The legislation, which mirrors sweeping privacy rules adopted in the European Union this year, could generate new momentum for privacy initiatives at the federal level as well as in other states. The Golden State has long exerted an outsize influence on national Internet policy, and the law is likely to amplify debate over how to regulate companies’ use of personal data at a time when the issue has come to the fore.
“California has always been a bellwether for where rest of the country is going on tech policy and tech legislation,” said Nuala O’Connor, president of the Center for Democracy and Technology, a digital rights group. “If the people there are saying, ‘We demand more control, insight and transparency about how our data is collected and used,’ that’s a very important signal to the rest of the country.”
Under the new law, tech companies will be required to tell customers about the types of data they collect and disclose the advertisers and other third parties they share it with, as my colleague Tony Romm reports. It also allows people to opt out of having their data sold and empowers the state attorney general to fine companies if they fail to safeguard people’s information.
The law doesn’t take effect until 2020. In the meantime, lawmakers are expected to do a lot of fine-tuning, and they're all but certain to face aggressive lobbying from corporate opponents such as Facebook, AT&T and others. By the time the state implements the law, it could look very different from the way it does today.
But the push to get it passed is already rekindling discussion among federal lawmakers about the possibility of crafting national privacy rules.
“My hope is just that it will initiate a real conversation that gets us to adopting some principles by November,” Rep. Ro Khanna (D-Calif.), who represents part of Silicon Valley, told Tony.
Rep. Zoe Lofgren (D-Calif.) expressed skepticism about how much a gridlocked Congress could do, but noted that the public demand was strong. “The concerns about privacy have increased,” she told my colleague. “As people have learned more about this, there's been greater appetite to have protections.”
Indeed, there have been some signs of movement on this front lately. Just last week, Axios reported that White House officials had met with industry groups to discuss what federal online data privacy regulations might look like. Privacy regulators from the Federal Trade Commission said recently they're planning a listening tour this fall to learn about how to address data collection mishaps and other digital challenges. There are also data privacy bills in Congress that are drawing bipartisan support, as I reported this month.
And whether or not Congress takes action, other states are poised to follow in California’s footsteps, experts said. That’s what happened after California in 2003 passed the country’s first law requiring companies to notify customers of data breaches. In the 15 years since, all 50 states have adopted similar measures, many of them modeled after the Golden State’s.
“Inaction at the federal level is in part a reason why California seems to be taking this step,” Harley Geiger, director of public policy at the data security firm Rapid7, told me. “There should be broad realization that if federal inertia persists, we could well see a situation on privacy and security in the states that we currently do with data breach notification.”
From Geoffrey A. Fowler, The Washington Post's technology columnist:
The manner in which California’s law came to be sends a message in itself, underscoring how concerned the state’s residents are about who gets to do what with their personal information in the age of Cambridge Analytica, targeted advertising and massive data breaches.
“California is not only the home base for the largest data and tech companies in the world,” O’Connor told me. “It’s also the place where the companies are the most familiar with the power and the potency of data as a business asset. And there’s a fairly informed electorate about how data can be used and manipulated.”
The effort started with a ballot initiative introduced by Alastair Mactaggart, a wealthy real estate developer, that would have imposed even tougher restrictions on the tech industry, as Tony has reported. After the measure garnered more than 600,000 signatures — nearly double the amount needed to include it on state ballots in November — Mactaggart agreed to withdraw it if lawmakers passed a compromise bill ahead of a June 28 deadline for finalizing ballot propositions.
In a mad dash, policymakers hammered out the bill and sent it to Brown’s desk.
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: The House Foreign Affairs Committee on Thursday approved a bill by Rep. Ted Yoho (R-Fla.) that aims to deter cyberattacks sponsored by foreign states. Yoho told lawmakers during the committee's meeting that “the United States urgently needs to upgrade its cyber deterrence, but there are no procedures in current law for naming and shaming state-sponsored hackers and, or linking penalties to their illicit conduct.”
Under the bill, titled Cyber Deterrence and Response Act of 2018, the president could label those engaging in state-sponsored cyberattacks against the United States as “critical cyber threat actors.” The bill also lists a variety of punitive measures the United States could take in response, such as financial sanctions or preventing travel. In a statement following the bill's passage in committee, Yoho said China, Russia, North Korea and Iran are among those that “have developed sophisticated capabilities” to harm the United States' economy, infrastructure and elections. “It is vital that when these attacks happen, they are exposed, pulled out of the shadows, and punished accordingly,” Yoho said in his statement.
PATCHED: Some experts worry that the improved ability of Microsoft's facial-recognition technology to recognize people of color could be used against immigrants given the company's work with U.S. Immigration and Customs Enforcement, The Washington Post's Drew Harwell reports. Satya Nadella, the company's chief executive, said in a post last week that Microsoft's work with ICE involves assisting the agency with “mail, calendar, messaging and document management workloads,” Harwell reports.
“Today’s facial-recognition systems more often misidentify people of color because of a long-running data problem: The massive sets of facial images they train on skew heavily toward white men,” Harwell writes. “A Massachusetts Institute of Technology study this year of the face-recognition systems designed by Microsoft, IBM and the China-based Face++ found their accuracy in classifying a person’s gender was 99 percent for light-skinned males and 70 percent for dark-skinned females.”
David Robinson, a managing editor of Upturn, a think tank seeking to promote the ethical use of technology, told Harwell that improving facial recognition is the bare minimum that tech companies can do. Those businesses “have to acknowledge their moral involvement in the downstream use of their technology,” Robinson told Harwell. “The impulse is that they’re going to put a product out there and wash their hands of the consequences. That’s unacceptable.”
