By: Josh Cervantes
After employing a panoply of unsuccessful measures designed to seal off Chinese telecommunications giant Huawei from the U.S. market and those of its allies, Attorney General William Barr in early February offered a bold, new approach: frustrating Huawei’s domination of the 5G market by having the U.S. State Department take a controlling ownership stake in Finland’s Nokia and Sweden’s Ericsson, two of Huawei’s arch rivals. Barr’s suggestion is in line with a U.S. campaign designed to reduce Huawei’s footprint around the world due to concerns that the company could, at the direction of the Chinese Communist Party, use its technology to spy on foreign governments and other entities that China considers a threat.
Suggesting that such a move be carried out “either directly or through a consortium of private American and allied companies”, Barr envisions a not-so-distant future where all U.S. 5G infrastructure and operations are carried out by domestic firms, with the exception of Ericsson and Nokia, given their significant U.S. presence.
However, if Barr’s ambitious plan were to be executed, it may leave taxpayers on the hook for a massive bill while potentially providing only minor security benefits in the national security realm. These considerations beg the question: is Barr’s plan actually worth it?
Barr’s plan would initially require paying satellite operators to vacate their allocated spectrum frequencies to make room for 5G services. Key to the success of the plan is having the FCC rapidly auction off C-band spectrum that is currently utilized by several space station (satellite) operators, including Intelsat, SES, and Eutelsat. In a hotly contested vote earlier this month, the FCC voted 3-2 to free up to 280 MHz of C-band for 5G, allocating at least $9.7 billion for accelerated relocation payments to the companies currently occupying the spectrum. These funds would be paid to companies in exchange for quickly vacating the desired C-band spectrum, after which a public auction for the spectrum would be held by the U.S. government. Companies occupying the desired spectrum were previously unified under the banner of the C-band Alliance, but as the prospect of vacating the spectrum has materialized, these companies have turned on each other and begun requesting separate payments for opening the spectrum. The requested compensation appears likely to dwarf the $9.7 billion allocation from the FCC.
Considering that Ericsson and Nokia have a combined market capitalization of approximately $50 billion, the cost of purchasing a controlling stake in both companies could enormously inflate the bill for U.S. taxpayers. This situation could be avoided, however, if the “consortium of private American and allied companies” Barr referenced in his statement were to come together and purchase controlling stakes in the companies. While not implausible, the possibility of such a move occurring in the immediate future, a crucial part of Barr’s plan, is questionable at best, as the coronavirus continues to rout global markets and curb major investment. For now, Barr’s plan would likely require the U.S. government—the American Taxpayer—to foot the bill for controlling stakes in Ericsson and Nokia.
Prominent U.S. allies have already allowed Huawei to install telecom infrastructure or are courting the idea. The U.K., a member of the Five-Eyes Alliance, announced it would allow Huawei to “play a limited role in its next generation 5G mobile networks.” While Germany wrestles with how much access Huawei should have in the 5G market, Huawei is working on building a 5G equipment factory in France. These developments—coupled with wider adoption of Huawei’s technology throughout the EU—suggest that even if Barr’s plan is successful, it will provide only marginal security enhancements because the U.S. would likely be forced to curtail the amount of information it shares until new security protocols are implemented. Moreover, Barr’s plan appears to overlook a crucial paradigm shift in the U.S.-E.U. security apparatus: the current system is already being upended; Chinese technology will be used by the E.U. regardless of U.S. efforts to persuade it otherwise.
The State Department, AG Barr, and the wider U.S. intelligence community must ask themselves: is the juice worth the squeeze? It appears that Barr’s plan may provide only modest security protections at the cost of upending our intelligence sharing agreements with crucial allies around the globe. If the U.S. is to effectively counter Huawei’s march toward global domination, it must find solutions that can be adopted by its partners abroad, not just here at home.
By: Alvaro Maranon
Last month, the Department of Justice held a workshop on Section 230 of the Communications Decency Act [“Section 230”]. Attorney General Bill Barr’s opening remarks highlighted a myriad of talking points that continue to act as the basis for changing Section 230. In this speech, AG Barr argued that Section 230 is responsible for, among other things, shielding criminals and bad actors and enabling internet services to block access to law enforcement officials, even with a court-authorized warrant. Although the speech contained a far more exhaustive list of concerns, they all rally behind the call for reforming Section 230.
This speech was not superficial. It illustrates the reemergence of the government’s anti-encryption campaign. More recently, members of the “Five Eyes” (Australia, Canada, United Kingdom, United States, and New Zealand) have adopted, or signaled that they will adopt, overly broad and expansive anti-encryption legislation. Whether it’s the United Kingdom’s “Ghost Protocol” proposal or Australia’s “Assistance and Access Bill of 2018,” each piece of legislation represents a targeted effort to weaken encryption.
