THE KEY

Facebook found itself in a familiar hot seat on Tuesday, under siege from lawmakers around the world who feel that “big tech” has become too big — and too lax in protecting consumers’ private data and policing online platforms.

But the takeaway from two major hearings — one in the United Kingdom convened by legislators from nine countries, another in the U.S. Senate — is that regulators increasingly seem ready to transform their rhetoric into action and rein in social media companies that many foreign governments view as responsible for the spread of misinformation, hate speech and other digital ills. 
 
Here are the some key areas to watch after yesterday’s hearing bonanza:

1. Facebook (and its tech friends) should prepare for more pressure. Tuesday began with a rare, joint hearing featuring nine countries, which grilled Facebook over its efforts to thwart the spread of falsehoods online. But the day-long affair, held in the United Kingdom, won’t mark the end of heightened scrutiny for Facebook or its tech peers. Hours later, world legislators signed a “Principles of the Law Governing the Internet” — a sign of further hearings, and new regulations, perhaps to come outside the United States.

Without mentioning companies, the document sought to adopt a tough tone on tech giants including Facebook, Google and Twitter. It stressed “it is an urgent and critical priority for legislatures and governments to ensure that the fundamental rights and safeguards of their citizens are not violated or undermined by the unchecked march of technology,” listing ills they hope to address — from disinformation in civic discourse to online privacy.

The new statement stipulated that social media companies “should be held liable” if they fail to comply with orders to take down “harmful or misleading content,” and that they “should be regulated to ensure they comply with this requirement.” And it said that tech giants should make “themselves fully answerable to national legislatures and other organs of representative democracy.” The call follows a decision by Facebook chief executive Mark Zuckerberg to decline to testify despite the international policymakers’ repeated entreaties.

Some experts, however, said they had more questions than answers after reading it. Daniel Castro, vice president of the tech-backed Information Technology and Innovation Foundation, sketched out a few: “What are they going to actually achieve with this? Most of these principles aren’t objectionable overall, but how do you implement them? Are particular governments going to say what Facebook can and can't [allow people to post] on these platforms?” 

On top of that, Castro said there are broad implications for free speech and free trade. “It's not clear the cure is better than the disease in this case.”

2. Facebook's no-good, very bad week could get worse. For the embattled social media company, the next few days could prove especially brutal. That's because U.K. legislators said Tuesday they plan to release a tranche of documents that could raise new questions about Facebook's privacy and security practices — including a potential, previously unreported 2014 incident involving Russia.

The brewing controversy centers on a legal dispute between Facebook and a third-party app maker called Six4Three. The developer has sued Facebook on grounds that earlier changes to the social network's privacy practices — restricting the data that apps could tap in 2015 — essentially forced it to shut down its app that allowed users to surface photos of their friends wearing bikinis. Six4Three obtained key Facebook documents, including the tech giant's internal communications, but a California judge placed them under seal. U.K. lawmakers, however, seized them from Six4Three after its founder stepped foot in the country. Damian Collins, the leader of the U.K. parliamentary committee, said Tuesday that lawmakers planned to release the documents “within the next week or so.” (H/T The Post’s Karla Adam, who attended the news conference.)

One tidbit is out: Collins teased an internal communication from 2014 in which a Facebook employee took note of suspicious activity seeming to emanate from Russia. Collins said the note showed that bad actors may have tried to use special code to pull billions of data points from Facebook. A spokesman for Collins did not elaborate on the matter. Facebook initially said the documents were misleading — and later stressed in a statement that it found “no evidence of specific Russian activity” at the time. By late Tuesday, the company shared with reporters some of the emails in question, which appear to reflect that bad actors with Russian ties had not been the culprit. 

“There's an enormous public interest in the disclosure of these documents,” Collins said.

3. In the United States, meanwhile, there's a desire for a bigger, bolder watchdog. Facebook’s chief U.S. regulator found itself in the congressional hot seat on Tuesday. And there emerged broad, bipartisan agreement among members of a key panel under the Senate Commerce Committee that the Federal Trade Commission simply lacks the tools it needs to keep watch over tech giants.

The FTC is an approximately century-old agency with more than 1,100 employees, a far cry from the multibillion-dollar tech behemoths that it regulates, as I reported earlier this year. To some experts, that’s a problem as the FTC proceeds with its still-incomplete investigation of Facebook for its recent privacy mishaps.

On Tuesday, though, Senate Democrats and Republicans expressed similar sentiments. Outgoing Sen. Bill Nelson (D-Fla.) opened the hearing with a call to action: “It is my hope that Congress will finally step up to the plate and do the right thing by providing the FTC with increased funding and personnel to police the marketplace and protect American consumers from the myriad of scams, frauds and corporate practices that fleece them of their hard-earned money,” he said. The subcommittee’s chairman, Republican Sen. Jerry Moran (Kan.), also expressed an openness to helping out the FTC.

