Shortwave: FISA Reauthorization Moves Center Stage

This is the shorter, free version of The Wavelength. Please consider subscribing in order to get the longer version and to access back issues behind the paywall.

Do you feel that?

If you stay still, you can feel the oxygen getting sucked out of the tech policy space in the U.S., which can mean only one thing: it’s FISA reauthorization time.

Yes, a key part of the “Foreign Intelligence Surveillance Act” (FISA) expires at the end of the year, and the inevitable struggle over what a reauthorization should look like may serve to delay action on other technology issues as combatants will reach for any leverage they can use to ensure their favored language is used. In recent years, other tech bills have been taken hostage as a means of Members exerting pressure on a FISA reauthorization.

Moreover, in 2020, the previously unthinkable happened: Congress failed to reauthorize some provisions of FISA (see here). And this is a possible outcome given the antipathy on the right and left for different parts of the Section 702 surveillance regime. For example, last fall, Representative Jim Jordan (R-OH), the new chair of the House Judiciary Committee, said “I think we should not even reauthorize FISA.” Another potential outcome is that House Republicans refuse to reauthorize Section 702 unless the Biden Administration turns over materials and makes available witnesses in a number of inquiries with which the White House is not probably inclined to cooperate (e.g. any Hunter Biden probes or investigation into alleged pressuring of social media platforms.)

Well, what is Section 702, you might be asking. This section of FISA was added via the “FISA Amendments Act of 2008” (P.L. 110-261) and, broadly speaking, permits the U.S. government to collect the electronic communications (phone calls, email, etc.) of non-U.S. persons reasonably believed to be outside the U.S. without a search warrant. The Attorney General and the Director of National Intelligence manage the program with oversight from the Foreign Intelligence Surveillance Court (FISC.) The statute does allow for some “incidental” collection of the electronic communications of U.S. persons even though the Department of Justice (DOJ) and the Intelligence Community (IC) must have procedures to screen out such incidental collection.

The Privacy and Civil Liberties Oversight Board (PCLOB), a little known and little watched entity, may have started Section 702 reform with this event last week. Moreover, the PCLOB plans “to release a new report on Section 702 in the spring of 2023, in time to inform the upcoming public and congressional debate.” This would not be PCLOB’s first report on Section 702 (see here, here, and here.)

There is a strong interest in the IC that Section 702 be reauthorized. At the PCLOB event, NSA and CyberCom head General Paul Nakasone argued:

This authority provides the U.S. government irreplaceable insights whether we are reporting on cybersecurity threats, counterterrorism threats or protecting U.S. and allied forces. FISA Section 702 has helped us to understand the strategic intention of the foreign governments we are most interested in, the People’s Republic of China, Russia, Iran and Democratic People’s Republic of Korea.

To no great surprise, there are many groups that oppose a reauthorization of Section 702 without what they would see as reform. For example, just to look to one entity’s perspective on Section 702, in November 2022 comments, the Brennan Center for Justice at NYU School of Law argued for the following reform:

(1) narrowing the scope of Section 702 collection; (2) shoring up protections for “incidentally” acquired U.S. person information by requiring agencies to obtain a warrant, court order, or subpoena before running U.S. person queries of Section 702 data, and by placing stricter limits on retention; (3) modernizing FISA by establishing basic rules and requiring FISA Court oversight for EO 12333 surveillance; and (4) increasing transparency and accountability in the operations of Section 702 and EO 12333.

Of course, Section 702 has policy relevance beyond the U.S. since it largely pertains to warrantless surveillance of non-U.S. persons outside the U.S. The Court of Justice of the European Union (CJEU) named this program as one of the means of U.S. surveillance programs unacceptably compromises the rights of EU citizens such that there can be no agreement with the U.S. allowing for the free flow of personal data from the EU to the U.S. As a result, companies dependent on the unimpeded flow of EU personal data to the U.S. (e.g., Meta, Google, etc.) may engage in the debate on Section 702.

Washington Post; Axios; Cyberscoop; Politico;

The United States (U.S.) Federal Aviation Administration (FAA) said it “is continuing a thorough review to determine the root cause of the Notice to Air Missions (NOTAM) system outage” and its “preliminary work has traced the outage to a damaged database file.” The agency stressed that “[a]t this time, there is no evidence of a cyber attack.”

The Court of Justice of the European Union (CJEU) has found that under the General Data Protection Regulation (GDPR) “that where personal data have been or will be disclosed to recipients, there is an obligation on the part of the controller to provide the data subject, on request, with the actual identity of those recipients” per the court’s summary.

