The EARN IT Act Returns
A tweaked version of the “Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2022” (EARN IT Act) (S.3538/H.R.6544) has been released and is set to be marked up in the Senate Judiciary Committee. The new bill tracks closely to a bill of the same name that was reported unanimously out of the Senate Judiciary Committee in 2020 (see here and here for more detail and analysis on the legislation in 2020). Broadly speaking, this bill would peel back protection under 47 U.S.C. 230 (Section 230) for online platforms that are not taking certain steps to find and remove child sexual abuse material (CSAM). Proponents argue that platforms are not doing enough to find and take down CSAM and that, without legal immunity, they would have greater incentive to improve their efforts. Critics of the EARN IT Act, and there are many, claim that the bill will drive platforms towards removing or barring the use of end-to-end encryption, which will threaten the privacy of communications and will fall hardest on minorities and those who need anonymity.
The opposition to the new EARN IT Act was swift to articulate their concerns. Fight For The Future stated:
US Senators Lindsey Graham (R-SC) and Richard Blumenthal (D-CT) have reintroduced the EARN IT Act, a dangerous piece of legislation that has been roundly condemned by nearly every major LGBTQ+ organization in the US as well as human rights and security experts from around the world.
The Center for Democracy and Technology (CDT) warned:
…the reintroduction of the EARN IT Act in the Senate threatens free expression and internet users’ ability to take advantage of the crucial protections of strong encryption. Addressing online child exploitation is essential, but this bill increases risks to the online safety of both children and adults. As CDT and numerous other civil society organizations have explained in the past, the EARN IT Act will result in online censorship disproportionately impacting marginalized communities and it will jeopardize access to encrypted services.
The Electronic Frontier Foundation claimed:
A group of lawmakers led by Sen. Richard Blumenthal (D-CT) and Sen. Lindsey Graham (R-SC) have re-introduced the EARN IT Act, an incredibly unpopular bill from 2020 that was dropped in the face of overwhelming opposition. Let’s be clear: the new EARN IT Act would pave the way for a massive new surveillance system, run by private companies, that would roll back some of the most important privacy and security features in technology used by people around the globe. It’s a framework for private actors to scan every message sent online and report violations to law enforcement. And it might not stop there. The EARN IT Act could ensure that anything hosted online—backups, websites, cloud photos, and more—is scanned.
However, the National Center for Missing & Exploited Children (NCMEC) voiced its support:
NCMEC supports the EARN IT Act because it provides ESPs with voluntary best practices developed by industry and subject matter experts to prevent, reduce, and respond to the online sexual exploitation of children. The bill also enables children who have been sexually exploited online, as well as State Attorneys General, to seek legal recourse against online platforms that engage in the distribution and circulation of sexually abusive images across the internet.
This legislation also recognizes the grievous impact of online child sex trafficking and online enticement of children for sexual abuse and the need to ensure ESPs report these crimes to the CyberTipline. Finally, this legislation also achieves a long sought-after and over-due measure to replace the term "child pornography" with "child sexual abuse material" throughout the criminal code. NCMEC strongly supports this legislative measure because child sexual abuse material most accurately reflects what is depicted in these images - the rape and sexual abuse of children.
One of the bill’s sponsors asserted in his statement:
The EARN IT Act is supported by more than 240 groups, survivors and stakeholders, including the National Center for Missing & Exploited Children (NCMEC), Rights4Girls, the National Center on Sexual Exploitation, National District Attorneys Association, National Association of Police Organizations, Rape, Abuse & Incest National Network, International Justice Mission, and Major Cities Chiefs Association.
The EARN IT Act establishes a National Commission on Online Child Sexual Exploitation Prevention (Commission) “to develop recommended best practices that providers of interactive computer services may choose to implement to prevent, reduce, and respond to the online sexual exploitation of children, including the enticement, grooming, sex trafficking, and sexual abuse of children and the proliferation of online child sexual abuse material.” The Commission would consist of 19 members. The Attorney General would chair the Commission, and the Secretary of Homeland Security and Chair of the Federal Trade Commission would also have seats. Regarding the remaining 16 slots, the Speaker of the House, the House Minority Leader, and the Senate Majority and Minority Leaders would each name four members based on specified criteria. The EARN IT Act stipulates that:
§ 4 shall have current experience in investigating online child sexual exploitation crimes, of whom—
o 2 shall have such experience in a law enforcement capacity; and
o 2 shall have such experience in a prosecutorial capacity;
§ 4 shall be survivors of online child sexual exploitation, or have current experience in providing services for victims of online child sexual exploitation in a non-governmental capacity;
§ 2 shall have current experience in matters related to consumer protection, civil liberties, civil rights, or privacy; and
§ 2 shall have current experience in computer science or software engineering related to matters of cryptography, data security, or artificial intelligence in a non-governmental capacity; and
§ 4 shall be individuals who each currently work for an interactive computer service that is unrelated to each other interactive computer service represented under this subparagraph, representing diverse types of businesses and areas of professional expertise, of whom—
o 2 shall have current experience in addressing online child sexual exploitation and promoting child safety at an interactive computer service with not less than 30,000,000 monthly users in the United States; and
o 2 shall have current experience in addressing online child sexual exploitation and promoting child safety at an interactive computer service with less than 10,000,000 monthly users in the United States.
And so, the Commission would have at least five, maybe six members hailing from the law enforcement and prosecutorial communities (i.e. the four specified slots and the Departments of Justice and Homeland Security), or put another way, a third of the Commission would tilt towards law enforcement, which has tended to take an adversarial view towards encryption. I would hesitate to place the current or any of the recent chairs of the FTC in this camp, however.
Moreover, four of the Commission members “shall be survivors of online child sexual exploitation, or have current experience in providing services for victims of online child sexual exploitation in a non-governmental capacity.” It is likely these additional four members would make common cause with the five or six members from the law enforcement and prosecutorial communities. Thus, if the Commission operated on majority votes, nine or ten members, a majority, would probably be adversarial towards end-to-end encryption. However, the EARN IT Act foresees this possible problem and requires a supermajority of 14 members voting for best practices.
Consequently, assuming the remaining Commission members (four from the online platforms, two from the civil liberties and privacy communities, and two from computer science or engineering) are united, some of the more law enforcement-friendly best practices may not make the recommendations.
18 months after a majority of the Commission is appointed, it “shall develop and submit to the Attorney General recommended best practices that providers of interactive computer services may choose to engage in to prevent, reduce, and respond to the online sexual exploitation of children, including the enticement, grooming, sex trafficking, and sexual abuse of children and the proliferation of online child sexual abuse material.” The EARN IT Act spells out what the best practices must address:
§ preventing, identifying, disrupting, and reporting online child sexual exploitation;
§ coordinating with non-profit organizations and other providers of interactive computer services to preserve, remove from view, and report online child sexual exploitation;
§ retaining child sexual exploitation content and related user identification and location data;
§ receiving and triaging reports of online child sexual exploitation by users of interactive computer services, including self-reporting;
§ implementing a standard rating and categorization system to identify the type and severity of child sexual abuse material;
§ training and supporting content moderators who review child sexual exploitation content for the purposes of preventing and disrupting online child sexual exploitation;
§ preparing and issuing transparency reports, including disclosures in terms of service, relating to identifying, categorizing, and reporting online child sexual exploitation and efforts to prevent and disrupt online child sexual exploitation;
§ coordinating with voluntary initiatives offered among and to providers of interactive computer services relating to identifying, categorizing, and reporting online child sexual exploitation;
§ employing age rating and age gating systems to reduce online child sexual exploitation;
§ offering parental control products that enable customers to limit the types of websites, social media platforms, and internet content that are accessible to children; and
§ contractual and operational practices to ensure third parties, contractors, and affiliates comply with the best practices.
