Welcome to the CAVEAT Weekly Newsletter, where we break down some of the major developments happening worldwide in cybersecurity, privacy, digital surveillance, and technology policy.
At 1,750 words, this briefing is about an 8-minute read.
At a Glance.
- Net Neutrality struck down by US courts.
- Utah’s election laws put officials in an “untenable position.”
US Court of Appeals Ends Net Neutrality.
The News.
Last week, the United States (US) Court of Appeals for the Sixth Circuit struck down the Federal Communications Commission’s (FCC) net neutrality rules. The court stated that the FCC had overstepped its authority when reinstating these rules, citing Loper Bright, a Supreme Court decision from June 2024 that overturned a legal precedent from 1984 that gave deference to government agencies regarding imposing regulations. In its ruling, the court wrote “applying Loper Bright means we can end the FCC’s vacillations.” However, while this ruling has effectively ended the two-decade-long debate surrounding net neutrality, it did not state that net neutrality was inherently unlawful, but rather that the FCC does not have the authority to impose net neutrality and that the matter must be resolved by Congress instead.
In response to this ruling, Jessica Rosenworcel, the chairwoman for the FCC, stated that “consumers across the country have told us again and again that they want an internet that is fast, open, and fair.” Rosenworcel continued, emphasizing that “it is clear that Congress now needs to heed their call, take up the charge for net neutrality, and put open internet principles in federal law.”
The Knowledge.
For greater context, the debate surrounding net neutrality has gone on for over twenty years and centers around how broadband internet services should be handled. Under these rules, broadband would have been reclassified to ensure that internet services would be kept “open.” By classifying broadband services as “telecommunications” under Title II of the Communications Act, Internet Service Providers (ISPs) would have been prohibited from blocking, throttling, or engaging in paid content prioritizations when handling Internet traffic, meaning that ISPs would be required to treat all Internet traffic equally.
Since the FCC created the first set of net neutrality rules under the second Obama administration, the topic has been the subject of intense debate. More specifically, since the rules were created, they have been subsequently rescinded under the first Trump administration, then reinstated by the Biden administration, and now have been rescinded for the second time by the courts. When Trump originally ended these rules in 2017, his administration argued that net neutrality stifled competition and harmed consumers. At the time, Ajit Pai, the FCC’s chairman, stated that rescinding the rules would give ISPs “more incentive to build networks, especially to underserved areas.”
Since then, the debate surrounding net neutrality has only grown, becoming a highly partisan issue and pitting large tech companies, like Google, against ISPs, like Verizon. For greater context, large technology companies, like Google, Netflix, and Meta, have lobbied in favor of net neutrality, emphasizing that these provisions will prevent ISPs from giving preferential treatment to content, whereas ISPs have argued that net neutrality will limit innovation and increase regulatory burdens for ISPs.
The Impact.
Since the courts have now formally ruled that the FCC cannot impose net neutrality, this matter has been settled unless Congress and the President choose to craft and pass a bill that would reinstitute this policy. While it is unlikely that the incoming Congress and second Trump administration will revisit this topic, especially considering that the first Trump administration ended the rules in 2017, the debate surrounding net neutrality will likely resurface when its supporters gain enough political capital to discuss and potentially pass relevant legislation effectively.
In the meantime, with net neutrality’s end, ISPs are no longer bound by its rules and can return to how they operated during most of the Trump administration. This means ISPs will be legally allowed to prioritize certain traffic over others; however, it is unclear how much ISPs will utilize this new power.
Conflicting Utah Privacy Laws Are Challenging State Officials.
The News.
On Friday, John Dougall, a Utah State Auditor, published a report detailing concerns surrounding the state’s requirements for securing voter data privacy while simultaneously ensuring transparency. To create this report, Dougall’s office reviewed the candidate petition signature verification process and the legal controls regarding the disclosure of voter registration data found in the state’s legal codes and laws. With this report, Dougall stated that the state’s existing laws have created “inconsistencies” regarding how specific personal data is secured.
In his press release, Dougall stated that with Utah’s current legal framework “voters who request privacy protections for their voter registration records may be lulled into a false sense of security, given how freely that data may be shared and the lack of any follow-up to ensure sensitive data is protected.”
The Knowledge.
