The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

The Federal Trade Commission has the votes to crack down on surveillance

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Placeholder while article actions load

Good morning and happy Thursday! If you have some free time this morning, I'd highly recommend this new series from my colleague Geoffrey A. Fowler on technology’s failings and ideas for making it better.

Today: Mesa County Clerk Tina Peters has been banned from overseeing elections in her own county, and Wisconsin's GOP-led election investigation is being paused. 

There’s a new surveillance and privacy cop in town

The Senate has confirmed Alvaro Bedoya to a seat on the Federal Trade Commission.

The long-awaited move gives the commission’s Democrats a majority and could foreshadow looming regulations and scrutiny over the surveillance industry.

Bedoya, a law professor who founded Georgetown Law’s Center on Privacy & Technology, is a surveillance critic. He has spearheaded research into facial recognition’s effects on marginalized groups and civil rights, reframing the conversation about the technology from its technical aspects to its real-world impacts, my colleague Drew Harwell reported.

Vice President Harris cast the tiebreaking vote to confirm Bedoya in the Senate yesterday, my colleagues Cat Zakrzewski and Felicia Sonmez reported. Bedoya’s confirmation means that FTC Chair Lina Khan has the votes to launch her ambitious agenda targeting major technology companies. 

GOP opposition

Bedoya’s confirmation saw weeks of delays. Because Bedoya lacked any Republican support, Senate Democrats had to wait to call a vote until all 50 members of its caucus were healthy and available. The confirmation had to be delayed when Sen. Ben Ray Luján (D-N.M.) had a stroke and others tested positive for the coronavirus.

It also faced Republican opposition. Conservative groups criticized Bedoya’s nomination in March, saying he would “steer the agency in a direction of overreaching and harmful regulatory policies.” This week, Senate Minority Leader Mitch McConnell (R-Ky.) called Bedoya a “radical partisan” and urged senators to oppose his confirmation. 

No Republicans ultimately voted in favor of confirming him.

Lots of action

The FTC has also boosted its foothold in the cybersecurity world. In January, it warned companies to mitigate the devastating Log4j software vulnerability. 

  • “The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” it said at the time. The FTC is also considering the dynamic where users who contribute to open-source software like Log4j are largely volunteers, it said, “as we work to address the root issues that endanger user security.”

In the 11 months since Khan was named FTC chair, the commission has been busy. It has taken aim at companies that have been hacked, gone after firms that have collected data without user consent and required some to take novel actions:

  • In March, it ordered weight loss company WW International and a subsidiary to delete information it collected from children. It also ordered the company to delete algorithms that were developed using the data. That month, it also voted to require e-commerce platform CafePress to boost its cybersecurity and pay $500,000 to data breach victims.
  • Last year, it banned stalkerware app SpyFone and its chief executive from the surveillance industry, and told the company to delete illegally obtained data. It also fined advertising firm OpenX $2 million over children’s privacy violations and told it to delete ad request data and set up a privacy program.
  • In October, it released a report that found many Internet service providers amass large amounts of user data and could combine them in ways users may not expect
  • The commission has also proposed requiring that financial institutions report data breaches of 1,000 or more customers within 30 days, CyberScoop’s Tonya Riley reported.

Rulemaking is also on the horizon. At a conference last month, Khan “called for the federal government to expand its policing of data abuses to account for the vast ‘surveillance’ enabled by modern technology,” my colleague Cristiano Lima wrote at the time. The FTC is “considering initiating a rulemaking to address commercial surveillance and lax data security practices,” Khan said at the conference. 

The keys

Indicted official Peters barred from overseeing 2022 elections

A Colorado judge ruled Tuesday that Mesa County Clerk Tina Peters, a proponent of debunked election fraud conspiracy theories and a Republican candidate for secretary of state, is banned from overseeing elections in her county because of her indictment for allegedly tampering with voting equipment, my colleagues Timothy Bella and Emma Brown report

Peters — who was not allowed to oversee last year’s local elections — is not accused of fixing the election, but of breaking the law as she sought to investigate whether someone else did. She is facing multiple investigations stemming from allegations that she breached election equipment security and violated campaign finance law, including 10 felony and misdemeanor counts from a grand jury indictment. 

Two additional Mesa County employees, deputy clerk’s Belinda Knisley and Julie Fisher, have also been barred from overseeing this year’s elections. Knisley is facing cybercrime charges for activities related to the case. 

