TLJ News from October 21-25, 2012

DOJ's Monaco Addresses Cyber Security

10/25. Lisa Monaco, Assistant Attorney General in charge of the Department of Justice's (DOJ) National Security Division (NSD), gave a speech in Seattle, Washington, regarding cyber security. It was largely a summary of statements of federal government officials and agencies, and news reports. However, she advocated "legislation proposed by the Administration last year".

Legislation. She did not name the titles of any proposals or pending bills. However, the Obama administration released legislative language [60 pages in PDF] on May 11, 2011.

It includes proposed amendments to 18 U.S.C. § 1030, a data breach notification mandate, provisions regarding cyber security of federal systems, amendments to the Federal Information Security Management Act of 2002, a limitation on liability for certain cyber security related actions, and a provision that authorizes disclosure to the government of lawfully intercepted or acquired cyber security related information.

However, the key section of this administration proposal (at pages 33-41) would create a broad new federal regulatory regime that would affect any business that the government designates as critical infrastructure. It is titled "Cybersecurity Regulatory Framework for Covered Critical Infrastructure Act".

Neither the House nor the Senate is considering this proposal. The House passed a much different cyber security bill in April, which would create incentives for information sharing, but includes no new federal regulatory regime. See, HR 3523 [LOC | WW], the "Cyber Intelligence Sharing and Protection Act" or "CISPA".

The Senate failed to pass a Senate bill just before the August recess that includes a federal regulatory regime that is more vaguely worded than the Obama administration proposal. See, S 3414 [LOC | WW], the "Cybersecurity Act of 2012". And, Sen. John McCain (R-AZ) is the sponsor of a competing Senate bill that would create no new federal regulatory regime. See, S 2151 [LOC | WW], the "Secure IT Act".

Monaco also said that "we must consider what kinds of tools, investigations, and outreach we can launch now to lay the groundwork for future cyber efforts. These may be relatively simple things, like standardized protocols and established points of contact to make reporting intrusions easier. Or they may take the form of institutional relationships between the government and the private sector for sharing information."

Also, "The cyber threat demands ready and fluid means of sharing information and coordinating our actions."

She said that interaction between the private sector and the national security community "is absolutely necessary here".

She stated that "broader efforts to reform -- like the legislation proposed by the Administration last year -- will require our joint efforts".

Cyber Threats. Monaco also discussed cyber threats. She said that "a range of cyber activities is incrementally diminishing our security and siphoning off valuable economic assets".

She said that "over the last several weeks, financial institutions in the United States have been hit by a series of Distributed Denial of Service (or DDOS) attacks".

"A growing number of sophisticated state actors have both the desire and the capability to steal sensitive data, trade secrets, and intellectual property for military and competitive advantage". She added that the "Intelligence Community" has identified "China and Russia" as the main concerns, but also noted that Secretary of Defense Leon Panetta has mentioned Iran.

She also said that "trusted insiders pose particular risks. Those inside U.S. corporations and agencies may exploit their access to funnel information to foreign nation states. In these cases, perimeter defense isn’t worth much". She added that "cyberspace makes economic espionage that much easier".

She also discussed the role of lawyers. She said that "both public and private sector attorneys need to be able to tell clients what options they have available to deal with cyber threats".

People and Appointments

10/25. Jonathan Adler (Case Western law school) and William Kovacic (George Washington University law school) joined the Free State Foundation's (FSF) Board of Academic Advisors.

EC Finds Microsoft Failed to Comply with 2009 Browser Choice Order

10/24. The European Commission (EC) stated in a release that it "has informed Microsoft of its preliminary view that Microsoft has failed to comply with its commitments to offer users a choice screen enabling them to easily choose their preferred web browser."

Microsoft stated in a release that "we ... moved quickly to address this problem as soon as we became aware of it. Although this was the result of a technical error, we take responsibility for what happened, and we have taken steps to strengthen our internal procedures to help ensure something like this cannot happen again. We sincerely apologize for this mistake and will continue to cooperate fully with the Commission."

The EC added that "In December 2009, the Commission had made legally binding on Microsoft commitments offered by the US software company to address competition concerns related to the tying of Microsoft's web browser, Internet Explorer, to its dominant client PC operating system Windows ... Specifically, Microsoft committed to make available for five years (i.e. until 2014) in the European Economic Area a 'choice screen' enabling users of Windows to choose in an informed and unbiased manner which web browser(s) they wanted to install in addition to, or instead of, Microsoft's web browser." (Parentheses in original.)

See also, story titled "Microsoft Commits to EC to Offer Windows Without Browser in Europe" in TLJ Daily E-Mail Alert No. 2,024, December 17, 2009.

