Facebook may soon face a reckoning in Washington.
The social media giant has been in an uncomfortable spotlight for months since the Cambridge Analytica scandal, but Congress and the Federal Trade Commission haven't taken any action against the company beyond their respective inquiries into Facebook's data-use practices.
This week’s revelations that the social media giant quietly shared users’ personal data with dozens of device manufacturers over the last decade may tip the scales. Legislation to rein in Facebook’s practices — and even stiff penalties from the FTC — are starting to look like a real possibility, even in a Congress typically slow to move on tech issues.
Lawmakers fired off letters with questions about how Facebook shares data with other companies. At least one senator is calling for chief executive Mark Zuckerberg to return to the Capitol for another round of grilling. And it may be more than just talk this time: Lawmakers are already talking about legislative solutions.
“Facebook is learning hard lessons that meaningful transparency is a high standard to meet," said Sen. John Thune (R-S.D.), chair of the Senate Committee on Commerce, Science, and Transportation, which is looking into Facebook's data privacy practices. "We’ve asked them to disclose some important but perhaps uncomfortable information and we’ll see how they respond.”
The New York Times reported Sunday that Facebook had struck data-sharing partnerships with at least 60 device makers — including Apple, BlackBerry and Samsung — over the past decade, giving them access to troves of personal information about its users. The arrangements were designed to make it easier for Facebook users to use the site on different platforms that didn't support its app, but lawmakers worried the data might have been harvested without user consent. The controversy deepened on Tuesday, when Facebook admitted that Huawei, a Chinese telecom firm that military and intelligence officials have called a security risk because of its alleged links to the country’s government, was one of the companies that got special access.
All this comes in the wake of disclosures that Cambridge Analytica, a data firm that contracted with President Trump's campaign, improperly obtained the personal information of millions of Facebook users. Taken together, the controversies are giving some lawmakers the impression Facebook is playing fast and loose with users' privacy — and could galvanize support for a legislative solution.
Lawmakers are pointing to two main vehicles emerging in Congress.
One is the Consent Act, a bill sponsored by Sen. Ed Markey (D-Mass.) that would require Facebook and other tech companies such as Google to get explicit permission from users before doing anything with their personal information. It would also require those companies to notify users about all collection, use and sharing of their data. A Markey spokeswoman told me the legislation would bar Facebook from sharing precisely the type of user data its agreements apparently allowed the device makers to access. (Meanwhile, the company has defended the arrangements with device makers, saying it had “signed agreements that prevented people’s Facebook information from being used for any other purpose than to recreate Facebook-like experiences.”)
The second bill, the Social Media Privacy and Consumer Rights Act, introduced by Sens. Amy Klobuchar (D-Minn.) and John Neely Kennedy (R-La.), proposes similar rules allowing users to opt out of data collection. Additionally, it would allow users to prevent companies from tracking their data, require privacy policies to be written in "plain language" and guarantee users the ability to see what companies have already collected on them.
“I’m extremely concerned about reports that even more personal data was provided without consent, particularly about today’s report that some personal data may have been shared with a Chinese telecom company that the Department of Defense identified as a security threat," Klobuchar told me in an email. “That’s why my focus is on protecting consumers’ privacy online, promoting transparency in how their data is handled, and passing my bipartisan privacy bill with Senator Kennedy.”
Both bills were introduced in the wake of the Cambridge Analytica revelations, but may get more support now.
The FTC — which is already investigating Facebook's data practices — also has options. Facebook is bound by a 2011 consent decree with the agency, reached over a different privacy matter, that requires it to be more transparent about the data it collects about its users. Thune, Markey and other lawmakers are now questioning whether Facebook's arrangements with device makers violated that agreement.
The FTC may have grounds to hit Facebook with "significant financial penalties" if it violated the consent decree, according to William Kovacic, a former FTC general counsel, commissioner and chair.
But even if the disclosures about sharing data with device makers don't run afoul of the agreement, "I think this intensifies the FTC scrutiny in the inquiry that’s going on now and it creates pressure on the agency to do something more bold rather than something more restrained," he told me.