The United Kingdom’s (UK) Information Commissioner’s Office (ICO) and National Cyber Security Centre (NCSC) issued statements (here and here) indicating they are investigating the ransomware attack on the UK’s Royal Mail.

Officials from the United States (U.S.) and United Kingdom (UK) met in Washington, D.C. “for the inaugural meeting of the U.S.-UK Comprehensive Dialogue on Technology and Data.”

The United States (U.S.) House Oversight and Accountability Committee announced renewed requests for former Twitter officials to testify on the company’s “censoring the New York Post’s reporting about the Biden family’s influence peddling.” The new Ranking Member called the matter the pursuit of “already debunked and hyper-partisan conspiracy theories about President Biden, his family, and the so-called ‘deep state.’”

The United Kingdom’s Office of Communications is “seeking evidence on risks of harms to children online and how they can be mitigated, as we prepare to develop codes of practice in our forthcoming role as online safety regulator” under the “Online Safety Bill” before the House of Commons.

The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) released “its 2022 Year in Review highlighting the extensive work of CISA and its partners over the past year to protect the nation’s critical infrastructure.”

The European Data Protection Board issued a statement on Ireland’s Data Protection Commission (DPC) fining Facebook €210 and Instagram €180 million.

United States (U.S.) House Oversight and Accountability Committee Chair Member James Comer (R-KY), House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA), and House Judiciary Committee Chair Jim Jordan (R-Ohio) introduced the “Protecting Speech from Government Interference Act” (H.R.140) that “prohibits Biden Administration officials and federal bureaucrats from using their authority or influence to promote censorship of speech or pressure social media companies to censor speech.”

France’s Commission Nationale de L'Informatique et des Libertes (CNIL) “sanctioned the social network TIKTOK for a total amount of 5 million euros for two reasons: users of "tiktok.com" could not refuse cookies as easily as they accept them…[and] were not informed in a sufficiently precise manner of the purposes of the different cookies.”

Google filed its brief in Gonzalez v. Google LLC, a case pending before the Supreme Court of the United States regarding the potential limits of Section 230.

The United States (U.S.) National Telecommunications and Information Administration (NTIA) and Federal Communications Commission (FCC) said they will not grant requests to delay “improving the National Broadband Map” that will be used to disburse the bulk of the $48 billion made available in the “Infrastructure Investment and Jobs Act of 2021” (P.L. 117-58) for broadband expansion.

Germany’s Bundeskartellamt sent Google “its preliminary legal assessment in the proceeding initiated due to Google’s data processing terms” and the agency “assumes that the new provisions for large digital companies (Section 19a of the German Competition Act, GWB) are applicable and Google thus has to change its data processing terms and its associated practices.”

The United States (U.S.) Department of Justice (DOJ) and the Department of Housing and Urban Development (HUD) “filed a Statement of Interest to explain the Fair Housing Act’s (FHA) application to algorithm-based tenant screening systems…in Louis et al. v. SafeRent et al., a lawsuit currently pending in the U.S. District Court for the District of Massachusetts alleging that defendants’ use of an algorithm-based scoring system to screen tenants discriminates against Black and Hispanic rental applicants in violation of the FHA.”

The United Kingdom’s National Cyber Security Centre “launched the new Funded Cyber Essentials Programme, which offers some small organisations in high-risk sectors practical support at no cost to help put baseline cyber security controls in place.”

The United States (U.S.) National Institute of Standards and Technology (NIST) “is setting up this community of interest (COI) to allow the industry, academia, and government to discuss, comment, and provide input on the potential work that NIST is doing which will affect the automotive industry” because the “industry is facing significant challenges from increased cybersecurity risk and adoption of AI and opportunities from rapid technological innovations.”

The United Nations (UN) Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes started meeting in Vienna, Austria.

United States (U.S.) House Financial Services Committee Chair Patrick McHenry (R-NC) announced the creation of a new subcommittee, the Digital Assets, Financial Technology and Inclusion Subcommittee.

The United States (U.S.) National Institute of Standards and Technology (NIST) published NIST Interagency Report (IR) 8401, Satellite Ground Segment: Applying the Cybersecurity Framework to Satellite Command and Control that “applies the NIST Cybersecurity Framework to the ground segment of space operations;” is asking for comment on “SP 800-132, Recommendation for Password-Based Key Derivation: Part 1: Storage Applications;” and is seeking input on “initial public drafts of NIST SP 800-157r1 (Revision 1), Guidelines for Derived Personal Identity Verification (PIV) Credentials, and NIST SP 800-217, Guidelines for Personal Identity Verification (PIV) Federation.”