Also, Joaquín Almunia, VP of the European Commission responsible for Competition Policy, made a statement on October 24. He said that "In addition, third parties have been raising various issues about other aspects of Microsoft's compliance. We have carefully looked at them during this investigation and we do not see grounds, at this point, for further intervention."

The EC's antitrust proceeding against Microsoft has run for almost a decade. See also, stories titled "European Commission Seeks 497 Million Euros and Code Removal from Microsoft" in TLJ Daily E-Mail Alert No. 863, March 25, 2004; "European Commission Releases Microsoft Decision" in TLJ Daily E-Mail Alert No. 883, April 23, 2004; "European Court of First Instance Rejects Key Parts of Microsoft's Appeal" in TLJ Daily E-Mail Alert No. 1,639, September 14, 2007; and "EC Demands More Money From Microsoft" in TLJ Daily E-Mail Alert No. 1,723, February 26, 2007.

People and Appointments

10/24. Kyle McSlarrow was named Comcast Cable Communication's Regional Vice President of the Mountain Region, overseeing operations in Utah and Arizona. He was previously head of Comcast's Washington DC office. See, Comcast release.

More News

10/24. The Federal Communications Commission (FCC) published a notice in the Federal Register (FR) that sets comment deadlines for its Notice of Proposed Rulemaking (NPRM) [18 pages in PDF] regarding the amateur radio service. The deadline to submit initial comments is December 24, 2012. The deadline to submit reply comments is January 22, 2012. The FCC adopted this NPRM on October 1, 2012, and released the text on October 2. It is FCC 12-121 in WT Docket Nos. 12-283 and 09-209. See, FR, Vol. 77, No. 206, October 24, 2012, at Pages 64947-64949.

10/24. The Office of the U.S. Trade Representative (OUSTR) announced that the US and EU convened a meeting of the Working Group on Investment. The OUSTR stated in a release that this is "a dialogue of senior officials under the auspices of the Transatlantic Economic Council. The meeting was led for the United States by Assistant U.S. Trade Representatives Christine Bliss and L. Daniel Mullaney, and Principal Deputy Assistant Secretary of State for Economic and Business Affairs Deborah McCarthy, and for the European Union by the European Commission’s Director of Services and Investment, Intellectual Property and Public Procurement Rupert Schlegelmilch. The two sides discussed global investment policy and third country issues of common concern, and reaffirmed their shared commitment to maintaining and promoting investment policies that are open, transparent and non-discriminatory, including through the negotiation of high-standard international investment agreements."

European Parliament Adopts Resolution on US EU Trade Negotiations

10/23. The European Parliament (EP) adopted a resolution regarding forthcoming trade negotiations between the EU and US.

This resolution (see, pages 299-307) addresses several technology related issues, including intellectual property, free flow of information on the internet, e-commerce, data security, financial services, and digital markets.

This resolution states that the EP "Emphasizes that ... there are many areas where progress would be greatly beneficial, in particular regarding the removal of trade barriers, the introduction of measures to ensure better market access, including for investment, the protection of intellectual property rights (IPR), the opening up of public procurement markets to ensure full reciprocity, the clarification, simplification and harmonisation of rules of origin, and the convergence on mutual recognition of regulatory standards".

The EP also "Affirms the importance of IPR to stimulate job and economic growth, and the significance, therefore, that high standards be maintained for IPR protection and enforcement, while promoting the free flow of information and access to the internet".

But, "it might not be feasible, in eventual negotiations, to seek to reconcile across-the-board differences with regards to the IPR obligations typically included in EU and US trade agreements; underlines, however, that the approach proposed for negotiations should be ambitious, aiming at solving the areas of divergence, and at dealing with the IPR matters in a mutually satisfactory manner, while ensuring a satisfactory level of protection for economic operators; reiterates that both EU and US growth and job creation efforts rely on the ability to innovate and produce creatively, and, that being the case, that the transatlantic economy is threatened by counterfeiting and piracy; considers the new EU-US Information and Communication Technology principles as an encouragement for increased synergy".

The EP also "Takes the view that given the increasing importance of e-commerce, data protection standards play an essential role in protecting customers both in the EU and US; stresses that both the EU and the US need to address rising cyber security threats in a concerted manner and in an international context; points out that interoperability and standards in the domain of e-commerce, recognised at global scale, can help to promote more rapid innovation by lowering the risks and costs of new technologies".

The EP also "Calls, in particular, for every effort to be made towards the creation of truly open and integrated transatlantic financial services and digital markets, given the positive effects this would have on both sides of the Atlantic in a reasonably short time frame; encourages the discussion of the inclusion of a financial services chapter, given the interconnected nature of our markets; highlights the importance of intensified exchanges and cooperation of financial services regulators on both side of the Atlantic in order to share best practices and identify regulatory gaps".

