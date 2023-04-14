Privacy
Experts Call for Multisector Collaboration to Fight Digital Fragmentation and Build Public Trust
Significant regulatory discrepancies disrupt global businesses, restrict cross-border data flow and limit user choice.
WASHINGTON, April 14, 2023 — As accelerating global digitalization exacerbates regulatory fragmentation, the public and private sectors are both crucial to strengthening consumer privacy and trust in digital infrastructure, according to experts at an Atlantic Council forum on Tuesday.
“The days of handling the internet as the all-democratizing force is behind us, and now there needs to be a real role for the government,” said Priya Vora, managing director of the Digital Impact Alliance.
The public sector’s challenge is to find effective solutions for all of the practical questions that arise alongside technological developments, Vora continued.
“How do you create a data protection authority with budget and staffing independence from the administration?” she asked. “How do you create redressal systems that are responsive, especially when you have a judicial system that’s very slow? How might you put online dispute resolution baked into your technology layers?”
The private sector should also play a role in the development and regulation of digital infrastructure, said Tim Murphy, chief administrative officer at MasterCard. “There’s things that are best in the public sector, but there’s things we can do better as well, and trying to advance the conversation about where private can make a constructive contribution in the context of a regulated market is something that is critical to our future.”
Building public trust is an essential step toward successful digital infrastructure development for both government entities and private tech companies, said Arturo Herrera Gutiérrez, global director for governance at the World Bank.
Many modern challenges call for “not only a technical solution, but they actually require an engagement strategy with the citizens,” Gutiérrez explained. “It’s not sufficient to bring what’s the best solution — it’s important to explain to them why the solution is good for them.”
‘Regulatory umbrella’ could fight digital fragmentation
Concerns about digital privacy and data security currently present some of the biggest barriers to public trust in emerging technologies. While acknowledging the United States as a hub for technological innovation, panelists pointed to the European Union as the global leader in data privacy protections.
“The whole next wave of innovation should really be about giving more tools of transparency and control to people,” Vora said.
MasterCard has implemented standards similar to the European Union’s General Data Protection Regulation around the world, Murphy said. “We need to be laser focused on highest global standards on privacy… even though it’s not required,” he said.
In addition to potentially harming user trust, the significant regulatory discrepancies between various countries and states contributes to digital fragmentation — which disrupts global businesses, restricts cross-border data flow and limits user choice.
“We need to be very careful and thoughtful about the kind of world we’re creating in terms of digital fragmentation,” Murphy said.
“A sort of regulatory umbrella — not to stifle innovation, but to have some basic agreed-to rules of the road — is incredibly important,” agreed Josh Lipsky, senior director of the Atlantic Council’s GeoEconomics Center.
Vora noted that these regulatory challenges will only become more complicated as digital globalization increases. The rapid headway of generative artificial intelligence technologies will likely “put all of this on steroids,” she added.
Murphy called for public and private sector stakeholders to come together and thoughtfully consider how to best regulate rapidly evolving technologies such as artificial intelligence.
“Anyone who tells you they’ve got the answers on how to navigate generative AI and so on is selling something, and that really needs our careful attention,” he said.
Cybersecurity
Charter Suggests Network Authentication Layer for Equipment Certification
The telecom said manufacturers are in the best position to ensure security.
WASHINGTON, April 5, 2023 – Charter Communications is recommending the Federal Communications Commission require device manufacturers seeking equipment authorization to add a layer of authentication security to protect against cyberthreats.
In a letter to the commission on Friday, the telecommunications company suggested the commission require, as a condition of certification, devices pass a security authentication step to connect to the user’s network. When an internet-connected device connects to a network, it can also access sensitive information being shared on it – leaving the door open to malicious activity.
This “baseline” security “would erect a new barrier to prevent malicious actors from exploiting unauthorized or unidentified devices connected to consumer broadband networks without consumers’ knowledge or consent,” Charter said in its letter, following a meeting with FCC officials. “It would also be a simple and efficient way to address major cybersecurity vulnerabilities without the Commission needing to prescribe detailed cybersecurity requirements.”
“The most vulnerable devices often lack strong passwords and other basic security measures, which make them susceptible to malicious actors and frequent sources of harmful traffic across networks,” Charter added. “Devices that can connect to home networks without first being authenticated are also a significant source of cyber threats. And, despite various educational efforts, many consumers still never change the default passwords that come printed on their devices.”
The company noted that this practice is accepted by industry standards bodies and the broader security community and would relieve consumers of an additional burden when they come to connect their devices.
