Connect with us

Privacy

Privacy and Fragmentation of Devices on Broadband Networks a Cause for Concern

Published

on

Photo of Omdia Research Director Michael Philpott

February 3, 2021—The range and number of devices on broadband networks is causing problems in the internet-connected home, and internet service providers are only now beginning to get their hands around issues of “fragmentation” caused by this growth.

Results of a five-year survey laying out these challenges highlighted a secondary problem plaguing internet service providers globally: Consumer privacy.

The consultancy firm Omdia laid out the results of their survey in a Wednesday webinar on The Future Telco-Connected Home” survey, and hosted by the Broadband Forum.

The survey featured responses from broadband service providers regarding the primary issues facing their consumers, projected sectors of development, and future developments that will be necessary to sustain a connected home.

The continued drive to eradicate fragmentation, developing data standards and privacy to maintain trust, and the development of open platforms where the three major issues that Omdia identified in the survey data.

Michael Philpott, research director at Omdia, said that open standards will help eradicate fragmentation. In this context, he was referring to the different vendors that sell hardware or software each being responsible for accomplishing the same objectives.

This can be problematic when different pieces of hardware, sold by different vendors, do not work well in tandem.

For example, have you ever had the problem figuring out which TV remote control is suppose to power which home electronics device?

Another example of this would be a router and a modem by different vendors. They should be able to work together, shouldn’t they?

Fragmentation can delay the role-out and of smart Wi-Fi deployment by hampering the ability of third-party developers to utilize another vendor’s technology. “Many of those vendors may not actually invest time and money to do work with a third party that’s not really going to add an advantage to them as a business.”

Open platforms and tech standards prevent vendors from having to go through this process with every third-party they encounter.

Consumer trust and privacy

But the other big area of chief concern was preserving consumer trust.

Privacy and security weren’t even in the first round of questions given to broadband providers in 2015. But in 2020, “customer privacy” was the second most commonly cited concern, with “customer home network security” coming in fourth.

When asked which features broadband services hoped to “virtualize,” more than 40 percent of respondents hoped to do that with online privacy protection

The report can be downloaded in its entirety from Broadband Forum.

As a child of American parents working abroad, Reporter Ben Kahn was raised as a third culture kid, growing up in five different countries, including the U.S.. He is a recent graduate of the University of Baltimore, where he majored in Policy, Politics, and International Affairs. He enjoys learning about foreign languages and cultures and can now speak poorly in more than one language.

Privacy

Colorado and Virginia Lead In Consumer Privacy Legislation, Still Need Federal Law, Conference Hears

Both states join California as the only ones with comprehensive privacy laws, but experts say a federal bill should fill the regulatory void.

Published

on

Stacey Gray, senior counsel at the Future of Privacy Forum.

WASHINGTON, November 30, 2021 – Amid the lack of comprehensive privacy law at the federal level, states across the nation join California to take privacy matters into their own hands.

California was the first state to adopt privacy legislation with its California Consumer Privacy Act (CCPA) in 2018, followed by the California Privacy Rights Act of 2020 (CPRA). In 2021, Virginia and Colorado enacted their own privacy laws, which will go into effect in 2023.

At the Federal Communications Bar Association’s annual privacy symposium on November 16, privacy experts celebrated Colorado’s and Virginia’s progress amid an industry-wide push for a comprehensive federal privacy law.

Virginia’s and Colorado’s privacy laws align with California’s CPRA by applying many of CPRA’s concepts: the scope of data covered by the law is the same, and all states impose data use restrictions that limit a company’s ability to analyze and share consumers’ personal information.

Further, all states impose affirmative duties on data processing entities. Colorado’s privacy law, however, sets itself apart by using a heightened standard for businesses to obtain a customer’s agreement to process their personal data. Colorado’s attorney general also has broad policy-making authority in the bill, making Colorado’s attorney general an effective state enforcement regime.

Drawbacks to piecemeal legislation

Despite the relative uniformity between the three states’ legislation, privacy experts agree that widely differing privacy frameworks sets the industry up for a messy regulatory compliance landscape.

Stacey Gray, senior counsel at the Future of Privacy Forum, said a lack of interoperability makes compliance across multiple states more difficult. “This is a huge issue with three states with different frameworks,” she said. “Lawmakers are getting a big push not to regulate differently or creating direct conflict with different states. That’s why [the] other proposals have similar basic language and features.”

Gray also pointed to differing frameworks for service opt-in and opt-out models as another point of tension. “We should explore what Colorado and California have done, which is include a global opt-out for browsers or internet plug-ins that communicates [opting out] to every company in the ecosystem of a person’s data,” she added.

