VFI WEBINAR: Policy and Technology Responses to Cybersecurity Threats: October 11, 2017 at 10:30 am – 11:15 am PT.
October is National Cybersecurity Awareness Month, but cybersecurity is a 24/7/365 issue. We’ll be joined by Jacob Crisp, who recently joined Microsoft as director of cybersecurity policy. Jacob previously served in Congress, the White House, and the Intelligence Community.
A bipartisan group of lawmakers is seeking to impose a significant new restraint on law enforcement’s access to data gathered by the National Security Agency under a powerful authority that enables collection of foreign intelligence on U.S. soil. The measure, contained in a bill unveiled Wednesday by the House Judiciary Committee, is likely to set up a clash with the Trump administration in the coming weeks, with the legal power set to expire at year’s end. The administration wants the bill to be renewed without change — and permanently.
New revelations that a 2013 security breach at Yahoo affected all three billion of its users have triggered a sharp rebuke from the U.S. Senate, which now plans to drag company representatives back to Capitol Hill for a hearing in the coming weeks. The powerful Senate Commerce Committee and its chairman, Sen. John Thune, announced on Tuesday that they aim to grill representatives from Yahoo, now owned by Verizon, along with executives from Equifax, a credit-reporting agency whose 2017 security incident affected the most sensitive information of more than 145 million Americans. “Later this month, the Commerce Committee will call representatives of Yahoo! and Equifax to testify about recent breaches, whether new information has revealed steps they should have taken earlier, and whether there is potentially more bad news to come,” Thune said in a statement.
In a press conference today, Senator Mark Warner (D-VA) called for stronger regulation of online ads. Sen. Warner appeared with Senator Richard Burr (R-NC) on behalf of the Senate Select Committee on Intelligence, which has been investigating Russian interference in the 2016 elections. Facebook has been cooperating with the committee’s investigation, but has drawn some criticism for not immediately providing ads linked to Russian election interference. “I was concerned at first that some of these social media platform companies did not take this threat seriously enough,” Sen. Warner told reporters. “I believe they are taking it seriously now.”
Two black lawmakers in the U.S. Congress sharply rebuked Twitter this week for serving as “an avenue to spread racism and bigotry” — and threatened regulation if the tech industry as a whole doesn’t identify and suspend the accounts behind those messages. The calls for action came from Reps. Bonnie Watson Coleman and Emanuel Cleaver in a letter to Twitter CEO Jack Dorsey sent on Tuesday. For them, the tipping point appears to be reports that Russian agents sought to stir political unrest ahead of the 2016 presidential election by stoking racial tensions, even running ads targeting groups like Black Lives Matter.
CNBC reported on comments by Microsoft President and Chief Legal Officer Brad Smith at The Cambridge Cyber Summit related to several issues, including access to encryption. Among other items, the article notes that Brad expressed that the “last thing” companies should do is create backdoors for encrypted services and devices.
I have been in high-tech for nearly 30 years, and while my father and older brother were knee-deep in intellectual property (IP) as IP attorneys, I always played on the IP outskirts in product, marketing, and strategy roles. Early in my career, I thought IP was for the lawyers and engineers to worry about, not me. How wrong I was. As I enter my 28th year in high tech, I am seeing an even increased importance of IP and also observing some disturbing trends that could chew on the foundations on which it was built, jeopardizing the notion and amount of invention itself. I will be doing a blog series on IP, and this is the first one, intended to be a stage-setter.
Wall Street Journal: EU Court to Examine Latest Rule on U.S. Privacy
Europe’s top court will decide whether to ban a widespread legal tool that companies employ when they store data about Europeans on U.S. soil—the latest legal skirmish over what firms can do with the vast trove of information they are collecting on users.