This seems straightforward, but were a Facebook or an Amazon to start instituting these best practices, it could get expensive. Of course, these would task participating platforms with even more surveillance activities than they are currently undertaking, and a likely expansion of staff and resources. The likely counterargument to added expense would probably be along the lines of “they can afford it, being among the most valuable companies in the world” and “the well-being of children” is more important than added expenses for multi-billion-dollar corporations. If widely adopted, and surely there would be immense pressure on online platforms from the U.S. government and CSAM prevention stakeholders to do so, the search for CSAM would be regularized to a degree, making it easier for law enforcement agencies to hunt down this material.
Having said that, the likely outcome is that platforms would seek to do enough to appear compliant, but a significant amount of the online CSAM would still be available, albeit in different, harder-to-find places. Platforms would likely pay particular attention to CSAM in western nations, much the same way that hate speech, extremist rhetoric, misinformation, and disinformation have often flourished in nations without the inclination or resources to press social media platforms.
However, the EARN IT Act sponsors have considered some of the above concerns. In drafting its best practices, the Commission must consider these factors:
§ the cost and technical limitations of implementing the best practices;
§ the impact on competition, product and service quality, data security, and privacy;
§ the impact on the ability of law enforcement agencies to investigate and prosecute child sexual exploitation and rescue victims; and
§ the current state of technology.
Of course, the Commission merely has to consider them; it could consider these factors and decide other concerns outweigh them.
Strangely, the bill does not even define CSAM. The EARN IT Act takes the interesting approach of essentially advising courts on what Congress thinks CSAM is instead of just defining the term:
It is the sense of Congress that the term “child sexual abuse material” has the same legal meaning as the term “child pornography”, as that term was used in Federal statutes and case law before the date of enactment of this Act.
This gives courts flexibility to include new types of material in what shall be called CSAM, but it also introduces uncertainty to platforms and users about what material could possibly be deemed CSAM. This runs the risk of separate CSAM definitions being used in different parts of the U.S., which would make the jobs of online platforms much harder. Perhaps the sponsors are wary of a statutory definition that could become outdated and obsolete, which is a fair point. Then the logical road to travel is a regulatory definition that could be changed, as necessary, through notice and comment rulemaking. And yet, neither the DOJ, the FTC, nor the Commission is given the responsibility of generating a definition through regulation.
Things get interesting with the alternative best practices the Commission must also include with its best practices submitted to the Attorney General. The Commission is given a laundry list of factors it must consider in making these alternative best practice considerations:
§ the size, type of product, and business model of a provider of an interactive computer service;
§ whether an interactive computer service—
o is made available to the public;
o is primarily responsible for hosting, storage, display, and retrieval of information on behalf of third parties, including providers of other interactive computer services; or
o provides the capability to transmit data to and receive data from all or substantially all internet endpoints on behalf of a consumer; and
§ whether a type of product, business model, product design, or other factors related to the provision of an interactive computer service could make a product or service susceptible to the use and facilitation of online child sexual exploitation.
These alternative best practices are likely meant to exclude companies like Verizon or Charter that are technically ICS under Section 230 but are rarely if ever part of the online content moderation conversation. There are other companies that could make the case that they would fit into this alternate scheme. And it makes sense to treat such companies differently, for most cable and telecommunications companies that offer broadband, wireless, and other internet services are not as active in content moderation as companies like Facebook or Twitter. Incidentally, inserting language on alternative best practices neatly splits a number of potential opponents off from the companies that will oppose the bill. Legislating becomes easier when one has fewer deep-pocketed opponents.
Nonetheless, the Attorney General must publish the recommended best practices on the DOJ’s website and in the Federal Register.
But as with many of the Section 230 bills[1], the hammer is exposing so-called interactive computer services (ICS) to litigation over CSAM. 47 U.S.C. 230[2] would be amended to generally carve out CSAM and make online platforms liable. To this end, the EARN IT Act adds this section to Section 230:
(6) NO EFFECT ON CHILD SEXUAL EXPLOITATION LAW.—Nothing in this section (other than subsection (c)(2)(A)) shall be construed to impair or limit—
(A) any claim in a civil action brought against a provider of an interactive computer service under section 2255 of title 18, United States Code, if the conduct underlying the claim constitutes a violation of section 2252 or section 2252A of that title;
(B) any charge in a criminal prosecution brought against a provider of an interactive computer service under State law regarding the advertisement, promotion, presentation, distribution, or solicitation of child sexual abuse material, as defined in section 2256(8) of title 18, United States Code; or
(C) any claim in a civil action brought against a provider of an interactive computer service under State law regarding the advertisement, promotion, presentation, distribution, or solicitation of child sexual abuse material, as defined in section 2256(8) of title 18, United States Code.
Consequently, online platforms could be sued civilly by victims in federal or state court over the CSAM on their platforms, or prosecuted criminally in state courts. The underlying statutes generally penalize those that knowingly circulate or transmit child sexual exploitative material or child pornography. Hence, Google or Apple, to name two companies, could conceivably be sued if people are using their cloud services to store or transmit such material, but it appears an ICS would have to have known about the CSAM in order to be liable for monetary damages and for some of its employees to face time in prison and fines.
Of course, Section 230 already allows for federal criminal enforcement of the aforementioned laws against ICS because subsection (e)(1) already states “[n]othing in this section shall be construed to impair the enforcement of section 223 or 231 of this title, chapter 71 (relating to obscenity) or 110 (relating to sexual exploitation of children) of title 18, or any other Federal criminal statute.” Consequently, the EARN IT Act would open ICS to liability in federal civil cases and in state criminal and civil cases.
Note that 230(c)(2)(A) would still protect ICS with respect to CSAM moderation. This provision of existing law provides protection from lawsuits for “any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected.” Hence, if a platform moderates or removes CSAM, it could not be sued for doing so.
The original EARN IT Act tied the use of the Commission’s best practices to a safe harbor from litigation to encourage platforms to better police CSAM. That was discarded two years ago in a Graham-Blumenthal managers’ amendment. However, in a more or less contemporaneous Trump Administration era document, the DOJ reasoned:
As with the terrorism carve-out, a tort standard would apply in the absence of immunity, so platforms that take reasonable steps to address CSAM and child exploitation still would be protected.
In other words, under tort liability so long as a party meets whatever duty of care is needed for a type of conduct, she is safe from liability. Hence, the Commission’s recommended best practices could become the duty of care for platforms in civil lawsuits, and this is probably the goal of the redesigned bill. But, of course, this is the DOJ’s view and not a court’s. Bear in mind, nonetheless, the doctrine of torts does not generally play a role in criminal liability.
But, the elephant in the room is encryption as there is language in this version of the EARN IT Act regarding encryption. 47 U.S.C. 230 is further amended with these provisions:
(7) ENCRYPTION TECHNOLOGIES.—
(A) IN GENERAL.—Notwithstanding paragraph (6), none of the following actions or circumstances shall serve as an independent basis for liability of a provider of an interactive computer service for a claim or charge described in that paragraph:
(i) The provider utilizes full end-to-end encrypted messaging services, device encryption, or other encryption services.
