Juniper Networks never accounted for a 2015 security breach, in which unauthorized and NSA-designed code was added to its products, lawmakers led by Sen. Ron Wyden, D-Ore., wrote Wednesday. Sens. Mike Lee, R-Utah; Cory Booker, D-N.J.; and 13 House Democrats sought information. Four years since Juniper announced an investigation, the public has “no information about why Juniper quietly added an NSA-designed, likely-backdoored encryption algorithm, or how, years later, the keys to that probable backdoor were changed by an unknown entity, likely to the detriment of U.S. national security,” they wrote. They cited Attorney General William Barr’s effort to pressure tech companies to weaken encryption and assist government surveillance. The company didn’t comment.
Alleged robocall businesses Rising Eagle Capital and JSquared Telecom and principals of the companies were subject Tuesday to the largest fine in FCC history -- $225 million -- and litigation brought by seven states alleging Telephone Consumer Protection Act (TCPA) violations. FCC Commissioner Brendan Carr said the fine proposal -- approved unanimously by the commissioners -- "represents a major win" for commission efforts to partner with the telecom industry on robocall issues. USTelecom's Industry Traceback Group traced the calls coming from the firms and passed that information on to the Enforcement Bureau, he said. USTelecom didn't comment. The FCC said the fine is for an estimated 1 billion spoofed robocalls made in the first four-plus months of 2019 by the health insurance telemarketers. It said the calls purported to be from such insurers as Aetna, BlueCross BlueShield, Cigna and UnitedHealth Group but were on behalf of unaffiliated insurer clients of Rising Eagle and JSquared. It said people on the Do Not Call registry were particularly targeted. Chairman Ajit Pai said at least one of the companies that Rising Eagle and JSquared falsely claimed to represent was sued multiple times because its number was spoofed. Commissioner Jessica Rosenworcel said the fine "sounds right [for] fraud on an enormous scale" but criticized the DOJ for its largely fruitless efforts in recent years collecting FCC-levied fines. Echoing her, Commissioner Geoffrey Starks said it's also difficult to get information from the Enforcement Bureau on collections efforts. DOJ and EB didn't comment. The states' litigation (docket 20-cv-02021) brought Tuesday in U.S. District Court in Houston makes allegations similar to those the FCC investigated and says the companies also would make robocalls trying to sell automobile extended service warranties. The suit asks for damages of $1,500 for each willful TCPA violation or $500 for each unknowing violation, plus a permanent enjoinder. 
It alleges 328 million robocalls made to seven states during the first four-plus months of 2019. Suing are the state attorneys general of Arkansas, Indiana, Michigan, Missouri, North Carolina, Ohio and Texas. John Spiller, allegedly a principal of the companies and named in the states' suits, told us he was unaware of any possible fine, that he and fellow defendant Jakob Mears were unaware of an FCC investigation, and he denied the commission's robocall allegations.
HyperBeard, a kids app developer, agreed to pay $150,000 and to “delete personal information it illegally collected from children under 13,” the FTC said in a 4-1 settlement Thursday. The company allegedly violated the Children’s Online Privacy Protection Act rule by “allowing third-party ad networks to collect personal information in the form of persistent identifiers to track users of the company’s child-directed apps, without notifying parents or obtaining verifiable parental consent,” per a complaint filed by DOJ. It names HyperBeard CEO Alexander Kozachenko and Managing Director Antonio Uribe. Commissioner Noah Phillips dissented, saying, “Given the violations at issue, the harm to consumers, and how we have approached other COPPA cases, my view is that the fine imposed today is too much.” He questioned whether the $4 million penalty, which led to the settlement, was appropriate given the alleged harm, noting a $5.7 million penalty against Musical.ly (see 1902270059). Chairman Joe Simons disagreed, saying, “The goal of the civil penalty should be to make compliance more attractive than violation.” HyperBeard disagreed any of its games were directed at children under 13, but it settled to avoid “costly and distracting litigation,” the firm said, noting its limited resources as a “small company.” The “legacy apps” mentioned in the FTC complaint “have long been transitioned to COPPA-compliant advertising networks (which do not collect or use advertising IDs),” it said.
With “lots of first-time users” signing up during the pandemic, “as a CEO, I think I should have done a better job” managing the security and privacy issues, said Zoom's Eric Yuan. He wishes in hindsight the company had offered more tech support for novice customers, he said on a fiscal Q1 call Tuesday: “This is a mistake I made. So we learned a hard lesson.” The quarter ended April 30. COVID-19 stay-at-home mandates enabled Zoom to peak at more than 300 million daily meeting participants that month, up from 10 million in December, said Yuan. “We continue to see elevated levels of participants even as governments around the world have begun to ease stay-in-place restrictions.” The stock closed 7.6% higher Wednesday at $223.87. Yuan acknowledged the “negative PR” that Zoom endured about security and privacy after demand spiked. “With good intentions, we opened our platform to unprecedented numbers of first-time users” who lacked the “established protocols for security and privacy” that were endemic to more seasoned “enterprise customers,” he said. Zoom since has “transparently and quickly addressed specific security and privacy issues,” he said. The company blogged about its improvements, amid some criticism (see 2004070053).
Senators introduced privacy legislation Monday that would require consumer consent for COVID-19-related tracking apps, limit data collection and create safeguards against potential discrimination. Introduced by Senate Commerce Committee ranking member Maria Cantwell, D-Wash.; Bill Cassidy, R-La.; and Amy Klobuchar, D-Minn., the Exposure Notification Privacy Act would mandate public health official involvement with app deployment. Consumer participation would be voluntary and participants could delete their data. “We need to regulate apps that provide COVID-19 exposure notification to protect a user’s privacy, prevent data misuse, and preserve our civil rights -- and this bill offers a roadmap,” said Public Knowledge Policy Counsel Sara Collins Tuesday.