Amazon will be hit with a fine for unpaid back taxes on Wednesday, the Financial Times said Tuesday. The European Union is contending that Amazon used Luxembourg as a tax haven and that it had established unfair partnerships with the country in an effort to skirt European taxes on 3 billion euros ($3.5 billion) in royalties. Such moves were seen as unfair by rivals, the FT said. The level of the fine was not reported. An Amazon spokesperson was not immediately available for comment.
NEW YORK (Reuters) – Some 10 million people in the United States saw politically divisive ads on Facebook that the company said were purchased in Russia in the months before and after last year’s U.S. presidential election, Facebook said on Monday. Facebook, which had not previously given such an estimate, said in a statement that it used modeling to estimate how many people saw at least one of the 3,000 ads. It also said that 44 percent of the ads were seen before the November 2016 election and 56 percent were seen afterward.
One of the cases in particular is perhaps the biggest privacy case to have reached the court in the Digital Age. Carpenter vs. United States asks a far-reaching question: do the authorities need a probable-cause court warrant to access people’s mobile phone location history? Warrantless mobile phone tracking has become a mainstay of the American surveillance state following the high court’s 2012 ruling that warrants were needed for the authorities to place GPS trackers on vehicles.
Two decades ago, Consumer Reports started sharing its product reviews with subscribers online. Now, the 81-year-old magazine is making an even bigger change: Doing way more than just hardware. On the latest episode of Too Embarrassed to Ask, CEO Marta Tellado talked about how the nonprofit business, which is supported by paid subscriptions, is rethinking its role in the digital era. It wants to “bend the marketplace,” she said, to make all products safer, more reliable and more conscious of their users’ privacy. “We now have connected cars … [and] all this ambient technology that is constantly giving you information — connected products at home, smart homes,” Tellado said. “So how do you take a workforce and shift it from thinking about the hardware to thinking about the software?”
THE TRUMP ADMINISTRATION is pushing hard for the reauthorization of a key 2008 surveillance law — section 702 of the Foreign Intelligence Surveillance Act, known as FISA — three months before it sunsets in December. To persuade senators to reauthorize the law in full, the Trump administration is holding classified, members-only briefings for the entire House and Senate next Wednesday, with heavy hitters in attendance: Attorney General Jeff Sessions, Director of National Intelligence Dan Coats, NSA Director Mike Rogers, and FBI Director Christopher Wray will give the briefings, according to an internal announcement of the meetings provided to The Intercept and confirmed by multiple sources on Capitol Hill.
The Hill published an opinion piece by political consultant Matt Mackowiak urging Congress to finally update ECPA to reflect the global nature of technology. Mackowiak briefly cites Microsoft’s warrant case as an example of the need for updated laws protecting privacy rights for Americans’ electronic documents and communications.
THINK TANK/TECH TRADE ASSOCIATION HIGHLIGHTS
American Enterprise Institute (AEI)
- Blog post on regulating tech firms: Visiting scholar Mark Jamison questioned if “tech firms are too smart,” noting, “Some people seem to think so, and their proposed restrictions on tech companies could hurt customers.” He added, “If as a country we value knowledge so much that we subsidize universities, promote STEM education, and permit the patenting of ideas, perhaps we should allow tech companies to be as smart as they can be.” (AEI BLOG – Should we dumb down tech?, By Mark Jamison, October 4, 2017)
Brookings Institution
- Survey on Silicon Valley’s politics: Editor Gregory Ferenstein wrote that “the technology industry is reeling from an extraordinary backlash; there are now regular calls to rein in the concentrated power of Silicon Valley, from the regulation of Facebook as a utility to treating Google as a monopoly and unionizing Uber’s drivers.” Ferenstein released “the findings from a political survey of over 600 tech company founders,” which “revealed a group that was largely supportive of Democrats and redistribution through higher taxation.” (BROOKINGS BLOG – A deeper look at Silicon Valley’s long-term politics, By Gregory Ferenstein, October 4, 2017)
BSA | The Software Alliance