(ii) The provider does not possess the information necessary to decrypt a communication.
(iii) The provider fails to take an action that would otherwise undermine the ability of the provider to offer full end-to-end encrypted messaging services, device encryption, or other encryption services.
(B) CONSIDERATION OF EVIDENCE.—Nothing in subparagraph (A) shall be construed to prohibit a court from considering evidence of actions or circumstances described in that subparagraph if the evidence is otherwise admissible.
And so, an ICS’ use of encryption alone cannot serve as the basis for a lawsuit, meaning it could be used as evidence in suits brought on additional grounds. In other words, platforms could still face liability for using encryption, and perhaps a litigant could argue that a platform’s use of encryption along with its failure to take reasonable measures to remove CSAM create liability. If past is prologue, platforms facing new, potential liability tend to run from prohibited conduct that may expose them to new liability. For example, after the passage of SESTA/FOSTA in 2017 platforms quickly acted to remove any content that might be found to be sex trafficking:
For example, Craigslist took down its personal ads section out of fear that people would use it to coordinate prostitution, Google began reviewing and deleting content from the Drive accounts of some of its users, and Microsoft began policing Skype and its cloud service products to remove any content that might run afoul of the law.
It seems possible and perhaps even likely some would not use default end-to-end encryption or try to shift potential liability to users by requiring them to indemnify the platform if their use of encryption subjects it to liability and damages. And it is this sort of dynamic that critics of the EARN IT Act foresee as likely.
It should be added that in the July 2020 markup of the EARN IT Act, Senator Patrick Leahy (D-VT) added an amendment to the bill that would change 47 U.S.C. 230 by making clear that the use of end-to-end encryption does not make providers liable under laws on child sexual exploitation and abuse material. Specifically, no liability would attach because the provider:
§ utilizes full end-to-end encrypted messaging services, device encryption, or other encryption services;
§ does not possess the information necessary to decrypt a communication; or
§ fails to take an action that would otherwise undermine the ability of the provider to offer full end-to-end encrypted messaging services, device encryption, or other encryption services.
The current EARN IT Act language falls short of Leahy’s language, and he may well try again to get his preferred language added to the bill.
Other Developments
§ At a meeting of the Competition Council he created through an executive order, President Joe Biden lauded Apple and Microsoft’s “voluntary” decisions to allow purchasers of some of their products the right to repair. He said “it’s going to make it easier for millions of Americans to repair their electronics instead of paying an arm and a leg to repair or just throwing the device out.” Biden also focused on a Food and Drug Administration (FDA) “proposed rule that would make it possible for hearing aids to be sold over the counter without a prescription.” Moreover, Biden stated that the “Department of Justice and other agencies with oversight authority have ramped up their efforts to scrutinize these mergers…[which] includes challenging or blocking mergers that are bad for the economy and your pocketbooks.”
§ The United States (U.S.) Environmental Protection Agency (EPA), the National Security Council (NSC), the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the Water Sector Coordinating Council and Water Government Coordinating Council (WSCC/GCC) “announced the Industrial Control Systems Cybersecurity Initiative – Water and Wastewater Sector Action Plan to help protect water systems from cyberattacks.” The White House stated in its press statement:
o The Water Sector Action Plan is a collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technologies and systems that provide cyber-related threat visibility, indicators, detections, and warnings:
§ Today, the Biden-Harris Administration announced it will extend the Industrial Control Systems (ICS) Cybersecurity Initiative to the water sector. The Water Sector Action plan outlines surge actions that will take place over the next 100 days to improve the cybersecurity of the sector. The action plan was developed in close partnership with the Environmental Protection Agency (EPA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Water Sector Coordinating Council (WSCC).
· Similar to electric and pipeline action plans, this plan will assist owners and operators with deploying technology that will monitor their systems and provide near real-time situational awareness and warnings. The plan will also allow for rapidly sharing relevant cybersecurity information with the government and other stakeholders, which will improve the sector’s ability to detect malicious activity.
§ EPA and CISA will work with water utilities and invite them to participate in a pilot program for ICS monitoring and information sharing. This pilot will demonstrate the value of such technology to the sector. The WSCC, CISA, and EPA will also collaborate to promote cybersecurity monitoring to the entire sector.
§ The plan will meet the particular requirements of this sector. This sector is made up of thousands of systems that range in size from the very small to ones that service major metropolitan cities that have little or no cybersecurity expertise and are unsure what steps they should take to address cyber risks. EPA and CISA will work with appropriate private sector partners to develop protocols for sharing information. The government will not select, endorse, or recommend any specific technology or provider.
§ The plan will initially focus on the utilities that serve the largest populations and have the highest consequence systems; however, it will lay the foundation for supporting enhanced ICS cybersecurity across water systems of all sizes.
§ The United States (U.S.) Federal Trade Commission (FTC) settled claims with online fashion retailer Fashion Nova, LLC “that the company blocked negative reviews of its products from being posted to its website.” The company will pay $4.2 million and “will be prohibited from suppressing customer reviews of its products.” The FTC asserted:
o The FTC alleged in a complaint that the California-based retailer, which primarily sells its “fast fashion” products online, misrepresented that the product reviews on its website reflected the views of all purchasers who submitted reviews, when in fact it suppressed reviews with ratings lower than four stars out of five. The case is the FTC’s first involving a company’s efforts to conceal negative customer reviews.
o According to the FTC's complaint, Fashion Nova used a third-party online product review management interface to automatically post four- and five-star reviews to its website and hold lower-starred reviews for the company’s approval. But from late-2015 until November 2019, Fashion Nova never approved or posted the hundreds of thousands of lower-starred, more negative reviews. Suppressing a product’s negative reviews deprives consumers of potentially useful information and artificially inflates the product’s average star rating.
o The FTC also announced that it is sending letters to 10 companies offering review management services, placing them on notice that avoiding the collection or publication of negative reviews violates the FTC Act. In addition, the FTC has released new guidance for online retailers and review platforms to educate them on the agency’s key principles for collecting and publishing customer reviews in ways that do not mislead consumers.
o This is the second case the FTC has brought against Fashion Nova in recent years. In April 2020, the FTC announced that Fashion Nova agreed to pay $9.3 million to settle allegations that the company failed to properly notify consumers and give them the chance to cancel their orders when it failed to ship merchandise in a timely manner, and that it illegally used gift cards to compensate consumers for unshipped merchandise instead of providing refunds.
o Under the proposed settlement of the latest allegations, Fashion Nova will pay $4.2 million for harm consumers incurred. Fashion Nova will also be prohibited from making misrepresentations about any customer reviews or other endorsements. In addition, it must post on its website all customer reviews of products currently being sold—with the exception of reviews that contain obscene, sexually explicit, racist, or unlawful content and reviews that are unrelated to the product or customer services like shipping or returns.
§ The United States (U.S.) Federal Communications Commission (FCC) “announced that it is ready to authorize more than $1.2 billion through the Rural Digital Opportunity Fund to fund new broadband deployments in 32 states” according to its press statement. The FCC stated:
o In the largest funding round to date, 23 broadband providers will bring broadband service to over 1 million locations. The Commission also has created the Rural Broadband Accountability Plan, a new effort to monitor and ensure compliance for universal service high-cost programs including the Rural Digital Opportunity Fund.
o The Rural Broadband Accountability Plan makes a number of changes and enhancements to existing audit and verification procedures, including:
o Increasing audits and verifications of support recipients – The number of audits and verifications will double in 2022 as compared to 2021, and include on-site audits as well as audits and verifications based upon random selection.
o Increasing audits and verifications of large and higher-risk support recipients – The largest dollar recipients will be subject to an on-site audit in at least one state and higher-risk recipients will be subject to additional audits and verifications.
o Increasing program transparency – For the first time, results of verifications, audits, and speed and latency performance testing will be made public on USAC’s website.
o A fact sheet on the Rural Broadband Accountability Plan is available here: https://www.fcc.gov/document/fcc-creates-rural-broadband-accountability-plan
§ A number of advocacy groups are calling on the United States (U.S.) Senate, House, Federal Trade Commission (FTC), and Department of Justice (DOJ) and argued “the expansion of Google, Amazon, Apple, and Facebook into the auto sector spells trouble for workers and consumers.”
o American auto workers have traditionally been protected by unions to prevent workplace abuses and ensure fair wages and good benefits. But Big Tech has a much different record.
o Beyond workers’ welfare - which should be concern enough - the American economy simply cannot sustain deeper corporate concentration and monopolization from Big Tech. Together, these four corporations have too much control over our economy and the lives of every American. They have gained this control through a relentless pursuit of market domination and political power, while undermining competition - at times, illegally
o The data privacy and security implications are grave as well. Google already profits off of our browser history. Imagine if they can also monetize our behavior behind-the-wheel as well. They know where we go, what we search for, and now they’ll know how often we use our turn signals or go five miles over the limit. There are already widespread concerns of privacy violations and data impropriety against each of these four tech giants, including accusations that Apple’s Siri and Amazon’s Echo Dot record without consent and that Google tracks Android users’ locations when location services are disabled.
§ The United States (U.S.) Federal Bureau of Investigation (FBI) released a Private Industry Notification (PIN) to warn “entities associated with the February 2022 Beijing Winter Olympics and March 2022 Paralympics that cyber actors could use a broad range of cyber activities to disrupt these events.” The FBI claimed:
o These activities include distributed denial of service (DDoS) attacks, ransomware, malware, social engineering, data theft or leaks, phishing campaigns, disinformation campaigns, or insider threats, and when successful, can block or disrupt the live broadcast of the event, steal or leak sensitive data, or impact public or private digital infrastructure supporting the Olympics. Additionally, the FBI warns Olympic participants and travelers of potential threats associated with mobile applications developed by untrusted vendors. The download and use of applications, including those required to participate or stay in country, could increase the opportunity for cyber actors to steal personal information or install tracking tools, malicious code, or malware. The FBI urges all athletes to keep their personal cell phones at home and use a temporary phone while at the Games. The National Olympic Committees in some Western countries are also advising their athletes to leave personal devices at home or use temporary phones due to cybersecurity concerns at the Games. The FBI to date is not aware of any specific cyber threat against the Olympics, but encourages partners to remain vigilant and maintain best practices in their network and digital environments.
§ Australia’s eSafety Commissioner Julie Inman Grant “welcomed the commencement of the Online Safety Act, which provides additional protections for Australians in the fight against online harms” per her press statement. Grant further explained the “new laws:”
o A new Adult Cyber Abuse Scheme for Australian adults:
§ eSafety will be able to act as a safety net to give Australian adults who have been subjected to serious online harm somewhere to turn if the online service providers have failed to act in removing the abusive content.
§ If a platform fails to take action, people can visit the Report section of the eSafety website to make a report. Our new investigative and information gathering powers will allow us to investigate and assess complaints and decide what action we can take.
§ If the material is not removed, eSafety can impose civil penalties (including fines) on those who posted it, or the provider of the service where it appears, if they do not comply with a notice from eSafety to remove the material.
§ The bar for determining what ‘adult cyber abuse’ is has been set deliberately high, to ensure it does not stifle freedom of speech.
§ Under the law, to reach the threshold the abuse must be both ‘intended to cause serious harm’, and ‘menacing, harassing or offensive in all the circumstances’. Serious harm could include material which sets out realistic threats, places people in real danger, is excessively malicious or is unrelenting.
§ If a matter does not meet the threshold, we will still be able to offer support, information and advice.
o A stronger Cyberbullying Scheme for Australian children:
§ eSafety’s existing Cyberbullying Scheme will be bolstered to enable eSafety to be able to order online service providers to remove material not just from social media sites, but from online services where a lot of children spend their time – including online game chats, websites, and direct messaging platforms.
§ If eSafety seeks removal of content, the online service provider has 24 hours to respond, down from the previous 48 hours (this may be longer in certain circumstances).
o An updated Image Based Abuse Scheme
§ Online service providers will now have half the time – cut from 48 hours to 24 hours – to take down intimate images (including videos) after getting a removal notice from eSafety.
§ The Act also gives eSafety new powers to expose repeated failures to deal with image-based abuse. For example, eSafety will be able to name and shame online service providers that allow publication of intimate images without consent of the person shown on two or more occasions in a 12-month period, and are in breach of their own terms of service.
o Targeted blocking power
§ New Abhorrent Violent Conduct powers allow eSafety to direct internet service providers to block access to certain material that promotes, incites, instructs in or depicts abhorrent violent conduct, such as rape, torture, murder, attempted murder and terrorist acts, and is likely to cause significant harm to the Australian community.
§ This will allow eSafety to respond to online crisis events, like the Christchurch terrorist massacre, by requesting or requiring internet service providers block access to such extreme violent content.
o Illegal and restricted online content
§ Under updates to Australia’s Online Content Scheme, online service providers who fail to comply with eSafety removal notices to take down illegal and restricted online content that is accessible to Australians – such as child sexual exploitation material - face financial penalties of up to $111,000 per offence for individuals and $555,000 for corporations.
§ Those services may also have their content delinked from search engines and their apps removed from app stores if they fail to comply.
§ As a last resort, where a service is deemed to pose a serious threat to the safety of Australians, eSafety may also apply for a Federal Court order that the provider of a particular social media service, relevant electronic service, designated internet service, or internet carriage service stop providing that service in Australia.
§ The White House published a “Bipartisan Infrastructure Law Guidebook for State, Local, Tribal and Territorial Governments” and explained the document:
o Overview and Purpose of this Guidebook
o To achieve the ambitious goals outlined by the President and this legislation, the Biden-Harris Administration needs help. Building a better America is a shared endeavor no one can do alone, and investing federal infrastructure dollars will require significant coordination between the federal government, states, Tribal governments, community stakeholders, local governments, and other key partners.
o This guidebook is a roadmap to the funding available under the law. It explains, in as much detail as currently available, how much funding is available at the program level. Our primary goal is to help our partners across the country know what to apply for, who to contact for help, and how to get ready to rebuild. We have also published an accompanying data file on Build.gov that allows users to quickly sort programs funded under the law by fields like agency, amount, eligible recipient, or program name.
o The guidebook contains 13 chapters grouping Bipartisan Infrastructure Law programs by issue area. Each chapter contains a cover note explaining how to get ready to apply for and receive this subset of funding. These memos identify additional resources our partners can and should utilize to prepare while the federal government gets ready to distribute Bipartisan Infrastructure Law funds from new and existing programs.
o This is the first version of this product. In the coming weeks, we plan to publish subsequent versions of this document to keep our partners up to date on the latest deadlines and details. The White House has also encouraged external stakeholders to use this information to develop local or regional-specific guides on available sources of funding, so every community in America can identify, understand, and access investment opportunities that they need and deserve under the law. This initial publication is not an attempt to capture every possible federal infrastructure program, authorization, or expenditure—rather, it provides our partners with a deeper view into funding soon to be available under the law. If you have questions, please see the appendix for agency-level contact information and links to more information online.
