The FTC Is The Tip of The Spear
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Socket.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
This week the US Federal Communications Commission (FCC) levied nearly USD$200m in fines against the country's largest mobile telecommunications providers for selling customers' location data without their consent.
The FCC says each of the telcos involved—Verizon, AT&T, Sprint and T-Mobile—sold customer location data to aggregators despite a 2007 regulation that required them to obtain consent from customers to do so. The aggregators then resold the data to third-party location-based service providers. In one example, aggregators shared AT&T customer location data with 88 third party entities directly or indirectly. They shared location data from other telcos with similar numbers of third parties.
Some carriers argue they shouldn't be fined because they discontinued the practice in 2019. This is an appealing argument at first glance, but the FCC started these investigations after a 2018 New York Times article showed the data was being abused by a Missouri sheriff. We're not sure companies should be let off the hook just because they stop a troubling practice when it receives unwelcome public attention.
In related news, the US Federal Trade Commission (FTC) aims to publish rules relating to 'commercial surveillance' in the next couple of months, according to The Record. The FTC defines commercial surveillance as the "business of collecting, analysing, and profiting from information about people".
The FTC recently published a speech from Samuel Levine, the Director of its Bureau of Consumer Protection, that lays out the thinking behind the commission's approach.
Perhaps most significantly, Levine says "there is momentum across government—state and federal, Republicans and Democrats—to push back against unchecked surveillance". In other words, it's not a coincidence that technology regulation is increasing.
In his speech, Levine talks of "unchecked surveillance" and, in our view, conflates the entire digital economy with commercial surveillance. There are companies that track people directly for profit, but that is not what most of the digital economy is about.
Despite this caveat, much of what Levine says makes sense and signals the direction for broader government action.
Levine takes aim at what he calls the 'notice and choice' regime, whereby consumers theoretically provide informed consent after reading terms and conditions or privacy policy documents.
He calls the choice regime "a fantasy world, divorced from the reality of how people live or how firms operate". Instead of protecting privacy it has become "a way for companies to give invasive data practices a thin veneer of legitimacy".
This regime is broken, he says, because people don't have the time or expertise to read and understand the documents and, even if they could, they couldn’t exercise choice because digital services are indispensable and there isn't much competition.
The solution here, Levine says, is that "firms need to collect and retain less data about us, and secure it better". The FTC has already secured a number of prohibitions against firms selling sensitive location information and sharing sensitive health data for advertising purposes.
In addition to improving consumer privacy, another goal for the FTC is to crack down on 'dark patterns' or manipulative user interfaces that trick users into making decisions they would not otherwise have made. One example here is interfaces that make it difficult to cancel ongoing subscriptions, and last year the FTC acted against Amazon for allegedly tricking users into subscribing to Amazon Prime and making the cancellation process deliberately difficult to navigate.
The FTC's complaint in that case says:
…the primary purpose of the Prime cancellation process was not to enable subscribers to cancel, but rather to thwart them. Fittingly, Amazon named that process "Iliad," which refers to Homer's epic about the long, arduous Trojan War.
Levine says another FTC goal is to ensure that AI technologies "work for people, and not the other way around". Although AI is still in its infancy, the intent here is to avoid leaving a regulatory vacuum as occurred during the 2000s where internet companies were left to regulate themselves.
These aren't rogue FTC actions, but rather represent what Levine calls "the tip of the spear in a broader rethinking of the government’s role in making markets work better".
There are two possible futures here.
In one, Congress passes comprehensive federal privacy legislation such as the recently proposed American Privacy Rights Act (APRA). Compared to other recent proposals, experts think this Act has the best chance of making it into law.
The APRA, however, hits the same notes that the FTC's Levine does, including data minimisation and a prohibition on the use of dark patterns. In this future the FTC is enforcing legislation.
In the second future, comprehensive privacy legislation does not pass Congress and instead the FTC tries to change business practices using regulation and enforcement actions. It's a more difficult road for the FTC, but the destination is much the same.
Microsoft: Security Is Our Top Priority… After AI and Teams
At Microsoft's quarterly earnings call last week, CEO Satya Nadella said security was the company's "number one priority" and that it is "doubling down on this very important work, putting security above all else—before all other features and investments".
It is good to see top-level support for security and its prioritisation over other features. These were entirely absent at the announcement of Microsoft's Secure Future Initiative last November.
Having said that, Nadella devoted just a few sentences to the topic, after first covering AI infrastructure, data and analytics, developers, the future of work, 'industry and cross-industry clouds' and how well Microsoft Teams is doing.
On the other hand, The Verge reported this week that Microsoft senior leadership are genuinely concerned about the company's security failings:
At an internal leadership conference earlier this month, both Microsoft CEO Satya Nadella and president Brad Smith spoke about the need to prioritise security above everything else, according to sources. The fear at Microsoft’s most senior levels is that trust is being eroded by these security issues and that it’s going to have to win back the trust of its customers as a result.
To us it seems that Microsoft's senior leadership are beginning to understand that good security underpins everything the company does… they are just afraid to say it out loud where it might spook investors.
Cloud Industry Resists Know-Your-Customer Requirements
The Record examines US cloud industry pushback to a Biden administration executive order that requires these companies to invest in know-your-customer (KYC) programs.
The justification for the requirement, as articulated by the Commerce Department, is that foreign cyber actors have used these services "to commit intellectual property and sensitive data theft, to engage in covert espionage activities, and to threaten national security by targeting U.S. critical infrastructure".
