At the end of July, the National Institute for Standards and Technology (“NIST”) released draft cybersecurity guidance for IoT device manufacturers. The document, titled Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers, is intended, according to NIST, to identify the cybersecurity features that IoT devices should have “to make them at least minimally securable by the individuals and organizations who acquire and use them.” The NIST document is not a rule or requirement for IoT devices, but rather is a continuation of NIST’s effort to foster the development and application of voluntary standards, guidelines, and related tools to improve the cybersecurity of connected devices.

NIST is seeking comment on the document through September 30 of this year and it held a workshop in August for interested parties to discuss the document. In a prior post, I blogged on takeaways from that workshop. Now, it’s time to take a closer look at the NIST document itself.



The Republican-led FCC’s effort to get out of the business of regulating broadband providers’ consumer practices took a step forward on Monday.  In an appeal that has been proceeding in parallel with the FCC’s “Restoring Internet Freedom” reclassification proceeding, the U.S. Court of Appeals for the Ninth Circuit issued an opinion giving the Federal Trade Commission (FTC) broad authority over practices not classified by the FCC as telecommunications services.  Specifically, the Ninth Circuit, sitting en banc, issued its long-awaited opinion in Federal Trade Commission v. AT&T Mobility, holding that the “common carrier exemption” in Section 5 of the FTC Act is “activity based,” exempting only common carrier activities of common carriers (i.e., the offering of telecommunications services), and not all activities of companies that provide common carrier services (i.e., rejecting a “status-based” exemption).  The case will now be remanded to the district court that originally heard the case.  Coupled with the FCC’s reclassification of Broadband Internet Access Services (BIAS) in the net neutrality/restoring internet freedom proceeding, the opinion repositions the FTC as top cop on the Open Internet and broadband privacy beats.


Last week, the Federal Communications Commission (FCC), in a 3-2 vote, approved an order allowing “television broadcasters to use the ‘Next Generation’ broadcast television (Next Gen TV) transmission standard, also called ‘ATSC 3.0.’”  Described in the Order “as the world’s first Internet Protocol (IP)-based broadcast transmission platform,” the Next Gen TV standard is expected to allow broadcasters to provide more targeted advertisements to individual viewers.  Some had expressed concerns over the collection of the demographic and consumer data necessary for Next Gen TV targeted advertising, and applicable privacy safeguards for the new standard.  At this stage, though, the FCC majority took a wait-and-see approach to privacy concerns.


On November 1, 2017, the House Antitrust Law Subcommittee held a hearing to discuss the role of federal agencies in preserving an open Internet.

The core question discussed at the hearing was whether current antitrust law is sufficient to ensure net neutrality absent FCC rules. The panelists—including FTC Acting Chairman Maureen Ohlhausen and Commissioner Terrell McSweeney; former FCC Commissioner Robert McDowell; and Michael Romano, NTCA Senior Vice President of Industry Affairs and Business Development—and committee members were generally divided down party lines, with Republicans arguing that FCC rules were both unnecessary and counterproductive and Democrats arguing that rules were necessary to ensure an open Internet, free expression, and innovation.  

Today the Office of Federal Register published a final rule from the Federal Communications Commission (FCC or Commission) that formally voids the rule changes in the Commission’s 2016 Privacy Order—which Congress invalidated in a 2017 Congressional Review Act (CRA) joint resolution earlier this year—and reinstates the voice-centric customer proprietary network information (CPNI) rules “in

At its June 22, 2017 Open Meeting, commissioners of the Federal Communications Commission (FCC) voted to start a proceeding that will consider proposed changes to the agency’s rules regarding Caller ID privacy. Specifically, the FCC’s notice of proposed rulemaking (“NPRM”) proposes to revise its rules in section 64.1601 to allow law enforcement and interested parties to obtain access to blocked caller information in cases of threatening phone calls.

On June 5, 2017, the United States Supreme Court granted cert in Carpenter v. United States, a case in the hotly contested area of mobile cellular location data privacy.  The question before the Court is whether law enforcement must obtain a warrant for historical cell-site location information.

The case stems from 2014, when Timothy Carpenter was sentenced for his alleged role in coordinating a series of armed robberies of smartphone vendors.  To support its case, law enforcement obtained access to 127 days’ worth of Mr. Carpenter’s cell-site location records through what is commonly referred to as a “D order” (after the subsection of the act under which the records were requested).  Whereas warrants require the government to show probable cause, under the Stored Communications Act, a D order merely requires that law enforcement present “specific and articulable facts showing that there are reasonable grounds to believe” that the records requested “are relevant and material to an ongoing criminal investigation.”  18 U.S.C. § 2703(d). 

On May 19, 2017, House Communications and Technology Subcommittee Chairman Marsha Blackburn (R-TN) introduced the Balancing the Rights of Web Surfers Equally and Responsibility Act of 2017 (the Browser Act or the bill), which overhauls privacy requirements for both Internet service providers (ISPs) and edge providers (e.g. Facebook, Netflix) (collectively, service providers).  The bill adopts policies similar to the broadband privacy rules adopted by the Federal Communications Commission (FCC or the Commission), which were overturned by a Congressional Review Act resolution in late March of this year.

The Browser Act would require service providers to provide their users with notice of the provider’s privacy policies; require user opt-in for sensitive information and an opt-out option for non-sensitive information; prohibit the conditioning of service on waivers of privacy rights; and specifically authorize the Federal Trade Commission (FTC) to oversee the privacy practices of ISPs.  Co-sponsor Rep. Brian Fitzpatrick (R-PA) said in a statement the bill is intended to “introduce comprehensive internet privacy legislation that will more fully protect online users in their use of Internet service providers, search engines and social media.”  The bill is likely to face an uphill battle in both the House and the Senate, and has drawn mixed reviews from industry and public interest groups.



On May 9, 2017, the U.S. Court of Appeals for the Ninth Circuit issued an order granting a Federal Trade Commission (FTC) request for rehearing en banc of the court’s earlier decision to dismiss an FTC case against AT&T Mobility over allegedly “unfair and deceptive” throttling practices in connection with wireless data services provided to

On April 3, 2017, President Trump signed into law a Congressional joint resolution eliminating new broadband and voice privacy rules set forth in a November 2016 order (the 2016 Privacy Order) by the Federal Communications Commission (FCC) (the Joint Resolution).  Members of Congress largely voted along partisan lines. The House approved the Joint Resolution by a 215-205 vote and the Senate approved it by a 50-48 vote.