TLJ News from October 11-15, 2012

SoftBank to Acquire 70% Stake in Sprint Nextel

10/15. Sprint Nextel Corporation and SoftBank announced that they have entered into agreements that will give SoftBank a 70% stake in Sprint Nextel.

 See, full story.

Commentary: Governmental Process in Regulating Cyber Security

10/15. Many in federal government are not following ordinary procedure, as specified by the Constitution and the rules of the House and Senate, to address cyber security.

For example, the Congress has not enacted any legislation that gives the President or any executive agency or commission authority to regulate private companies' business practices related to cyber security. There are pending bills, but none has been enacted.

The Constitution provides that "All legislative Powers herein granted shall be vested in a Congress ...". The Constitution gives the President "executive Power", and authority to "take Care that the Laws be faithfully executed".

Yet, if the President were to issue an executive order, as members of his administration have said he might do, directing the Department of Homeland Security (DHS) to regulate the cyber security practices of critical infrastructure providers, this would be an exercise of legislative authority which he does not have.

Second, the action by Rep. Mike Rogers (R-MI) and Rep. Dutch Ruppersburger (D-MD), the Chairman and ranking Democrat of the House Intelligence Committee (HIC) regarding Huawei, ZTE and the regulation of US companies' acquisitions and supply chain processes is also extraordinary.

The HIC and its Senate counterpart were created by the House and Senate to exercise oversight over federal intelligence agencies and operations, and occasionally enact laws that specify the authorities and activities of these agencies.

First, it should be noted that even the concept of executive branch oversight is conspicuously absent from the Constitution's enumeration of Congressional powers. But, what Rep. Rogers and Rep. Ruppersburger are essentially attempting is oversight over non-governmental private sector companies, a power which they do not have. Moreover, their report [60 pages in PDF] is not an action of the Congress, or even the HIC. It is an action of only two members.

Third, while Senate Democratic leaders have taken steps related to legislating, they have not followed Senate procedure.

S 3414 [LOC | WW | PDF], the "Cybersecurity Act of 2012" or "CSA" is the bill backed by Senate Majority Leader Harry Reid (D-NV). It is also President Obama's favored bill. However, this is a hastily drafted bill, vast swaths of which read like a first discussion draft. Key terms remain undefined. Some powers are vaguely stated and would fail to put regulators and companies on notice of their meaning. Critical issues are left unaddressed.

Ordinary Senate procedure would be to assign the bill to committees with jurisdiction (which has not yet occurred), conduct committee hearings (which has not yet occurred), hold committee mark ups to amend and clarify the bill (which has not yet occurred), and then bring an amended bill to the floor under a process that allows further amendment.

Sen. Reid skipped the entire committee process, and then brought a premature bill to the floor without opportunity for full debate and amendment, just before the August recess. Not surprisingly, the Senate did not pass any bill.

People and Appointments

10/15. Michael Simon was promoted to P/CEO for the Harry Fox Agency (HFA). He was previously SVP of Business Affairs, General Counsel and Chief Strategic Officer. Simon replaces Gary Churgin. See, HFA release.

10/15. Douglas Sicker was named Executive Director of the Broadband Internet Technical Advisory Group (BITAG). Sicker is also a professor in the University of Colorado at Boulder's Department of Computer Science. Sicker replaces Dale Hatfield. See, BITAG release.

More News

10/15. The Office of the U.S. Trade Representative (OUSTR) announced in a release that representatives of the US and Israel signed an agreement [33 pages in PDF] regarding the testing and certification of telecommunications equipment. It is titled "Mutual Recognition Agreement between the Government of the United States and the Government of Israel for Conformity Assessment of Telecommunications Equipment". The OUSTR release states that "Israeli regulatory authorities will now accept tests that recognized U.S. laboratories perform to determine the conformity of telecommunications equipment with Israeli technical requirements, rather than requiring additional testing by Israeli laboratories, before American products can be sold in Israel".

Former Senator Specter Died

10/14. Former Sen. Arlen Specter (PA) died. He represented the state of Pennsylvania in the Senate for five terms, as a Republican, until the final year of his Senate career. He failed to win re-election in 2010.

He was a long time member of the Senate Judiciary Committee (SJC), and late in his career, its Chairman.

During his Chairmanship he sponsored patent reform legislation. However, the Congress did not enact its patent reform bill, HR 1249 [LOC | WW], the "Leahy-Smith America Invents Act", until 2011, just after Sen. Specter's retirement.

