Federal Trade Commissioner Criticizes Repeal Of FCC Privacy Rules — On April 17, 2017, Federal Trade Commissioner Terrell McSweeny spoke at an event in Washington, D.C., hosted by New America’s Open Technology Institute about broadband privacy issues in the wake of the repeal of the Federal Communications Commission’s (“FCC”) broadband privacy rules. Commissioner McSweeny, a Democrat, criticized the repeal of the FCC rules and expressed concern about the attendant impact on online privacy. A copy of Commissioner McSweeny’s remarks is available here.
Commissioner McSweeny noted that “Americans understand and value a free and open Internet—81% support the concept of Internet nondiscrimination and 60% oppose the idea of paid fast lines for data.” She said Americans expect their data to be protected and that “91% of Americans want more control over their data, not less.” Commissioner McSweeny then addressed the rollback of the FCC rules, stating that there has been a “rapid implementation of a ‘no cops on the beat’ approach to privacy and data security in which control over who gets our sensitive information rests in the hands of a few very large companies that are the gatekeepers for our connections to modern life.” She further noted that “[w]e cannot count on the marketplace or competition to deliver us better options because our broadband markets are highly concentrated.”
Commissioner McSweeny said the Federal Trade Commission (“FTC” or the “Agency”) is hamstrung on the issue because it does not have jurisdiction over data security matters involving wireless, cable, and broadband carriers. However, she discussed the FTC’s work in the data security space overall, stating that the Agency’s “efforts have focused on holding companies accountable for the promises they make about the information they use and collect” and that the FTC “has consistently focused on transparency, consumer choice, and security.” She noted that the FTC “supports use of opt-in consent for the collection and sharing of sensitive information including content of communications; social security numbers; health, financial, and children’s information; and precise geolocation data.”
The most effective regulatory approach, per Commissioner McSweeny, is for the FTC to partner with other regulators across the government to work on industry-specific rules, which is “why the FTC worked with the FCC on its broadband privacy rule—and it is what the FTC is now doing … with [the National Highway Traffic Safety Administration] on connected cars.” She emphasized that “[p]rivacy and security considerations are too important to be partitioned from core design and regulatory decisions.”
Commissioner McSweeny concluded by stating that in highly concentrated markets such as broadband, “we need all the public policy tools at our disposal—regardless of which agency they reside in—to safeguard an open and nondiscriminatory Internet.”
Reporter, Kyle Sheahen, New York, +1 212 556 2234, ksheahen@kslaw.com.
Senator To Propose ISP Consumer Privacy Bill — On Friday, April 14, 2017, Senator Richard Blumenthal (D-Conn.) announced his plan to introduce a bill that would allow the Federal Trade Commission (“FTC”) to regulate consumer privacy protections regarding Internet service providers (“ISPs”). The bill, to be called the Managing Your Data Against Telecom Abuses (MY DATA) Act, would grant the FTC jurisdiction and authority to make rules regarding privacy and data security.
The proposed bill is in response to President Trump’s recent signing of a Congressional Review Act (“CRA”) resolution that repealed regulations of the Federal Communications Commission which were adopted in October 2016 under the Obama Administration. Those regulations would have required ISPs to take steps to protect consumer privacy, including obtaining consent from customers before using customers’ information for marketing or advertising purposes.
Since the CRA resolution now bars the FCC from contemplating any similar rules, Sen. Blumenthal’s bill would grant this power to the FTC instead. According to the Senator, the proposed bill is meant to close “an out-of-date loophole in the Federal Trade Commission Act.” Sen. Blumenthal has not provided a timetable for the public release of the proposed legislation.
Reporter, Alex Yacoub, Atlanta, +1 404 572 2758, ayacoub@kslaw.com.
United States Department Of Justice Seeks To Dismantle Massive Kelihos Botnet, Files Complaint In Federal District Court — The United States Department of Justice (“DOJ”) recently announced that it would be undertaking an “extensive effort to disrupt and dismantle the Kelihos botnet – a global network of tens of thousands of infected computers under the control of a cybercriminal that [were] used to facilitate malicious activities including harvesting login credentials, distributing hundreds of millions of spam e-mails, and installing ransomware and other malicious software.”
The DOJ is targeting an ongoing international scheme and seeks to protect American citizens and to find and combat cybercrime no matter where such threats are in the world. According to Acting U.S. Assistant Attorney General Kenneth A. Blanco: “The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives.”
In connection with its efforts to dismantle the Kelihos operation, the government filed a complaint in the United States District Court for the District of Alaska against defendant Peter Yuryevich Levashov, seeking to enjoin him from engaging in wire fraud and unauthorized interception of electronic communications. Levashov has allegedly operated the Kelihos botnet since approximately 2010, targeting computers running Microsoft Windows operating systems. The computers infected with the malware were then allegedly funneled into the Kelihos network, becoming “part of a network of compromised computers known as a botnet and [that] were controlled remotely through a decentralized command and control system,” allowing Kelihos to operate on infected computers behind the scenes undetected on victims’ computers. Essentially, the computers infected with malware allegedly became part of a sophisticated network under the control of a criminal operator who could “weaponize” the network to do his bidding.
The government further announced that it began on April 8, 2017, the far-reaching and difficult process of “blocking malicious domains associated with the Kelihos botnet to prohibit further infections.” In connection with that effort, the government obtained court orders out of the U.S. District Court for the District of Alaska to facilitate neutralization of the botnet by (1) establishing substitute servers so that infected computers cannot communicate with the criminal operator, and (2) blocking any attempt of the criminal operator to re-establish control of previously infected computers.
Peter Yuryevich Levashov, the 36-year-old Russian man named as defendant by the government in the civil complaint, was taken into custody earlier this month while vacationing in Barcelona, Spain. The pending criminal investigation against Levashov remains under seal.
The government stated that it has and will continue to share samples of the Kelihos malware with the Internet security community so that antivirus vendors can update their programs to detect and remove Kelihos.
Reporter, Brittany N. Clark, Washington, D.C., +1 202 626 5528, bclark@kslaw.com.
ALSO IN THE NEWS
King & Spalding’s 2017 Cybersecurity & Privacy Summit — Today, King & Spalding hosts its 2017 Cybersecurity & Privacy Summit, where cybersecurity and privacy experts from King & Spalding and PwC, as well as representatives from the U.S. Department of Justice, the Federal Trade Commission, Georgia Institute of Technology, The Home Depot, and TSYS, discuss the latest strategies for protecting your company against the legal and financial risks of cybersecurity breaches and other privacy incidents. Click here for more information on the Summit.