The state that is the epicenter of Big Tech’s data collection has just adopted the strongest privacy protections in the country.
After a last-minute frenzy in the legislature, California Gov. Jerry Brown (D) on Thursday signed the California Consumer Privacy Act into law, setting tough new restrictions on how Facebook, Google and other tech giants handle Californians’ personal data.
The legislation, which mirrors sweeping privacy rules adopted in the European Union this year, could generate new momentum for privacy initiatives at the federal level as well as in other states. The Golden State has long exerted an outsize influence on national Internet policy, and the law is likely to amplify debate over how to regulate companies’ use of personal data at a time when the issue has come to the fore.
“California has always been a bellwether for where rest of the country is going on tech policy and tech legislation,” said Nuala O’Connor, president of the Center for Democracy and Technology, a digital rights group. “If the people there are saying, ‘We demand more control, insight and transparency about how our data is collected and used,’ that’s a very important signal to the rest of the country.”
Under the new law, tech companies will be required to tell customers about the types of data they collect and disclose the advertisers and other third parties they share it with, as my colleague Tony Romm reports. It also allows people to opt out of having their data sold and empowers the state attorney general to fine companies if they fail to safeguard people’s information.
The law doesn’t take effect until 2020. In the meantime, lawmakers are expected to do a lot of fine-tuning, and they're all but certain to face aggressive lobbying from corporate opponents such as Facebook, AT&T and others. By the time the state implements the law, it could look very different from the way it does today:
California's @JerryBrownGov has signed the country's most sweeping data privacy bill into law. It goes into effect in 2020...giving special interest groups plenty of time to try to tinker with it. Stay tuned. https://t.co/ab02qergB1— issie lapowsky (@issielapowsky) June 28, 2018
But the push to get it passed is already rekindling discussion among federal lawmakers about the possibility of crafting national privacy rules.
“My hope is just that it will initiate a real conversation that gets us to adopting some principles by November,” Rep. Ro Khanna (D-Calif.), who represents part of Silicon Valley, told Tony.
Rep. Zoe Lofgren (D-Calif.) expressed skepticism about how much a gridlocked Congress could do, but noted that the public demand was strong. “The concerns about privacy have increased,” she told my colleague. “As people have learned more about this, there's been greater appetite to have protections.”
Indeed, there have been some signs of movement on this front lately. Just last week, Axios reported that White House officials had met with industry groups to discuss what federal online data privacy regulations might look like. Privacy regulators from the Federal Trade Commission said recently they're planning a listening tour this fall to learn about how to address data collection mishaps and other digital challenges. There are also data privacy bills in Congress that are drawing bipartisan support, as I reported this month.
And whether or not Congress takes action, other states are poised to follow in California’s footsteps, experts said. That’s what happened after California in 2003 passed the country’s first law requiring companies to notify customers of data breaches. In the 15 years since, all 50 states have adopted similar measures, many of them modeled after the Golden State’s.
“Inaction at the federal level is in part a reason why California seems to be taking this step,” Harley Geiger, director of public policy at the data security firm Rapid7, told me. “There should be broad realization that if federal inertia persists, we could well see a situation on privacy and security in the states that we currently do with data breach notification.”
From Geoffrey A. Fowler, The Washington Post's technology columnist:
Wow. The passage of California’s new privacy law #AB375 — by unanimous vote — is the clearest rebuke I’ve seen of Big Tech’s spying ways.— Geoffrey A. Fowler (@geoffreyfowler) June 28, 2018
The manner in which California’s law came to be sends a message in itself, underscoring how concerned the state’s residents are about who gets to do what with their personal information in the age of Cambridge Analytica, targeted advertising and massive data breaches.
“California is not only the home base for the largest data and tech companies in the world,” O’Connor told me. “It’s also the place where the companies are the most familiar with the power and the potency of data as a business asset. And there’s a fairly informed electorate about how data can be used and manipulated.”
The effort started with a ballot initiative introduced by a Alastair Mactaggart, a wealthy real estate developer, that would have imposed even tougher restrictions on the tech industry, as Tony has reported. After the measure garnered more than 600,000 signatures — nearly double the amount needed to include it on state ballots in November — Mactaggart agreed to withdraw it if lawmakers passed a compromise bill ahead of a June 28 deadline for finalizing ballot propositions.
In a mad dash, policymakers hammered out the bill and sent it to Brown’s desk.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: The House Foreign Affairs Committee on Thursday approved a bill by Rep. Ted Yoho (R-Fla.) that aims to deter cyberattacks sponsored by foreign states. Yoho told lawmakers during the committee's meeting that “the United States urgently needs to upgrade its cyber deterrence, but there are no procedures in current law for naming and shaming state-sponsored hackers and, or linking penalties to their illicit conduct.”
