Cyber Scene #35 - $5 Billion here, $5 Billion there...Facebook is Fine (d)
On 24 July, the Federal Trade Commission (FTC) delivered its 50-page plan to take Facebook to task for transgressions regarding improper use of personal identifying information (PII) of its users. This record fine had been anticipated at least since a July 12 article by Cecilia Kang, as the FTC was awaiting a green light from the Department of Justice (DOJ). The DOJ usually approves FTC settlements. The core of this settlement on privacy was whether Facebook violated its 2011 agreement with the FTC to refrain from deceiving users over how their PII was used and shared. The settlement is exponentially greater than the next largest one, $22M with Google in 2012, but it is a criticism Mark Zuckerberg seems to be taking to heart without significant danger to his company, as reported by NYT reporters Mike Isaac and Natasha Singer. A second settlement, with the Securities and Exchange Commission (SEC), of $100M was also announced on 24 July, this one from the perspective of misleading investors. This leaves a third potential settlement, with the FTC, still outstanding; it relates to anti-trust actions creating an unlevel playing field. The FTC vote on the $5B settlement was 3-2 rather than unanimous because the two "nay" votes believed that the reprimand was not strong enough.
Regarding mitigation plans, Wired reported on 24 July, in "The FTC wants more privacy, less Zuckerberg at Facebook," that the CEO must certify annually and personally that the company is in compliance with the changes to Facebook's structure and privacy protection.
Facing the Nation
As for the view from across the Pond, The Economist in "Volte-Face" notes on 18 July that the series of testimonies from this social network promising to "...behave better from now on" has a familiar ring. However, in the margins of testimony regarding the launch of the cryptocurrency Libra, US Members of Congress and David Marcus of Facebook, who heads up Libra, all appeared to be better prepared, per The Economist, with Mr. Marcus now "asking for permission rather than forgiveness." It also notes that this points to a change in which "Facebook works with governments rather than around them," which appeals to its investors. The article includes a handy chart of US and EU tech companies' operating profits entitled "Fine and Dandy." Facebook is highly unlikely to risk debt prison.
This, however, leads to more regulation in the US and Europe, which spills over into other cyber and facial-recognition issues. The Economist of 13 July addresses Congressional and Supreme Court views on facial recognition aspects of privacy. Two US towns banned the use of facial recognition by their local police, whereas one Congressman on the House Homeland Security Committee believes that someone in the public domain should have no expectation of privacy.
The Supreme Court disagreed, with Chief Justice Roberts holding that the Court's view of the Fourth Amendment indicates that "individuals have a reasonable expectation of privacy in the whole of their physical movements." Ergo, no non-consensual GPS tracking.
Can You See Yourself?
Wired's Brian Barrett penned an article on 17 July entitled "Think FaceApp is Scary? Wait Till You Hear About Facebook" in which he looks at FaceApp's ability to let you see what you will look like when you are old and grey. He reminds the reader that the product is of Russian descent and retains the right to use photos forever. But "...at least FaceApp didn't access your GPS or SIM card." And it stated that it doesn't upload all your photos to the cloud. Barrett casts this as good news in comparison to transgressions of Facebook, Life360, TikTok (a Chinese app) and other apps that are worse. However, he undercuts his own argument a bit by ending with a note that FaceApp does send data to DoubleClick (the Google ad company) and Facebook. He adds a final caution for users: focus on broader awareness, recognize the value of one's personal data, and think twice about who, with your consent, gets your data.
For graphic learners, the NYT's Cade Metz on 13 July analyzes the "quiet hoarding" of millions of faces drawn from the web, with a stunning photo of the Microsoft MS Celeb database with over 10 million photos of 100,000 (mostly famous) people. Facebook and Google are credited with not distributing their massive photo databases, and Microsoft and Stanford University's Brainwash have removed theirs as Duke and other innovators also struggle to conduct research while respecting privacy. We are back to the beginning regarding police being denied facial recognition access by two US towns: the FBI is mentioned by the author as having used this data for years.
