, is appropriate.
§ Earlier this month, Virginia’s Joint Commission on Technology and Science’s Consumer Data Protection Act Workgroup met per this agenda to further its role in implementing the “Virginia Consumer Data Protection Act” (VCDPA) (HB 2307 / SB 1392). The new privacy statute decreed that this committee “shall review the provisions of this act and issues related to its implementation.” Moreover, “[t]he Chairman of the Joint Commission on Technology and Science shall submit the work group's findings, best practices, and recommendations regarding the implementation of this act to the Chairmen of the Senate Committee on General Laws and Technology and the House Committee on Communications, Technology and Innovation no later than November 1, 2021.” Public comments were submitted, and the office of Governor Ralph Northam submitted a presentation on administrative considerations and made the following recommendations:
o Increased Protections for Children (Automatic Opt-Out)
§ The administration recommends the consideration of an automatic opt-out for minors be implemented
· Colorado’s and California’s consumer data protection laws contain relevant provisions, and consumer protection experts recommend it
· It would only apply to persons known to be children by data controllers or processors
o Increased Protections for Children (Authorization Process)
§ VCDPA could define the process by which the utilization of data from a minor may be authorized
· Under the Colorado Privacy Act (CPA,) controllers are prohibited from processing personal data concerning a child under the age of 13 “without first obtaining consent from the child’s parent or lawful guardian” (CPA, SB 21-190, pg. 25, 2021)
§ The language provided in the CPA offers a good model that could be adopted into the VCDPA
o General Opt-Out
§ The Administration suggests the consideration of a clause granting Virginia consumers the right to a universal opt-out mechanism
§ As written currently, VCDPA grants consumers the right to opt out of the processing of personal data for:
· Targeted advertising
· The sale of personal data
· Profiling in furtherance of decisions that produce legal or similarly significant effects
§ Language similar to that in the Colorado Privacy Act (CPA) regarding an authorized agent opt-out could be adopted
· Under CPA, consumers have the right to “authorize another person, acting on the consumer’s behalf, to opt out of the processing of the consumer’s personal data... including through a technology indicating the consumer’s intent to opt out such as a web link indicating a preference or browser setting, browser extension, or global device setting” (Colorado Privacy Act, SB 21-190, pg. 18, 2021)
o OAG Reporting Structure
§ The workgroup may consider a provision that would create an annual report from OAG on enforcement actions
§ The report might also:
· Identify shortcomings encountered related to consumer
· Provide recommendations for more effective enforcement
· Provide data on usage, opt-out frequency, etc.
§ An annual report could provide a clear roadmap for businesses on what activities are impermissible, and confidence for consumers in the privacy of their data
o Public Record Processors
§ The workgroup may consider offering clarity to public record processors in the Definitions section of the bill
§ Public record processors, such as Lexis Nexis, Westlaw, etc. offer critical services to government, research institutes, law enforcement, and the general public
§ Given their role as an aggregator of publicly available information, an exemption or modification should be considered for this
§ “Vigilante app Citizen is paying people to livestream crime scenes and emergencies” By Jmaes Vincent — The Verge. Citizen, an app dedicated to blasting users with notifications about emergencies and crime scenes in their area, has been paying people to film its content. The company has been recruiting “field team members” via online job listings, offering applicants $200 to $250 a day if they can track down and livestream events in their local area. These events could range from “child reported missing, to house fire, to anything else,” says the listing, with workers expected to interview witnesses and police officials.
§ “Apple, AMD, and Intel shift priorities as chip shortages continue” By Jim Salter — Ars Technica. 2021's infamous chip shortages aren't only affecting automakers. In a post-earnings conference call Tuesday, Apple CEO Tim Cook said, "We'll do everything we can to mitigate whatever circumstances we're dealt"—a statement that likely means the company will ration its chip supplies, prioritizing the most profitable and in-demand items such as iPhones and AirPods, at the expense of less profitable and lower-demand items.
§ “T-Mobile confirms it will shut down Sprint’s LTE network next year” By Allison Johnson — The Verge. As reported by Light Reading and confirmed to The Verge, T-Mobile has committed to a June 30, 2022 shutdown date for Sprint’s LTE network. It’s an expected move as T-Mobile continues to absorb Sprint’s network and customers into its own base, and comes six months after its contentious planned January 1, 2022 shutdown of Sprint’s 3G CDMA network. A third of Sprint customers have already been moved onto the T-Mobile network, according to T-Mobile. The company expects to be able to migrate the remaining two thirds by that mid-2022 deadline, according to CFO Peter Osvaldik’s remarks at an investor conference last month. Some of those customers will likely need new devices that are compatible with T-Mobile LTE and VoLTE, though the company has had no shortage of enticing 5G phone offers lately. T-Mobile says it will reach out to all customers who will need a new SIM card or device to stay connected, but if you’re curious whether your device is compatible you can run an IMEI check on T-Mobile’s website.