Sen. Specter was supportive of content industries' efforts to enforce their copyrights. For example, he was a cosponsor in the 111th Congress of S 3804 [LOC | WW], the "Combating Online Infringement and Counterfeits Act", or "COICA", introduced on September 20, 2010. This was the predecessor to the current Congress's S 968 [LOC | WW], the "Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011", "PROTECT IP Act", or "PIPA".

See also, story titled "Senators Introduce Bill to Enable DOJ to Shut Down Web Sites Dedicated to Infringement", "Bill Summary: Combating Online Infringement and Counterfeits Act", and "Commentary: Combating Online Infringement and Counterfeits Act" in TLJ Daily E-Mail Alert No. 2,132, September 21, 2010.

During his Chairmanship he worked with the Bush administration to extend sunsetted surveillance related provisions of the 2001 USA PATRIOT Act.

In the 111th Congress, he advocated expanding the Title III wiretap and electronic surveillance regime to also cover video surveillance. See, S 3214 [LOC | WW], the "Surreptitious Video Surveillance Act of 2010", a bill that would have banned both private and governmental video surveillance. However, as with intercepts, the government could obtain court authorization.

See, story titled "Sen. Specter Introduces Surreptitious Video Surveillance Act of 2010" in TLJ Daily E-Mail Alert No. 2,079, April 19, 2010. See also, stories titled "Senate Judiciary Subcommittee to Hold Hearing on Video Laptop Surveillance", "Class Action Complaint Alleges School District Use of Laptops to Surveil Students", "Analysis of Claims in Robbins v. Lower Marion School District", and "School District Webcams and 2252/2252A" in TLJ Daily E-Mail Alert No. 2,062, March 23, 2010.

Sen. Specter sponsored Senate versions of the "Free Flow of Information Act". See, S 2035 [LOC | WW] in the 110th Congress, and S 448 [LOC | WW] in the 111th Congress. These bills would have limited the ability of federal entities to compel journalists to provide testimony or documents, or disclose sources, related to their work. These bills would also have limited government access to records of carriers, ISPs and other service providers. While the House passed one version of this bill in the 110th Congress, HR 2102 [LOC | WW], and another in the 111th Congress, both the Bush and Obama administrations have opposed these bills, and no bill has become law.

FCC Allows Cable Operators to Encrypt Basic Service Tier

10/12. The Federal Communications Commission (FCC) released a Report and Order [43 pages in PDF] regarding cable operators' encryption of basic tier service.

This Report and Order (R&O) states that "we amend our rules to allow cable operators to encrypt the basic service tier in all-digital cable systems if they comply with certain consumer-protection measures. As discussed below, this rule change will benefit consumers who can have their cable service activated and deactivated from a remote location. By allowing remote activation and deactivation, we expect our amended rules will result in benefits to both cable operators and consumers by significantly reducing the number of truck rolls associated with provisioning service and significantly reducing the need for subscribers to wait for service calls to activate or deactivate cable service."

It continues that "we recognize that this rule change will adversely affect a small number of cable subscribers who currently view the digital basic service tier without using a set-top box or other equipment. If a cable operator decides to encrypt the digital basic tier, then these subscribers will need equipment to continue viewing the channels on this tier. To give those consumers time to resolve the incompatibility between consumer electronics equipment (such as digital television sets) and newly encrypted cable service, we require operators of cable systems that choose to encrypt the basic service tier to comply with certain consumer protection measures for a period of time."

In addition, this R&O states that "we note that this rule change may impact the ability of a small number of subscribers that use certain third-party equipment that is not CableCARD compatible to access channels on the basic service tier. To address this issue, we require the six largest incumbent cable operators to comply with additional requirements that are intended to ensure compatibility with certain third-party-provided equipment used to access the basic tier."

Michael Powell, head of the National Cable & Telecommunications Association (NCTA), stated in a release that "By permitting cable operators to join their competitors in encrypting the basic service tier, the Commission has adopted a sensible, pro-consumer approach that will reduce overall in-home service calls and accelerate cable operators’ transition to all-digital networks. Encryption of the basic tier also enhances security of the network which reduces service theft that harms honest customers. We commend the FCC for updating its rules to promote these consumer and competitive benefits."

John Bergmayer of the Public Knowledge (PK), a constant critic of cable companies, wrote in a short piece that "There's some good and some bad in what the FCC did".