“Clerk Peters’ actions compromised Mesa County’s voting equipment and election security constituting one of the nation’s first insider threats where an election official risked the integrity of the election system in an effort to prove unfounded conspiracy theories,” Colorado Secretary of State Jena Griswold (D), who filed the lawsuit against Peters, said in a written statement. Griswold appointed Brandi Bantz, the county elections director, to fill Peters’s position. 

In March, Peters claimed to our colleagues that the charges against her were a “politically motivated attack” aimed at weakening her candidacy in the state’s upcoming elections. Peters and her attorney didn’t respond to requests for comment.

Partisan Wisconsin election review paused over legal disputes

One of the last remaining GOP efforts to scrutinize the results of the 2020 election will be paused in battleground Wisconsin while several lawsuits are heard in court. In the meantime, the Republican investigator tapped to lead the probe will be paid half as much moving forward, the Associated Press reports.

Yet: The investigation could be revived if the courts rule that election officials must comply with subpoenas issued by former state Supreme Court justice Michael Gableman, who is leading the investigation. 

The five lawsuits in question deal with Gableman’s request to interview state officials involved with running Wisconsin elections behind closed doors, which Democrats vehemently oppose. They argue the lawsuits could be resolved, and taxpayer funds saved, if Gableman agreed to conduct the interviews in public. 

Gableman’s review was initially supposed to be completed in October, but since then, under pressure from former president Donald Trump, GOP lawmakers have extended his taxpayer-funded contract indefinitely. His investigation has faced bipartisan criticism and has yet to produce evidence to show there was widespread voter fraud in the 2020 presidential election won by President Biden. 

Gableman’s review has also been plagued by blunders, including glaring errors in subpoenas. Gableman also asserted that a mapping official was “liberally deplorable” and “probably” a Democrat because she plays video games, “has a weird nose ring” and “loves nature and snakes.” 

The Biden administration drafts executive order to safeguard U.S. data

An initial draft of the executive order would give Attorney General Merrick Garland the power to examine and potentially block transactions that include data sales or access if they pose national security risks, Reuters’s Alexandra Alper and Karen Freifeld report. It would also tell the Department of Health and Human Services to start writing a rule “to ensure that federal assistance, such as grants and awards, is not supporting the transfer of U.S. persons’ health, health-related or biological data … to entities owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries.”

It comes as the U.S. government tries to prevent the transfer of sensitive U.S. data to China. “The draft order reflects an effort by the administration to respond more aggressively to national security threats allegedly posed by Chinese companies that acquire reams of U.S. personal data, after failed bids by the Trump administration to bar Americans from using popular social media platforms TikTok and WeChat,” Alper and Freifeld report. The White House, Justice Department and Commerce Department declined to comment to Reuters, while the Department of Health and Human Services did not respond to their request for comment.

Global cyberspace

Russian cyber experts restore RuTube access after three-day outage (Reuters)

UK revamps espionage legislation to tackle modern threats (Financial Times)

Israel's opposition passes preliminary bill for probe into police spying (i24NEWS)

Prince Charles announces UK ‘data reform’ bill, throwing EU adequacy status into limbo (The Record)

French watchdog mulls action against U.S. AI company Clearview (Reuters)

Privacy patch

Lawmakers question Education Department about Facebook student aid tracking after Markup investigation (The Markup)

San Francisco police are using driverless cars as mobile surveillance cameras (Motherboard)

Thousands of popular websites see what you type—before you hit submit (WIRED)

Cyber insecurity

U.S., allies warn of rising recent and future attacks on managed service providers (CyberScoop)


  • The House Homeland Security Committee’s cybersecurity subcommittee holds a hearing on the cybersecurity of federal networks Tuesday at 2 p.m.
  • The Senate Health, Education, Labor and Pensions Committee holds a hearing on the cybersecurity of the health and education sectors Wednesday at 10 a.m.
  • Rep. Michael McCaul (R-Tex.), Rep. Elissa Slotkin (D-Mich.) and Bob Kolasky, a senior vice president for critical infrastructure at Exiger who previously led CISA’s National Risk Management Center, discuss cybersecurity at a Washington Post Live event Wednesday at 2:30 p.m.
  • The U.S. Chamber of Commerce hosts a briefing on Russian cyberthreats with FBI and CISA officials on May 19 at 2 p.m.

Secure log off

Thanks for reading. See you tomorrow.