May 29, 2018
Welcome to Codebook, among the least flammable cybersecurity newsletters on the market today.
Tips? Reply to this email.
1 big thing: Congress pushes patch for outdated email privacy law
Supporters hope this will finally be the year that the Email Privacy Act will become law. The draft legislation — which has passed the House twice before — would require authorities to get warrants before gathering evidence stored in the cloud, and it's included in the House versions of two must-pass bills announced over the past week.
Why it matters: You might expect that police would always need a warrant to search someone's web-based email archive, cloud-stored files or social media direct messages. In reality, that's not a sure thing.
A 1980s-vintage law known as the Electronic Communications Privacy Act (ECPA) actually gives law enforcement the right to seize files without judicial review if they have been stored on someone else's hard drive for more than 180 days. Courts have limited ECPA's reach, but the outdated rule is still on the books.
Background: That statute made more sense before people started putting all their information online and leaving it there.
- Nearly all major online providers require a warrant for that data despite ECPA.
- In 2010, a landmark Sixth Circuit federal court decision ruled it unconstitutional for law enforcement to conduct these searches without a warrant.
- "The Fourth Amendment is very clear — if the federal government wants to access Americans’ digital content, it must get a warrant," said Rep. Kevin Yoder (R-Kansas), who co-wrote the bill with Rep. Jared Polis (D-Colo.). "It’s time our laws reflected that principle."
Why new legislation is needed: "The Sixth Circuit case technically only applies in the Sixth Circuit," said Tommy Ross, senior policy director at BSA, a software industry lobby. "It's important to codify what is already common practice."
But, but, but: Not all Federal agencies have the ability to obtain warrants. For a Security and Exchange Commission investigation, for example, ECPA is the only game in town. The new law would tie its hands.
Why now: The Email Privacy Act passed the House in 2016 and 2017, but failed in the Senate each time. Supporters think this time will be different.
- The act is attached to two high-priority bills — the defense authorization bill and the finanancial services appropriations bill.
- Ross is optimistic because there has been some ECPA reform already this year, including passage of the CLOUD Act that changed the process for international data warrants. The pending Supreme Court decision in Carpenter v. U.S., a case about whether law enforcement can access cell tower data without a warrant, also deals with ECPA.
2. Trump's ZTE deal tweet sows trail of uncertainty
The long weekend was a busy period for news about ZTE. Lawmakers from both parties rebelled against a deal to save China's second-largest telecom manufacturer that President Trump announced on Twitter Friday.
Meanwhile, Chinese tech giant Tencent said it aimed to reduce China's dependence on U.S.-made components, and President Trump announced plans for new trade restrictions against China.
- Earlier this month, the U.S. banned ZTE from purchasing American technology for seven years after the firm was caught selling to North Korea and Iran — its second such infraction. ZTE is dependent on American computer chips and said it would shut down production as a result.
- There's more going on here than just sales to two U.S. enemies. Lawmakers view Chinese telecom firms as a security risk, producing equipment that can be backdoored for espionage. And China lawmakers have long argued that a reliance on U.S. chips puts companies like ZTE in jeopardy.
- Trump's Friday announcement that he'd lift sanctions on ZTE in return for a $1.3 billion fine, oversight by U.S. compliance officers, and management changes chagrined national security-focused legislators.
The still-unfolding drama offers a case study in Trump's ability to handle competing U.S. interests during international negotiations. The president's transactional style may not be the best fit for diplomacy with so many variables, and the last few days have been erratic:
On Thursday, Trump blamed the growing bipartisan discontent from lawmakers on how the Obama administration dealt with China. That didn't appease any of his critics.
On Friday: Trump tweeted about his deal. Sen. Mark Warner (D-VA) said, in a statement, "This would be a big mistake. President Trump should listen to the advice of his intelligence leaders, who have unanimously said that ZTE poses a national security threat to the United States.”
On Saturday: Pony Ma Huateng, founder of Tencent, said regardless of the outcome of the ZTE deal, the ordeal was a "wake up call" and Tencent was looking to invest in a domestic chip industry for China in order to break the U.S.'s "grip on [China's] throat."
On Sunday: Marco Rubio expressed his concerns on Face the Nation: "If this was just a company that did something wrong and needed to be punished, the president's right. I don't just view the ZTE issue through ZTE alone. I view it in the broader context of what China is trying to do overtake the United States by stealing and by cheating and they're not going to stop until they know there are real consequences for doing it."
On Monday: Chinese President Xi Jinping told a crowd of engineers and scientists: "The initiatives of innovation and development must be securely kept in our own hands."
And, finally, on Tuesday: Trump announced export restrictions, tighter investment rules and 25% tariffs against parts of the the Chinese technology sector.
3. "Fraudsters" steal customer info from two Canadian banks
Two Canadian banks — Simplii Financial and BMO — announced Monday that "fraudsters" stole data from a small fraction of their accounts.
The details: Though details are scant, each bank said it was contacted Sunday by thieves saying they had stolen customer information. Both releases referred to the crooks as "fraudsters."
- Simplii said around 40,000 customers were hit. BMO did not announce a number.
- BMO said it was confident it has closed off the avenue through which the accounts were stolen, though neither said what that method was.
- Both banks are contacting customers.
4. Trump tries to flip election tampering accusations
President Trump’s charge that the Mueller investigation is going to tamper with this year’s American elections coopts language from the 2016 election hacking scandal to discredit the probe that scandal inspired.
What he’s tweeting: "The 13 Angry Democrats (plus people who worked 8 years for Obama) working on the rigged Russia Witch Hunt, will be MEDDLING with the mid-term elections…”
Why it’s an awful analogy: Russia is a foreign country that Democrats, Republicans and the international community agree broke U.S. law to try and sway the American election. The Mueller probe is home-grown and thus far well within the boundaries of the law.
This isn’t the first time that Trump has borrowed and redefined language from the saga of Russian interference with the 2016 election. Previously, he successfully transformed the meaning of “fake news” — from “clickbait articles on websites that make up news stories” to “any news stories I don’t like.”
Why it matters: If Trump succeeds in taking a legal investigation into foreign interference in one election and rebrand it as “meddling” in another election, he will muddy our necessary bipartisan national conversation about what happened in 2016 — and how to protect future U.S. elections from real foreign "meddling."
5. Odds and ends
- Russia wants Apple to help it block Telegram by blocking notifications and new downloads. (AFP)
- Some AMD processors might not be as adept at securing virtualized accounts as advertised. (The Register)
- Apple’s transparency reports will soon include government requests for app data. (Apple)
- Papua New Guinea may ban Facebook for a month to see what happens.
- Hackers posted antigovernment messages in an Iranian airport. (Radio Farda)
Codebook will return on Thursday.