Now, Senators Graham and Blumenthal are seeking to codify these concerns with their bill titled the “EARN IT Act.” Despite the bill explicitly stating its focus is on combatting child sexual abuse material [“CSAM”], it is much more than that. The proposal amends Section 230 by removing a service provider’s liability shield in civil and state criminal suits over CSAM and exploitation-related material unless the newly created commission certifies them.
The commission would be directed by AG Barr and they would unilaterally determine what best practices each company would need to comply with to “earn” their liability shield. Moreover, the bill includes no oversight language nor any meaningful check on this expansive discretionary power. Thus, given the recent anti-encryption rhetoric, this power will very likely be used to weaken end-to-end encryption (E2E) and impose the frequently sought after but highly illusory backdoor requirement. Attempts to create a “law enforcement only” backdoor, a purposeful vulnerability in encryption that would permit an official to have easy access to the encrypted data, are not only impossible but dangerous. Once this weakness is created, nothing guarantees that the master key(s) to all the encrypted accounts can only be used by the good guys. Criminals will not only seek to discover this weakness, but will successfully steal it from law enforcement. The devastating WannaCry ransomware embodied this danger when it crippled devices in over 150 countries causing an estimated $4 billion in losses, after a hacking group had breached the NSA’s Vault7.
In an era where the digital economy continues to grow, and threat vectors continue to evolve, encryption needs to be strengthened. These legislative proposals epitomize a near-sighted approach that will fail to account for a plethora of foreseeable consequences. Section 230 and strong encryption have yielded endless economic benefits for individuals and the economy. Encryption strengthens domestic markets and economies by fostering consumer trust in e-commerce. And despite these successes, their true benefit to society has been how they have given a voice to the voiceless:
- Encryption empowers journalists, activists, and political dissidents to speak and think freely in times of oppression and xenophobia.
- Encryption helps oust corruption and other government malfeasance by protecting whistleblowers and activists who seek to reveal scandals and controversies.
To be clear, combatting CSAM and other heinous crimes should always be welcomed and encouraged. More support is needed in the efforts against similar crimes such as cyberstalking and revenge porn. If lawmakers sincerely sought to address this issue, then they would consult with experts rather than needlessly rush harmful legislation as was seen with SESTA. The Cyber Civil Rights Initiative, headed by a board of fantastic advisors and professionals, is one of many excellent groups that can contribute to the drafting of comprehensive and effective solutions.
Although critics of Section 230 may have some valid concerns, the aforementioned rationales for wanting to change this law are all based upon false pretexts. The same red herrings were reiterated during the recent Senate Committee on the Judiciary’s hearing on the EARN IT Act. Instead of dismantling Section 230, which has helped foster a rich online community of diversity and enabled ingenious start-ups to prosper like Go-Fund-Me, lawmakers should seek out ways to incentivize internet services to take down more harmful content.
This isn’t a zero-sum game between law enforcement and tech companies. A critical look at the harms mentioned by AG Barr can reveal how feasible and practical cooperation can be, rather than adversarial, which is often pitched as the only approach for tech private-public efforts. Each of Barr’s claims will be shown to be ultimately unnecessary given the ample alternatives demonstrating otherwise.
“No Effect on Criminal Law”: the language of Section 230 is clear.
Unlike most legislation, Section 230 is quite short and unambiguous, and even carries the nickname of “The Twenty-Six Words That Created The Internet.” Despite this lack of ambiguity, lawmakers continue to purposefully warp its effect and purpose. The bill’s congressional findings and policy indicate an intent that the liability shield would not undermine the enforcement of criminal laws nor the prosecution of sex trafficking crimes. Even with this clear language, AG Barr continues to claim that Section 230 enabled criminals and bad actors to evade punishment. This is far from the truth and the takedown of Backpage.com showcases this.
At first glance, the domain seizure of Backpage.com appeared to be a success story, given the mass proliferation of truly awful and despicable content on its site. But a subsequent investigative report revealed that Backpage had not only taken numerous steps to curb these activities but was a powerful ally in the fight against sex trafficking. The DOJ even described Backpage as being “remarkably responsive to law enforcement requests and often takes proactive steps to assist in investigations.” From developing content-moderation practices that filtered out certain search terms to retaining a former sex-crime and child abuse prosecutor to help craft a holistic safety program, Backpage did not act like they were above the law.
While takedowns of such sites do offer some solace and remedy to victims of these crimes, these bad actors and criminals will only migrate to other less-visited, and possibly less-cooperative, platforms. The sad truth is that CSAM and other related materials will continue to be widespread, with technology companies reporting “a record 45 million online photos and videos of the abuse last year.” Congress should not only authorize additional funding for these efforts, especially given how they consistently fail to fully approve previously authorized funding for state and regional investigations, but seriously investigate what tools and research can help both the private and public sector combat this problem more effectively.
