Last Friday, Fiat Chrysler announced the recall of 1.4 million vehicles to fix security vulnerabilities, further highlighting the importance of properly addressing cybersecurity issues created by the use of connected devices. The recall follows an article published last Tuesday by Wired magazine which described methods used by security researchers to remotely access a Jeep Cherokee, including attacks that disabled the car’s brakes and transmission. While Fiat Chrysler’s statement on the recall emphasized that it was not aware of any incidents where the vulnerability had been exploited, the recall demonstrates the increasing attention being paid to security vulnerabilities discovered in connected devices. The same day that the Wired article was published, Sens. Ed Markey (D-Massachusetts) and Richard Blumenthal (D-Connecticut) introduced legislation aimed at establishing federal standards for cybersecurity of connected cars and privacy of drivers’ information.
According to the Wired article, many of Fiat Chrysler’s vehicle models – including the Jeep Cherokee – use Uconnect, an Internet-connected computer feature, to offer entertainment, navigation, and communication features. The Wired article described a method by which security researchers were able to use Sprint’s cellular network, the same network used by the Uconnect feature, to wirelessly access any vulnerable vehicle nationwide through its Uconnect system. Once the researchers accessed a vehicle, they could access the car’s internal computer network and control certain physical components of the car, such as its engine and wheels. According to the article, the researchers notified Fiat Chrysler of the vulnerability nine months ago, and Fiat Chrysler responded by releasing a software patch that could be manually implemented via a USB stick or a dealership mechanic. Following the article’s release, Fiat Chrysler initiated a full safety recall of multiple affected vehicle models, mailing a USB containing the patch to each vehicle’s owner that the owner could plug into a port in the vehicle to implement the fix. The automaker has also worked with Sprint to block the methods used by the researchers to find and access vehicles wirelessly using Sprint’s network.
Last week, Sens. Ed Markey and Richard Blumenthal also introduced the SPY Car Act, designed to protect drivers from the security and privacy risks inherent in the increased use of connected cars. According to the copy of the bill released by Sen. Markey, the bill would require NHTSA, in consultation with the FTC, to develop performance standards to prevent hacking of vehicles’ control systems. These standards, which would take effect within 2 years after the final regulations are prescribed, would require manufacturers to use “reasonable measures” to protect all access points to the car, including isolation of critical software systems and evaluation using penetration testing. Manufacturers would also have to secure all collected information against unauthorized access, both at rest and in transit, and equip vehicles with “capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle.” In addition to these hacking protections, the bill would also require the FTC, in consultation with NHTSA, to develop privacy standards to govern the collection of data by vehicles, including increased transparency and choice for drivers and a prohibition on the use of such data for marketing purposes without express consent. Finally, the bill would also require NHTSA and the FTC to develop a “cyber dashboard” that would allow potential purchasers of new vehicles to easily evaluate how well each vehicle protects owners’ security and privacy.
A person who makes an accidental “pocket dialed” call has no reasonable expectation of privacy in the conversations exposed to the person who picks up that call, the Sixth Circuit ruled last week. The court compared this situation to a homeowner that mistakenly fails to cover his windows, exposing his actions to public view. In that situation, the homeowner would not have an expectation of privacy and the court reasoned that the maker of a pocket dialed call should not, either.
A second round of “trilogue” negotiation on the EU General Data Protection Regulation (GDPR), on July 14th, has addressed the law’s territorial scope and rules relating to international data transfers (Articles 3 and Chapter 5, respectively).
Although no agreed text has been released, public comments made by Jan Philipp Albrecht, the European Parliament’s lead negotiator on the GDPR, indicate that agreement has been reached “in principle” on most of the provisions discussed. (For a video of his comments, please see here, from 3:10:00 to 3:20:00.) However, some issues remain to be resolved, and it is expected they will be addressed when negotiations resume in September.
Neiman Marcus customers whose credit card information potentially was exposed in a 2013 breach of the retailer’s computer systems may proceed with their proposed class action lawsuit against the retailer, a federal appeals court ruled Monday.
Neiman Marcus discovered in December 2013 that some of its customers had found fraudulent charges on their credit cards, and after an investigation the retailer disclosed in early January 2014 that a data breach had exposed about 350,000 credit cards, of which 9,200 were known to have been used fraudulently. The plaintiffs sued Neiman Marcus, alleging — among other claims — that the company was negligent, breached its implied contract with customers, engaged in unfair and deceptive business practices, and violated state data breach laws.