It's also possible to amend the existing consent decree, Kovacic said. A retooled version could "more precisely and more completely" spell out Facebook's privacy obligations, he said, and give the company instructions that are "more expansive and more detailed in terms of what they need to do."
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED, PATCHED, PWNED
PINGED: The team led by special counsel Robert S. Mueller III has been asking witnesses in the Russia investigation to hand over their cellphones so that investigators can examine their encrypted messaging apps, CNBC's Brian Schwartz reports. Sources told Schwartz that the special counsel's team has sought to inspect WhatsApp, Confide, Signal and Dust apps, and witnesses have obliged for fear of getting subpoenaed. "While it's unclear what Mueller has discovered, if anything, through this new request, investigators seem to be convinced that the apps could be a key to exposing conversations that weren't previously disclosed to them," Schwartz writes. (I wrote yesterday about how the FBI found a way around encryption on messages from former Trump campaign chairman Paul Manafort by searching his iCloud account.)
The Mueller team's request isn't that surprising, according to Michael German, a former FBI agent. "There's nothing wrong with asking people to voluntarily provide information to the FBI for whatever investigation," German, a fellow at the Brennan Center for Justice's Liberty and National Security Program, told CNBC. "And to the extent that that's a voluntary action is where the rub is."
From New York Magazine’s Olivia Nuzzi:
Sam Nunberg tells me he’s handed over his old BlackBerry phones to Robert Mueller, who became aware of his use of the device when his BlackBerry email signature was disclosed in his leaked correspondence with Roger Stone: “Sent from my BlackBerry - the most secure mobile device.” — Olivia Nuzzi (@Olivianuzzi), June 6, 2018
PATCHED: The Committee on Foreign Investment in the United States, which is tasked with reviewing transactions that may give control of American companies to foreigners and assessing their potential effect on national security, must do a better job of securing the data it handles, according to Sen. Ron Wyden (D-Ore.). Wyden requested in a letter today to the Treasury Department that CFIUS use only an encrypted platform for companies to submit sensitive data as part of the transaction reviews the committee conducts. He added that in the future, CFIUS should “develop and deploy a secure electronic docketing system, through which it can securely and efficiently receive and manage” the data.
The current system by which companies submit documents for reviews by CFIUS via an unsecured email address “unnecessarily exposes sensitive data to interception and theft by malicious third parties, including foreign governments,” according to Wyden. The senator also noted that Aimen Mir, the deputy assistant secretary for investment security, has acknowledged that CFIUS does have a secure portal but doesn’t advertise it or recommend that companies use it. “This status quo is simply unacceptable — encrypted submission of sensitive data to the U.S. government should be the default, not the exception,” Wyden wrote.
PWNED: The VPNFilter malware has infected more Internet routers and other devices and is more disruptive than previously estimated, researchers from Cisco's Talos cybersecurity group said in a blog post on Wednesday. "These new discoveries have shown us that the threat from VPNFilter continues to grow," the researchers said. They found that the malware has compromised devices from ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE, in addition to the brands they listed last month. Talos also said no Cisco devices have been compromised. Additionally, VPNFilter has the ability to "intercept network traffic and inject malicious code into it without the user's knowledge." Another feature "removes traces of the VPNFilter malware from the device and then renders the device unusable."
Talos initially announced on May 23 that the malware had spread to at least 500,000 devices in at least 54 countries and had the capacity to make a compromised device unusable. The Justice Department said in a statement the same day that the VPNFilter campaign was led by a group linked to Russia and the FBI later asked owners of routers to reboot their devices to help stop the malware. (I recently wrote about the VPNFilter malware and the FBI's response.)
— More cybersecurity news from The Washington Post and elsewhere:
The Atlanta cyber attack has had a more serious impact on the city's ability to deliver basic services than previously understood, a city official said at a public meeting on Wednesday, as she proposed an additional $9.5 million to help pay for recovery costs.