And leaders at the FTC said they’d welcome the help. “There is more and more data collection, and the largest firms in the economy are trying to monetize that data,” said Democratic FTC Commissioner Rohit Chopra. “If that is going to grow, then the FTC’s resources have to grow commensurately.”

4. Big tech hearings are not over for this year.  Google chief executive Sundar Pichai is set to testify in a scheduled Dec. 5 before the House Judiciary Committee, as I reported late last night. From my story: The company will "[face] off against lawmakers for the first time at a hearing that could subject the search giant to the same harsh political spotlight that has faced its tech peers all year....Led by House Majority Leader Kevin McCarthy (Calif.), GOP lawmakers long have blasted Google for allegedly silencing right-leaning news, views and users, and President Trump similarly has claimed the company promotes negative stories about his administration. Neither has provided significant evidence that Google is biased, however, and Google has vehemently denied the accusations. 'There’s a lot of interest in their algorithm, how those algorithms work, how those algorithms are supervised,' Goodlatte, the outgoing chairman of the House Judiciary Committee, said during an interview at the time."

Sign Up! Our newest 202 newsletter is launching Tuesday, Dec. 4: The Technology 202 by Cat Zakrzewski. Cat worked at the Wall Street Journal covering venture capital in Silicon Valley before joining The Post to launch this new venture. She’ll be covering the dynamic and evolving relationship between Washington and technology companies, delving into everything from proposed privacy regulations to artificial intelligence and quantum computing. Get your copy here.

PINGED, PATCHED, PWNED

PINGED: The United States' policy to “name and shame” hackers linked to foreign governments such as Russia, China, Iran and North Korea could one day be turned against American hackers, BuzzFeed News's Kevin Collier reported. “To date, none of those countries have returned the favor,” Collier wrote. “But it’s just a matter of time, said Michael Daniel, who served as cybersecurity coordinator during Obama’s second term, when the Justice Department issued the first such indictment in 2014, accusing five members of China’s People’s Liberation Army of hacking Americans. ‘They will,’ Daniel told BuzzFeed News. ‘I’m shocked they haven’t already. It’s the logical thing to do, right?’ ”

Moreover, it's unclear what would happen if a foreign adversary decided to unmask U.S. hackers. “There doesn’t appear to be a single, overarching plan for what to do in such a scenario,” Collier wrote. “Variables like where the US hacker works, which country outs them, and the way they do so would all likely influence the response. ‘We do need to get prepared,’ Daniel said. ‘I’m sure at least on some level it would involve the Justice Department, the State Department, and some form of the employee’s home agency. Beyond that, I don't think anybody’s gone far enough down that road to actually tell you.’ ”

PATCHED: “U.S. prosecutors in the Eastern District of New York filed a 13-count cybercrime indictment Tuesday against the suspected orchestrators of a scheme to defraud internet advertisers out of tens of millions of dollars,” CyberScoop's Jeff Stone reported. “The indictment accuses the eight defendants, who hail from Russia, Ukraine and Kazakhstan, with criminal violations including wire fraud, computer intrusion, aggravated identity theft and money laundering. The list includes Aleksander Zhukov, one of the Department of Justice’s recent high-profile cybercrime arrests.”

One scheme relied on servers in data centers while a second operation used a global botnet controlling more than 1.7 million computers, according to a news release from the U.S. attorney’s office for the Eastern District of New York. “As alleged in court filings, the defendants in this case used sophisticated computer programming and infrastructure around the world to exploit the digital advertising industry through fraud,” U.S. Attorney for the Eastern District of New York Richard P. Donoghue said in a statement. The botnet scheme also involved “an array of servers that could generate mountains of fake traffic with bots, roughly 5,000 counterfeit websites created to impersonate legitimate web publishers, and over 60,000 accounts with digital advertising companies to help fraudsters receive ad placements and get paid,” according to BuzzFeed News's Craig Silverman.

PWNED: Discontent continues to brew among Google employees over the company's Dragonfly project. More than 300 Google employees “joined a petition protesting the company’s plans to build a search engine that complies with China’s online censorship regime,” The Washington Post's Hamza Shaban reported. “An employee-led backlash against the project has been churning for months at the company, but Tuesday’s petition marks the first time workers at Google have used their names in a public document objecting to the plans.” The employees expressed their opposition to the project as Amnesty International launched a “day of action” to call on Pichai to drop the endeavor.

“Our opposition to Dragonfly is not about China: we object to technologies that aid the powerful in oppressing the vulnerable, wherever they may be,” the Google employees said in a post published on Medium. “The Chinese government certainly isn’t alone in its readiness to stifle freedom of expression, and to use surveillance to repress dissent. Dragonfly in China would establish a dangerous precedent at a volatile political moment, one that would make it harder for Google to deny other countries similar concessions.” Hamza also reported that opponents to the project “question Google’s corporate values and have raised concerns about the consequences of tech companies cooperating with authoritarian governments.”