§ The United Kingdom’s (UK) Department for Digital, Culture, Media & Sport (DCMS) issued a policy paper titled “How user data shapes the media sector,” and the agency asserted:
o The biggest challenges raised by media organisations throughout this research were linked to the explosion of competition in the media landscape—social media and online only content providers can often offer content to audiences in cheaper and easier to access formats, and big tech organisations are increasingly acting as gatekeepers to valuable data.
o Media organisations were often struggling to find the right balance in this value exchange, and at the same time were facing additional challenges, which made it more difficult for them to collect and utilise data in comparison to big tech organisations:
§ Unequal access to data – tech firms often own the interfaces between the user and the content, meaning their access to user data is often greater (e.g. social media platforms, online browsers, smart devices). This is exacerbated by a perceived lack of negotiating power for small and often even large media organisations, who feel they are not in a position to demand data from tech firms, or even have a conversation about it.
§ Unequal control over how data is used – tech firms often set the agenda for how data can be used by media organisations (e.g. Apple privacy tracking, Google third party cookies).
§ Unequal regulation to abide by – tech firms are often less heavily regulated, meaning they can focus on providing the most value to users, without any restrictions on what their content should include. In contrast UK based media organisations are often overseen by regulatory and industry standards bodies, for example, local commercial radio stations can be required by Ofcom to provide a certain level of local content (news, travel etc.). This means that media organisations can’t always be completely data led in their decision making.
§ Unequal importance placed on providing ‘public value’ – The values of many media organisations don’t always align with the implications of pursuing a data driven model. Many of the organisations we spoke to were keen to continue to provide audiences with free-to-access, high quality and varied content, which they felt might be compromised by some of the available routes for increased or more lucrative data collection and use. Big tech firms in comparison, particularly social media organisations, have always operated via a data driven model.
§ The United States (U.S.) Court of Appeals for the Ninth Circuit ruled against the telecommunications companies appealing a denial of their motion to enjoin enforcement of the “California Internet Consumer Protection and Net Neutrality Act of 2018” (SB-822). The court stated:
o We conclude the district court correctly denied the preliminary injunction. This is because only the invocation of federal regulatory authority can preempt state regulatory authority. As the D.C. Circuit held in Mozilla, by classifying broadband internet services as information services, the FCC no longer has the authority to regulate in the same manner that it had when these services were classified as telecommunications services. See id. at 75–76. The agency, therefore, cannot preempt state action, like SB-822, that protects net neutrality. See id. at 18. Without the authority to preempt, it does not much matter whether SB-822 conflicts with the federal policy objectives underlying the reclassification decision. And SB-822 does not conflict with the Communications Act itself, which only limits the FCC’s regulatory authority. As to the service providers’ field preemption argument, Supreme Court authority, the case law of this circuit, and various provisions of the Communications Act itself all foreclose that argument.
§ United States (U.S.) Federal Bureau of Investigation Director Christopher Wray gave a speech on the threat the People’s Republic of China poses to the U.S. Wray asserted:
o Today, we in the United States and the Western world find ourselves in a very different struggle against another global adversary—the Chinese Communist Party. Now, there are some surface-level similarities between the threat posed by the Chinese government and the historical threat of the Soviet Union: The Chinese government also rejects the fundamental freedoms, basic human rights, and democratic norms we value as Americans.
o But the Soviet Union didn’t make much that anyone in America wanted to buy. We didn’t invest in each other’s economies or send huge numbers of students to study in each other’s universities. The U.S. and today’s China are far more interconnected than the U.S. and the old U.S.S.R. ever were, and China is an economic power on a level the Soviets could never have dreamed of being.
o The complexity of the threat posed by the Chinese government flows from those new realities, because China’s government has the global reach and presence of a great nation, but it refuses to act the part and too often uses its capabilities to steal and threaten, rather than to cooperate and build. That theft, those threats, are happening right here in America, literally every day.
o That’s what I want to talk to you about tonight, the threat posed by the Chinese government here at home to our economic security and to our freedoms. Our freedom of speech, of conscience; our freedom to elect and be served by our representatives without foreign meddling; our freedom to prosper when we toil and invent. I’ve spoken a lot about this threat since I became FBI Director. But I want to focus on it here, tonight, because in many ways it’s reached a new level—more brazen, more damaging than ever before, and it’s vital—vital—that all of us focus on that threat together.
o Now, having said that, I do want to be clear that the Chinese government and the Chinese Communist Party pose the threat we’re focused on countering—not the Chinese people, and certainly not Chinese Americans, who are themselves frequently victims of the Chinese government’s lawless aggression. Protecting them from the Chinese government is top of mind for us, too. America is richer and stronger because of the generations of people who immigrated here from China, many of whom will celebrate the traditional Lunar New Year festival this week. At the FBI, we’re committed to protecting the safety and rights of all Americans.
§ United States (U.S.) Senate Finance Committee Chair Ron Wyden (D-OR) and Ranking Member Mike Crapo (R-ID) wrote President Joe Biden urging his administration “to work with the European Union to address the discriminatory aspects of the Digital Markets Act (DMA) and Digital Services Act (DSA), which focus regulations on a handful of American companies while failing to regulate similar companies based in Europe, China, Russia and elsewhere, giving those companies a competitive advantage and running afoul of bedrock principles of international trade.” Wyden and Crapo stated:
o As the EU works to take positive steps to protect privacy, ensure competition, and facilitate digital inclusivity, it is critical that U.S. innovators, and the American workers and internet users behind them, are not placed at an unfair disadvantage by discriminatory trade policies.
o We welcome your Administration’s commitment to deepening and expanding transatlantic trade and investment relations. We are encouraged to see officials leveraging the U.S.-EU Trade and Technology Council (TTC) to renew engagement and cooperation on the unique challenges facing 21st century democracies. As you have highlighted, the United States and the EU are indispensable partners that must work together to establish trade and technology policies that work for all of our citizens.
o We also recognize and applaud the EU’s objectives to ensure fair conditions for competition in the digital services sector and improve the welfare of consumers. However, policies intended to meaningfully address the excess market power of technology firms must apply equally to firms based in Europe, China, the United States, and other countries. In its pending legislative proposals, the EU uses arbitrary thresholds to ensure only a handful of large American companies fall within the scope, while failing to regulate similar companies based in Europe and elsewhere. Such regulatory inequities raise serious concerns of discrimination.
