Industry groups lobbying for changes haven't said specifically what they want to see modified, but they're making clear they intend to play a major role in negotiations over the coming months. They include the Internet Association, which represents Google, Amazon and other tech giants, as well as TechNet and the Interactive Advertising Bureau. (Amazon CEO Jeffrey P. Bezos owns The Washington Post.)
“It is going to take time to fully understand the implications of this bill for California's consumers and economy,” said Robert Callahan, vice president of state government affairs for the Internet Association. “The bill was written in a hurried and ill-considered process, and received very little input from those affected by the legislation. Changes will be necessary as businesses of all types look at implementation.”
The law, signed by the governor late last week, requires tech companies to disclose the type of data they collect on customers and reveal the advertisers and other third parties they share it with. It also gives users the ability to opt out of data collection and empowers the state attorney general to punish companies that don’t protect user information.
Legislators introduced, debated and passed the law in the span of less than a week to head off a ballot initiative that contained even tougher privacy protections, as my colleague Tony Romm has reported. The initiative’s main backer agreed to withdraw his proposal if lawmakers passed a compromise bill before a June 28 deadline to get the measure on California’s November ballot.
Google, Uber and other giants fought to kill Alastair Mactaggart's initiative, which drew more than double the signatures needed to be put to a vote, Tony reported. But they ultimately came to accept the compromise legislation — likely because it's easier to change than a ballot initiative, according to Ashkan Soltani, an independent researcher and technologist who helped craft the measure.
“Part of the calculation by industry was to try to move Mr. Mactaggart off the table to bring this back into a standard legislative lobbying process,” Soltani told me.
“Moving forward, I think we will make clarifications, but the goals of the bill won’t change,” State Sen. Bob Hertzberg (D), who co-authored the legislation, said in an emailed statement. “The value of keeping these discussions in the Legislature is that as technology evolves, we will be able to have thoughtful conversations about how to balance innovation with the ability of consumers to control their private information, know if it’s being sold, and delete it if necessary.”
The law's January 2020 implementation date gives critics ample opportunity to amend it.
Google, in comments to the Hill newspaper, said that “we look forward to improvements to address the many unintended consequences of the law.” The Interactive Advertising Bureau, a digital advertising trade group whose members include Facebook and Microsoft, said it too was weighing its options. “This is the broadest, [most] sweeping piece of privacy legislation in the nation now, without question, so we are doing our due diligence as to what it means,” Brad Weltman, the organization’s vice president of public policy, told the Wall Street Journal.
The law also has detractors on the consumer side. The American Civil Liberties Union of Northern California said the law “fails to provide the privacy protections the public has demanded and deserved” in the wake of the Cambridge Analytica scandal and other high-profile cases of data misuse. “This measure was hastily drafted and needs to be fixed,” said Nicole Ozer, the group's technology and civil liberties director.
Despite those criticisms, the measure is already being held up as a bellwether for privacy initiatives in other states and nationally. Soltani said that's important for Big Tech to keep in mind as they work to influence the final version. "If the measure is weakened too substantially," he said, "the industry risks having an even worse intervention than what’s on the table now."
Programming note: We'll be off tomorrow celebrating July 4th. We hope you are too! See you back in your inbox on Thursday.
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: The federal investigation into Facebook and Cambridge Analytica is expanding. “Representatives for the FBI, the SEC and the Federal Trade Commission have joined the Department of Justice in its inquiries about the two companies and the sharing of personal information of 71 million Americans, suggesting the wide-ranging nature of the investigation, said five people, who spoke on the condition of anonymity to discuss a probe that remains incomplete,” The Washington Post's Craig Timberg, Elizabeth Dwoskin, Matt Zapotosky and Devlin Barrett report. The social network said it is cooperating with investigators, The Post reported.
People familiar with the probe said investigators are examining the social network’s actions in 2015 when it found out that Cambridge Analytica had used information harvested from its users to assemble profiles of voters, my colleagues report. “The questioning from federal investigators centers on what Facebook knew three years ago and why the company didn’t reveal it at the time to its users or investors, as well as any discrepancies in more recent accounts, among other issues, according to these people. The Capitol Hill testimony of Facebook officials, including Chief Executive Mark Zuckerberg, also is being scrutinized as part of the probe, said people familiar with the federal inquiries ...
“Many details about the federal probe remain unknown, including whether investigators are considering criminal charges or civil penalties for the companies involved,” Timberg, Dwoskin, Zapotosky and Barrett write. “But investigators seem particularly focused on what data Facebook allowed to be collected from its platform and under what conditions, as well as what Facebook told the public at the time of the data sharing and during recent Congressional hearings, said these people.”
PATCHED: Misinformation is turning deadly in India. “More than a dozen people have been killed across India since May in violence fueled mainly by messages on the WhatsApp service,” The Post's Annie Gowen reports. Violence has erupted following fake allegations on the app about child trafficking or organ harvesting, according to Gowen. The size of India's population, combined with the fact that new users, especially in rural areas, may be unfamiliar with smartphones, underscores the acuteness of the problem, my colleague writes.
