Cybersecurity & Tech

The FTC Is the Tip of the Spear

Tom Uren
Friday, May 3, 2024, 10:01 AM

The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.

Tip of the spear, Stable Diffusion

Published by The Lawfare Institute
in Cooperation With
Brookings

The FTC Is The Tip of The Spear

This week the U.S. Federal Communications Commission (FCC) levied nearly $200 million in fines against the country's largest mobile telecommunications providers for selling customers' location data without their consent.

The FCC says each of the telcos involved—Verizon, AT&T, Sprint, and T-Mobile—sold customer location data to aggregators despite a 2007 regulation that required them to obtain consent from customers to do so. The aggregators then resold the data to third-party location-based service providers. In one example, aggregators shared AT&T customer location data with 88 third-party entities directly or indirectly. They shared location data from other telcos with similar numbers of third parties.

Some carriers argue they shouldn't be fined because they discontinued the practice in 2019. This is an appealing argument at first glance, but the FCC started these investigations after a 2018 New York Times article showed the data was being abused by a Missouri sheriff. We're not sure companies should be let off the hook just because they stop a troubling practice when it receives unwelcome public attention.

In related news, the U.S. Federal Trade Commission (FTC) aims to publish rules relating to "commercial surveillance" in the next couple of months, according to The Record. The FTC defines commercial surveillance as the "business of collecting, analyzing, and profiting from information about people."

The FTC recently published a speech from Samuel Levine, the director of its Bureau of Consumer Protection, that lays out the thinking behind the commission's approach.

Perhaps most significantly, Levine says "there is momentum across government—state and federal, Republicans and Democrats—to push back against unchecked surveillance." In other words, it's not a coincidence that technology regulation is increasing.

In his speech, Levine talks of "unchecked surveillance" and, in our view, conflates the entire digital economy with commercial surveillance. There are companies that track people directly for profit, but that is not what most of the digital economy is about.

Despite this caveat, much of what Levine says makes sense and signals the direction for broader government action.

Levine takes aim at what he calls the "notice and choice" regime, whereby consumers theoretically provide informed consent after reading terms and conditions or privacy policy documents.

He calls the choice regime "a fantasy world, divorced from the reality of how people live or how firms operate." Instead of protecting privacy, it has become "a way for companies to give invasive data practices a thin veneer of legitimacy."

This regime is broken, he says, because people don't have the time or expertise to read and understand the documents, and, even if they could, they couldn’t exercise choice because digital services are indispensable and there isn't much competition.

The solution here, Levine says, is that "firms need to collect and retain less data about us, and secure it better." The FTC has already secured a number of prohibitions against firms selling sensitive location information and sharing sensitive health data for advertising purposes.

In addition to improving consumer privacy, another goal for the FTC is to crack down on  "dark patterns" or manipulative user interfaces that trick users into making decisions they would not otherwise have made. One example here is interfaces that make it difficult to cancel ongoing subscriptions, and last year the FTC acted against Amazon for allegedly tricking users into subscribing to Amazon Prime and making the cancellation process deliberately difficult to navigate.

The FTC's complaint in that case says:

[T]he primary purpose of the Prime cancellation process was not to enable subscribers to cancel, but rather to thwart them. Fittingly, Amazon named that process "Iliad," which refers to Homer's epic about the long, arduous Trojan War.

Levine says another FTC goal is to ensure that artificial intelligence (AI) technologies "work for people, and not the other way around." Although AI is still in its infancy, the intent here is to avoid leaving a regulatory vacuum as occurred during the 2000s, when internet companies were left to regulate themselves.

These aren't rogue FTC actions but, rather, represent what Levine calls "the tip of the spear in a broader rethinking of the government’s role in making markets work better."

There are two possible futures here.

In one, Congress passes comprehensive federal privacy legislation such as the recently proposed American Privacy Rights Act (APRA). Compared to other recent proposals, experts think this act has the best chance of making it into law.

The APRA, however, hits the same notes that the FTC's Levine does, including data minimization and a prohibition on the use of dark patterns. In this future, the FTC is enforcing legislation.

In the second future, comprehensive privacy legislation does not pass Congress and instead the FTC tries to change business practices using regulation and enforcement actions. It's a more difficult road for the FTC, but the destination is much the same.

Microsoft: Security Is Our Top Priority… After AI and Teams

At Microsoft's quarterly earnings call last week, CEO Satya Nadella said security was the company's "number one priority" and that it is "doubling down on this very important work, putting security above all else—before all other features and investments."

It is good to see top-level support for security and its prioritization over other features. These were entirely absent at the announcement of Microsoft's Secure Future Initiative last November.

Having said that, Nadella devoted just a few sentences to the topic, after first covering AI infrastructure, data and analytics, developers, the future of work, "industry and cross-industry clouds," and how well Microsoft Teams is doing.

On the other hand, The Verge reported this week that Microsoft senior leadership are genuinely concerned about the company's security failings:

At an internal leadership conference earlier this month, both Microsoft CEO Satya Nadella and president Brad Smith spoke about the need to prioritize security above everything else, according to sources. The fear at Microsoft’s most senior levels is that trust is being eroded by these security issues and that it’s going to have to win back the trust of its customers as a result.

To us it seems that Microsoft's senior leadership are beginning to understand that good security underpins everything the company does… they are just afraid to say it out loud where it might spook investors.

Cloud Industry Resists Know-Your-Customer Requirements

The Record examines U.S. cloud industry pushback to a Biden administration executive order that requires these companies to invest in know-your-customer (KYC) programs.