§ Consumer Reports and the Electronic Privacy Information Center (EPIC) “released a white paper that provides a detailed roadmap for how the Federal Trade Commission (FTC) should issue privacy rules under its unfair practices authority.” The groups stated:
o The paper urges the FTC to establish a Data Minimization Rule to prohibit all secondary data uses with limited exceptions, ensuring that people can safely use apps and online services without having to take additional action. It also lays out two additional options to consider should the FTC decline to prohibit all secondary uses: prohibit specific secondary data uses, such as behavioral advertising or the use of sensitive data; or mandate a right to opt out of secondary data use, including through global opt-out controls and databases.
o Additionally, the paper encourages the FTC to adopt data transparency obligations for primary use of data; civil rights protections over discriminatory data processing; nondiscrimination rules, so that users cannot be charged for making privacy choices; data security obligations; access, portability, correction, and deletion rights; and to prohibit the use of dark patterns with respect to data processing.
o As outlined in the paper, the FTC has wide authority to issue prescriptive rules in order to forestall business practices that can cause consumer injury. With respect to judicial interpretation, the courts generally give broad deference to expert agencies’ interpretation of their substantive statutes, and these privacy regulations are likely to withstand First Amendment scrutiny.
o The two groups submitted the paper to the FTC in support of the privacy rulemaking petition from Accountable Tech, which calls on the FTC to prohibit surveillance advertising under its authority to regulate unfair competition in the marketplace. Last year, CR and EPIC joined over 40 groups in calling on the FTC to begin a privacy rulemaking.
§ The United States (U.S.) Government Accountability Office (GAO) issued a report titled “Privacy: Federal Financial Regulators Should Take Additional Actions to Enhance Their Protection of Personal Information” and concluded:
o CFPB and the four prudential regulators we reviewed maintain more than 100 mission-related information system applications that collect and use consumer PII. Applications at the five regulators use PII, primarily in their role overseeing supervisory examinations of financial institutions, but also for other mission purposes such as enforcement of consumer financial laws and the processing of consumer complaints. These five regulators also regularly share PII with partners such as other government agencies, law enforcement and judicial entities, and with third parties such as contractors, vendors, and service providers.
o The five regulators have each created privacy programs, which have processes to ensure privacy protections for the PII they collect, use, and share in accordance with key practices in federal guidance. However, four of the five regulators did not fully perform key practices such as maintaining a systems inventory that allow it to ensure the accuracy of its PII holdings, documenting steps taken to minimize PII collected and used by applications, identifying and documenting metrics to evaluate the implementation of privacy controls, and documenting key decisions and approvals for the selection and testing of privacy controls. As a result, regulators are less likely to be fully aware of the extent of PII they handle or the controls that are in place internally and externally to protect it. Until regulators take steps to mitigate weaknesses in performing key practices in federal law and guidance, the PII they collect, use, and share could be at increased risk of compromise.
§ In a press statement, the United States (U.S.) Federal Communications Commission (FCC) “announced that it is committing $240,888,016 in its eighth wave of Emergency Connectivity Fund program support.” The FCC stated:
o The funding commitments will support over 600,000 students and provide funding for 693 schools, 55 libraries and 8 consortia in 49 states, Puerto Rico, the Northern Mariana Islands, and the District of Columbia. The institutions are approved to receive nearly 683,000 connected devices and 182,000 broadband connections. Since its June 2021 launch, the program has committed over $4.4 billion supporting all 50 states, Guam, Puerto Rico, the U.S. Virgin Islands, the Northern Mariana Islands, and the District of Columbia.
§ The United States (U.S.) Federal Bureau of Investigation (FBI) released a Private Industry Notification (PIN) on “Context and Recommendations to Protect Against Malicious Activity by Iranian Cyber Group Emennet Pasargad.” The FBI explained:
o This Private Industry Notice provides a historical overview of Iran-based cyber company Emennet Pasargad’s tactics, techniques, and procedures (TTPs) to enable recipients to identify and defend against the group’s malicious cyber activities. On 20 October 2021, a grand jury in the US District Court for the Southern District of New York indicted two Iranian nationals employed by Emennet Pasargad (formerly known as Eeleyanet Gostar) for computer intrusion, computer fraud, voter intimidation, interstate threats, and conspiracy offenses for their alleged participation in a multi-faceted campaign aimed at influencing and interfering with the 2020 US Presidential Election. In addition, the Department of the Treasury Office of Foreign Assets Control designated Emennet along with four members of the company’s management and the two indicted employees for attempting to influence the same election. The Department of State’s Rewards for Justice Program also offered up to $10 million for information on the two indicted actors.
§ The United States (U.S.) Government Accountability Office (GAO) issued a report titled “Spectrum Management: NTIA Should Improve Spectrum Reallocation Planning and Assess Its Workforce” and concluded:
o Effective spectrum management is critical given the importance of spectrum’s role in ensuring the nation’s security and communications. NTIA is able to process over 90,000 frequency assignment applications for federal users each year and has recently facilitated a complex, multi-stakeholder spectrum reallocation to free up spectrum critical for mobile services. However, by following program management leading practices related to planning, particularly for creating a plan, developing an integrated master schedule, and anticipating risks, NTIA could better ensure that reallocations are executed in a timely fashion and that potential challenges and risks are addressed before they arise. Furthermore, with a documented internal plan inclusive of all anticipated NTIA reallocation work, NTIA could more effectively coordinate with FCC in the decision-making processes related to overall national spectrum planning, and understand how NTIA resource limitations may constrain various options.
o Moreover, by establishing a documented process to inform how NTIA collects and synthesizes agency viewpoints to develop and communicate the executive branch view to FCC, NTIA could mitigate confusion on its role and the expectations of federal agencies involved and bolster the transparency of how and why NTIA provides the final information to FCC that it does. Ultimately, NTIA’s efforts to fulfill its statutory obligations to conduct these and other tasks is dependent on NTIA having a qualified staff. While NTIA collects some information about its employees’ annual performance, NTIA could be better informed of potential human capital skill gaps by conducting organizational skill-gap assessments. By following leading practices related to program management, policy documentation, and human capital management, NTIA could strengthen its ability to effectively manage federal spectrum.
§ The United States (U.S.) Senate Commerce, Science, and Transportation Committee Ranking Member Roger Wicker (R-MS) and ten Republican colleagues wrote the Secretary of the Treasury Janet Yellen “to raise concerns regarding the recently-announced final rule for broadband infrastructure funding through the Coronavirus State and Local Recovery Funds.” Wicker and his colleagues stated:
o The final SLFRF rule increases the risk of overbuilding existing broadband investments. First, the final rule eliminates a key requirement that eligible broadband projects provide service to unserved or underserved households or businesses that lack access to minimum speeds of 25 Mbps download/3 Mbps upload. Instead, recipients can invest in projects designed to serve locations with “an identified need for additional broadband infrastructure investment”—a vague and subjective standard. The rule also permits recipients to invest in projects regardless of whether there is an existing federal or state funding commitment. As a result, the final rule will allow SLFRF recipients to fund projects in areas where broadband service is already or will be available – while continuing to leave truly unserved areas in our states without access to broadband.
o The final rule also moves away from a purely quantitative approach to assessing existing broadband service. In addition to federal and state broadband data, funding recipients are permitted to consider user speed tests, interviews, and “any other information they deem relevant” when determining whether to fund a broadband project in a given area. Although input from stakeholders is important to ensuring Americans have access to quality broadband service, this information should be considered against quantitative data about an area’s access to, and quality of, broadband. Additionally, the broad nature of this guidance allows states to choose whatever information they wish to determine the availability of broadband in a given area.
o Together, these changes will hinder the identification of unserved areas that need broadband service the most. Instead, the final SLFRF rule has the potential to waste taxpayer dollars funding duplicative service in areas with existing access to broadband, leaving a significant portion of the country unable to realize the benefits of quality broadband service and participate in the digital economy.