In conjunction with a November order that halted equipment authorizations from companies on a national security blacklist, the FCC is currently contemplating a proposal that would revamp the equipment authorization program to minimize cybersecurity threats and other malicious activity of foreign agents. The proposal asks whether it should ban component parts of a problematic device, and not just the manufactured product, and if it should require certification applicants to have a U.S.-based representative to ensure compliance.
As ubiquitous 5G connectivity takes hold in the country, more and more internet-connected devices are flooding the market.
“The proliferation of cybersecurity incidents in recent years and, particularly, the growing number of cyber threats that exploit unsecured IoT devices, underscores the need for more proactive efforts to deter and combat vulnerabilities before they reach consumers,” Charter noted in the letter, adding device manufacturers are in the “best position” to address these common security vulnerabilities.
Charter added that a combination of device manufacturer action on the authentication front and user action to additional security layers – through stronger passwords, for example – “will better protect Americans and US networks from the growing harm of cyber threats.”
The company said it actively strives to enhance security measures for its devices, including some of its newer routers requiring users to provide a unique credential to manage their home network instead of a default password. It said its routers also have pre-set security settings and undergo regular software updates.
FCC Commissioner Nathan Simington had previously advocated for mandating ongoing, as-needed cybersecurity updates to mitigate risks on wireless devices already in the hands of consumers.
Robocall
Experts Debate Whether Originating or Terminating Providers Hold Robocall Responsibility
Despite the FCC’s recent expansion of STIR/SHAKEN, some panelists called the framework ineffective.
WASHINGTON, March 22, 2023 — The current industry and regulatory fight against illegal robocall traffic is failing to make a meaningful dent in the problem, but there is not yet consensus about a better approach, according to experts at a Broadband Breakfast Live Online event on Wednesday.
“Robocalls have completely undermined the value of the U.S. telephone system,” said Margot Saunders, senior attorney at the National Consumer Law Center. “The system is losing value and that’s hurting all of us — especially businesses and health professionals who are trying to reach people in health emergencies.”
In addition to being an annoyance, fraudulent robocalls are expected to cost mobile subscribers more than $58 billion in 2023 alone, Saunders added.
The Federal Communications Commission voted Thursday to expand the STIR/SHAKEN robocall regime to include providers that receive and deliver phone traffic. Previously, the rules only applied to voice service providers that originate and terminate calls.
“This was a gap in our rules, a way to let junk calls sneak into our networks and reach unassuming consumers,” FCC Chairwoman Jessica Rosenworcel said in a statement. “No more. Today we close this loophole and require intermediate providers… to use STIR/SHAKEN. We also insist that they, along with all other providers, register in our Robocall Mitigation Database.”
Downstream carriers will be prohibited from accepting calls from intermediate providers not listed in the database, Rosenworcel added.
“In my almost 38 years of practice, I have never seen the FCC actually produce more rules and regulations around a single issue in a shorter time as they have with robocalling,” said Glenn Richards, partner at Pillsbury Winthrop Shaw Pittman LLP, at the Broadband Breakfast event.
Panelists disagree about efficacy of STIR/SHAKEN
Despite the FCC’s efforts, some of the initiatives intended to combat robocalling have resulted in more harm than good, claimed Jonathan Marashlian, managing partner at The CommLaw Group.
“STIR/SHAKEN is not the answer,” Marashlian said. “Maybe it was a very small incremental step in a positive direction, but there are so many holes in the framework from just a sheer technological standpoint.”
Vonage Founder Jeff Pulver agreed that STIR/SHAKEN has proven ineffective. “We’re living in an era where we should be able to communicate more, not less,” he said. “Yet the shenanigans that have been going on have actually dramatically reduced call completion rates.”
But other panelists were more optimistic. Richards argued that it was too early to deem STIR/SHAKEN a failure, noting that some problems — such as traffic originating from overseas call centers — are not entirely within the FCC’s control.
“STIR/SHAKEN is by no means a failure — it is an essential element of the full response needed… but it is only one,” Saunders said. “If you have a panoply of problems and you close the door against one of them and leave the other door open, you haven’t solved the problem because all the bad players will simply come in through the other door.”
The fact that VoIP providers are allowed to rent phone numbers to telemarketers and scammers “completely undermines the whole purpose of STIR/SHAKEN,” Saunders added.
Which party is responsible for blocking robocall traffic?
In determining responsibility for bad traffic, Saunders drew an analogy to a grocery story that repeatedly sold spoiled milk from a variety of different brands. “The authorities would go down and say, ‘Grocery store, if you can’t stop selling bad milk because you can’t control your suppliers, we’re going to shut you down,’” she said. “In the end, it’s the terminating providers’ job, we think, to police the providers from whom they accept calls.”