For greater context, when a Utah resident registers to vote, they are required to provide their name, address, birthday, driver's license number or state identification number, and the last four digits of their social security number. Additionally, residents have the option to provide their email addresses and phone numbers. Once all this information has been filled out, residents are then required to sign their name, attesting that the information they have provided is accurate and that they are legally eligible to vote in Utah. This data is then stored in the state's Voter Information and State Tracking Application (VISTA), and Utah’s Government Records Access and Management Act (GRAMA) dictates who can access this data and how it should be protected. GRAMA dictates that a resident’s date of birth, driver's license number or state identification number, partial social security number, email address, and phone number need to be kept private and that the resident’s signature must also be protected.
However, within this report, Dougall’s office highlighted how other key Utah laws conflict with these requirements. For example, Utah law allows any state voter to request to be a “watcher,” which entitles that person to observe functions related to an election, including the right to check in voters, certify results, and verify ballot signatures. Yet a watcher’s powers conflict with the state’s privacy laws by allowing them to observe private voter information. In another instance, Dougall’s office highlighted how similar personal voter data is treated differently when used in VISTA compared to when it is used in petitions. More specifically, Utah law requires that petitions have strong privacy protections when handling voter data that has been requested to be private, such as names. However, when this same data is stored in VISTA, it is not afforded the same protections.
Given these privacy discrepancies, Dougall’s report emphasizes that improvements are needed to both address and clarify these discrepancies. At a minimum, Dougall’s report recommended remediating the following:
- The lack of a statutorily defined mechanism for effective observation of the Petition signature verification process.
- The lack of consistent treatment of the same voter registration data elements between VISTA and Petitions.
- The conflicting statutes regarding transparency in the Petition review process while demanding the privacy of protected voters.
- The lack of an effective enforcement mechanism over how specific parties handle private voter registration data.
The Impact.
While this report specifically centers around how Utah handles securing its voter registration data, the report is reflective of a larger issue within the US regarding how sensitive personal data is stored and what parties can legally access it. While the federal government did attempt to pass a new comprehensive privacy law last year, its efforts fell short, leaving the matter unresolved.
While US citizens await a stronger privacy bill to be implemented, people should take time to understand their respective state’s privacy laws and what powers they provide citizens when securing their sensitive data. Utah voters should take time to read through this report in greater detail and understand how their personal data is currently stored and who can access it.
Highlighting Key Conversations.
In this week’s Caveat Podcast, our team met with Caleb Barlow, the CEO of CyberBit, to discuss executive protection and how it intersects with cybersecurity. During this conversation, our team focused on the recent murder of the UnitedHealthcare CEO and how this incident has caused many organizations to reevaluate how they approach both physical and online security. Some of the topics our team discussed include liability, public opinion, and the dangers of over-correction.
Like what you read and curious about the conversation? Head over to the Caveat Podcast for the full scoop and additional compelling insights. Our Caveat Podcast is a weekly show where we discuss topics related to surveillance, digital privacy, cybersecurity law, and policy. Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com. Hope to hear from you.
Other noteworthy stories.
Chinese firm sanctioned in US after botnet attack.
What: The Integrity Technology Group, a Chinese cyber group, was sanctioned by the US over alleged cyber incidents.
Why: On Friday, the US State and Treasury Departments levied sanctions against the Integrity Technology Group, alleging that hackers associated with the company targeted multiple corporations, universities, telecommunication firms, governments, and media organizations. The departments allege that since 2021 the firm has utilized its botnet to aid in this hacking operation, dubbed Flax Typhoon. With these sanctions, all property and interests of Integrity Tech will now be blocked in the US and must be reported to the Treasury Department.
In response, a Chinese embassy spokesperson countered these allegations, stating that this was a part of the US’s attempt to “smear” other countries. The spokesperson continued by stating that “China firmly opposes and combats any form of cyber attacks in accordance with the law” and that “the US has drawn conclusions without effective evidence, made groundless accusations and smears against China, and imposed sanctions on Chinese entities, which is extremely irresponsible.”
Apple settles Siri eavesdropping accusations.
What: Apple has agreed to pay $95 million to settle a class-action lawsuit that alleged the company used its voice assistant feature, Siri, to obtain and share private conversations without user permission.
Why: Last week, Apple settled this five-year-long legal battle, which claimed that Siri was regularly recording private conversations and sharing these calls with third parties. Aside from recording and sharing these conversations, the lawsuit also alleged that Siri would activate and begin recording even if the user did not activate the feature.
If the settlement is approved, each customer could file for compensation and potentially receive up to twenty dollars per Siri-equipped device for up to five devices owned from September 17th, 2014 through the end of last year. Lastly, with this settlement, Apple did not acknowledge any wrongdoing.