Congress United, Microscopes in Hand
This ever-growing challenge of balance continues to drive regulators. It particularly draws politicians of opposite polarities together with respect to the Big Tech FAANGs. NYT's Steve Lohr, Mike Isaac and Nathaniel Popper in the 17 July "Reprimands of Big Tech Cross Aisle" look at senators and congressmen of considerable status such as Senators Ted Cruz (R-TX) and Sherrod Brown (D-OH) who join forces, if only on cyber security or anti-trust issues related to regulating Big Tech.
Who's Watching? Mueller Time
For those returning from an isolated African jungle safari, on 24 July former FBI Director Robert Mueller testified before the House Judiciary Committee on obstruction of justice and the House Permanent Select Committee on Intelligence (HPSCI) on Russian election interference. The former hearing did not directly address cyber issues; Mr. Mueller was "by the book" with no surprises, and the Members of both parties expressed their admiration for the witness's service and then launched into somewhat politicized blasts, despite Chairman Jerrold Nadler's (D-NY) attempts to rein them in and direct them to complete their comments within the allotted time. Some "questions" gave Mr. Mueller no time to respond. This behavior is not unusual on the Hill. In contrast, the HPSCI was markedly civil, likely due in part to Mr. Mueller, as a former FBI director, having appeared before the HPSCI for many of his nearly 90 appearances before Congress. Chairman Adam Schiff (D-CA) had a less contentious three hours, with Ranking Member Devin Nunes (R-CA) being a slight exception. What was also, conversely, exceptional was the questioning of Member Will Hurd (R-TX), who commended Mr. Mueller and his work, and did so with no "howevers." More expectedly, Member Eric Swalwell (D-CA) asked about cyber attacks and countermeasures used against the US during the 2016 elections. He also queried whether encryption and other technologies deployed against the elections hampered US defenses. Mr. Mueller acknowledged that they did, and that they continue "as we sit here." He added that these attacks also involved additional actors beyond Russia. When asked about who should be in charge of this now, Mr. Mueller asked Congress to do its part to strengthen the connectivity across the Intelligence Community (IC), as was initiated post-9/11.
Interestingly, NYT intelligence reporter Julian Barnes wrote on 20 July of a new post of IC Election Threats Executive to be held by IC professional Shelby Pierson who had served as crisis manager on interference in the 2018 midterms. The Director of National Intelligence Dan Coats has directed that all IC agencies name a senior executive to her ODNI leadership board to defend against 2020 election interference.
Does Crime Pay? It Depends
Although criminals benefitting from the 2017 Equifax breach have undoubtedly reaped financial benefits, the company itself is poorer, responsible for payouts that may exceed $650M for many of the 147 million individuals whose data was stolen, per NYT reporter Stacy Cowley. A federal judge issued that minimum settlement on 22 July, pending finalization. The complexity derives from the involvement of two US government agencies and 48 of the 50 states. There may also be compensation for the time it took for victims to secure their accounts. Stay tuned.
NYT journalist Frances Robles reported on 7 July that Lake City FL, whose municipal IT system holding 100 years of data was held for ransom on 6 June, is still dealing with data now encrypted that is not yet accessible. Sixteen terabytes of data were locked. Despite a ransom payment, some of it has yet to be unlocked. The triple-threat Ryuk attack, executed through spearphishing, is the culprit. Negotiators for this and other ransom events in Baltimore, Atlanta, Riviera Beach FL, Dallas, Key Biscayne FL, and Jackson County GA are loath to disclose details to the public. This would just drive prices up as well as publicly disclose vulnerabilities and regret. Officials and insurer negotiators often do not expose how many Bitcoins the ransom demands total, despite the FBI's official position on not dealing with the criminals. So cities are paying for crime--that inflicted against them. And Bitcoin traders...? Well, money certainly makes the netherworld go 'round.