Richards took a different approach. “I think the obligation really belongs to the originating service provider to taste the milk before they send the call,” he said. “There’s probably a relatively small number of originating service providers that are responsible for a large number of the illegal fraudulent traffic that is getting into the United States… and frankly, I think it’s important that those parties probably are the ones that are subject to enforcement.”
While Saunders agreed that the originating providers would ideally be held liable, she noted that “this problem has been going on for years and we’ve not been able to catch them.” Holding the terminating partners accountable, she said, would provide a more effective and pragmatic solution.
Pulver proposed a system where the caller party would pay and the destination party would set the price for call completion. In addition, he said, consumers should be empowered with tools such as “personal communication firewalls” that would allow individuals to block all unrecognized traffic.
Richards also promoted consumer choice, but noted that “not all consumers have that same technical capability — and particularly older consumers, who are the targets of a lot of these nefarious practices — so having the carriers intervene make some sense.”
Privacy
Children’s Online Safety Bills Criticized for Compliance Burden, Plus Speech and Privacy Risks
States are considering measures ranging from age verification to a “duty of care.”
WASHINGTON, March 17, 2023 — As an increasing number of states start to consider and implement their own laws aimed at protecting children’s online safety, some experts are highlighting concerns about the practical implications of the resulting legislative “patchwork” — as well as concerns that some proposals might actually harm consumers’ digital privacy.
“States have realized that the federal government is going to be very slow in acting in this area,” said James Czerniawski, senior policy analyst at Americans for Prosperity. “So they’re going to try to take the lead here.”
Speaking at a Cato Institute forum on Wednesday, Czerniawski described the two competing approaches that have emerged among the various state laws and proposals.
The first is typified by California’s Age Appropriate Design Code Act, passed in August 2022, which requires that online platforms proactively prioritize the privacy of underage users by default and by design. Many aspects of the law are modeled after the United Kingdom’s Online Safety Bill, a controversial proposal that would establish some of the world’s most stringent internet regulations.
The second approach focuses on age verification, such as Utah legislation that will require social media companies to verify the age of Utah residents before allowing them to create or keep accounts.
In addition to those two core directions, many of the state proposals have their own unique twists, Czerniawski said. For example, the Utah legislation prohibits any design choice that “causes a minor to have an addiction to the company’s social media platform.” While the bill has not yet been signed, Gov. Spencer Cox has previously indicated his intent to do so.
For online platforms that operate nationally or internationally, complying with a growing range of disparate state privacy laws will only become more complicated, Czerniawski said. “This patchwork doesn’t work.”
Potential unintended consequences for free speech, competition and privacy
Some experts have raised concerns that legislation intended to protect children online could have unintended consequences for the privacy and speech rights of adult users.
Matthew Feeney, head of technology and innovation at the Centre for Policy Studies, argued that a heavy compliance burden could incentivize online platforms to over-moderate content. “Given the punitive fines attached to the Online Safety Bill, I think they will engage in an abundance of caution and remove a lot of legal and valuable speech.”
The task of determining which users are underage and then figuring out how to prevent them from seeing any harmful content presents a significant challenge for platforms that host a massive amount of user-generated content, Feeney said.
“Something that’s very crucial to understand is that if you require firms to treat children differently, then you’re asking them to find out which of their users are children — and that is not free; that is a cost,” he added. “And for many firms, I think it will just be cheaper to err on the side of caution and assume all users are children.”
In addition to the implications for online speech, Feeney expressed concern that the regulatory burden adds a “very worrying anti-competitive element” to the legislation. “Most of the companies that will be in scope do not have the army of lawyers and engineers that Meta and Google have,” he said.
While the age verification measures might be easier in terms of compliance, Feeney said, they might ironically create their own risk to children’s online privacy by mandating the collection of highly identifying data.
Czerniawski agreed, specifically pointing to TikTok. “From a privacy standpoint, it seems a little odd that we want to have a company that currently has some security concerns collecting more information on kids in order to continue operating in the country,” he said.
Despite agreeing that there may be legitimate concerns about TikTok’s privacy practices, Czerniawski again argued that many of the proposed solutions — such as a complete national ban — fail to address the actual problem.
“If you’re truly concerned about the privacy issues that TikTok has raised, that’s why… we need a federal data privacy law passed, right? I think that that can go a long way towards solving a lot of those issues,” he said.
In terms of child-specific legislation, Czerniawski called for a more narrowly targeted approach to address problems such as the proliferation of online child sexual abuse material without risking the privacy and free speech rights of all other internet users. “We have to be very serious when we’re looking at trade-offs that are involved here,” he said.