The justification for the requirement, as articulated by the Commerce Department, is that foreign cyber actors have used these services "to commit intellectual property and sensitive data theft, to engage in covert espionage activities, and to threaten national security by targeting U.S. critical infrastructure."

Buying their way onto U.S. infrastructure hides foreign cyber actors from the U.S. intelligence community's overseas-focused programs and gives them a way to approach targets in the U.S.

Requiring cloud companies to do some due diligence identifying customers won't eliminate the problem, but it will make it harder for these foreign actors.

It's worth remembering that banks and financial institutions weren't always required to carry out formal KYC procedures, but the regulations were introduced after increasing detection of money laundering and fraud.

These regulations don’t stop money laundering, but it would be silly to say they don't make a difference.

KYC in banks helps tackle the money aspects of significant societal problems—for example, organized crime, fraud, and the drug trade. Adversary states launching cyber operations against domestic targets is also an extremely significant problem that it is reasonable to expect cloud companies to do something about.  

Three Reasons to Be Cheerful This Week:

  1. App Store ramps up privacy requirements: This month Apple is ramping up requirements for developers of apps in the App Store to include information about how customers' information is collected and used. The ultimate goal is to make it clear to both developers and end users how data is treated by apps and third-party SDKs.
  2. More sensible hiring for FedGov: The U.S. national cyber director, Harry Coker, announced federal agencies will move to more flexible, skills-based hiring for information technology and cybersecurity employees, rather than employment based on degrees or years of experience. Former CISA Director Chris Krebs thinks this will open up the pool of potential candidates and also align compensation more with the private sector.
  3. U.K. bans default passwords for IoT devices: The U.K.'s Product Security and Telecommunications Infrastructure Act came into effect this week and bans default and weak or easily guessed passwords for Internet of Things devices.

Shorts

Drones Today, Automobiles Tomorrow

Chinese drone maker DJI has launched a lobbying campaign to counter proposed legislation that would effectively ban the company's drones from the U.S.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has formally warned that Chinese-manufactured drones "continue to pose a significant risk" to U.S. national security and critical infrastructure. The advisory cites the potential for data transfer and says they could possibly allow foreign adversaries to gather previously inaccessible intelligence.

Drones aren't the only concern, either. This week a Senate inquiry found that major automakers were surrendering vehicle location data to law enforcement requests without a warrant or court order. 

We wonder where all this ends up. Modern automobiles are in some ways very similar to drones. They are internet-connected rolling sensor packages, rather than flying ones. As Chinese-made electric vehicles become more popular, we expect we'll hear a lot more about the security risks. The Chinese government has already placed restrictions on Teslas in China and barred them from military bases and government-affiliated venues.

Amazon in Hot Water Over Disappearing Messages

The FTC has submitted a court filing claiming that senior Amazon executives used Signal's disappearing messages feature to hide conversations dealing with the commission's antitrust suit against the company.

It's not a good look for the company, especially as Amazon Web Services runs encrypted messaging app Wickr as a business offering. One of its selling points is that it is compliant and offers "automatic enforcement of data retention policies."  

The Unreasonable Effectiveness of Phishing

Akamai researchers have found phishing sites targeting the U.S. Postal Service get the same or more internet traffic than does the postal service's legitimate domain. The researchers base this analysis on data from Akamai's DNS servers and found that malicious traffic peaks during busy periods.

Risky Biz Talks

In the latest "Between Two Nerds" discussion, Tom Uren and The Grugq look at the life cycle of zero-days, dissect the conventional wisdom, and talk about how zero-days are never truly "burnt."

From Risky Biz News:

Cyber Partisans hack Belarus KGB: Belarusian hacktivist group the Cyber Partisans claims to have hacked Belarus's national intelligence agency, the Belarusian KGB. The group says it breached the agency in the fall of 2023 and exfiltrated data from the agency's official website. The intrusion went undetected for months until earlier this year, when the KGB put its website into maintenance mode—in which it remains to this day.

Over the weekend, the Cyber Partisans leaked a copy of the site's database and its server logs. The Cyber Partisans also claim they obtained the personal details of over 8,600 current and former KGB employees. This data allegedly includes names, dates of birth, and photo IDs. The group used the data to create a Telegram bot. The bot allows Belarusian citizens to upload photos and face-match them against the KGB database to detect if someone is part of the agency's staff.

[more on Risky Business News, including a short history of the Cyber Partisans]

Cisco zero-day fun time is here! A suspected state-backed hacking group is exploiting two zero-days in Cisco ASA security appliances as part of a campaign targeting government networks globally. Cisco confirmed the attacks earlier this week when it also released patches for the two zero-days. The company linked the attacks to a group it tracks as UAT4356. Cisco says the group has also targeted perimeter network devices from other vendors, as well as Microsoft Exchange email servers.

[more on Risky Business News]

Change Healthcare hack: UnitedHealth CEO Andrew Witty says hackers breached the network of its Change Healthcare subsidiary using stolen credentials for the company's Citrix web portal. In a written testimony [PDF] to be delivered later this week at a Senate hearing, Witty says Change Healthcare failed to enable multifactor authentication on the hacked Citrix account. The UnitedHealth CEO didn't mention the exploitation of any Citrix vulnerabilities. He also took credit for deciding to pay the hacker's ransom demand. The decision backfired after the leaders of the AlphV ransomware group stole the $22 million for themselves. This led the AlphV affiliate who carried out the attack to continue the extortion against Change Healthcare, seeking a new payment.


Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.

Subscribe to Lawfare