Although Gray said she believes that a federal privacy bill is the best way to develop a national standard, she sees growing state interest as an inevitable product of growing data harms affecting consumers.

“It really started in the past few years and is snowballing,” she said. “Between the passage of the European Union’s General Data Protection Regulation, the Cambridge Analytica scandal, California’s law in 2018, some federal momentum, and the role of the media…there’s been an increasing state interest in these issues. There’s a motivation to protection residents in their own states.”

Federal privacy law is still best

Consumer privacy bills were considered in 26 states this year, and only Colorado and Virginia made it past the finish line. As lawmakers are getting ready for sessions in early 2022, stakeholders are preparing to push for greater privacy legislation across the nation regardless of any federal action. ‘’

Gray argues that a federal law would be the best authority for a nationwide privacy standard. “The federal standard would be ideal,” Gray said. If there is no action on the federal level and we’re left with the states, then states should continue enacting privacy laws, she said. “But we should tackle this at the federal level to get a standard that applies nationwide. We already have hundreds of privacy laws in various sectors that supplement HIPAA, students and privacy, and even long-standing narrow laws like paparazzi and school records,” so more state laws could be hard for businesses and entities to navigate and comply.

Still, there may be benefits to testing privacy laws on the state level before enforcing the legislation nationwide. “States are the laboratory for democracy,” said Ryan Kriger, assistant attorney general in Vermont’s attorney general public protection division.

“We have three laws in the books now to look at,” Kriger added. “It’s a huge benefit for states to test things out and see how things work, as well as finding ways to make an existing law better by applying it to the states.”

Continue Reading

Privacy

Federal Trade Commission Should Make Privacy Rules Against ISP Data Collection, Experts Say

To protect consumers in the digital revolution, experts say serious federal action on privacy can lead the way.

Published

on

Photo of Alan Butler, executive director of the Electronic Privacy Information Center

WASHINGTON, November 30, 2021 – Privacy experts are calling on the Federal Trade Commission to start the process of empowering itself to penalize internet service providers that collect unnecessary data from their customers to push targeted advertisements.

While discussions on privacy matters have overwhelmingly been focused on big technology companies and how they use customer data, experts at a Federal Communications Bar Association privacy symposium on November 16 said ISPs should be in the crosshairs of federal regulators.

Specifically, according to Alan Butler, president of the Electronic Privacy Information Center, unnecessary ISP data collection “demands action” from the FTC.

“The current status is that internet service providers are within the jurisdiction of the FTC and the FTC should act” and not wait for other federal actors to initiate ISP consumer privacy rules, said Butler. In 2017, Congress voted to disallow the Federal Communications Commission, which regulates the telecom space, from making regulations on protecting ISP consumer privacy, leaving the door open for the FTC to regulate providers’ privacy practices.

But there’s a wrinkle. While the agency can investigate and penalize business practices that are “unfair” and “deceptive,” according to the Federal Trade Commission Act, the FTC cannot issue its own federal privacy rules under its current consumer protection authority. To do that, the FTC would need to initiate a policy-making process by which the agency develops and issues regulations, which can then become federal policy.

Some experts think the FTC would be the best entity for developing such rules and should start the process, while others think the FTC’s regulatory process wasn’t made to give the agency its own privacy authority.

A separate federal agency for privacy regulation

As the FTC could receive funding to establish a privacy bureau under the House of Representatives’ reconciliation bill, Butler left open the question of whether the FTC should proceed by issuing broad privacy regulations or whether it should be should be “parsed out” into specific issues.

“The FTC has to adopt rules that establish fair data practices and seek to protect secondary data uses and sensitive data,” such as customers’ biometric and demographic data, he said. Butler said FTC privacy regulations would be a “temporary solution,” but there must be a separate federal agency that regulates privacy in the United States. “Funding for an FTC privacy bureau in the reconciliation bill is an important step forward,” he said.

The law at play for an FTC privacy authority

The FTC’s ability to regulate privacy would be governed by the Magnuson-Moss Warranty-Federal Trade Commission Improvement Act. The Magnuson-Moss Act is notorious for adding several steps beyond the normal federal policy-making process, including a requirement that the FTC must find the problematic conduct to be “prevalent” in the marketplace.

“Magnuson-Moss was designed to choke off the FTC’s ability to engage in rulemaking,” said Georgetown law professor David Vladeck. Issuing privacy rules from the FTC would hard, he says, because the FTC must clear substantial hurdles before it can enforce any privacy rules.  “There’s a clear implication that the FTC is not able to promulgate a rule unless it can prove to a court after the rulemaking is done that the intrusive conduct is ‘prevalent.’ Well, Congress doesn’t define ‘prevalent,’” he added.

