At a glance.
- Could the EU’s new tech rules spell trouble for encryption?
- FCC calls for robocall mitigations.
- FCC prepares to change breach notification rules for telecoms.
Could the EU’s new tech rules spell trouble for encryption?
Tech giants have long benefited from the fact that their popularity gives them greater influence over the tech market. Last year the European Commission passed the Digital Markets Act, new rules designed to weaken Big Tech’s hold on the market and give smaller companies a chance. However, some fear that EU legislation could have a negative impact on encryption. Wired spoke with Andy Yen, the owner of Swiss technology firm Proton AG, to discuss how the new rules will affect smaller firms like his. Proton offers the same sorts of services that heavy-hitters like Apple and Google do – email, calendar, cloud storage, and so on – but the main difference is that all of Proton’s products are encrypted in order to increase user privacy. Yen notes that while the EU’s new rules, spearheaded by the Commission’s head of competition Margrethe Vestager, should work in smaller firms’ favor, enforcement will be challenging given Big Tech’s endless financial resources. “They [Big Tech] are throwing literally hundreds of millions of euros at this problem,” Yen says. “And as much as Ms. Vestager is committed to fighting this, she is facing an uphill battle against enormous resources of entrenched powers. So it will be a tough fight.” He also notes that other European regulations, like the Online Safety Bill and the EU’s chat control proposal, could make things more difficult for encrypted platforms, which are being scrutinized in the effort to fight against child abuse and other illegal activities. Yen questions whether this is the right tactic. “There's many other technological ways to do this—by looking at patterns of behavior, for example,” Yen argues. “We need to always find the right balance. And for me, mandating that we undermine or weaken or break encryption, that's not the right balance.”
FCC calls for robocall mitigations.
The US Federal Communications Commission’s Wireline Competition Bureau (WCB), which oversees American broadband and voice communications services, announced the deadlines for Gateway Provider Robocall Mitigation Requirements. Gateway providers, which are the entry points for foreign calls into the US, will be required to submit their plans for robocall mitigation to the Robocall Mitigation Database by January 11. The plans must include “know your upstream provider” provisions to prevent illegal robocall traffic, as well as a pledge to respond to all traceback requisitions within 24 hours, and a commitment to cooperate with investigations of illegal robocallers. “The implementation of these requirements is a critical step in protecting consumers in the United States from foreign-originated illegal robocalls, which the Commission has observed are a significant portion, if not the majority, of all illegal robocalls,” the announcement reads.
FCC prepares to change breach notification rules for telecoms.
In more news from the FCC, on January 6 the commission voted to overhaul its breach notification rules for telecommunications companies. Created over fifteen years ago, the current rules are in dire need of an update to keep up with modern technology, the Record by Recorded Future explains. While the idea of a revamp was introduced last year, the vote to proceed took place on Friday. FCC Chairwoman Jessica Rosenworcel stated, “The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements.” As Yahoo News notes, in particular the agency is pushing to change a provision that allows companies up to seven days to notify consumers of a data breach. There also is currently no language specifying what details must be conveyed to consumers about such an incident, and the FCC is asking the public for input on what information would be most useful to the general public. Rosenworcel added that the commission is seeking comments on how its new breach reporting rules could work alongside the Cybersecurity and Infrastructure Security Agency’s own breach reporting rules for critical infrastructure owners.
Roger Grimes, data-driven defense evangelist at cybersecurity company KnowBe4, wrote to observe that this kind of rule can be distinctly hard on the companies it applies to. "This is all good news for consumers, but the requirement to immediately report could prove onerous. By requiring covered companies to have to report breaches right away it's going to make it more difficult for those companies to get all of the facts exactly right, right away. Will a company get sued if what it reports right away is inaccurate? Let's hope regulators use common sense leeway."