
Security News for the Week Ending May 28, 2021

The UK Might Beat Us to Regulating MSPs

In the US, anyone can become a managed service provider. Unfortunately, customers may think that comes with security, but usually it does not. The UK is about to create a legally binding cybersecurity framework for managed service providers. This may be the first step at forcing businesses to formally assess the cyber risks of their supply chain. Needless to say, MSPs are not happy about the added cost and responsibility. This comes just as the US begins to force defense contractors to do the same thing. Credit: The Register

Section 230 Preempts FCRA

The law is kind of twisted. Section 230 of the Communications Decency Act shields Interactive Computer Services like Facebook from being sued for content they did not create. In this case, a person tried to sue a company that publishes aggregated data from credit bureaus (basically a version of a credit bureau) for not following the rules of the Fair Credit Reporting Act by failing to correct faulty data. The company’s defense was that they didn’t create the data, so you can’t sue them. Congress (or the Supremes) needs to clean up this mess – and it is and has been a mess forever, but that ruling is just not fair to the consumer. They have ZERO recourse, according to this court. Credit: Professor Eric Goldman

NSA Tells Defense Contractors – Don’t Connect IoT/IIoT to the Internet

NSA released a guide to protecting operational technology (OT) systems (what we call IoT or Industrial IoT), geared to National Security Systems, the Defense Department and the Defense Industrial Base. It is, of course, applicable to anyone. They start with the obvious: an unconnected OT system is more secure than one connected to the Internet. The guide also provides guidance for protecting OT systems that are connected to the Internet. Whether you are required to follow this or not, if you have IoT systems, this is a good read. Credit: Nextgov

Expect Higher Prices (and Longer Wait Times) for Computers

As the worldwide chip shortage continues (and is expected to continue for at least the rest of this year), PC makers plan to pass on costs to buyers. This likely will continue as buyers have not reduced demand as a result of higher prices. Companies like Dell are reporting strong financial results. Inventory is, however, way down, so expect to take any system that is available or wait for a while. Vendors will likely move available parts to higher margin products, leaving lower end products “out of stock”. Credit: ZDNet

New Bluetooth Attack Affects 28 Chips Tested

A new Bluetooth impersonation attack, called BIAS, allows a malicious actor to establish a secure connection with the victim without having to authenticate. This attack does NOT require user interaction. The researchers tested the attack against Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung and other chips. There is no fix yet, but fixes are expected. Credit: The Hacker News

FCC Says Maybe We Should Regulate Social Media

The President signed an executive order a few months ago asking the FCC to look at whether social media companies like Twitter should lose their “section 230 immunity” if they are biased in their editing. It also asks the FCC to propose regulations regarding this. That was about six months ago.

I suspect that the FCC staff attorneys looked pretty hard to find anything in section 230 that gave them the authority to implement regulations like this. Note that the FCC does not regulate social media companies. There is nothing in the law that gives them that authority.

In fact, when Ajit Pai, the current chairman of the FCC, came into office, he decided that the FCC didn’t even have authority to regulate Internet providers at all, and so he decided to rescind the net neutrality regulations that were approved before he got there but had not yet gone into effect.

[Image: FCC Chairman Ajit Pai and FTC Chairman Joseph Simons testifying before a Senate Appropriations Committee hearing on their departments’ budgets. Caption: Ajit Pai, Chairman of the FCC]

To me, it seems like a pretty big leap to go from saying that the FCC doesn’t have the authority to regulate Internet providers at all to saying that, in spite of that, it needs to regulate social media companies.

Not terribly surprisingly, this announcement comes one day before Twitter and Facebook are set to testify before a House committee.

Pai does say a lot of things that I think are completely valid.

He says that these companies make a whole bunch of “algorithmic decisions” that the public, the customers of those companies, have almost no visibility into. I think that is correct.

He also says that consumers have no insight into privacy issues on how their data is used. Also true.

He says that the public deserves to know more and these companies need to provide more transparency. Hard to argue with.

On the other hand, Pai, with the stroke of a pen, removed these exact same controls that were set to go into effect on Internet providers. Can he have it both ways?