Blocking Access to Law Enforcement
“This bill says nothing about encryption.” Senator Blumenthal actively sought to shut down this narrative at the Senate hearing last week. Numerous experts in this field have denounced this claim and articulated how it could be used to impose ad-hoc carve out exceptions to encryption. Please read any of the following excellent pieces on this subject: Riana Pfefferkorn, Electronic Frontier Foundation, TechFreedom, NetChoice.
Although the backdoor issue warrants an entire discussion in and of itself, the misleading justification upon which law enforcement relies deserves scrutiny. Many of the pretexts have painted an environment where law enforcement is helpless against technology companies in the fight against crime. From encryption creating impenetrable barriers to nullifying the power of a warrant, each fear is far from a reality. In fact, it is the failures of law enforcement that often result in stand-offs and the compounding of problems in investigations. A key CSIS report assessed the challenges and opportunities law enforcement faces as they seek to access and use digital evidence. It found that although encryption does pose a challenge in digital evidence gathering, it is far from the problem. The biggest reported difficulty was their “inability to effectively identify which service providers have access to relevant data.” Moreover, officials often reported going to the wrong ISP, having little to no training in data requests, and an overall lack of funding.
Cooperation is possible. Creating a comprehensive approach to digital evidence can help lift the burden for both service providers and law enforcement. Narrowing warrant requests can incentivize more cooperation, as service providers will be more comfortable sharing specific information about their users. Narrowing warrant requests can also prevent officials from being burdened with large amounts of information that may run afoul of the particularity requirement and the holdings from Carpenter v. United States.
These incentives can also easily be applied to harmful content takedowns. Following the mass shootings in Texas and Ohio last year, Cloudflare cut their ties with the notorious 8chan by no longer offering them their essential DDoS protection service. More recently, Facebook, Twitter, YouTube, and other social media giants announced a coordinated update to their policies to flag conspiracy theories about coronavirus and other misinformation. Section 230 encouraged companies to act proactively, and they continue to do so.
While attacking Section 230 is an easy cop-out, efforts should be put elsewhere. In a time where some legislators continue to lecture private companies about their duty to the public, despite some officials mocking serious issues, their focus should be on supporting Good Samaritans. In the end, Cloudflare’s response to 8chan should represent the norm, not the outlier, in the approach of combating harmful speech.
By: Margarita Gorospé
Use of surveillance technologies within Airbnb properties is not a new phenomenon. However, in December 2019, Airbnb announced an update to their company policies. The update focused on trust, and the new official ban on “party houses”, which refers to the use of rental properties as house party venues. The update also included ways the company hopes to combat safety and hosts’ concerns, including a “Neighborhood Support” initiative, and the new discount program for smart home technology devices. Risks and concerns regarding these initiatives, specifically the use of smart home technology, must be balanced with the considerable benefits they afford to the platform users – hosts and guests alike.
Following this December announcement, an email from Airbnb was recently sent out in February 2020 to hosts, which touted the platform’s discounts on three optional surveillance devices hosts could use in their rented out properties – Minut, NoiseAware, and Roomonitor.
Minut allows homeowners to remotely monitor the maintenance of the property, including noise, temperature, motion, and humidity. The device allows homeowners to set a threshold noise level and does not need an outlet. NoiseAware alerts homeowners of “sustained noise levels”, and considers excessive noise to be “a leading indicator of property misuse”. The website boasts that it is the only home device with a “microphone that does not record audio”. Finally, Roomonitor allows homeowners to be aware of the property’s noise levels all day through analyzed noise patterns, with real time access. All three of these devices claim to not have the ability to record.
These new technologies, which allow “smart” monitoring without recording capabilities, pose many questions. However, one significant question that is often at the center of smart technology use does stand out – do these devices finally strike a compromise between privacy concerns and safety concerns?
On the one hand, many Airbnb guests are often shocked whenever they inadvertently discover a recording device in their rental. Renters reacted with anger, confusion or disgust. Use of a hidden camera in a hotel-like space or other short-term rental is still unsettling, despite knowing it is someone else’s property. It is a temporary home, where most people expect a level of privacy at least somewhat close to what they would expect in their own home. Guests often feel violated when intimate moments are captured for homeowners to watch.
On the other hand, the homeowner who chooses to rent out their property for visitors has true ownership. Homeowners desire to maintain the value of their properties, wish to keep good relationships with their neighbors, aim to maintain a safe environment within their home, and want to ensure that their properties avoid damage. When they choose to stay off-site after guests arrive, they are placing their assets and trust in the hands of complete strangers. Anything can happen to their property without their watchful eye, including shootings, such as the ones reported in California and Canada. Finding a way to monitor their home while they are not physically present allows homeowners to have peace of mind about leaving their property to strangers, and also allows them to act swiftly if any unusual or impermissible activity is occurring.