— The House Homeland Security Committee on Wednesday approved by unanimous consent a bill that aims to help protect industrial control systems from cyberattacks. In a reference to the attack on Pearl Harbor, Rep. Don Bacon (R-Neb.) said as he presented the bill that “the next December 7 won’t be a strictly kinetic attack with missiles and torpedoes, but will be paired with cyberattacks to our private sector functions.” The bill would direct the Department of Homeland Security’s National Cybersecurity and Communications Integration Center to “maintain capabilities to identify and address threats and vulnerabilities to products and technologies intended for use in the automated control of critical infrastructure processes.”
“Industrial control systems perform essential functions in managing the operation of electric power generators, medical devices, water treatment facilities, manufacturing processes and so much more,” Bacon said in a statement after the bill passed the committee. “If these critical applications were to be disrupted or damaged, our nation could face catastrophic consequences to our national and economic security, and public health and safety.”
— A former Federal Communications Commission official responds to Gizmodo’s Dell Cameron's report this week that FCC emails show the commission lied to defend unsubstantiated claims about a cyberattack following technical glitches on its comment system last May. Former FCC chief information officer David Bray replied in a post on Medium that “it is disappointing to read an article that misinterprets emails” and added that he had not been contacted by the reporter. Bray also said that regardless of the terminology to describe the problems that crippled the FCC’s website then, “the fact is something odd was happening in May 2017.”
— A British computer security researcher credited with helping stop the WannaCry ransomware last year faces new charges that include lying to the FBI, the Associated Press's Ivan Moreno reports. "Marcus Hutchins now faces 10 charges alleging that he created and distributed malware known as Kronos, including four new ones in the revised indictment in the Eastern District of Wisconsin," Moreno writes. "The prosecutors’ updated filing comes as a federal judge weighs a request from Hutchins’ attorneys to suppress the statements he made to the FBI when the agents detained him Aug. 2. His attorneys argue he wasn't properly informed of his rights."
The government also alleges that Hutchins created and sold a second piece of malware called UPAS Kit, according to Ars Technica's Cyrus Farivar. "The superseding indictment describes UPAS Kit as being designed to facilitate 'the unauthorized exfiltration of information from protected computers. UPAS Kit used a form grabber and web injects to intercept and collect personal information from a protected computer,'" Farivar writes.
Hutchins, who uses the name MalwareTech online, asked on Twitter for donations to help pay for his legal defense and used profanity to describe charges such as lying to the FBI as baseless.
Legal and emotional pressure doesn’t really work on me, why not save a couple of years and try waterboarding instead? 🙃 — MalwareTech (@MalwareTechBlog), June 6, 2018
From Brian Klein, an attorney for Hutchins:
@marciahofmann and I are disappointed the govt has filed this superseding indictment, which is meritless. It only serves to highlight the prosecution’s serious flaws. We expect @MalwareTechBlog to be vindicated and then he can return to keeping us all safe from malicious software https://t.co/E1M0qod3CN — Brian Klein (@brianeklein), June 6, 2018
— More cybersecurity news about the private sector:
ZTE is nearing a deal with the U.S. to save its business, but the Chinese telecom giant faces more battles ahead as losses pile up and aggrieved customers demand compensation for delayed projects. (The Wall Street Journal)
THE NEW WILD WEST
— During an appearance before British lawmakers on Wednesday, former Cambridge Analytica chief executive Alexander Nix denied a Financial Times report that he withdrew more than $8 million before the firm floundered, Bloomberg News’s Nate Lanxon reports. Nix also admitted that the company received data about millions of Facebook users from security researcher Aleksandr Kogan, which Nix had previously denied, Reuters’s Alistair Smout writes.
— “A Cambridge Analytica director apparently visited Julian Assange in February last year and told friends it was to discuss what happened during the US election, the Guardian has learned,” Carole Cadwalladr and Stephanie Kirchgaessner write in the British newspaper. “Brittany Kaiser, a director at the firm until earlier this year, also claimed to have channelled cryptocurrency payments and donations to WikiLeaks.”
- Senate Judiciary Committee hearing on June 11 about the Justice Department inspector general’s first report on the department and the FBI’s actions before the 2016 election.
- Senate Judiciary Committee hearing on June 12 about combating election interference.