Under the bill, titled Cyber Deterrence and Response Act of 2018, the president could label those engaging in state-sponsored cyberattacks against the United States as “critical cyber threat actors.” The bill also lists a variety of punitive measures the United States could take in response, such as financial sanctions or preventing travel. In a statement following the bill's passage in committee, Yoho said China, Russia, North Korea and Iran are among those that “have developed sophisticated capabilities” to harm the United States' economy, infrastructure and elections. “It is vital that when these attacks happen, they are exposed, pulled out of the shadows, and punished accordingly,” Yoho said in his statement.
PATCHED: Some experts worry that the improved ability of Microsoft's facial-recognition technology to recognize people of color could be used against immigrants given the company's work with U.S. Immigration and Customs Enforcement, The Washington Post's Drew Harwell reports. Satya Nadella, the company's chief executive, said in a post last week that Microsoft's work with ICE involves assisting the agency with “mail, calendar, messaging and document management workloads,” Harwell reports.
“Today’s facial-recognition systems more often misidentify people of color because of a long-running data problem: The massive sets of facial images they train on skew heavily toward white men,” Harwell writes. “A Massachusetts Institute of Technology study this year of the face-recognition systems designed by Microsoft, IBM and the China-based Face found their accuracy in classifying a person’s gender was 99 percent for light-skinned males and 70 percent for dark-skinned females.”
David Robinson, a managing editor of Upturn, a think tank seeking to promote the ethical use of technology, told Harwell that improving facial recognition is the bare minimum that tech companies can do. Those businesses “have to acknowledge their moral involvement in the downstream use of their technology,” Robinson told Harwell. “The impulse is that they’re going to put a product out there and wash their hands of the consequences. That’s unacceptable.”
PWNED: Gen. James M. Holmes, the head of Air Combat Command at Langley Air Force Base, said Thursday that the military intends to resort to artificial intelligence more in the future, Defense One's Marcus Weisgerber reports. Holmes said the military is bound to increasingly rely on programs such as Project Maven, which aims to use artificial intelligence to analyze drone footage, according to Weisberger. “The benefit of this will be: it will free up people to focus on thinking about what they see and what it means in the intelligence field and on passing that information to decision makers more timely because you’re able to do it faster,” Holmes said, as quoted by Weisberger. “That’s a big part of our future and you’ll continue to see that expanded, with Project Maven being one of the first steps in bringing learning machines and algorithms in to be able to allow people to focus on things that people do best and let the machine do that repetitive task.”
Holmes's comments follow Google's decision not to renew its involvement in Project Maven when its contract with the Pentagon expires in March of next year, which The Post's Harwell reported on June 1. Thousands of employees at Google had asked chief executive Sundar Pichai in a letter that the company withdraw from the program, Harwell wrote. Pichai said in a blog post on June 7 that Google will not use artificial intelligence to develop weapons or for applications that would aim “to cause or directly facilitate injury to people.” He added that the company intends to continue to partner with governments on “cybersecurity, training, military recruitment, veterans’ healthcare, and search and rescue.”
— More cybersecurity news:
— “A U.S. official says the suspect in the shooting at a Maryland newspaper was identified using facial recognition technology,” the Associated Press reported Thursday evening. “The official said the man was identified with the technology after he had damaged his fingerprints in what investigators believe was an attempt to prevent them from quickly identifying him.” Five people were killed and two were injured in a shooting yesterday at the Capital Gazette in Annapolis, Md., The Post's Lynh Bui, Ovetta Wiggins and Tom Jackman reported.
— The National Security Agency said it started “deleting all call detail records (CDRs) acquired since 2015 under Title V of the Foreign Intelligence Surveillance Act (FISA)” last month. NSA analysts noticed that the agency was receiving some call detail records from telecom providers that it was not supposed to get, according to a statement released on Thursday. The agency noted that those records do not include the content of the calls. “Because it was infeasible to identify and isolate properly produced data, NSA concluded that it should not use any of the CDRs,” the statement said. “Consequently, NSA, in consultation with the Department of Justice and the Office of the Director of National Intelligence, decided that the appropriate course of action was to delete all CDRs.” The agency added that it has fixed the “root cause of the problem.”
