GAO outlined an array of broadband deployment options and concerns to three Democratic lawmakers in a Wednesday report. Sen. Ed Markey, D-Mass., House Commerce Committee ranking member Henry Waxman, D-Calif., and House Communications Subcommittee ranking member Anna Eshoo, D-Calif., had requested the study “to provide information on options for broadband deployment in unserved and underserved areas,” GAO said in the 45-page report (http://1.usa.gov/QFwQpg). The economics of providing such access are very difficult, it said. GAO interviewed FCC officials and stakeholders from 40 groups, reviewing 21 broadband projects in the process, it said, delving into different types of networks, whether municipally owned, cooperative or private in nature. Project heads told GAO they take into account demand for broadband and the different possible technologies they can use to provide access. It mentioned the streamlined procedures Google received in building its fiber network in Kansas City, Mo.: “The city helped facilitate an agreement for use of certain utility easements -- the areas surrounding power lines -- for approximately 90,000 utility poles owned by Kansas City Power and Light, a local utility owned by private investors,” GAO said. “The city negotiated with Google Fiber the use of these rights-of-way and of city properties free of charge in exchange for the company’s construction of a $250-$300 million fiber-optic network to serve homes with Internet and video service, as well as an agreement to provide free Internet connectivity to 300 public buildings, schools, community centers, and libraries.” Google Fiber has also been building this network in Kansas City, Kan., where it deals with that municipality. Some project heads and industry officials warned GAO of state legal barriers to deploying broadband, which also became a factor of consideration. 
“According to one legal expert who works with states that we contacted, as of May 2013, 20 states had in place restrictions on community broadband services or other public communications initiatives,” GAO said, citing the Baller Herbst Law Group. Stakeholders also attacked the accuracy of the National Broadband Map. It “shows the top half of an Indiana county as covered by broadband service and the bottom half as not covered, but in reality the entire county only has access to dial-up service (which is not considered broadband),” according to one official, GAO said. Telecom and cable stakeholders worry about overbuilding private networks with projects funded by public money, they told GAO.
Communities that want to encourage the creation of faster broadband need to “lower the cost and risk of an upgrade, while also creating an opportunity for more revenues,” said Gig U Executive Director Blair Levin (http://bit.ly/PqpG7q) at a conference on bringing gigabit transmission speeds to communities. That means communities need to reduce capital and operational expenditures, as well as risk for those deploying broadband, while increasing “potential revenues, system benefits and threat of competition,” he said April 11. In terms of competition, Levin cited the response to Google announcing it was building a gigabit network in Austin (CD Apr 10/13 p10). AT&T said it was at least considering doing the same, and Time Warner Cable announced a citywide Wi-Fi project in Austin, he said. The conference where Levin spoke was sponsored by Connecticut Consumer Counsel Elin Swanson Katz and State Broadband Coordinator Bill Vallée.
Certain types of data -- health, financial, personal communications -- deserve better protections under the law, said FTC Commissioner Maureen Ohlhausen during a Georgetown University event Tuesday on privacy and big data. “There’s a reason that health data and financial data … have traditionally had greater protection than general data,” Ohlhausen said during a Q&A after her speech. “It reflects a societal consensus … that these data are a little bit different,” she said. Which is, in part, why data security standards should vary based on industry expectations, she said in response to a question. The FTC should not be saying, “Set your security settings to this level or have this kind of elaborate protection,” she said. “It’s more to have a process-based approach.” If the FTC had rulemaking authority in this area, Ohlhausen would instead want “to require companies to have a process in place to assess what information they have,” figure out “who has access to it” and if they have antivirus software and breach protocol commensurate with industry standards. Ohlhausen’s speech Tuesday hit on many of her favorite themes: regulatory humility, ensuring the commission identifies substantial consumer harm before taking action, and developing a more explicit data security enforcement framework. “The FTC’s data security enforcement framework is not perfect,” she said. “I would like to develop more concrete guidance to industry, for example. But I haven’t seen anything that suggests big data technology raises fundamentally new data security issues.”
The National Institute of Standards and Technology (NIST) said it removed the controversial Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) cryptographic algorithm from its 800-90 standards series on random bit generators (http://1.usa.gov/1i8QyFL). The agency had reopened public comment on the standards in September amid reports that the National Security Agency engineered weaknesses into the NIST standards, which the International Organization for Standardization subsequently adopted (CD Sept 11 p10). NIST said it now recommends that current users of Dual_EC_DRBG transition to one of the other three approved algorithms “as quickly as possible.” Federal agencies and other entities buying cryptographic products should ask their vendors if the products use Dual_EC_DRBG, and if so, should ask vendors to reconfigure those products, NIST said. The agency said it will accept public comments on the revised 800-90 standards until May 23. NIST subsequently re-evaluated its cryptographic standards development process and has proposed a revised version of that process (http://1.usa.gov/1rg6mpG). The Center for Democracy & Technology, a critic of NSA’s involvement in NIST standards development, praised NIST in comments filed Friday for revising its standards development process. But the group also urged NIST to articulate due process and a pledge to avoid “undue influence” from parties like NSA (http://bit.ly/1eWzkL2). A coalition of eight other groups -- including the Electronic Frontier Foundation, the New America Foundation’s Open Technology Institute and TechFreedom -- said Monday in a letter to NIST that the agency must take “pro-active steps toward implementing a more transparent, accountable process for standards development.” The groups want NIST to avoid NSA influence in the future and allow more feedback from independent experts.
Organizations using “remote access software or appliances” susceptible to the Heartbleed bug should “identify infrastructure affected by the vulnerability and upgrade it as soon as possible,” said security provider Mandiant in a blog post (http://bit.ly/1tinjDV) Friday. Heartbleed is the recently discovered security glitch in Secure Sockets Layer (SSL), which affects OpenSSL, a cryptographic software library used to secure websites using HTTPS encryption to protect data (CD April 11 p13). Organizations and businesses with vulnerabilities to Heartbleed should “implement network intrusion detection signatures to identify repeated attempts to leverage the vulnerability,” it said. “In our experience, an attacker will likely send hundreds of attempts because the vulnerability only exposes up to 64KB of data from a random section of memory,” it said. Historical reviews of virtual private networks should be performed to “identify instances where the IP address of a session changed repeatedly between two IP addresses,” it said. “It is common for an IP address to legitimately change during a session, but from our analysis it is fairly uncommon for the IP address to repeatedly change back and forth between IP addresses that are in different network blocks, geographic locations, from different service providers, or rapidly within a short time period,” it said.
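The historical VPN review described above could be scripted along these lines. This is an added example, not code from Mandiant or the original item; the log format, the /16 comparison standing in for "different network blocks," and the thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
# Constructed sample VPN log (assumed format): timestamp session user source_ip
SAMPLE_LOG = """\
2014-04-08T09:00:00 sess-1001 alice 198.51.100.10
2014-04-08T09:01:00 sess-1002 bob 192.0.2.20
2014-04-08T09:03:00 sess-1002 bob 203.0.113.99
2014-04-08T09:04:00 sess-1002 bob 192.0.2.20
2014-04-08T09:05:00 sess-1001 alice 198.51.100.77
2014-04-08T09:06:00 sess-1002 bob 203.0.113.99
2014-04-08T09:07:00 sess-1003 carol 192.0.2.44
2014-04-08T09:08:00 sess-1002 bob 192.0.2.20
2014-04-08T09:30:00 sess-1003 carol 203.0.113.7
2014-04-08T10:15:00 sess-1003 carol 192.0.2.44
"""

def parse(log_text):
    rows = []
    for line in log_text.strip().splitlines():
        ts, sid, user, ip = line.split()
        rows.append((datetime.fromisoformat(ts), sid, user, ipaddress.ip_address(ip)))
    return sorted(rows, key=lambda r: r[0])  # time order

def same_block(a, b, prefix=16):
    # Assumption: a shared /16 stands in for "same network block".
    return b in ipaddress.ip_network(f"{a}/{prefix}", strict=False)

def flip_flop_sessions(rows, min_flips=3, window_s=3600):
    by_session = defaultdict(list)
    for ts, sid, user, ip in rows:
        by_session[sid].append((ts, user, ip))
    findings = []
    for sid, events in by_session.items():
        changes = [events[0]]  # keep only the points where the address changed
        for ev in events[1:]:
            if ev[2] != changes[-1][2]:
                changes.append(ev)
        # A flip is a return to the address two changes back (A -> B -> A), across blocks.
        times = [changes[i][0] for i in range(2, len(changes))
                 if changes[i][2] == changes[i - 2][2]
                 and not same_block(changes[i][2], changes[i - 1][2])]
        # Largest number of flips inside any window_s-second span.
        busiest = max((sum(0 <= (t - t0).total_seconds() <= window_s for t in times)
                       for t0 in times), default=0)
        if busiest >= min_flips:
            findings.append({"session": sid, "user": events[0][1], "flips": len(times),
                             "ips": sorted({str(c[2]) for c in changes})})
    return findings
```

A single roam within one block (alice) or one out-and-back change (carol) stays below the default threshold; only the session that keeps alternating between two blocks (bob) is reported.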
The White House’s updated privacy policy took effect Friday. The planned update was announced in a March 19 blog post (http://1.usa.gov/RvJYhF). “On a practical level, if you have opted in to receive email updates, we'll use data that you submit or that is automatically generated by your use of the website to try to send you more information about issues or events you care about,” said Nathaniel Lubin, White House acting director-digital strategy. “Of course, you can always unsubscribe from our emails or turn off cookies in your browser if you decide you're not interested in this kind of information anymore.” The new policy clarifies the White House app does not collect geolocation information. It’s the first overhaul since 2011, the White House said.
A human rights guide for Internet users was approved by the 47-nation Council of Europe Thursday. User rights are generally contained in Internet companies’ lengthy contract terms, which few people read or fully understand, prompting the development of the guide (http://bit.ly/QqYztJ) to help users assert their rights online, the CoE said. The document focuses on the rights on which the Internet has the most impact, it said: (1) Access and non-discrimination. Generally, users shouldn’t be disconnected against their will except when ordered by a court. (2) Freedom of expression and information. Users have the right to express themselves online and to access others’ information and opinions, including those that may be offensive or shocking, while respecting others’ reputation and privacy. Governments must ensure that any restrictions on that right are based on legitimate goals such as protecting national security and that they comply with the European Convention on Human Rights. (3) Privacy and data protection. Personal data should be processed only with users’ consent or when it’s required by law. People should be told what personal data is processed or transferred to other parties, when, by whom, and for what purpose. Users should be able to check the accuracy of the data processed or request a deletion. Internet users shouldn’t be subjected to general surveillance or interception measures except in exceptional circumstances prescribed by law. (4) Education and literacy. Users should have online access to education. (5) Protection of children and young people. If they post content that compromises their dignity, security or privacy, or could be detrimental to them in the future, they should have the right to ask to have it deleted within a short time period. (6) Right to effective remedies for violations. Users should have accessible, affordable mechanisms for obtaining redress when their human rights are restricted or violated online.
Eight companies joined the Application Developers Alliance, the industry group said in a Monday release (http://bit.ly/1nqELlm). The companies -- including ridesharing company Lyft and comparison engine FindTheBest -- are joining to advocate for issues such as consumer privacy, software patents and reducing ridesharing regulations, the alliance said. FindTheBest Director of Operations Danny Seigle said his company is hoping by joining the alliance to “take a stance against patent trolls that attack startups and small businesses.” “As a leading voice on patent reform issues, the Alliance has brought us to Washington to testify on the impact of patent troll abuse on behalf of innovators across the globe,” he said. Lyft Vice President-Government Relations David Estrada said “this partnership will be invaluable as peer-to-peer transportation continues to face challenges from city and state leaders across the country who are more concerned with protecting entrenched interests than furthering public safety through technology.” In total, the alliance has more than 175 member companies, it said.
The 4th U.S. Circuit Court of Appeals Wednesday affirmed a contempt-of-court finding against encrypted email provider Lavabit for resisting a government subpoena asking for the company’s private encryption keys (http://bit.ly/1j1aPtp). Lavabit initially refused to hand over the information because it argued doing so would make sensitive customer information vulnerable. The Electronic Frontier Foundation (EFF) filed an amicus brief on Lavabit’s behalf in its appeal (CD Oct 28 p12). Wednesday’s ruling said many of Lavabit’s arguments raised on appeal were new arguments and “when a party in a civil case fails to raise an argument in the lower court and instead raises it for the first time before us, we may reverse only if the newly raised argument establishes ‘fundamental error’ or a denial of fundamental justice.” The only argument against turning over the encryption keys previously was one sentence from Lavabit owner Ladar Levison: “I have only ever objected to turning over the [Secure Sockets Layer] keys because that would compromise all of the secure communications in and out of my network, including my own administrative traffic.” The court ruled “we cannot refashion this vague statement of personal preference into anything remotely close to the argument that Lavabit now raises on appeal.”
The National Retail Federation (NRF) is creating a cybersecurity information sharing program, it said in a Monday release (http://bit.ly/Qn7P1S). The platform, dubbed the Information Sharing and Analysis Center (ISAC), follows a similar effort by the financial industry, which has already developed its own ISAC (http://bit.ly/1iSy4Eo). The retail trade industry has been in the crosshairs of federal agencies and lawmakers because of large data breaches from major retailers such as Target and Neiman Marcus. The move also comes days after the FTC and Department of Justice issued a joint policy statement saying properly sharing cyberthreat information is “not likely to raise antitrust concerns.” The NRF said it expects its ISAC to be functional in June. It will be overseen, in part, by the NRF’s IT Security Council, which includes chief information officers and tech experts from roughly 120 retailers, NRF said.