At a glance.
- Computer Fraud and Abuse Act clarification coming?
- US Commerce Department confirms that US companies can work with Huawei on 5G standards.
- Norway retreats from contact tracing over privacy concerns.
- Chinese intelligence interested in US Presidential campaigns.
- CIA WikiLeaks Task Force report released in redacted form.
Computer Fraud and Abuse Act clarification coming?
The US Supreme Court will take up a case involving the Computer Fraud and Abuse Act (CFAA). JDSupra reports that, when it hears United States v. van Buren, the Court will consider whether someone who is authorized to access a computer, but who uses that access for unauthorized or improper purposes, has violated the CFAA. Van Buren, while working as a police officer with permission to access license plate databases, was paid by an FBI informant to run a license plate search, ostensibly for the informant's personal purposes. He was charged under the CFAA, but he claimed that since he was authorized to access the information, what he'd done didn't constitute a violation.
US Commerce Department confirms that US companies can work with Huawei on 5G standards.
Reuters says that the Department of Commerce has clarified its position with respect to what sort of collaboration with Huawei is permissible while the Chinese company remains on the Entity List. Most forms of technology transfer and trade are still out, but US companies will be able to participate in conversations on the development of international 5G standards.
Norway retreats from contact tracing over privacy concerns.
Amnesty International this morning issued a report on COVID-19 contact-tracing apps, with an assessment of eleven tools in Algeria, Bahrain, France, Iceland, Israel, Kuwait, Lebanon, Norway, Qatar, Tunisia, and the United Arab Emirates. Amnesty found that many of them threatened privacy, but three stood out as especially troubling surveillance tools: Bahrain’s BeAware Bahrain, Kuwait’s Shlonik, and Norway’s Smittestopp. The feature they had in common is "actively carrying out live or near-live tracking of users’ locations by frequently uploading GPS coordinates to a central server."
TechCrunch reports that Norway responded to Amnesty's report by suspending its app, even though the responsible Institute of Public Health disagrees with Amnesty's assessment. The Institute intends to delete personal data "as soon as possible."
Chinese intelligence interested in US Presidential campaigns.
The Voice of America reports that Chinese intelligence services are collecting against the US Presidential campaign of presumptive Democratic nominee Joe Biden. What are they after? Position papers, apparently. The campaign appears not to have been compromised, and the operation appears to be part of a longstanding effort aimed at developing a picture of US Presidential candidates’ attitudes and likely policies toward the People’s Republic. Google’s Threat Analysis Group, cited by the Voice of America, has been tracking the espionage for weeks. FireEye attributes the effort to APT31, also known as Hurricane Panda or Stone Panda.
CIA WikiLeaks Task Force report released in redacted form.
The October 2017 report by the CIA’s WikiLeaks Task Force (formed to investigate how the leak site came to obtain the material it published as Vault 7) has been partially declassified. According to the Washington Post, the heavily redacted report found that the CIA was focused on developing offensive cyber tools, but that it neglected basic security measures and sound practice.
The report’s provenance is interesting. It came to the Post from Senator Wyden (Democrat of Oregon), who received it in his capacity as a member of the Senate Intelligence Committee. The Senator got it from the Justice Department, which has it because it figures in the trial of Joshua Schulte, who’s been charged with passing the Vault 7 material to WikiLeaks. Mr. Schulte’s attorneys claim that the report shows that the CIA’s security was in this respect so slipshod that any one of hundreds of people could have given Vault 7 to Mr. Assange’s organization.
The CIA has said that it does indeed take network security seriously, but beyond that had little to say. A former intelligence official speaking anonymously told the Post that he disagreed with the conclusion that the CIA’s enterprise systems were carelessly secured, and that, to the contrary, Langley had secured its enterprise systems to a “gold standard.” But the enterprise systems and the mission systems were two separate things, and, while security was emphasized, the source told the Post that the operators who ran the mission network thought there was better auditing, and more insight into the network, than in fact there was. There was a mismatch of expectations between the operators and those who administered and maintained the network.