- Policy agenda on cybersecurity: BSA “released an agenda, ‘Security in the Connected Age,’ to define elements that US cybersecurity policy should address. These include promoting a secure software ecosystem, creating a stronger government approach to cybersecurity, pursuing consensus for cybersecurity action, developing a 21st century cybersecurity workforce, and advancing cybersecurity through digital transformation.” (BSA PRESS RELEASE – A Cybersecurity Agenda for the Connected Age, October 3, 2017)
Information Technology Industry Council (ITI)
- Report on regulatory barriers: ITI released a report, IT Product Safety Regulations and their Impact on the Ease of Doing Business, assessing “the regulatory practices of 44 governments and the European Union (EU) and their impact on the ease of doing business for IT companies in these markets. The report names the EU as a top performer and the United States ranked in the middle of the road.” (ITI PRESS RELEASE – Tech Group Publishes First Report on Regulatory Barriers to the Ease of Doing Business Around the World, October 4, 2017)
- Report on national IoT strategy: “Technology industry leaders Intel, Samsung, ITI, SIA and the Chamber Technology Engagement Center (C_TEC) released the first-of-its-kind, national Internet of Things (IoT) Strategy. These recommendations will assist Congress and the administration in proactively developing public policies that will allow the United States to fully realize the vast economic and societal benefits of the IoT.” Moreover, the final report released will “serve as a guide and a measuring stick for the federal government.” (ITI PRESS RELEASE – Technology Industry Leaders Release National Strategy to Maximize U.S. Economic and Societal Benefits from the Internet of Things, October 3, 2017) (Additional: ITI Blog)
U.S. Chamber of Commerce
- Event on cybersecurity: The U.S. Chamber of Commerce “hosted its Sixth Annual Cybersecurity Summit, titled ‘Get Your Hack Together,’ as the nation recognizes National Cybersecurity Awareness Month. The summit brought together industry and government experts to discuss how the public and private sectors can work together to enhance cybersecurity for American businesses.” (U.S. CHAMBER OF COMMERCE – U.S. Chamber Hosts Sixth Annual Cybersecurity Summit, October 4, 2017)
- “[Microsoft’s warrant case] is a critically important issue, but one that is better resolved by Congress than the court. Ideally, the court passes, gives Congress time to update the statute with the kind of nuance that is needed, and the entire issue becomes moot. There are multiple other similar cases percolating in the lower courts, so the Supreme Court will almost certainly have other bites at the apple if Congress fails to act.”
- “What we’d like to see is responsible corporations consider how they can be responsive to a judicial order. The government shouldn’t have a place in saying how that’s done. But the design considerations up front should consider that we as a society need to do investigations.”
- “It is logical and plausible that the vendor may be less capable than the FBI of protecting its proprietary information in the face of a cyber-attack. The FBI’s conclusion that releasing the name of the vendor to the general public could put the vendor’s systems, and thereby crucial information about the technology, at risk of incursion is a reasonable one.”
- “There is a growing surveillance of immigrants in our country, and the social media monitoring is one part of it. The announcements that all of the social media monitoring is going into an A-file where it’s being kept for an indefinite period of time and being used against immigrants in all kinds of situations in the future is very troubling… The government has not done its job of justifying this massive invasion of privacy.”
- “We urge you to ensure that any reform proposal include a full fix requiring all agencies to obtain a warrant based on probable cause to search Section 702 data for information about U.S. citizens and residents in all investigations.”
- “U.S. law requires Facebook to help the NSA with mass surveillance and EU law prohibits just that… As Facebook is subject to both jurisdictions, they got themselves in a legal dilemma that they cannot possibly solve in the long run.”
- “As our society continues to evolve into the Silicon Valley dream of all citizens existing in a perpetual state of online activity, with constant connectivity and mobile capability, it is crucially important that our laws evolve with us… Congress needs to update ECPA to ensure we enjoy our Fourth Amendment rights — both from the U.S. government and from governments around the globe.”