This R&O is FCC 12-126 in MB Docket No. 11-169 and PP Docket No. 00-67. The FCC adopted it on October 10, and released it on October 12.

House and Senate Republicans Write Obama Opposing Regulation of Internet by Executive Order

10/11. Eleven Republican members of the House and Senate sent a letter to President Obama urging him "not to issue an executive order exerting regulatory influence over the Internet in the name of cybersecurity".

They argued that "Doing so will lend further arguments to nations such as Russia, China, and Iran that are currently seeking to upend the non-regulatory, multistakeholder governance model that has allowed the Internet to flourish. Their goal is to give the United Nations unprecedented power over the Internet infrastructure and content at an International conference in Dubai this December, and to regulate it within their borders under the guise of combating cyber threats."

They also noted that the House has already passed a cyber security bill, HR 3523 [LOC | WW], the "Cyber Intelligence Sharing and Protection Act of 2011" or "CISPA". Moreover, they wrote that the President's preferred approach of giving the Department of Homeland Security (DHS) regulatory authority over "critical infrastructure" is "the wrong approach".

The House bill would incent cyber threat information sharing. In contrast, the cyber security bill favored by the President, S 3414 [LOC | WW | PDF], the "Cybersecurity Act of 2012" or "CSA", would create a regulatory regime. It has not been passed by the full Senate, or any Senate Committee.

They also wrote that "creating a top-down, one-size fits all bureaucracy to address cybersecurity will slow our response and impose unnecessary costs on our economy", and could "provide a road map to those that wish to do us harm".

The eleven who signed this letter are Rep. Fred Upton (R-MI), Rep. Greg Walden (R-OR), Rep. Mary Mack (R-CA), Rep. Lee Terry (R-NE), Rep. Bob Latta (R-OH), Rep. Adam Kinzinger, Sen. Jim DeMint (R-SC), Sen. Pat Toomey (R-PA), Sen. Kelly Ayotte (R-NH), Sen. Marco Rubio (R-FL), and Sen. Mike Lee (R-UT).

Defense Secretary Panetta Discusses Cyber Security Legislation

10/11. Secretary of Defense Leon Panetta gave a speech in New York City in which he addressed cyber security, pending legislation, and recent cyber attacks.

He urged that Congress to pass legislation, and added that President Obama is "considering issuing an Executive Order".

Leon Panetta Panetta (at right) He stated that "It's no secret that Russia and China have advanced cyber capabilities. Iran has also undertaken a concerted effort to use cyberspace to its advantage."

"In recent weeks, as many of you know, some large U.S. financial institutions were hit by so-called Distributed Denial of Service attacks. These attacks delayed or disrupted services on customer websites. While this kind of tactic isn't new, the scale and speed with which it happened was unprecedented."

"But even more alarming is an attack that happened two months ago when a very sophisticated virus called Shamoon infected computers in the Saudi Arabian State Oil Company Aramco. Shamoon included a routine called a ‘wiper’, coded to self-execute." He continued that "More than 30,000 computers that it infected were rendered useless and had to be replaced. It virtually destroyed 30,000 computers."

"Then just days after this incident, there was a similar attack on RasGas of Qatar, a major energy company in the region. All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date."

In this speech, he stopped short of attributing these attacks to Iran.

Panetta said that "These attacks mark a significant escalation of the cyber threat and they have renewed concerns about still more destructive scenarios that could unfold. For example, we know that foreign cyber actors are probing America's critical infrastructure networks. They are targeting the computer control systems that operate chemical, electricity and water plants and those that guide transportation throughout this country. We know of specific instances where intruders have successfully gained access to these control systems. We also know that they are seeking to create advanced tools to attack these systems and cause panic and destruction and even the loss of life."

He said that "An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches. They could, for example, derail passenger trains or even more dangerous, derail trains loaded with lethal chemicals. They could contaminate the water supply in major cities or shutdown the power grid across large parts of the country."

Panetta continued that the Department of Homeland Security (DHS) "has the lead for domestic cybersecurity, the FBI also has a key part to play and investigating and preventing cyber-attacks. And our intelligence agencies, of course, are focused on this potential threat as well. The State Department is trying to forge international consensus on the roles and responsibilities of nations to help secure cyberspace."

He said that the Department of Defense (DOD) also "has a role. It is a supporting role but it is an essential role. And tonight I want to explain what that means. But first let me make clear what it does not mean. It does not mean that the Department of Defense will monitor citizens' personal computers. We're not interested in personal communication or in e-mails or in providing the day to day security of private and commercial networks."