These social media companies are between a rock and a hard place. If they remove content they are said to be biased. If they leave content up, they are said to be pandering to extremists (and also to their advertising click counts).

All of this could be useful, however, if the House and Senate could, for once, do the job for which they are being paid and pass legislation that addresses some of these issues. Removing section 230 immunity is one of those things that falls into the category of “be careful what you wish for”.

It certainly seems odd that Pai decided to make this announcement a couple of weeks before the election and on the eve of Twitter and Facebook testifying. It does not seem terribly “expeditious”, which is what the President asked Pai to be 5 months ago in his EO. Part of that is because an EO does not have the force of law. It is more like your boss sending you a memo to do something. Your boss might get mad or he might even fire you, but, for the most part, that is about where it ends.

Also remember that Pai writing about the subject in his blog after 5 months is a whole lot different from him and the commission actually doing anything, or even proposing anything, or even saying they are going to start looking at anything. In fact, it is not clear what it means at all. Credit: The Verge

Trump Launches War on Twitter

The day after Twitter fact checked two of Trump’s tweets describing vote by mail as massively fraudulent, he issued an executive order to get even with them.

What Trump would like to do is revoke Twitter and other social media sites’ protections provided by Section 230 of the Communications Decency Act, so that he and other people who think that they have been wronged can sue those sites. After all, he has a long history of suing people.

Right after that, Twitter blocked another of Trump’s tweets, saying that it violated Twitter’s terms of service by inciting violence, but allowed people to click through the block, saying that this was because he is an important public figure. Users could not retweet the post, however.

I am not going to spend the time needed to go through the issues with the EO in detail, but Professor Goldman wrote an almost 6,000 word blog post of his own going into significant detail. I will summarize parts of Professor Goldman’s blog for you. A link to his blog is below.

Professor Goldman is a Professor of Law at the Santa Clara University School of Law and is a recognized expert on security, privacy and related law.

Curiously, Mark Zuckerberg has been pretty quiet on the subject, likely due to the many investigations that Facebook is under by the feds and not wanting to make them even more unhappy with him. He did say that he disagreed with the President’s Tweets and also with Twitter’s response and that he is in favor of almost no restrictions to “free speech”. Whether this has anything to do with the money that Russian front companies pay Facebook is unclear – you can draw your own conclusions.

Back to the Executive Order. This is directly from Professor Goldman. You can tell that he is not a fan of the EO.

Section 1 contains policy statements.

Section 2 offers and explains its nonsensical interpretation of Section 230.

Section 3 instructs federal agencies to report on their online advertising. [QUESTION: WHY ARE THE FEDS PAYING FOR ADVERTISING ANYWAY? IS THAT A GOOD USE OF OUR TAX DOLLARS? – Mitch]

Section 4 says it’s the policy of the executive branch that “large” online platforms shouldn’t restrict free speech.

Section 5 tells the AG to form a working group of state AGs to investigate how state laws can be used against Internet services; to develop model state legislation; and gather information on specified topics. If it wants, the FTC could also do a report on the 16,000+ reports being delivered to it. [REMEMBER THAT, IN MOST CASES, FEDERAL LAW TRUMPS STATE LAW, SO THIS IS NOT LIKELY TO BE PRODUCTIVE.]

Section 6 tells the AG to draft federal legislation to advance the EO. [WHICH OF COURSE WOULD NEED TO BE APPROVED BY THE HOUSE AND SENATE, WHICH CAN’T AGREE ON ALMOST ANYTHING.]

Section 7 defines “online platform”.

Section 8 has some boilerplate.

That is the whole EO.

The EO offloads most of the work to the DoJ, FTC and FCC, which can ignore him, for the most part, if they want to.

Professor Goldman and a lot of others say that the contorted interpretation of Section 230 in Section 2 is highly unlikely to stand up in court.

My thought is that any action these agencies take will land the agencies in court. While the feds do have a lot of lawyers, Google, Facebook and Twitter could afford to spend a couple of billion dollars, if they wanted to, in order to tie this up in knots for years, and it would only minimally affect their balance sheets. Google alone made $160 billion in revenue last year and had $120 billion in cash on hand.