— More cybersecurity news from the public sector:
— Huawei didn't quite appreciate lawmakers' concern that the Chinese telecom giant's partnerships with American universities may be a “significant threat to national identity.” Sen. Marco Rubio (R-Fla.) and Rep. Jim Banks (R-Ind.) expressed those worries in a June 19 letter to Education Secretary Betsy DeVos that was signed by 24 other Republican and Democratic lawmakers from both chambers. “In response, Eric Xu, Huawei’s rotating chairman, called Rubio and Banks 'closed-minded and ill-informed,' " Reuters's Sijia Jiang reported on Thursday. Huawei provided a transcript to Reuters of the comments that Xu made in Shanghai, Jiang writes. “It seems that their bodies are in the information age but their minds are still in the agrarian age,” Xu said, as quoted by Jiang.
— A former Equifax employee was charged with insider trading in connection with the huge data breach that hit the company in 2017, according to a statement released Thursday by the U.S. Attorney’s Office for the Northern District of Georgia. Judicial authorities alleged that Sudhakar Reddy Bonthu, who was a software development manager, exploited information to make money once the breach was revealed. “Bonthu allegedly took advantage of his position to profit while members of the public were unaware of the data breach at Equifax,” Byung J. “BJay” Pak, the U.S. attorney for the Northern District of Georgia, said in a statement. “The integrity of the stock markets are jeopardized when greedy individuals who are entrusted with nonpublic information use the knowledge for their benefit.” Bonthu, 44, was the second person to be charged in a case of insider trading related to the Equifax data breach, according to the U.S. attorney's office. Jun Ying, another former Equifax worker, faced similar charges and pleaded not guilty in March, according to the statement.
— More cybersecurity news from the private sector:
— A digital bank said it warned Ticketmaster UK about a security breach well before the ticketing service revealed the hack, the BBC reported on Thursday. “The cause of the breach, which the BBC understands has affected up to 40,000 UK users, appears to be a customer-service chatbot employed by third-party Inbenta Technologies,” the BBC wrote.
— President Trump again on Thursday expressed frustration with U.S. intelligence agencies’ conclusion that Russia interfered in the 2016 election. Here's what he said in a morning tweet:
Russia continues to say they had nothing to do with Meddling in our Election! Where is the DNC Server, and why didn’t Shady James Comey and the now disgraced FBI agents take and closely examine it? Why isn’t Hillary/Russia being looked at? So many questions, so much corruption!— Donald J. Trump (@realDonaldTrump) June 28, 2018
His remarks sparked a day of discussion on Twitter. From CNN’s Abby D. Phillip:
Minutes before the WH is expected to announce the date and time of Trump's meeting with Putin, the president once again casts doubt on Russian election interference.— Abby D. Phillip (@abbydphillip) June 28, 2018
It is still the conclusion of the U.S. intelligence community that Russia meddled and plans to again. https://t.co/NNvnw4zUhj
“The timing of the president’s tweet makes it even more significant: The remark came amid increasing anxiety about next month’s NATO summit in Brussels, which will be immediately followed by Trump’s one-on-one meeting with Putin in Helsinki,” the Atlantic’s Natasha Bertrand wrote. She quoted Ivo Daalder, a former U.S. ambassador to the military alliance:
.@IvoHDaalder: The “biggest worry in Europe” right now is that Trump “makes unilateral concessions” to Putin following “a confrontational meeting at NATO, that exposes disagreement and division among allies."— Natasha Bertrand (@NatashaBertrand) June 28, 2018
“None of this would be surprising." https://t.co/Dv1hAOH9Fn https://t.co/sr2Ztjhkg0
From Sen. Mark R. Warner (D-Va.), the Senate Intelligence Committee’s vice chairman:
And they’re lying. The President can either believe Russia or he can believe our country’s intel chiefs, generals, cabinet secretaries, and diplomats who’ve all said the same thing: Russia interfered in the 2016 election, and they’ll be back in 2018. https://t.co/qny9WIyJkb— Mark Warner (@MarkWarner) June 28, 2018
Senate Minority Leader Charles E. Schumer (D-N.Y.) lamented Trump's upcoming meeting with Putin:
For @realDonaldTrump to reward President Putin with a one-on-one meeting while Russia actively continues to interfere with our elections & undermine the integrity of the transatlantic alliance, proves his priorities are out of whack.— Chuck Schumer (@SenSchumer) June 28, 2018
- National Homeland Security Conference in New York on July 9 through July 12.
- IoT Global Innovation Forum in Portland, Ore., on July 10 through July 11.
- National Association of Secretaries of State 2018 Summer Conference in Philadelphia on July 13 through July 16.
"Abolish ICE” is a new rallying cry for protesters on the border:
Sen. Susan Collins (R-Maine) says Roe v. Wade is "settled law":
Deputy Attorney General Rod J. Rosenstein has a testy exchange with Rep. Jim Jordan (R-Ohio):