People and Appointments

10/23. The Department of Commerce's (DOC) Bureau of Industry and Security (BIS) published a notice in the Federal Register (FR) that announces the membership of the BIS Performance Review Board: Michael Levitt, Geovette Washington, Daniel Hill, Matthew Borman, and Gay Shrum. See, FR, Vol. 77, No. 205, October 23, 2012, at Page 64796.

More News

10/23. The Federal Communications Commission (FCC) Commissioner Mignon Clyburn gave a speech in Washington DC regarding spectrum policy.

10/23. The Federal Communications Commission (FCC) released a Notice of Apparent Liability Forfeiture (NALF) that fines Patrick Keane $608,000 for sending unsolicited faxes in violation of the Telephone Consumer Protection Act (TCPA).

10/23. The World Trade Organization (WTO) announced in a release that its Dispute Settlement Body (DSB) established a panel to examine the US complaint against the People's Republic of China regarding anti-dumping and countervailing duties on US automobiles.

10/23. The World Trade Organization (WTO) announced in a release that its Dispute Settlement Body (DSB) established a panel to examine whether the US has complied with DSB recommendations regarding subsidization of Boeing. It also referred to arbitration a request by the EU to take countermeasures for $12 Billion against the US.

FTC Brings Section 5 Action for Use of Web Tracking Software that Violates Privacy Policy

10/22. The Federal Trade Commission (FTC) announced that it filed an administrative complaint [PDF] against, and entered into a consent agreement [PDF] with, Compete, Inc., in connection with its use of web tracking software in ways that violated its privacy policy.

The FTC stated in a release that contrary to assurances in its privacy policy, "Compete failed to remove personal data before transmitting it; failed to provide reasonable and appropriate data security; transmitted sensitive information from secure websites in readable text; failed to design and implement reasonable safeguards to protect consumers’ data; and failed to use readily available measures to mitigate the risk to consumers' data".

The complaint alleged that this violates Section 5 of the FTC Act. The complaint does not allege that Compete's activities, in the absence of a privacy policy, would have violated the FTC Act.

Section 5 of the FTC Act, which is codified at 15 U.S.C. § 45, provides, in part, that "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful".

The complaint states that "Compete is a market research company that collects data from consumers so that it can, among other things, develop and sell analytical reports about consumer behavior on the Internet." It "collected data about consumers" who downloaded its software. It promised consumers "information about websites as they surfed the Internet" and "rewards".

The complaint continued that Compete's privacy policy stated that it would "anonymously" collect browsing information, and that "All data is stripped of personally identifiable information before it is transmitted to our servers."

But, "In fact, Compete collected more than browsing behavior or addresses of web pages. It collected extensive information about consumers’ online activities and transmitted the information in clear readable text to Compete’s servers. The data collected included information about all websites visited, all links followed, and the advertisements displayed when the consumer was on a given web page. The captured data included details about consumers’ online behavior to the extent that, for example, Compete knew whether a consumer abandoned or completed a purchase after placing an item in an online shopping cart."

The complaint also states that "Compete also captured some information consumers communicated on secure web pages (e.g., https), such as credit card numbers, financial account numbers, security codes and expiration dates, usernames, passwords, search terms, or Social Security numbers." And, "Compete failed to implement a simple, commonly used, algorithm to screen out credit card numbers".

The complaint also states that Compete asserted falsely in its privacy policy that "We take reasonable security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of personal information."

The settlement agreement includes no admission of wrongdoing, and no fine. It merely prohibits prospectively certain enumerated practices. It also requires disclosures, deletion of data, outside monitoring, record keeping, and reporting.

Compete is represented in this matter by Christopher Wolf of the law firm of Hogan Lovells and Gary Kibel of the law firm of Davis and Gilbert.

The deadline to submit comments to the FTC regarding this proposed consent agreement is November 19, 2012. See, notice in the Federal Register, Vol. 77, No. 209, October 29, 2012, Pages 65550-65552. This administrative proceeding is FTC File No. 102 3155.

Copyright Office Issues Notice of Inquiry on Orphan Works

10/22. The Copyright Office (CO) published a notice in the Federal Register (FR) that requests comments regarding "orphan works".

The deadline to submit initial comments is 5:00 PM on January 4, 2012. The deadline to submit reply comments is 5:00 PM on February 4, 2013. See, FR, Vol. 77, No. 204, October 22, 2012, at Pages 64555-64561. See also, CO web page for submitting comments.

See, full story.

FCC Seeks More Comments on Wireless Microphones

10/22. The Federal Communications Commission (FCC) published a notice in the Federal Register (FR) that sets comment deadlines in its proceedings regarding wireless microphones.