Monday’s ruling comes at a preliminary stage of the case and addressed only whether the plaintiffs’ allegations, if proved, would meet the requirements of Article III of the U.S. Constitution, which requires that federal courts hear only actual “cases or controversies.” The Supreme Court has held that this requirement bars lawsuits where the plaintiffs have not alleged that they have suffered or imminently will suffer a concrete injury. The Supreme Court emphasized in a 2013 ruling, Clapper v. Amnesty International USA, that plaintiffs seeking to establish standing based on a risk of future injury must show that the threatened injury is “certainly impending,” a standard plaintiffs in other data breach cases have struggled to meet. Continue Reading
Last week, the Federal Communications Commission (FCC) released the text of its long-awaited order addressing certain aspects of the Telephone Consumer Protection Act (TCPA) and related FCC rules. The order addressed a total of 21 petitions seeking “clarification or other actions” regarding the TCPA, principally in connection with automated calls and text messages.
Although the order purports only to “clarify” existing FCC precedent, there is widespread debate over whether the order imposed new requirements on entities that transmit automated calls and text messages. The order already has been appealed by one party and other appeals are expected. Nevertheless, because the FCC claims the order only clarifies existing precedent, its provisions became effective when the order was released on February 10, 2015.
The order focuses on ten key areas, which are summarized after the jump. Continue Reading
On July 6, 2015, China’s National People’s Congress (NPC) released a draft of the Network Security Law (“Draft Law,” referred to in some press articles as the draft Cybersecurity Law) for public comment. Comments can be submitted through the NPC website or by mail before August 5, 2015. The release of the Draft Law follows closely on the heels of the new National Security Law that was enacted last week (see Covington blog post here).
This Draft Law, initially reviewed by the NPC in June, would apply broadly to entities or individuals that construct, operate, maintain, and use networks within the territory of China, as well as those who are responsible for supervising and managing network security. A number of the provisions in this Draft Law, if enacted in their current form, are likely to significantly impact information and communications technology (“ICT”) and other companies with business operations or interests in China.
Those that most merit the close attention of companies are those that relate to (1) the “secure” operations of networks and “critical information infrastructure,” and (2) data protection. This post focuses on the latter. Continue Reading
In a consent decree adopted yesterday by the Federal Communications Commission, two telecommunications carriers — TerraCom, Inc., and YourTel America, Inc. — agreed to pay a $3.5 million civil penalty and adhere to a three-year compliance program to settle allegations that the carriers violated the federal Communications Act by failing to adequately protect “proprietary information” the carriers collected from consumers applying for federally subsidized phone service under the Lifeline program. The consent decree reiterates the FCC’s interpretation of Sections 201 and 222 of the federal Communications Act — first articulated in a October 2014 decision proposing to fine TerraCom and YourTel $10 million — broadening telecommunications carriers’ privacy and data security obligations. The consent decree also settles allegations that YourTel failed to de-enroll certain subscribers after being instructed to do so by the Universal Service Administrative Company, which administers Lifeline. Continue Reading
As readers of the InsidePrivacy blog know, we often save some fun reading on privacy issues for the weekend, given the crush of business during the week. This week, we’re up for some digital magazine reading. It’s refreshing when privacy issues burst into the mainstream consciousness, and we have two great examples of that this week — robotics in Foreign Affairs, and the Internet of Things in Politico.
The Senate Judiciary Committee today held a hearing about the increased challenges that encryption poses for law enforcement. Government officials testified that advances in encryption technology make it more difficult for them to monitor communications, but there was little indication that lawmakers are prepared to require technology providers to ensure that law enforcement has backdoor access to encrypted communications and data.
Committee Chairman Charles Grassley, R-Iowa, said that the hearing is the first step in a conversation about the problem, and he hopes to see whether “any consensus is possible on this very important issue.”
On July 1, 2015, China’s State Administration for Industry and Commerce published a draft of the Interim Measures on Supervision of Internet Advertising (“Draft Internet Advertising Measures”; original Chinese here) for public comment. If adopted as drafted, the Draft Internet Advertising Measures would (1) require advertisements in email and instant messaging to contain conspicuous options for the user to agree to, refuse, or unsubscribe from advertisements; (2) require websites to allow users to block pop-ups for certain repeat visitors; and (3) require advertisements sent via email or instant message to identify the sender and be marked as an advertisement. Public comments on the Draft are due by July 31, 2015. Once finalized, the Draft is expected to come into effect on September 1, 2015. Continue Reading