"If a crippling cyber attack were launched against our nation, the American people must be protected. And if the Commander in Chief orders a response, the Defense Department must be ready to obey that order and to act."

He also discussed private sector businesses, "Particularly those who operate the critical networks that we must help defend. To defend those networks more effectively, we must share information between the government and the private sector about threats in cyberspace. We've made real progress in sharing information with the private sector. But very frankly, we need Congress to act to ensure that this sharing is timely and comprehensive."

"Companies should be able to share specific threat information with the government, without the prospect of lawsuits hanging over their head. And a key principle must be to protect the fundamental liberties and privacy in cyberspace that we are all duty bound to uphold."

This is a loose description of the content of HR 3523 [LOC | WW], the "Cyber Intelligence Sharing and Protection Act of 2011" or "CISPA", which the Republican controlled House passed earlier this year. Yet, Panetta did not name this bill by number or title.

However, he then proceeded to urge passage of S 3414 [LOC | WW | PDF], the "Cybersecurity Act of 2012", the largely Democratic bill which the full Senate rejected just before its August recess.

Panetta said that "Information sharing alone is not sufficient. We've got to work with the business community to develop baseline standards for our most critical private-sector infrastructure, our power plants, our water treatment facilities, our gas pipelines. This would help ensure that companies take proactive measures to secure themselves against sophisticated threats, but also take common sense steps against basic threats. Although awareness is growing, the reality is that too few companies have invested in even basic cybersecurity."

He said that "cybersecurity legislation must be passed by the Congress", and "Congress must act and it must act now on a comprehensive bill such as the bipartisan Cybersecurity Act of 2012".

GAO Releases Report on Mobile Privacy

10/11. The Government Accountability Office (GAO) released a report [56 pages in PDF] titled "Mobile Device Location Data: Additional Federal Actions Could Help Protect Consumer Privacy". The GAO prepared this report for Sen. Al Franken (D-MN).

The report states that while "Collecting, using, and sharing location data provides benefits for both mobile industry companies and for consumers", "allowing companies to access location data exposes consumers to privacy risks, including disclosing data to unknown third parties for unspecified uses, consumer tracking, identity theft, threats to personal safety, and surveillance."

The report finds that companies "have not consistently or clearly disclosed to consumers what the companies are doing with these data or which third parties they may share them with".

The report also lists fair information practices (FIPs) designed to protect the privacy and security of location data that have been recommended by industry and privacy groups. It also reviews the extent to which companies comply with these.

Sen. Al FrankenSen. Franken (at right) stated in a release that "I believe Americans have a fundamental right to privacy: to know what information is being collected about them and to be able to control whether or not that information is shared with third parties".

He continued that "this report clearly shows that mobile industry companies often fail to respect that right, giving out consumers' location data without their knowledge or explicit consent."

He argued that "The report makes a strong case that legislation is needed to better protect our privacy -- and I've authored a bill to do just that. My Location Privacy Protection Act would require companies to get your permission before they get your location information or share it with third parties-a commonsense solution to make sure that consumers' privacy is protected."

See, S 1223 [LOC | WW], introduced on June 16, 2011. The bill has six Democratic cosponsors, and no Republican cosponsors. It was referred to the Senate Judiciary Committee, which not passed it.

The report, citing privacy advocates, states that "when a user agrees to use a service that accesses location data, the user is unlikely to know how his or her location data may be used in ways beyond enabling the service itself. The secondary uses of location data are generally not transparent to the consumer. Therefore, location data may be shared with third parties unknown to the consumer. Generally speaking, once location data are shared with a non-carrier, consumers have a limited ability to know about or influence the data’s use."

"Third parties that receive shared location information may vary in the levels of security protection they provide. If any of these entities has weak system protections, there is an increased likelihood that the information may be compromised." Also, "Because consumers do not know who these entities are or how they are using consumers’ data, consumers may be unable to make meaningful choices and judge whether they are disclosing their data to trustworthy entities."

The report next addresses tracking. It states that "When mobile location data are collected and shared, users may be tracked for marketing purposes without their consent. Since users often carry their mobile devices with them and can use them for various purposes, location data along with data collected on the device may be used to form a comprehensive record of an individual’s activities. Amassing such data over time allows for the creation of a richly detailed profile of individual behavior, including habits, preferences, and routines -- private information that could be exploited. Furthermore, since non-carriers' use of location data is unregulated, these companies do not have to disclose how they are using and sharing these profiles."