Initial comments are due by November 21, 2012. Reply comments are due by December 12, 2012. See, FR, Vol. 77, No. 204, October 22, 2012, at Pages 64446-64450.

The FCC's Wireless Telecommunications Bureau (WTB) and Office of Engineering and Technology (OET) released a Public Notice (PN) [8 pages in PDF] on October 5, 2012, that requests that commenters refresh the record. It also asks two questions.

The FCC asks whether the FCC "should provide for a limited expansion of license eligibility that would permit some wireless microphone and other low power auxiliary station users, which currently operate in the TV broadcast spectrum on an unlicensed basis, to operate on a licensed basis under the part 74 rules applicable to low power auxiliary stations (LPAS)".

The FCC also asks "what steps the Commission should take to promote more efficient use of this spectrum by wireless microphones."

Also, the FCC asks "that these comments take into consideration recent industry developments, including advances in wireless microphone technologies, as well as related Commission proceedings that affect use of wireless microphones, including the TV White Spaces proceeding and the Incentive Auctions proceeding proposing auction of spectrum currently allocated to television broadcasting."

The FCC released this PN on October 5, 2012. It is DA 12-1570 in WT Docket Nos. 08-166 and 08-167 and ET Docket No. 10-24.

The FCC adopted its Report and Order and Further Notice of Proposed Rulemaking [103 pages in PDF] on January 14, 2010. It released the text on January 15. It is FCC 10-16 in the same three dockets.

See also, 2008 NPRM and Order (FCC 08-188) and story titled "FCC Releases NPRM on Wireless Microphones Operating in 700 MHz Band" in TLJ Daily E-Mail Alert No. 1,817, August 21, 2008.

See also, FCC web page titled "Wireless Microphones 700 MHz Band Prohibition After June 12, 2010".

FTC Releases Staff Report on Facial Recognition Technologies

10/22. A divided Federal Trade Commission (FTC) released a staff report [30 pages in PDF] titled "Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies".

The five member commission did not vote to approve this item. And, it is not a final order subject to judicial review. However, Commissioner Thomas Rosch wrote a dissent.

This report recommends that social networks should "provide consumers with (1) an easy to find, meaningful choice not to have their biometric data collected and used for facial recognition; and (2) the ability to turn off the feature at any time and delete any biometric data previously collected from their tagged photos."

It recommends that "companies using digital signs capable of demographic detection ... should provide clear notice to consumers that the technologies are in use, before consumers come into contact with the signs."

This report "recommends that companies using facial recognition technologies design their services with privacy in mind". This includes maintaining "reasonable data security protections for consumers’ images and the biometric information collected from those images" and "putting protections in place that would prevent unauthorized scraping which can lead to unintended secondary uses".

It also recommends that "companies should establish and maintain appropriate retention and disposal practices for the consumer images and biometric data that they collect".

It also recommends that "companies should consider the sensitivity of information when developing their facial recognition products and services".

This report promulgates no rules. It concludes no adjudication. Rather, it makes "recommendations" regarding what businesses "should" do. It may serve as a basis for future FTC enforcement actions involving use of facial recognition technologies brought under Section 5 of the FTC Act, which is codified at 15 U.S.C. § 45. This is essentially an anti-fraud provision.

See, full story.

Rep. Markey Writes Microsoft Regarding Its Privacy Practices

10/22. Rep. Ed Markey (D-MA) sent a letter to Microsoft that asks numerous questions about its "new policy that expands the ability of the company to collect and use personal information from consumers using its free Web-based services, including e-mail, search, and instant messaging".

Rep. Markey did not allege any wrongdoing. And, he described as "positive" Microsoft's browser do not track default setting.

But, he propounded numerous interrogatories, to be answered by November 13, regarding Microsoft's old and new business practices, including what web based products are affected, what information is collected, how it is shared across products, and opting in and opting out choices for consumers.

Rep. Joe Barton (R-TX), who often joins with Rep. Markey in privacy related matters, did not sign this letter.

More News

10/22. The Department of Commerce's (DOC) Bureau of Industry and Security (BIS) published a notice in the Federal Register (FR) that announces that its Information Systems Technical Advisory Committee will hold a two day, partially closed, meeting on November 7-8, 2012. See, FR, Vol. 77, No. 204, October 22, 2012, at Page 64464.

10/22. The Department of Homeland Security (DHS) published a notice in the Federal Register (FR) that announces, describes, recites, and sets the effective date (November 1, 2012) for, its rule changes that provide for the designation of Taiwan for the Visa Waiver Program. See, FR, Vol. 77, No. 204, October 22, 2012, at Pages 64409-64411.