PUBLIC KEY

— “Conservative author Jerome Corsi alerted longtime Trump adviser Roger Stone in early August 2016 that WikiLeaks planned to release material damaging to Democratic candidate Hillary Clinton, including documents related to her campaign chairman John Podesta, according to a draft court filing,” The Washington Post's Carol D. Leonnig, Rosalind S. Helderman and Manuel Roig-Franzia reported“Corsi emailed Stone about WikiLeaks’s plans nearly 10 weeks before the group published Podesta’s hacked emails in October, according to the document, which was prepared by special counsel Robert S. Mueller III’s team as part of plea negotiations with Corsi that have collapsed.”

— “The charges against WikiLeaks founder Julian Assange will remain sealed for now, with a federal judge in Alexandria saying she would hear more before ruling on whether the public has a right to see the documents,” The Post's Rachel Weiner reported. “‘This is an interesting case, to say the least,’ Judge Leonie M. Brinkema said Tuesday. ‘Obviously, some kind of mistake has been made.’ That mistake by the government, she noted, exposed Assange’s name and ‘the fact that he has been charged’ in a filing for an unrelated case.”

— “Officials in Valdez, Alaska, admitted earlier this month that they paid off hackers to regain access to municipal computer systems that were crippled in July by a ransomware attack,” StateScoop's Benjamin Freed reported. “The city of just 4,000 gave its attackers four bitcoins, worth $26,624 at the time of the payment, in exchange for a decryption key that unlocked its systems that had been affected by the cyberattack. In a press release posted Nov. 13 to Valdez’s Facebook page, City Manager Elke Doom said she approved the payment after consulting with a cybersecurity firm in Virginia, which negotiated with the hackers as a third party. She didn’t name the company that assisted the town.”

— More cybersecurity news from the public sector:

New authorities allow DoD to act faster and respond quicker to activities in cyberspace.
Fifth Domain
Politics
The U.S. and Russian presidents are scheduled to meet at the Group of 20 meeting in Buenos Aires later this week.
Philip Rucker, Josh Dawsey and Anne Gearan
The comments by Brent McIntosh, Treasury's general counsel, are at odds with concerns by state regulators and consumer groups who fear that a national standard on how firms handle data breaches could weaken pre-existing rules.
American Banker
Former National Security Agency director Michael Rogers has welcomed the Trump administration’s willingness to use cyber-operations to deter foreign adversaries, adding that the United States’ previous reluctance to do so was counterproductive.
CyberScoop
A Russian consulting firm indicted by special counsel Robert Mueller is set to ask a U.S. court for permission to internally share information the federal government deems "sensitive."
The Hill
PRIVATE KEY
Kaspersky Lab’s found evidence that a small spyware government contractor sells iOS malware, showing it may not be as rare as some people think.
Motherboard
Technology
Predictim's chief said the company was undeterred by the restrictions: “If you’re not hiding anything, if you’re not abusive, if you’re not a bully, I don’t see why you’d be scared."
Drew Harwell
THE NEW WILD WEST

— “New Zealand’s international spy agency on Wednesday halted mobile company Spark from using Huawei equipment in its planned 5G upgrade, saying it posed a ‘significant network security risk,’” the Associated Press's Nick Perry reported. “The action follows a ban in Australia, where the Chinese telecommunications giant was blocked in August from rolling out Australia’s 5G network due to security concerns. In New Zealand, Huawei has previously helped build mobile networks.”

— “Britain’s Financial Conduct Authority will punish firms that are failing to get the basics right on cyber defenses, or whose botched IT projects harm consumers, a senior official at the markets watchdog said on Tuesday,” Reuters's Huw Jones reported. “Outages at banks such as TSB have left thousands of customers without banking services and this month British lawmakers opened an investigation into such incidents.”

— More cybersecurity news from abroad:

U.S.-China trade tensions are poised to come to a head this week when President Trump meets with Chinese President Xi Jinping, and a major component of those talks will likely focus on intellectual property (IP) theft.
The Hill
In China, a new type of internet loan comes with a catch: lenders can track your car’s whereabouts and can seize it if you fail to make payments.
The Wall Street Journal
ZERO DAYBOOK

Today

Coming soon

  • The Georgetown University Law Center hosts a cybersecurity symposium, titled “Cybercrime 2020: Revisiting the Future of Online Crime and Investigations,” in Washington tomorrow.
  • The Council to Secure the Digital Economy hosts an event for the release of the “International Anti-Botnet Report” in Washington tomorrow.
EASTER EGGS

Bolton on Khashoggi tapes: “I don't speak Arabic.”

 White House Christmas decorations through the years:

Video shows gender reveal stunt that caused Arizona wildfire: