Apr 4, 2019

Axios Codebook


Welcome to Codebook, your now-weekly source of cybersecurity news and dad jokes.

1 big thing: How the U.S. could get a national privacy law

Illustration: Lazaro Gamio/Axios

Democratic senators involved in a key bipartisan working group left a Wednesday evening meeting with little to say about whether they were making progress on a national privacy bill Republicans hope will preempt state measures.

Why it matters: There is a unique convergence of forces behind privacy regulation. If the United States is ever going to pass a federal privacy law, the time might be now — and that's brought a wide array of stakeholders out of the woodwork to give advice.

The big picture: Republican lawmakers and groups like the U.S. Chamber of Commerce, typically hostile to regulation, are currently advocating federal privacy laws.

  • They hope a national measure will block states from passing their own privacy laws and supersede any that do pass (like California's).
  • With anti-regulatory entities looking for a national solution, advocacy groups have also been emboldened to publish policy papers on privacy regulations with the legitimate belief they might pass.

Browser-maker Mozilla, for example, released a framework for regulation Thursday focusing on a few key issues.

  • One is to require "purpose-based consent" for companies to take data. If Facebook, say, solicited users' cellphone numbers to help authenticate their identities, it couldn't then use the information for another purpose, like targeting ads.
  • Mozilla also called for the Federal Trade Commission to gain more rule-making and enforcement power over privacy, a stance that the FTC also takes.

Details: The working group includes Senate Commerce Committee chairman Roger Wicker (R-Miss.), as well as panel members Sens. Richard Blumenthal (D-Conn.), Jerry Moran (R-Kan.) and Brian Schatz (D-Hawaii).

  • Democrats have indicated they won't preempt states without getting an aggressive national bill in return.
  • "It was a useful meeting, and as far as a timeframe, nothing was decided today about some next step, but I’ve been optimistic for a long time," said Moran as he left the meeting.
  • Democrats were less eager to comment, though Blumenthal said that the meeting "is another in a series that I’m sure we’ll have."

The intrigue: In the public mind, the debate around passing privacy regulation would pit ad-centric web companies like Facebook or Google against Congress. The reality is far different.

  • For one, said Mozilla's Heather West, framing the debate as a continuum between privacy and Facebook ignores the bulk of the companies that would need to be regulated.
  • West said her favorite example of a company left out by tailoring debate to Facebook is John Deere. "They have an incredible data-driven product for farmers that takes all of this data in, including their schedule, meteorological data and fertilizer," she said. "That actually means they have a ton of data about someone's life. A tractor company could theoretically use that data for unexpected purposes."

The fallout: The mix of advocates for a privacy law has created wildly different visions of what a final version could look like.

  • Businesses that operate in multiple sectors argue that the current regulatory framework — with different industries operating under different rules — is unworkable in an innovative economy.
  • Peter Winn, who directs the Department of Justice's Office of Privacy and Civil Liberties, argued the opposite at a Wednesday AEI event, saying industry-specific laws could cater to the unique risk profiles of each industry.

David McCabe contributed reporting.

2. Data from Facebook was exposed, but Facebook didn't expose data

UpGuard reports that two Facebook apps left user data exposed on cloud servers.

But, but, but: Some accounts have framed the story as a Facebook problem, and that's a stretch.

Hear me out: There's no evidence either of the Facebook apps — one from Mexican company Cultura Colectiva and one titled At The Pool — mined data in a way inconsistent with the permissions that users directly granted them.

  • Improperly secured data is a fundamental problem with the data economy, which, mind you, Facebook did help create.
  • But think about whether you would blame Apple if it turned out a game you installed on your phone exposed user data.

The big picture: Typically, the flow of these data exposure stories works like this: A big company, let's call them SuperGlobalMegaCorp, either licenses data to a smaller company or employs a subcontractor, and that subcontractor improperly stores the data.

  • SuperGlobalMegaCorp takes the brunt of the blame. And the argument for that is that users entrusted their data to SGMC, not the contractor.
  • That's not really what happened here. Users selected these apps and agreed to their terms.

The other side: Axios' Scott Rosenberg argues that all the companies involved in data spills like this should take more responsibility.

3. Bayer purges hackers from Winnti group

Photo: Odd Andersen/AFP via Getty Images

German pharmaceutical firm Bayer announced it detected and eliminated an attack from its systems, reports Reuters.

The big picture: Bayer believes it was the Winnti group who orchestrated the attack. Winnti is associated with industrial espionage — Bayer does not believe that any industrial secrets were stolen — and some researchers have linked the group to China.

Details: Bayer found malware from the group in early 2018 and monitored the infection between then and March of this year, when it evicted the group.

4. London Blue email scammers set their sights east

London Blue, a criminal racket targeting businesses with email scams, is increasingly targeting Asian firms, according to a new report from email security firm Agari, and it's evolving its tactics to better hide criminal activity.

Background: The group first came to light when it tried to scam money from Agari, whose bread and butter is researching these kinds of email fraudsters.

  • While that's a little funny, the scam looked for Agari to transfer more than $200,000.
  • And while Agari didn't take the bait, others have. Since Agari's last report on the group in November, London Blue (Agari's nickname, not their own) began working from a new database of over 8,000 executives.
  • Since the last report, London Blue tried to scam Agari a second time. Oops.

Details: While U.S. targets still make up the plurality of London Blue's victims, the share of Asian targets is rising.

  • London Blue uses free email accounts in its attacks, but it has recently started disguising them as accounts from more respectable domains.
5. Odds and ends

Codebook will be back on Thursday, our new weekly slot.