Big point here – nothing will happen any time soon.

As I said, read Professor Goldman’s blog post for a LOT more detail.

But here is one takeaway and I have no clue or inside knowledge on this.

Twitter and its competitors – and more likely their smaller competitors that don’t have a hundred billion in cash – might do the following to protect themselves.

Be very consistent. Do not treat anyone specially. That includes the President.

Make sure their terms of service are very clear about what is allowed and what is not allowed.

Then enforce the terms of service rigorously.

If the terms of service say that inciting violence, promoting conspiracy theories and alleging statements as fact that cannot be proven all violate their terms of service AND THEY APPLY THESE TERMS CONSISTENTLY, then most of Trump’s Tweets will go into the incinerator. As will many others.

Is that what the President is trying to achieve?

He says that he will shut down Twitter if he has to. Okay, sure. Expect a REALLY long legal fight if he tries.

In the meantime, if Twitter is, hypothetically, shut down or severely reined in, what does he replace it with? CNN? Even Fox News is no longer as friendly as he would like. He is talking about moving to One America. I don’t think it has as big an audience as either Fox or Twitter, but maybe. It appears to be carried by Verizon, if you have FiOS, CenturyLink TV and AT&T TV (not sure if that means DirecTV).

I think this will give him more opportunity to Tweet about the unfairness of Twitter, but I will be really surprised if it makes Jack Dorsey (founder of Twitter) likely to be more affectionate towards him. There is no evidence of that so far.

For sure this is something to watch. If the feds do remove Section 230 immunity, expect a very different Internet. Very white bread. Nothing controversial. A whole lot of content that is currently carried will disappear. Along with hundreds of billions of market cap. Stay tuned.

President Signs SESTA/FOSTA; Web Sites Start Shutting Down Services

SESTA/FOSTA was a bill that was supposedly designed to shut down sex trafficking sites on the Internet by effectively repealing the protections provided by Section 230 of the Communications Decency Act which protects online service providers like Facebook and Google from being prosecuted for the postings of their users.

The bills, which have been around in different forms for a couple of years, were snuck into the budget bill in the dark of night. There was no debate, no committee hearing and no markup of the bill. Likely, knowing DC, it was a quid pro quo to get someone to vote for the budget bill.

Section 230 of the Communications Decency Act protects online service providers from being held accountable for what their customers post. While the “claim” is that this bill is designed to punish web sites that post prostitution ads, it is so poorly written that it could be used as a club against any web site that a federal prosecutor chooses. The main target of the bill was Backpage, which did post, in my opinion, prostitution ads, but that site was shut down and the people responsible for it arrested days before the President signed this bill, so, apparently, the feds did not need this law to shut down what was proclaimed to be the target of the bill.

Fringe dating sites, sex trade advertising sites, parts of Craigslist and other sites have already shut down. Google has started wielding a meat axe on their site to ensure they are not charged. All this before the law is even implemented, which will likely be some time next year (Source: Motherboard Vice).

Given this, what should you do?

First, this really only affects you if you run a website and you allow users to post content on that site.

For the moment, let’s assume that you do run a website that allows users to post content such as comments or reviews. Up until now, the rule was that if you did not impose editorial control over that content, then you were not liable for it.

Now, apparently, you are.

This means that you need to do one of two things:

1. Shut down the part of the web site that allows users to post content. If this destroys your business model, tough. Write a letter to Congress. What Congress giveth, Congress can taketh away.

2. If that is not an attractive option, then you have to create a process to review every post to make sure that it cannot be misconstrued by some overeager federal prosecutor looking to charge you.

Remember, you do not have to be guilty to be charged and proving yourself innocent can be very expensive.

I am not sure if cyber insurance will start covering this.  Prior to the effective repeal of Section 230, they did.  Now, it is not clear at all.

Fundamentally, you have to exercise full editorial control over the content.

Don’t be surprised if people start figuring out which sites do not monitor posts and start using those sites as a replacement for the ones that shut down.

As we get closer to 2019, there could be some clarity and, possibly although unlikely, Congress could amend the legislation.

In the meantime, stay tuned and start setting up those processes.