Butler argued that finding prevalence of data abuse won’t be hard. “The FTC wouldn’t struggle to find issues that are endemic to the industry,” he said. “The [agency] is capable of finding that its widespread use of location data unrelated to the use of the service as prevalent in the marketplace, and online behavioral tracking.” Thus, Butler argues, the FTC would be able to prove that data abuse substantially harms consumers and correctly uses its [proposed] authority to enforce privacy rules against technology companies.

Earlier this year, FTC chair Lina Kahn approved revisions to its Magnuson-Moss procedures, making it easier for the FTC to conduct its process for developing and issuing privacy rules. The rules grant the chair the authority to serve as the Chief Presiding Officer of the rulemaking hearing process, grants the commission the authority to control the conduct of the informal hearings, and eliminates a rule requiring the commission staff to publish a report analyzing the final rule before it is established as official agency policy.

Kahn said the changes to the rulemaking process will remove “extraneous and onerous procedures” that only delay the issuance of FTC rules.

FTC process could “surface” issues

Despite the difficulty of issuing privacy regulations, Vladeck said there may be value in initiating the process anyway, including “to surface the issues” of privacy and data collection by ISPs.

Vladeck highlighted “illegal dark patterns” as an example of a narrow issue the FTC can go after. The FTC characterizes “dark patterns” as methods companies use to keep consumers trapped in subscription services.

“The FTC is the only policeman on this beat,” Vladeck said, adding it could act as an effective enforcement regime against data abuses that affect consumers.

Continue Reading

Cybersecurity

House Oversight Reveals Details of Investigation into Colonial Pipeline, Other Company Hacks

The committee released a memo stating that “small lapses” led to many prominent cyberattacks this year.

Published

on

Oversight and Reform Committee Chairwoman Carolyn Maloney, D-New York

WASHINGTON, November 17, 2021 – A House Oversight and Reform Committee investigation concluded in a staff memo that “small lapses” in cyber security led to hacks of Colonial Pipeline, meat producer JBS USA, and insurance group CNA Financial Corporation that occurred earlier this year.

Additionally, in Tuesday’s memo, the committee stated that the companies’ lack of “clear points of contact with the federal government” hampered response efforts to the attacks and that the companies faced a “huge” amount of pressure to pay hackers. Cyber security officials on Tuesday asked Congress to push legislation that would force companies to notify the government about cyber breaches.

The CNA hack occurred after an employee accepted a fake browser update and hackers gained access to JBS through an old account with a weak password that had not been deactivated. Colonial Pipeline was hacked as a result of just one stolen password linked to a profile, leading to gas shortages in several states.

Employees at JBS and Colonial Pipeline may have been operating on Internet of Things devices, which often only make use of mass-produced factory password settings due to limited processing power. This makes such devices extremely vulnerable to cyberattacks.

“Even large organizations with seemingly robust security systems fell victim to simple initial attacks, highlighting the need to increase security education and take other security measures prior to an attack,” reads Oversight’s memo.

Security issues for schools and libraries

Experts say that similar issues with IoT and password security are increasingly threatening cybersecurity in schools and libraries as well. During a School, Health and Libraries Broadband Coalition event Wednesday, leaders in education emphasized data that shows attacks on the educational sector to continue increasing in frequency from a rate that already ranks second among all professional sectors.

Amy McLaughlin, executive director of technical and solutions architecture for Oregon State University, suggested during the event that schools and libraries expand their security beyond basic firewall that is paid for by E-rate funding and change default passwords when possible, avoiding using an administrator login, patch systems, as well as use anti-malware software on all devices.

Similarly, Bob Turner, field chief information security officer for higher education at Fortinet, stated that his organization recommends schools use multi-factor authentication.

The recently signed Infrastructure Investment and Jobs Act specifically allocates funding to be used for the implementation of improved cybersecurity practices in institutions including libraries, cyber security officials said Tuesday.

National security concerns

In June, Oversight and Reform Committee Chairwoman Carolyn Maloney, D-New York, told CNA, JBS USA and Colonial Pipeline via letters that she was “extremely concerned that the decision to pay international criminal actors sets a dangerous precedent that will put an even bigger target on the back of critical infrastructure going forward.”

During an Oversight and Reform panel Tuesday, committee members questioned witnesses on the efforts by President Joe Biden’s administration to push back on recent ransomware attacks by Russian-based cybercriminals.

Continue Reading

Recent

Signup for Broadband Breakfast

Get twice-weekly Breakfast Media news alerts.
* = required field

Trending