PWNED: Gen. James M. Holmes, the head of Air Combat Command at Langley Air Force Base, said Thursday that the military intends to resort to artificial intelligence more in the future, Defense One's Marcus Weisgerber reports. Holmes said the military is bound to increasingly rely on programs such as Project Maven, which aims to use artificial intelligence to analyze drone footage, according to Weisgerber. “The benefit of this will be: it will free up people to focus on thinking about what they see and what it means in the intelligence field and on passing that information to decision makers more timely because you’re able to do it faster,” Holmes said, as quoted by Weisgerber. “That’s a big part of our future and you’ll continue to see that expanded, with Project Maven being one of the first steps in bringing learning machines and algorithms in to be able to allow people to focus on things that people do best and let the machine do that repetitive task.”
Holmes's comments follow Google's decision not to renew its involvement in Project Maven when its contract with the Pentagon expires in March of next year, which The Post's Harwell reported on June 1. Thousands of employees at Google had asked chief executive Sundar Pichai in a letter that the company withdraw from the program, Harwell wrote. Pichai said in a blog post on June 7 that Google will not use artificial intelligence to develop weapons or for applications that would aim “to cause or directly facilitate injury to people.” He added that the company intends to continue to partner with governments on “cybersecurity, training, military recruitment, veterans’ healthcare, and search and rescue.”
— More cybersecurity news:
— “A U.S. official says the suspect in the shooting at a Maryland newspaper was identified using facial recognition technology,” the Associated Press reported Thursday evening. “The official said the man was identified with the technology after he had damaged his fingerprints in what investigators believe was an attempt to prevent them from quickly identifying him.” Five people were killed and two were injured in a shooting yesterday at the Capital Gazette in Annapolis, Md., The Post's Lynh Bui, Ovetta Wiggins and Tom Jackman reported.
— The National Security Agency said it started “deleting all call detail records (CDRs) acquired since 2015 under Title V of the Foreign Intelligence Surveillance Act (FISA)” last month. NSA analysts noticed that the agency was receiving some call detail records from telecom providers that it was not supposed to get, according to a statement released on Thursday. The agency noted that those records do not include the content of the calls. “Because it was infeasible to identify and isolate properly produced data, NSA concluded that it should not use any of the CDRs,” the statement said. “Consequently, NSA, in consultation with the Department of Justice and the Office of the Director of National Intelligence, decided that the appropriate course of action was to delete all CDRs.” The agency added that it has fixed the “root cause of the problem.”
— More cybersecurity news from the public sector:
— Huawei didn't quite appreciate lawmakers' concern that the Chinese telecom giant's partnerships with American universities may be a “significant threat to national identity.” Sen. Marco Rubio (R-Fla.) and Rep. Jim Banks (R-Ind.) expressed those worries in a June 19 letter to Education Secretary Betsy DeVos that was signed by 24 other Republican and Democratic lawmakers from both chambers. “In response, Eric Xu, Huawei’s rotating chairman, called Rubio and Banks ‘closed-minded and ill-informed,’” Reuters's Sijia Jiang reported on Thursday. Huawei provided a transcript to Reuters of the comments that Xu made in Shanghai, Jiang writes. “It seems that their bodies are in the information age but their minds are still in the agrarian age,” Xu said, as quoted by Jiang.
— A former Equifax employee was charged with insider trading in connection with the huge data breach that hit the company in 2017, according to a statement released Thursday by the U.S. Attorney’s Office for the Northern District of Georgia. Judicial authorities alleged that Sudhakar Reddy Bonthu, who was a software development manager, exploited information to make money once the breach was revealed. “Bonthu allegedly took advantage of his position to profit while members of the public were unaware of the data breach at Equifax,” Byung J. “BJay” Pak, the U.S. attorney for the Northern District of Georgia, said in a statement. “The integrity of the stock markets are jeopardized when greedy individuals who are entrusted with nonpublic information use the knowledge for their benefit.” Bonthu, 44, was the second person to be charged in a case of insider trading related to the Equifax data breach, according to the U.S. attorney's office. Jun Ying, another former Equifax worker, faced similar charges and pleaded not guilty in March, according to the statement.
— More cybersecurity news from the private sector:
— A digital bank said it warned Ticketmaster UK about a security breach well before the ticketing service revealed the hack, the BBC reported on Thursday. “The cause of the breach, which the BBC understands has affected up to 40,000 UK users, appears to be a customer-service chatbot employed by third-party Inbenta Technologies,” the BBC wrote.
— President Trump again on Thursday expressed frustration with U.S. intelligence agencies’ conclusion that Russia interfered in the 2016 election. Here's what he said in a morning tweet:
His remarks sparked a day of discussion on Twitter. From CNN’s Abby D. Phillip:
“The timing of the president’s tweet makes it even more significant: The remark came amid increasing anxiety about next month’s NATO summit in Brussels, which will be immediately followed by Trump’s one-on-one meeting with Putin in Helsinki,” the Atlantic’s Natasha Bertrand wrote. She quoted Ivo Daalder, a former U.S. ambassador to the military alliance:
From Sen. Mark R. Warner (D-Va.), the Senate Intelligence Committee’s vice chairman:
Senate Minority Leader Charles E. Schumer (D-N.Y.) lamented Trump's upcoming meeting with Putin:
- National Homeland Security Conference in New York on July 9 through July 12.
- IoT Global Innovation Forum in Portland, Ore., on July 10 through July 11.
- National Association of Secretaries of State 2018 Summer Conference in Philadelphia on July 13 through July 16.
“Abolish ICE” is a new rallying cry for protesters on the border:
Sen. Susan Collins (R-Maine) says Roe v. Wade is "settled law":
Deputy Attorney General Rod J. Rosenstein has a testy exchange with Rep. Jim Jordan (R-Ohio):