- “[Data retention] establishes a form of mass surveillance of virtually the entire population of the state… Access to a person’s private historical communications data is an intrusion on their rights and on data which is personal to them… The potential threat to fundamental rights and freedoms arising from the statutory rights of access to retained data by state investigatory authorities is especially concerning.”
- “No Democrat should support a law that grants Trump the ability to spy — without a court-issued warrant — on the more than 325 million people that live in this country.”
- “Individuals’ First Amendment rights to free speech and association—particularly for naturalized citizens and lawful permanent residents—are chilled by the government collecting information about them. This includes chronicling their beliefs and opinions; mapping their social networks; tracking their movements—and permanently storing this information in a government database, and using it against them when making decisions about their immigration status, or for a myriad of other purposes.”
- “The advent of warrant-proof encryption is a serious problem. It threatens to destabilize the balance between privacy and security that has existed for two centuries… People should understand the consequences of warrant-proof security. We should have a candid public debate about the pros and cons of allowing companies to create lock boxes that cannot be opened by police and judges.”
- “There is much I support in the legislation… However, I have concerns about the operational impacts of some elements of the proposal on counter terrorism efforts, and also believe there are additional privacy and transparency provisions and protections that should be added.”
- “There are other ways I can’t talk about which we think they can help us more without necessarily entering into end-to-end encryption. So we think they can do more.”
- “This legislation marks an important step forward for reining in the overly broad government surveillance revealed by Edward Snowden more than four years ago…but, the legislation must do more to protect the rights of both US and global citizens.”
SOCIAL MEDIA HIGHLIGHTS
- @bradheath: Court: The FBI cannot be forced to disclose the name of the vendor that built its iPhone crack, or how much it paid for the tool. #FOIA
- @dnvolz: NSA says it would need to begin scaling down 702 spying prior to expiration if renewal in limbo tip @Techmeme
- @OrinKerr: No action yet on DOJ’s cert petition in the MSFT/Ireland warrant case, No. 17-2.
- @politico: Judge: the FBI does not have to reveal how much it paid or the source of San Bernardino iPhone hack
- @vicenews: U.S. citizens also may have their own data “vacuumed” up if they interact online with anyone the policy touches
- @CNBC: Las Vegas tragedy reignites encryption debate
- @EFF: BREAKING: Irish Court says European Court of Justice must decide whether U.S. surveillance breaks EU privacy law
- @jimwaterson: Amber Rudd says she doesn’t need to understand how end-to-end encryption works to understand it helps criminals.
- @lawfareblog: Stewart Baker: The Cyberlaw Podcast: Equifax and the Upside of Nation-State Cyberattacks
- @EFF: Irish court says U.S. surveillance law doesn’t protect European privacy
- @EFF: The new DHS rule to store immigrants’ social media data would affect all US citizens who communicate with immigrants
- @MattMackowiak: My latest @thehill column: Privacy Laws Need an Update
- @P_Strickland_: My latest @AJEnglish: DOJ warrants demand Facebook hand over information from accounts of three anti-Trump activists
- @WSJbusiness: EU case is latest legal skirmish over what firms can do with data they collect on users.
- @ZDNet: Former Irish Chief Justice slams data retention as mass surveillance and threat to fundamental rights by @dobes
- @BradSmi: Thank you @jonfortt for the opportunity to discuss cybersecurity and more on @CNBCClosingBell. #CambridgeCyber
- @dnvolz: The long-simmering debate over Section 702 surveillance is about to explode in Congress… tip @Techmeme
- @ericgeller: Rosenstein hits tech companies for how they deploy encryption: “Increasingly, technology frustrates the traditional law enforcement efforts to collect evidence that’s needed to protect public safety and solve crimes.”
- @TechCrunch: UK gives WhatsApp another spanking over e2e crypto by @riptari
- @zackwhittaker: Just in: House lawmakers have just released a bill that imposes new restrictions on section 702 surveillance powers.