§ “Facebook Acquisition Review Shows EU’s New Antitrust Power” By Daniel Michaels — The Wall Street Journal. Facebook Inc. has hit a new obstacle in Europe in its planned takeover of a small New York-based startup, showing how antitrust muscle-flexing is increasingly affecting deals an ocean away. With a new interpretation of an old law, European Union competition regulators have given themselves sweeping authority to review merger cases that previously would have escaped their notice, sparking outcry from companies and their lawyers that the change will cause confusion in deal-making.
§ “Google+ class action starts paying out $2.15 for G+ privacy violations” By Ron Amadeo — Ars Technica. Who remembers the sudden and dramatic death of Google+? Google's Facebook competitor and "social backbone" was effectively dead inside the company around 2014, but Google let the failed service hang around for years in maintenance mode while the company spun off standalone products. In 2018, The Wall Street Journal reported that Google+ had exposed the private data of "hundreds of thousands of users" for years, that Google knew about the problem, and that the company opted not to disclose the data leak for fear of regulatory scrutiny. In the wake of the report, Google was forced to acknowledge the data leak, and the company admitted that the "private" data of 500,000 accounts actually wasn't private. Since nobody worked on Google+ anymore, Google's "fix" for the bug was to close Google+ entirely. Then the lawsuits started.
§ “Location-Data Broker X-Mode to Be Bought by Digital Envoy” By Byron Tau and Patience Haggin — The Wall Street Journal. The location-data broker X-Mode Social Inc., which was kicked off the Apple and Google platforms last year over its national-security work with the U.S. government, is being acquired, the company told The Wall Street Journal. X-Mode will become part of the Atlanta-based IP intelligence company Digital Envoy Inc., both companies are set to announce this week. As part of the merger, X-Mode will be rebranded as Outlogic and its chief executive, Joshua Anton, will join Digital Envoy as chief strategy officer. The purchase price and other terms of the acquisition aren’t being disclosed. X-Mode was based in the suburbs of Washington but abandoned its office space during the pandemic and went fully remote.
§ “Only Facebook knows the extent of its misinformation problem. And it’s not sharing, even with the White House.” By Elizabeth Dwoskin, Cat Zakrzewski, and Tyler Pager — The Washington Post. In tense meetings between Facebook executives and White House officials tasked with fighting the pandemic in recent months, Biden’s team begged the social network giant for something only Facebook possessed: its data. Facebook’s vast data trove could be crucial to understanding how medical misinformation has spread rampantly on the company’s platforms — and more importantly, to overcoming the skepticism about vaccines that had arisen from it, according to three administration officials who spoke on the condition of anonymity to discuss sensitive matters. Discussions came to a head last month, whenPresident Biden fell short of his vaccination goals and said platforms like Facebook were “killing people.” (He subsequently backed away from the comment.)
§ “This Russian Cyber Mogul Planned To Take His Company Public. Then America Accused It Of Hacking For Putin’s Spies.” By Thomas Brewster — Forbes. The city was under siege. Hackers had knocked out its electricity and oil production, caused an explosion at a gas station and dropped a shipping container on a barge at the port. The carnage was contained, though, occuring in a model city, an ersatz modern metropolis in miniature. It was make-believe cyberwar - a contest between “red team” hackers and “blue team” defenders - set up in a conference venue at a Moscow hotel, and watched over by Yury Maksimov, the 43-year-old majority owner of Positive Technologies, which had hosted the competition for a decade.
§ 1 September
o The House Armed Services Committee will mark up the FY 2022 National Defense Authorization Act (H.R.4395).
o The House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Innovation Subcommittee will hold a hearing titled “Stakeholder Perspectives on the Cyber Incident Reporting for Critical Infrastructure Act of 2021.”
§ 3 September
o Australia’s Parliamentary Joint Committee on Corporations and Financial Services will hold a hearing on its inquiry into Mobile payment and digital wallet financial services and a hearing on its inquiry into Regulation of the use of financial services such as credit cards and digital wallets for online gambling in Australia
§ 7 September
o The California Privacy Protection Agency Board hold a public meeting.
§ 8 September
o Australia’s Select Committee on Australia as a Technology and Financial Centre will hold a hearing on its inquiry.
o The California Privacy Protection Agency Board hold a public meeting.
§ 30 September
o The Federal Communications Commission (FCC) will hold an open meeting. No agenda has been announced as of yet.