Further Reading
§ “Facebook says Apple iOS privacy change will result in $10 billion revenue hit this year” By Kif Leswing — CNBC. Facebook parent Meta said on Wednesday that the privacy change Apple made to its iOS operating system last year will decrease the social media company’s sales this year by about $10 billion. “We believe the impact of iOS overall is a headwind on our business in 2022,” Meta CFO Dave Wehner said on a call with analysts after the company’s fourth-quarter earnings report. “It’s on the order of $10 billion, so it’s a pretty significant headwind for our business.”
§ “As the Russian threat grew, U.S. intelligence ties to Ukraine deepened” By Zach Dorfman — yahoo! news. Intelligence-sharing between U.S. and Ukrainian spy agencies has greatly expanded since Russia's 2014 annexation of Crimea, with the two countries exchanging information obtained from eavesdropping on Russian military activities and cooperating on cybersecurity issues, according to more than half a dozen former U.S. intelligence and national security officials.
§ “FBI Director Wray says scale of Chinese spying in the U.S. 'blew me away'” By Pete Williams — NBC News. Chinese spying in the U.S. has become so widespread that the FBI is launching an average of two counterintelligence investigations a day to counter the onslaught, FBI Director Christopher Wray said in an interview.
§ “DHS Warns That Right-Wing Extremists Could Attack Power Grid” By Shannon Vavra — The Daily Beast. Domestic violent extremists and racially motivated extremists have been developing plans to attack the U.S. electric sector, according to an intelligence bulletin from the Department of Homeland Security that was issued this week and obtained by The Daily Beast.
§ “Capitol Police examines backgrounds, social media feeds of some who meet with lawmakers” By Betsy Woodruff Swan and Daniel Lippman — Politico. After the Jan. 6 insurrection, the Capitol Police’s intelligence unit quietly started scrutinizing the backgrounds of people who meet with lawmakers, according to three people familiar with the matter.
§ “North Korea Hacked Him. So He Took Down Its Internet” By Andy Greenberg — WIRED. For the past two weeks, observers of North Korea's strange and tightly restricted corner of the internet began to notice that the country seemed to be dealing with some serious connectivity problems. On several different days, practically all of its websites—the notoriously isolated nation only has a few dozen—intermittently dropped offline en masse, from the booking site for its Air Koryo airline to Naenara, a page that serves as the official portal for dictator Kim Jong-un's government. At least one of the central routers that allow access to the country's networks appeared at one point to be paralyzed, crippling the Hermit Kingdom's digital connections to the outside world.
§ “Hackers target Canada's foreign ministry in cyber attack” By Sean Lyngaas — CNN. A "cyber incident" first detected last week has interrupted some of the Canadian foreign ministry's "internet-based services," the Canadian government said Monday. Canadian cybersecurity officials were working to restore those internet services as of Monday night. "Critical services for Canadians" through the foreign ministry were not affected by the incident, the Treasury Board of Canada Secretariat, a government agency, said in a statement to CNN. "At this time, there is no indication that any other government departments have been impacted by this incident," the statement said.
§ “Finland says it found NSO’s Pegasus spyware on diplomats’ phones” By Catalin Cimpanu — The Record. The Finnish government said today that the telephones of some of its foreign diplomats were infected last year with Pegasus, a spyware strain developed by controversial Israeli surveillance vendor NSO Group. Finland’s Ministry of Foreign Affairs said the hacks were discovered in the autumn and winter of 2021–2022 and that the espionage campaign is no longer active. Officials said that both Android and iPhone phones were infected but that the devices only stored information classified at “level 4,” which they said was their lowest level of classified information.
§ “Ireland's data centers are an economic lifeline. Environmentalists say they're wrecking the planet” By Kara Fox — CNN. In the west of Ireland lies a medieval market town, its roots steeped in legend. Beyond the labyrinth of narrow streets of the center are the chimney stacks of housing developments that still puff coal and peat. Past those homes, on the outskirts of Ennis, is an unremarkable but huge plot of land, nestled between a power station and farmland where cattle and sheep graze. This is where a mysterious company has applied to develop a new data center the size of 22 American football fields.
§ “Google’s Privacy Sandbox targeted by fresh EU antitrust complaint” By Natasha Lomas — TechCrunch. German publishers are the latest to band together to try to derail or at least delay Google’s “Privacy Sandbox” plan to end support for tracking cookies in Chrome via a complaint to the European Commission.
§ “Google proposes a new way to track people around the Web. Again.” By Gerrit De Vynck — The Washington Post. Google floated a new set of ideas Tuesday for changing how advertising on the Web should work, scrapping and replacing a previous plan that had triggered anger and concern from privacy advocates and government competition regulators alike.
§ “Out-of-Control Cybercrime Will Cause More Real-World Harm” By Ciaran Martin — WIRED. In 2022, cyber incidents will cause real and sustained disruption to our everyday comforts—and maybe kill people. This won’t be because of any great geopolitical development, but because a bunch of semi-sophisticated, well-organized, and mostly Russian criminals are increasingly out of control.
§ “How Australia’s Leader Lost Control of His Chinese Social Media Account” By Yan Zhuang and John Liu — The New York Times. When Prime Minister Scott Morrison of Australia opened his public WeChat account in 2019, it was during the lead-up to a federal election. He said it would allow him to directly communicate with Chinese-Australians and better understand the issues that concerned them.
§ “Intel Wins Historic Court Fight Over EU Antitrust Fine” By Stephanie Bodoni — Bloomberg. Intel Corp. won a historic victory in its court fight over a record 1.06 billion-euro ($1.2 billion) competition fine, in a landmark ruling that upends one of the European Union’s most important antitrust cases.
§ “A Former Hacker’s Guide to Boosting Your Online Security” By Cezary Podkul — ProPublica. Ngô Minh Hiếu was once a fearsome hacker who spent 7 1/2 years incarcerated in the U.S. for running an online store that sold the personal information of about 200 million Americans. Since leaving prison, Hiếu has become a so-called white hat hacker, attempting to protect the world from the sorts of cybercriminals he once was.
§ “ID.me CEO backtracks on claims company doesn't use powerful facial recognition tech” By Tonya Riley — CyberScoop. Identity verification company ID.me uses a type of powerful facial recognition that searches for individuals within mass databases of photos, CEO Blake Hall explained in a LinkedIn post on Wednesday.
§ “Amazon has disbanded the Twitter army it paid to tweet about how great Amazon is” By James Vincent — The Verge. Amazon has shuttered a controversial influence campaign in which it paid workers to tweet about how much they love working at Amazon, reports The Financial Times. Employees at the retailer’s warehouses (which it calls fulfillment centers) were paid to share positive impressions about the company and to deny widely-reported workplace failings — like employees being forced to urinate in bottles in order to meet performance targets.
§ “Everyone Has Left the Chat” By Lauren Mechling — The New York Times. It wasn’t until the outset of the pandemic that Sarah O’Dell fully awakened to the allure of the group chat. Stuck at home in Redding, Conn., with her husband and two children, she came to see how a nonstop conversation on her phone could provide welcome distraction, exchange of information and social support.
§ “Notorious Spyware Firm Reportedly Offered 'Bags of Cash' for Access to U.S. Networks” By Lucas Ropek — Gizmodo. A whistleblower alleges that the scandal-ridden spyware firm NSO Group once offered a telecom security company “bags of cash” to buy access to its cellular networks, ostensibly so its clients could track specific mobile users within the United States.
§ “German government warns of APT27 activity targeting local companies” By Catalin Cimpanu — The Record. The German government said on Tuesday that a Chinese cyberespionage group known as APT27 has repeatedly attacked German companies over the past few months using vulnerabilities in software like Microsoft Exchange and Zoho SelfService.