Enter Minut, NoiseAware, and Roomonitor, with promises of monitoring abilities while limiting privacy intrusion.
Will the use of these devices help move private surveillance technology use in the right direction? First, such use completely gets rid of any facial recognition problems, an area rife with questions of bias and mistaken identity. Second, the devices claim to only monitor certain conditions, which significantly limits the scope of information being analyzed by the device. None of these devices have video features, which gives guests some level of anonymity. Third, the lack of recording capabilities allows for another layer of privacy by providing a lighter touch on accessible information.
Without recordings, the homeowner can only use live streaming or can only access compiled data. This may be a good thing. After all, recordings allow for unnecessary inspections, and require some method of storing information about a target person in a way that he or she may not know about. Instead, the devices limit homeowners to glimpses and summaries, not “on-demand” watching.
While there are certain benefits to this technology, potential risks inevitably come along. Recording capabilities do serve important functions, and without them, there are fewer ways to determine context. For example, will a device that alerts homeowners of sustained noise levels ignore the sound of a single gunshot? What if the homeowner chose a significantly low noise threshold on his or her Minut device, resulting in an alert if guests end up having animated and lively conversation? Finally, what if information on any of these devices could be used to provide evidence for or against a claim between the homeowner and guest, but since a full recording is non-existent, the court is stuck with a limited number or dataset? A single spike in a noise chart can mean anything, and without a full recording, there is little to nothing that can be used to prove assertions.
Other concerns center around how the data is stored and handled. These devices may not have recording capabilities, but they do collect data for analysis and reports presented on the devices’ respective applications. How exactly is this information compiled and where does it store this information prior to the creation of the analysis or report?
Finally, laws and policies concerning surveillance devices center on notice. Airbnb states that hosts must disclose the presence of a recording device within the home and disclose any active monitoring, and places little to no restrictions thereafter, as long as the devices are not placed in bathrooms or similar intimate areas. There are no federal video or audio recording laws that would be applicable in these instances, so these devices are likely going to be regulated by state laws. However, it appears that the legal status of these three specific devices is unclear. While it is a tamer version of Ring or Nest, it is also a more watchful version of traditional home alarm systems. They act more like sensor devices, but still have information collecting capabilities. However, none of that information is recorded in the same way other popular home surveillance devices record footage or audio – there are no playback features, just charted data. Since most laws concerning surveillance devices center on the “recording” aspect, questions remain about regulation when a device significantly waters down collected information to near anonymity.
There are still many unknown factors when it comes to finding the balance between privacy and safety. Devices such as Minut, NoiseAware, and Roomonitor may be attempting to consciously find that balance, and if so, such innovation may help provide future initiatives with important lessons.
By: Soniya Shah
Virtual reality (VR) simulates environments and allows users to interact in those environments. The technology is embraced by many corporate entities, such as the healthcare sector for use in training or the aerospace industry, which uses VR for flight simulation. Virtual reality is also popular with consumers who use it in video games. Games like Pokémon Go allow a player to walk around searching for virtual characters in their real-world surroundings. Most users access the environment through an interface, which is usually a headset the user wears during the interaction. The virtual reality and augmented reality industry was valued at $26.7 billion in 2018 and is expected to increase to $814.7 billion by 2025. Such a valuable industry is likely to be a target for privacy and security concerns.
Many devices connected to the Internet of Things, which includes virtual reality devices, are likely to have been designed and developed without security protocols in mind. Of course, many emerging technologies raise questions about the privacy of the user, especially when that is not a key design question. The main concern is that VR companies have a whole new level of access because the programs access the video and audio feed of a user’s surroundings. Many of the privacy policies state that information will be shared with third parties.
Many VR devices also track biometric data – movements of the body including the head, hands, and eyes. This data can be medical data. What happens if that information falls into the lap of an insurance company who uses it to make determinations about medical coverage? The issue is that the unintended consequences of doing something fun have very real, potentially damaging consequences when third parties have paid for access to that information.
As security and privacy concerns form, developers are now making devices that have a private mode feature that prevents the device from recording data while you are using it. The burden falls on users to choose devices that incorporate such a feature if they want to keep their information safe because there are no laws regulating the devices. Users should also be cognizant of privacy policies and check to see what data companies are releasing and what permissions are given away when you agree to use a VR device. There are also potential implications because many VR companies use cloud technology, which the users never interact with. There may be different terms of service between a VR company and the cloud provider.
Regulations are likely necessary now but the law tends to move slower than the pace of new technology. To protect users, regulations should limit the amount of biometric data VR devices can collect, either by deleting it immediately or not allowing its collection at all. Further, it is critical that VR companies provide their users with explicit information regarding the type of information they collect and who – including third parties – has access to that information. If a data policy changes, all users should be required to opt-in again. User awareness is ever-critical in an era where security and privacy are afterthoughts.