At a glance.
- Incoming German governing coalition announces surveillance policies.
- ACLU appeal in surveillance case falls short.
- GAO urges NIH to continue improving its security.
- Utilities will no longer share data with ICE.
Germany vows to cease use of zero-days and spyware.
Expected to be voted into power today, the new German government has declared it will no longer purchase zero-day vulnerabilities, and will restrict government use of spyware. The Record by Recorded Future explains that the new political coalition, which combines the Green Party, the Social Democratic Party, and the Free Democratic Party, and which was solidified last month, has issued a document detailing the new government’s core principles, including their stance on info tech, data privacy, and cybersecurity. Regarding zero-days, the document states that exploiting IT vulnerabilities is “problematic” and a threat to civil rights: “The state will therefore not buy vulnerabilities or keep them open [to attacks], but will always try to secure them as quickly as possible in a vulnerability management program under the leadership of a more independent Federal Office for Information Security.” The decision follows in the footsteps of the US National Security Agency’s determination that the risks of collecting zero-days outweigh the benefits.
On the topic of monitoring software, the new government has pledged to limit the use of spyware to a higher “intervention threshold” determined by the Federal Constitutional Court, and to restrict the use of surveillance tech in police investigations. While the document does not specify which monitoring software it’s referring to, German police have been known to use an in-house spyware called the Staatstrojaner.
Some experts worry the decisions could leave Germany vulnerable to foreign threat actors with access to more advanced offensive cyber-espionage technology. Sean Heelan, co-founder and CTO of Optimyze Cloud, tweeted, “This seems like it hobbles German intelligence agencies for no actual gain to the German public. Can someone from .de explain to me what I am missing here?” That said, the document will likely be modified before becoming law.
US court denies ACLU’s appeal in FISA case.
A US federal appeals court decided yesterday to uphold the terrorism conviction of Jamshid Muhtorov, a refugee from Uzbekistan and legal permanent US resident, in a case that raises questions about government surveillance, USA Today reports. After Muhtorov’s emails were searched by US government officials under Section 702 of the Foreign Intelligence Surveillance Act (FISA) nine years ago, Muhtorov was charged with providing material support to a designated foreign terrorist organization.
After Edward Snowden brought the surveillance practices of the National Security Agency (NSA) to light, Muhtorov was the first person to be notified that the government was monitoring his communications under FISA, which allows the NSA to conduct warrantless surveillance of US citizens’ international phone calls and internet activities. However, the American Civil Liberties Union, which claims Muhtorov was a defender of human rights and committed no terrorist acts, says the search of his messages violated his constitutional rights. Patrick Toomey, senior staff attorney with the ACLU’s National Security Project, stated, “The FBI and NSA don’t have a free pass to seize and sift through our most sensitive communications, and we will keep fighting to ensure they can’t violate the Constitution.”
GAO urges NIH to improve its cybersecurity practices.
The US Government Accountability Office (GAO) has issued guidance to the National Institutes of Health (NIH) on boosting the cybersecurity of its systems. In June of this year, GAO conducted a study of NIH’s security practices and infrastructure and found that, of the two hundred nineteen recommendations the GAO has issued to NIH (sixty-six tied to the security program and one hundred fifty-three related to system controls), NIH has fully instituted about a third of them and partially implemented more than half so far.
US utilities companies agree to stop sharing data with ICE.
Following a Washington Post investigation that revealed that the National Consumer Telecom & Utilities Exchange was sharing sensitive data from millions of Americans’ utility bills with US government agencies like Immigration and Customs Enforcement (ICE), the exchange has agreed to end the practice. The Washington Post explains that the exchange historically shared customer data with the credit bureau Equifax, which then sold it to databases like Thomson Reuters’s CLEAR, used for investigations conducted by private investigators, government agencies, and law enforcement.
The selling of 170 million Americans’ names, home addresses, Social Security numbers and other details raised questions about the potential misuse of this data. Oregon Senator Ron Wyden led the charge to stop the practice, and in October the exchange directed Equifax to stop selling any new data, though old data will remain available. Wyden penned a letter urging the Consumer Financial Protection Bureau to more closely regulate the data-broker industry to ensure that such commercial data cannot be handed to police without proper oversight. “Selling personal information that people provide to sign up for power, water and other necessities of life, and giving them no choice in the matter, is an egregious abuse of consumers’ privacy,” Wyden wrote.