Buying their way onto US infrastructure hides foreign cyber actors from the US intelligence community's overseas-focussed programs and gives them a way to approach targets in the US.
Requiring cloud companies to do some due diligence identifying customers won't eliminate the problem, but it will make it harder for these foreign actors.
It's worth remembering that banks and financial institutions weren't always required to carry out formal KYC procedures, but the regulations were introduced after increasing detection of money laundering and fraud.
These regulations don’t stop money laundering, but it would be silly to say that they don't make a difference.
KYC in banks helps tackle the money aspects of significant societal problems—for example, organised crime, fraud and the drug trade. Adversary states launching cyber operations against domestic targets are also an extremely significant problem that it is reasonable to expect cloud companies to do something about.
Three Reasons to Be Cheerful This Week:
- App Store ramps up privacy requirements: This month Apple is ramping up requirements for developers of apps in the App Store to include information about how customers' information is collected and used. The ultimate goal is to make it clear to both developers and end users how data is treated by apps and third party SDKs.
- More sensible hiring for FedGov: The US National Cyber Director, Harry Coker, announced federal agencies will move to more flexible, skills-based hiring for IT and cyber security employees, rather than employment based on degrees or years of experience. Former CISA Director Chris Krebs thinks this will open up the pool of potential candidates and also align compensation more with the private sector.
- UK bans default passwords for IoT devices: The UK's Product Security and Telecommunications Infrastructure Act came into effect this week and bans default and weak or easily guessed passwords for Internet of Things devices.
Sponsor Section
In this Risky Business News sponsored interview, Tom Uren talks to CEO and founder of Socket, Feross Aboukhadijeh about the open source software and supply chain security. Feross says the software ecosystem has evolved in ways that make it more vulnerable to trust-based attacks (such as seen in XZ Utils) and discusses what can be done to defend against this type of supply chain subversion.
Shorts
Drones Today, Automobiles Tomorrow
Chinese drone maker DJI has launched a lobbying campaign to counter proposed legislation that would effectively ban the company's drones from the US.
The US Cybersecurity and Infrastructure Security Agency (CISA) has formally warned that Chinese manufactured drones "continue to pose a significant risk" to US national security and critical infrastructure. The advisory cites the potential for data transfer and says they could possibly allow foreign adversaries to gather previously inaccessible intelligence.
Drones aren't the only concern, either. This week a US Senate enquiry found that major automakers were surrendering vehicle location to law enforcement requests without a warrant or court order.
We wonder where all this ends up. Modern automobiles are in some ways very similar to drones. They are internet-connected rolling sensor packages, rather than flying ones. As Chinese-made electric vehicles become more popular we expect we'll hear a lot more about the security risks.
The Chinese government has already placed restrictions on Teslas in China and barred them from military bases and government affiliated venues.
Amazon In Hot Water Over Disappearing Messages
The US Federal Trade Commission has submitted a court filing claiming that senior Amazon executives used Signal's disappearing messages feature to hide conversations dealing with the Commission's antitrust suit against the company.
It's not a good look for the company, especially as Amazon Web Services runs encrypted messaging app Wickr as a business offering. One of its selling points is that it is compliant and offers 'automatic enforcement of data retention policies'.
The Unreasonable Effectiveness of Phishing
Akamai researchers have found phishing sites targeting the US Postal Service (USPS) get the same or more internet traffic than does the postal service's legitimate domain.
The researchers base this analysis on data from Akamai's DNS servers and found that malicious traffic peaks during busy periods.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at the life cycle of 0days, dissect the conventional wisdom and talk about how 0days are never truly 'burnt'.
From Risky Biz News:
Cyber Partisans hack Belarus KGB: Belarusian hacktivist group the Cyber Partisans claims to have hacked Belarus' national intelligence agency, the Belarusian KGB.
The group says it breached the agency in the fall of 2023 and exfiltrated data from its official website.
The intrusion went undetected for months until earlier this year, when the KGB put its website into maintenance mode—in which it remained to this day.
Over the weekend, the Cyber Partisans have leaked a copy of the site's database and its server logs.
The Cyber Partisans also claim they obtained the personal details of over 8,600 current and former KGB employees. This data allegedly includes names, dates of birth, and photo IDs.
The group used the data to create a Telegram bot. The bot allows Belarusian citizens to upload photos and face-match it against the KGB database to detect if someone is part of the agency's staff.
[more on Risky Business News, including a short history of the Cyber Partisans]
Cisco zero-day fun time is here!: A suspected state-backed hacking group is exploiting two zero-days in Cisco ASA security appliances as part of a campaign targeting government networks globally.
Cisco confirmed the attacks earlier this week when it also released patches for the two zero-days.
The company linked the attacks to a group it tracks as UAT4356. Cisco says the group has also targeted perimeter network devices from other vendors, as well as Microsoft Exchange email servers.
[more on Risky Business News]
Change Healthcare hack: UnitedHealth CEO Andrew Witty says hackers breached the network of its Change Healthcare subsidiary using stolen credentials for the company's Citrix web portal. In a written testimony [PDF] to be delivered later this week at a Senate hearing, Witty says Change Healthcare failed to enable MFA on the hacked Citrix account. The UnitedHealth CEO didn't mention the exploitation of any Citrix vulnerabilities. He also took credit for deciding to pay the hacker's ransom demand. The decision backfired after the leaders of the AlphV ransomware group stole the $22 million for themselves. This led the AlphV affiliate who carried out the attack to continue the extortion against Change Healthcare, seeking a new payment. The hearing will take place on May 1 and will be live-streamed on YouTube via the URL embedded below.