“As India’s government weighs what to do, local authorities have been left to tackle fake news as best they can, issuing warnings and employing low-tech methods such as hiring street performers and 'rumor busters' to visit villages to spread public awareness,” Gowen reports. “One such 'rumor buster' was killed by a mob Thursday in the eastern state of Tripura.”
Nikhil Pahwa, a technology expert, told Gowen that law enforcement authorities in India — a country with more than 200 million WhatsApp users — can't fix this problem alone and the messaging company should do more to tackle the problem. “The police are always going to be at a loss because the scale of WhatsApp usage is going to be difficult to contend with and they don’t have the manpower,” Pahwa told my colleague. “The platform itself needs to evolve.”
PWNED: Developers of applications that pair with Gmail are probably scanning or maybe even reading your emails, The Wall Street Journal’s Douglas MacMillan reports. Data from users’ emails represents a wealth of personal and detailed information about consumers that can be used for marketing purposes, according to MacMillan. Thede Loder, former chief technology officer at eDataSource Inc., which assists marketers with email campaigns, told the Journal that it is “common practice” for email-based service companies to allow their staff to read people’s emails. “Data-mining companies commonly use free apps and services to hook users into giving up access to their inboxes without clearly stating what data they collect and what they are doing with it, according to current and former employees of these companies,” MacMillan writes.
Developers of external apps say that Google, whose Gmail platform is the most widespread email service in the world, does not strictly enforce its own guidelines, according to the Journal. “Google’s developer agreement prohibits exposing a user’s private data to anyone else ‘without explicit opt-in consent from that user,’” MacMillan reports. “Its rules also bar app developers from making permanent copies of user data and storing them in a database.”
— Sens. Marco Rubio (R-Fla.) and Bill Nelson (D-Fla.) on Monday recommended that election officials in Florida collaborate with the Department of Homeland Security to strengthen election security across the state and highlighted the risk of foreign interference ahead of the midterm primaries and general elections. Rubio and Nelson wrote in a letter that the department provides “a wide range of services to state and local officials that will support your efforts to make your systems secure.”
“DHS will follow your lead and meet your needs with a tailored set of options,” Rubio and Nelson wrote. “We encourage you in the strongest terms to take advantage of those resources, and to let us know about your experience with DHS and FBI.”
— The National Telecommunications and Information Administration cited concerns about national security when it advised on Monday against granting a U.S. license to the company China Mobile, The Post’s David J. Lynch reports. “Granting the authorization poses an unacceptable risk to U.S. national security and law enforcement,” the NTIA said, as quoted by Lynch. “…This assessment rests in large part on China’s record of intelligence activities and economic espionage targeting the United States, along with China Mobile’s size and technical and financial resources.”
— The California Supreme Court ruled Monday that Yelp.com has no obligation to discard comments that a judge in a lower court had said amounted to defamation, the Associated Press’s Sudhin Thanawala writes. “In a 4-3 opinion, justices agreed, saying removal orders such as the one attorney Dawn Hassell obtained against Yelp ‘could interfere with and undermine the viability of an online platform,’” Thanawala reports. “The decision overturned a lower court ruling that Yelp had said could lead to the removal of negative reviews from the popular website.”
— Did you block someone on Facebook or Facebook Messenger recently, only to find them showing up again? Facebook says there’s an explanation. The social network on Monday announced that a bug between May 29 and June 5 on Facebook and Facebook Messenger resulted in some users being “unblocked.” Erin Egan, the company’s chief privacy officer, said in a statement that “while someone who was unblocked could not see content shared with friends, they could have seen things posted to a wider audience.” Egan also said the bug extended to more than 800,000 Facebook users and “83% of people affected by the bug had only one person they had blocked temporarily unblocked.” Facebook said it has solved the issue and will notify users whose accounts were caught in the glitch.
— Some NGOs and United Nations agencies worry about some security provisions of a law in Poland that aims to codify an international climate conference scheduled for December in Katowice, the Intercept’s Kate Aronoff reports. “While the vast majority of the law does little more than establish rules on governing how to host and finance the conference, one statute allows Polish authorities to ‘collect, obtain, gather, verify, process and use information, including personal data about persons posing a threat to public safety and order, including outside the borders of the Republic of Poland’ if there is a ‘justified assumption’ they will be staying in Poland,” Aronoff writes.
Authorities have defended the security measures contained in the legislation, according to the Intercept. “The primary responsibility of the country hosting the COP24 Summit is to ensure the safety of its participants,” a representative from the office of the Polish environment minister told Aronoff in a statement. “Due to the importance and nature of the meeting, as well as the specific terrorist threat associated with it, it is a major challenge for the services dealing with protecting the security of the state and public order, which the Polish Police is ready to face.”
- National Homeland Security Conference in New York on July 9 through July 12.
- IoT Global Innovation Forum in Portland, Ore., on July 10 through July 11.
- House Homeland Security Committee hearing on the protection of election systems and other critical infrastructure on July 11.
- Two House Homeland Security subcommittees hold a joint hearing on supply chain threats on July 12.
- National Association of Secretaries of State 2018 Summer Conference in Philadelphia on July 13 through July 16.