§ “Biden Official Credits Diplomacy With Russia for Arrest of Colonial Pipeline Hacker” By Mariam Baksh — Nextgov. A senior administration official put questionable timing aside and commended the Kremlin’s arrest Friday of individuals Russian officials say comprise the notorious REvil ransomware group, which U.S. officials have attributed to attacks on critical infrastructure.
§ “Ro Khanna Wants to Save Silicon Valley From Itself” By Blake Hounshell and Leah Askarinam — The New York Times. It’s not often that you meet a member of Congress who is eager to discuss the German philosopher Jürgen Habermas. But Representative Ro Khanna is not like most members of Congress. He represents one of the wealthiest districts in America — a chunk of Silicon Valley that is home to tech behemoths like Apple and Intel — yet he was a co-chair of Bernie Sanders’ 2020 presidential campaign. He’s a former intellectual property lawyer whose 2016 House bid was backed by venture capitalists and tech moguls, but he’s also a prominent critic of social media companies like Facebook.
§ “Biden administration weighing new rules to limit TikTok, foreign apps” By Cat Zakrzewski and Drew Harwell — The Washington Post. The Biden administration is developing new regulations that could lay the groundwork to bar TikTok and other Chinese-owned apps that present national security concerns, after revoking Trump administration orders that sought to ban the apps.
§ “EU drafts counteroffensive to China, US on technology rules” By Laurens Cerulus — Politico EU. The EU is taking a "Europe First" approach to technological standardization. The European Commission on Wednesday presented a plan to bolster its influence in creating global technology standards, as the bloc currently risks falling behind in global standardization organizations, where tech giants, government regulators and experts gather to set rules for how emerging technology works — everything from the internet to batteries, connected devices and beyond. Faced with the U.S.' market dominance and China's aggressive attempts to rewrite global rules, the EU wants to raise its game. "We need to make sure we're not just a standard-taker. We need to be a standard-setter," said Thierry Breton, the EU's industry commissioner.
Coming Events
§ 3 February
o The United States Senate Homeland Security and Governmental Affairs Committee will hold a hearing on the nominations of William Valdez to be the Under Secretary of Homeland Security for Management; Dimitri Kusnezov to be the Under Secretary of Homeland Security for Science & Technology; and Kenneth Wainstein to be the Under Secretary of Homeland Security for Intelligence & Analysis.
o Canada’s House of Commons’ Standing Committee on Access to Information, Privacy and Ethics will hold a hearing titled “Collection and Use of Mobility Data by the Government of Canada” because of reports “of the Public Health Agency of Canada collecting, using or possessing Canadians' private cellphone data, without their knowledge or consent.”
o The United States Senate Judiciary Committee will consider nominations and bills, including the Open App Markets Act (S. 2710) and the EARN IT Act of 2022.
o The United States House Transportation and Infrastructure Committee’s Aviation Subcommittee will hold a hearing titled “Finding the Right Frequency: 5G Deployment & Aviation Safety.”
§ 22 February
o The European Data Protection Board (EDPB) will hold a plenary meeting.
§ 16-17 June
o The European Data Protection Supervisor will hold a conference titled “The future of data protection: effective enforcement in the digital world.”
[1] Like 2017’s “Allow States and Victims to Fight Online Sex Trafficking Act of 2017” (aka SESTA or FOSTA) (P.L.115-164) and others pending in the current Congress.
[2] §230. Protection for private blocking and screening of offensive material
(a) Findings
The Congress finds the following:
(1) The rapidly developing array of Internet and other interactive computer services available to individual Americans represent an extraordinary advance in the availability of educational and informational resources to our citizens.
(2) These services offer users a great degree of control over the information that they receive, as well as the potential for even greater control in the future as technology develops.
(3) The Internet and other interactive computer services offer a forum for a true diversity of political discourse, unique opportunities for cultural development, and myriad avenues for intellectual activity.
(4) The Internet and other interactive computer services have flourished, to the benefit of all Americans, with a minimum of government regulation.
(5) Increasingly Americans are relying on interactive media for a variety of political, educational, cultural, and entertainment services.
(b) Policy
It is the policy of the United States-
(1) to promote the continued development of the Internet and other interactive computer services and other interactive media;
(2) to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services, unfettered by Federal or State regulation;
(3) to encourage the development of technologies which maximize user control over what information is received by individuals, families, and schools who use the Internet and other interactive computer services;
(4) to remove disincentives for the development and utilization of blocking and filtering technologies that empower parents to restrict their children's access to objectionable or inappropriate online material; and
(5) to ensure vigorous enforcement of Federal criminal laws to deter and punish trafficking in obscenity, stalking, and harassment by means of computer.
(c) Protection for "Good Samaritan" blocking and screening of offensive material
(1) Treatment of publisher or speaker
No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.
(2) Civil liability
No provider or user of an interactive computer service shall be held liable on account of-
(A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or
(B) any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph (1).
(d) Obligations of interactive computer service
A provider of interactive computer service shall, at the time of entering an agreement with a customer for the provision of interactive computer service and in a manner deemed appropriate by the provider, notify such customer that parental control protections (such as computer hardware, software, or filtering services) are commercially available that may assist the customer in limiting access to material that is harmful to minors. Such notice shall identify, or provide the customer with access to information identifying, current providers of such protections.
(e) Effect on other laws
(1) No effect on criminal law
Nothing in this section shall be construed to impair the enforcement of section 223 or 231 of this title, chapter 71 (relating to obscenity) or 110 (relating to sexual exploitation of children) of title 18, or any other Federal criminal statute.
(2) No effect on intellectual property law
Nothing in this section shall be construed to limit or expand any law pertaining to intellectual property.
(3) State law
Nothing in this section shall be construed to prevent any State from enforcing any State law that is consistent with this section. No cause of action may be brought and no liability may be imposed under any State or local law that is inconsistent with this section.
(4) No effect on communications privacy law
Nothing in this section shall be construed to limit the application of the Electronic Communications Privacy Act of 1986 or any of the amendments made by such Act, or any similar State law.
(5) No effect on sex trafficking law
Nothing in this section (other than subsection (c)(2)(A)) shall be construed to impair or limit-
(A) any claim in a civil action brought under section 1595 of title 18, if the conduct underlying the claim constitutes a violation of section 1591 of that title;
(B) any charge in a criminal prosecution brought under State law if the conduct underlying the charge would constitute a violation of section 1591 of title 18; or
(C) any charge in a criminal prosecution brought under State law if the conduct underlying the charge would constitute a violation of section 2421A of title 18, and promotion or facilitation of prostitution is illegal in the jurisdiction where the defendant's promotion or facilitation of prostitution was targeted.
(f) Definitions
As used in this section:
(1) Internet
The term "Internet" means the international computer network of both Federal and non-Federal interoperable packet switched data networks.
(2) Interactive computer service
The term "interactive computer service" means any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server, including specifically a service or system that provides access to the Internet and such systems operated or services offered by libraries or educational institutions.
(3) Information content provider
The term "information content provider" means any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service.
(4) Access software provider
The term "access software provider" means a provider of software (including client or server software), or enabling tools that do any one or more of the following:
(A) filter, screen, allow, or disallow content;
(B) pick, choose, analyze, or digest content; or
(C) transmit, receive, display, forward, cache, search, subset, organize, reorganize, or translate content.