The report also states that the ACLU states that "law enforcement agents could potentially track innocent people".

The report finds that "While companies’ disclosures routinely informed consumers that their location data were being collected, companies’ disclosures did not consistently or clearly explain the purposes behind such collection or identify which third parties these data might be shared with."

People and Appointments

10/11. Mark Lloyd joined the New America Foundation (NAF) as head of its "Media Policy Initiative". Lloyd previously worked for the Federal Communications Commission (FCC) Office of General Counsel (OGC), the Leadership Conference on Civil Rights (LCCR), the Center for American Progress (CAP), the Benton Foundation, and the law firm of Dow Lohnes. The NAF stated in a release that it "formulates policy and regulatory reforms to foster the development of a healthy media that satisfies the needs of democracy in the 21st century". The NAF has hosted events at which speakers have advocated government media, and government subsidization of news media.

More News

10/11. The U.S. Patent and Trademark Office (USPTO) published a notice in the Federal Register (FR) that extends the deadline to submit comments in response a July 26, 2012 notice in the FR regarding its proposed changes to its rules of practice in patent cases to implement the changes to the conditions of patentability, to implement the first inventor to file system provisions of the Leahy Smith America Invents Act, and to eliminate the provisions pertaining to statutory invention registrations. The just published notice also extends the deadline to submit comments in response to another July 26, 2012 notice in the FR requesting comments regarding its proposed changes to its examination guidelines to implement the first inventor to file system provisions of the Leahy Smith America Invents Act. The old deadline for both was October 5, 2012. The new deadline for both is November 5, 2012. See, July 26 rules of practice notice, FR, Vol. 77, No. 144, July 26, 2012, at Pages 43742-43759; July 26 examination guidelines notice, FR, Vol. 77, No. 144, July 26, 2012, at Pages 43759-43773; and extension notice, FR, Vol. 77, No. 197, October 11, 2012, at Page 61735. See also, story titled "USPTO Announces First Inventor to File NPRM and Roundtable" in TLJ Daily E-Mail Alert No. 2,430, August 16, 2012.

10/11. The Office of the U.S. Trade Representative (OUSTR) published a notice in the Federal Register (FR) requesting comments on the complaint (request for consultations) filed by the People's Republic of China (PRC) on September 17 with the World Trade Organization (WTO) against the U.S. alleging violation of WTO obligations in connection with US government imposition of countervailing and anti-dumping duties on numerous products exported by the PRC. Comments are due by November 1, 2012. See, FR, Vol. 77, No. 197, October 11, 2012, at Pages 61819-61820.

10/11. The Office of the U.S. Trade Representative (OUSTR) published a notice in the Federal Register (FR) requesting comments on the complaint (request for consultations) filed by the U.S. on September 18 with the World Trade Organization (WTO) against the People's Republic of China (PRC) alleging violation of WTO obligations in connection with PRC government imposition of countervailing and anti-dumping duties on automobiles exported by the US. Comments are due by November 16, 2012. See, FR, Vol. 77, No. 197, October 11, 2012, at Pages 61818-61819.

10/11. The Federal Trade Commission (FTC) published a notice in the Federal Register (FR) announcing recent Hart Scott Rodino (HSR) grants of early termination of the waiting period provided by law and the premerger notification rules. See, FR, Vol. 77, No. 197, October 11, 2012, at Pages 61753-61755.

10/11. The Department of Justice's (DOJ) Antitrust Division published a notice in the Federal Register (FR) that announces that the Heterogeneous System Architecture Foundation (HSAF) filed a notification of formation, pursuant to the National Cooperative Research and Production Act of 1993, which pertains to limiting antitrust liability of standard setting consortia. See, FR, Vol. 77, No. 197, October 11, at Page 61786. The HSAF states in its web site that it is " building a heterogeneous compute ecosystem, rooted in industry standards, for combining scalar processing on the CPU with parallel processing on the GPU while enabling high bandwidth access to memory and high application performance at low power consumption." The original members listed in this notice are AMD, ARM, MediaTek, Imagination Technologies Group, and Texas Instruments. The HSAF has also announced additional members, including Qualcomm and Samsung. See, October 3 release and August 31 release.

Go to News from October 6-10, 2012.