Maine’s ISP privacy law doesn’t raise First Amendment concerns or run afoul of federal law, Public Knowledge said Monday in an amicus brief (in Pacer) supporting the state at the U.S. District Court of Maine. Consumer privacy advocates supported Maine last week (see 2005280062). The law contested by cable and telecom associations “is part of a longstanding and continuing tradition of complementary state and federal laws that prohibit communications networks, whether paper or electronic, from disclosing any information relating to the acts of communication,” PK wrote. Access Now and New America’s Open Technology Institute filed jointly to support Maine. “ISPs sit in a privileged position,” they said (in Pacer). “Customers cannot reasonably avoid sharing details of their private lives with ISPs.” The Maine law shouldn’t face heightened First Amendment scrutiny because it doesn’t regulate speech and isn’t meant to suppress a particular viewpoint, Columbia University’s Knight First Amendment Institute wrote (in Pacer).
A company with facial recognition tech to create so-called faceprints of a person's identity (see 2003030054) was sued for allegedly violating people's privacy. Clearview AI undertook "unlawful surreptitious capture and storage of millions of Illinoisans’ sensitive biometric identifiers," alleged the American Civil Liberties Union, Chicago Alliance Against Sexual Exploitation, Sex Workers Outreach Project Chicago, Illinois State Public Interest Research Group and Mujeres Latinas en Accion. They told a state court in Cook County Thursday Clearview violated the Illinois Biometric Information Privacy Act: "Clearview has captured more than three billion faceprints from images available online, all without the [subjects'] knowledge." It's the first such case to attempt to "force any face recognition surveillance company to answer directly to groups representing survivors of domestic violence and sexual assault, undocumented immigrants, and other vulnerable communities uniquely harmed," the ACLU emailed. The company didn't comment.
Maine Attorney General Aaron Frey (D) opposed the telecom industry seeking an immediate ruling that the state’s ISP privacy law is unconstitutional (see 2004070015). “It would be premature -- and misguided -- for the Court to grant judgment to” ACA Connects and other plaintiffs, the defendant said (in Pacer) Wednesday at the U.S. District Court of Maine. “The First Amendment accords comparatively less protection to commercial speech than traditional protected speech,” Frey said. The AG separately moved (in Pacer) for judgment on the industry’s federal preemption claims.
House leaders reached a deal over the long weekend to allow a vote on an amendment to the Senate-passed version of the Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring (USA Freedom) Reauthorization Act. HR-6172 from Reps. Zoe Lofgren, D-Calif., and Warren Davidson, R-Ohio, would bar law enforcement agencies from reading Americans’ internet browsing history without a warrant. The House Rules Committee is expected to meet Wednesday to set plans for debating and voting on HR-6172 and the amendment. A floor vote is expected Thursday. The Senate amended HR-6172 earlier this month with language to provide some additional oversight of Foreign Intelligence Surveillance Act surveillance programs but not the text from Sens. Ron Wyden, D-Ore., and Steve Daines, R-Mont., preferred by some privacy advocates (see 2005140061). Lofgren hailed House leaders for agreeing to hold a vote on her HR-6172 amendment, which is similar to the Wyden-Daines proposal. “Without this prohibition, intelligence officials can potentially have access to information such as our personal health, religious practices, and political views without a warrant,” Lofgren said Tuesday. She touted the support of House Intelligence Committee Chairman Adam Schiff, D-Calif. His office didn’t comment. Free Press Action Government Relations Director Sandra Fulton said that "passing the bill with this amendment in it would be a tremendous milestone in curbing abuses under the Patriot Act and other surveillance authorities." The House “should overwhelmingly support the Lofgren-Davidson amendment and bring home this meaningful privacy protection for their constituents,” said Demand Progress Senior Policy Counsel Sean Vitka.
California might enforce its privacy law three months before final regulations by Attorney General Xavier Becerra (D), said privacy attorney Christina Gagnier on a Carlton Fields webinar Thursday. The AG hasn't announced timing for California Consumer Privacy Act rules, but “it’s been communicated that the regulations might not be out until October,” even though Becerra hasn’t budged on starting enforcement July 1, she said. COVID-19 has moved many things back but it’s also brought “a heightened awareness of privacy,” Gagnier said. “The AG’s office is basically balancing those two things.” The final rules probably won't deviate much from proposed regulations as revised a few months ago (see 2004020043), unless the legislature this summer passes major changes like what’s proposed in AB-3119 by Assemblymember Buffy Wicks (D), the lawyer said. Wiley heard the same, attorney Joan Stewart emailed us. "While the AG hasn’t provided guidance yet on how enforcement would work in a world without implementing regulations -- we anticipate that initially enforcement could be focused on the requirements of the statute, rather than compliance specifics tied to the regulations." Expect the AG to "go after businesses that have made no effort to comply rather than businesses that have made a good faith effort but fell short." The International Association of Privacy Professionals blogged Monday about the possible delay to CCPA rules. "For regulations to become effective July 1, they must be filed with the Office of Administrative Law by May 31," but they haven't been submitted, IAPP said. If the AG doesn't meet that deadline, "their effective date will likely slip until Oct. 1." Becerra is "committed to enforcing the law starting July 1," a spokesperson emailed. "We encourage businesses to be particularly mindful of data security in this time of emergency."