The United States (U.S.) Federal Communications Commission (FCC) Robocall Response Team “announced the latest batch of Enforcement Bureau cease-and-desist letters…[that] tell two more voice service providers to end their apparent support of illegal robocall traffic or face serious consequences.”

The Telecommunications Workforce Interagency Group (or TWIG), an entity comprised of the Federal Communications Commission, the National Telecommunications and Information Administration, and the Departments of Labor and Education sent their final report to Congress “to provide recommendations to address the workforce needs of the telecommunications industry, including the safety of that workforce.”

The Coalition for App Fairness (CAF) sent a letter to United States (U.S.) Trade Representative Ambassador Katherine Tai and Secretary of Commerce Gina Raimondo “regarding the upcoming negotiations for the Indo-Pacific Economic Framework (IPEF), warning the Administration that Big Tech gatekeepers will try to weaponize U.S. trade policy to protect their monopoly power.”

“Tech bosses could face jail after Tory MPs revolt on bill” — BBC

“UK lawmakers vote to jail tech execs who fail to protect kids online” — Ars Technica

“President Biden really wants to boost chip manufacturing and he needs Mexico’s help to do it” — Fortune

“Ukraine calls for ‘Cyber United Nations’ amid Russian attacks” — Politico

“Apple Reaches Deal With Investors to Audit Its Labor Practices” — New York Times

“Chips Are the New Oil and America Is Spending Billions to Safeguard Its Supply” — Wall Street Journal

“White House, House GOP take aim at Big Tech, but see different targets” — Roll Call

“What the Jan. 6 probe found out about social media, but didn’t report” — Washington Post

“Are we too worried about misinformation?” — recode

“TikTok Tries to Win Allies in the U.S. With More Transparency” — Wall Street Journal

“The US government is still trying to find ways to regulate Big Tech. He has some ideas” — CNN

“One of Google's big plans to replace third-party cookies just hit a huge setback that it might not recover from” — Insider

“Aviation warning system that crashed was already a pain for pilots” — NBC News

“The US Far Right Helped Stoke the Attack on Brazil’s Congress” — WIRED

“What Drove a Mass Attack on Brazil’s Capital? Mass Delusion.” — New York Times

“DOJ antitrust chief cleared to oversee Google probes” — Politico

“FBI seeks victims of China's overseas pressure campaign” — Axios

“In Response to Haaretz Investigation, Bangladesh Says It Made No ‘Direct’ Purchases of Spytech From Israel” — Haaretz

“U.S. tech firms are replacing workers with cheaper talent in Latin America” — Rest of the World

“Amazon Labor Union Certified by U.S. Labor Officials” — Vice

“A Police App Exposed Secret Details About Raids and Suspects” — WIRED

“New Records Rules Require Agencies to Save Chats and Texts” — Nextgov

“Royal Mail ransomware attackers threaten to publish stolen data” and “Royal Mail overseas post badly disrupted after cyber incident” — Guardian

“Hackers access Guardian staff salary, passport information” — Semafor

“Delivery app Hugo crushed Uber in El Salvador. So why is it shutting down?” — Rest of the World

“It’s Not Just You: 5G Is a Big Letdown” — Wall Street Journal

“‘My AI Is Sexually Harassing Me’: Replika Users Say the Chatbot Has Gotten Way Too Horny” — Vice

“Vigilantes for views: The YouTube pranksters harassing suspected scam callers in India” — Rest of the World

§ 18 January and 19 January

o   The United States (U.S.) National Institute of Standards and Technology’s  (NIST) Internet of Things (IoT) Advisory Board will hold a meeting.

§ 19 January

o   The United States (U.S.) Federal Trade Commission will hold an open meeting.

§ 23 January

o The United Kingdom’s House of Commons’ Public Accounts Committee will hold a formal meeting (oral evidence session) as part of its “DCMS: Broadband, Gambling and Unboxed” inquiry.

§ 26 January

o   The United States (U.S.) Federal Communications Commission will hold an open meeting.

o   The United States (U.S.)-China Economic and Security Review Commission will a public hearing on “China's Military Diplomacy and Overseas Security Activities.”

§ 1 February

o   The Colorado Attorney General will hold a rulemaking hearing on the draft regulations proposed to implement the “Colorado Privacy Act.”

§ 1 and 2 March

o The United States (U.S.) National Institute of Standards and Technology’s Information Security and Privacy Advisory Board (ISPAB) will hold its first quarterly meeting of the year.

§ 29 and 30 April

o The G7 Digital and Technology Ministers' Meeting will take place.