Overnight Cybersecurity: Europe weighs privacy rules for US companies

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry wrap their arms around cyberthreats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you ...


--AND HOW LONG HAVE YOU BEEN IN LOVE WITH KARL, OUR ENIGMATIC DESIGNER?: European privacy regulators will meet in Brussels on Feb. 2 to set common guidelines on how U.S. companies may legally handle European citizens' data in the absence of a recently invalidated U.S.-EU agreement. "It is evident that we will sanction any transfers of personal data which are solely based on the old Safe Harbor decision," said Johannes Caspar, head of Germany's data protection authority. Europe's high court struck down the so-called Safe Harbor agreement in October over privacy concerns, leaving the 4,400 firms that had relied on it scrambling for legal alternatives. Regulators from both sides of the Atlantic are working to create a revised framework. They face a looming deadline from the data protection authorities, which have said they will begin to take enforcement action at the end of this month. The U.S. has submitted a package of proposals for a new agreement, a person familiar with the matter told Reuters. Both sides have expressed optimism that they will meet the end-of-January deadline. Meanwhile, the privacy regulators have been analyzing different legal alternatives to Safe Harbor, which allowed U.S. companies to "self-certify" that they met Europe's stricter privacy standards. Experts say some data protection authorities are stricter than others and companies have expressed concerns that the high court's ruling will create a patchwork of enforcement from country to country. To read our full piece, click here.

--ALWAYS: The widow of a man who was killed in a November terrorist attack is suing Twitter for allegedly allowing the "explosive growth" of the Islamic State of Iraq and Syria (ISIS), resulting in the death of her husband. "Without Twitter, the explosive growth of ISIS over the last few years into the most-feared terrorist group in the world would not have been possible," according to a complaint filed Wednesday in federal court in Oakland, Calif. Tamara Fields's husband Lloyd Fields, a government contractor, was killed in an ISIS strike on a police training facility in Amman, Jordan, in November 2015. Fields is seeking unspecified damages from Twitter for "knowingly or with willful blindness" providing material support that allows the group to commit terrorist acts "including the attack in which Lloyd Fields, Jr. was killed." Although Twitter recently placed a formal ban on content that "promotes terrorism," the company has faced accusations in the past that it doesn't do enough to remove extremist content from its platform. "While we believe the lawsuit is without merit, we are deeply saddened to hear of this family's terrible loss," a Twitter representative told The Hill in an email. "We have teams around the world actively investigating reports of rule violations, identifying violating conduct, partnering with organizations countering extremist content online and working with law enforcement entities when appropriate." To read our full piece, click here.

--I'M GOING TO CUT YOUR HEART OUT WITH A SPOON: Rep. Justin Amash (R-Mich.) on Wednesday introduced a bill to repeal a major cybersecurity bill signed into law just weeks ago. In a statement, the libertarian lawmaker called it "the worst anti-privacy law since the USA Patriot Act." Passed in December as part of the $1.1 trillion government spending bill, the Cybersecurity Act of 2015 gives businesses legal protections to encourage them to share more data on hacking threats with the government. Proponents -- including the White House -- argue the measure is needed to better understand and thwart the cyberattacks plaguing the public and private sectors. But privacy advocates and many tech companies say the bill will merely shuttle more private data on Americans to intelligence agencies. Detractors also take issue with the final negotiations that merged the House and Senate bills. Lawmakers combined the bills through unofficial meetings instead of the traditional conference process. Several House lawmakers have said they were forced into this process by senators who refused to appoint people to an official conference in an effort to stall the negotiations. "The Cybersecurity Act was negotiated in secret by just a few members of Congress and added quietly to the 2,009-page omnibus to avoid scrutiny," Amash said. "Most representatives are probably unaware they even voted on this legislation. We should repeal it as soon as possible." Joining Amash's effort is a bipartisan group of privacy-minded and civil liberties-focused co-sponsors including Reps. John Conyers Jr. (D-Mich.), Zoe Lofgren (D-Calif.), Thomas Massie (R-Ky.), Ted Poe (R-Texas) and Jared Polis (D-Colo.). To read our full piece, click here.



--NOW I HAVE A MACHINE GUN, HO HO HO. A New York assemblyman has reintroduced a law that would require manufacturers of smartphones to be able to decrypt their products.

The bill would mandate that "any smartphone that is manufactured on or after Jan. 1, 2016 and sold or leased in New York, shall be capable of being decrypted and unlocked by its manufacturer or its operating system provider."

Apple recently rejected a court order in New York seeking encrypted iMessages, citing its unbreakable encryption system.

If the bill passes both houses and is signed into law, it would likely be the first state law regulating encryption technology.

It mirrors a push in Washington, D.C. by Sens. Dianne Feinstein (D-Calif.) and Richard Burr (R-N.C.) to lead the charge on legislation that would require companies to decrypt data under court order.

Read on at ArsTechnica, here.



--NO MORE MERCIFUL BEHEADINGS. Now available: a "smart" rectal thermometer, which Motherboard calls "the logical conclusion of the Internet of Things."

"This is the apparent future of home living: where even your squishy insides can't avoid the increasing presence of data collection and monitoring, and where the simple act of measuring a person's body temperature is somehow connected to the internet, an ever-sprawling network of systems transferring a truly dizzying amount of personal information," writes Joseph Cox.

We couldn't have said it better ourselves.

Read on, here.



--IT WON'T WORK, I HAVE AN EXCEPTIONALLY LARGE MIND. A new poll released Thursday found more people are comfortable with office surveillance cameras than they are with a social media company using their information to serve up targeted ads.

Despite the widespread adoption of social media, a majority of people, 51 percent, said they do not see it as an acceptable trade-off to get free access to a social media service in exchange for that company using their information to deliver targeted ads.

A Pew Research poll released Thursday asked participants about their comfort level in six different scenarios to test their willingness to give up some privacy in exchange for some service.

The social media scenario was one of two in which a majority of people said the privacy trade-off would be unacceptable.

The other, which 55 percent found unacceptable, dealt with a "smart thermostat" in the home that could save energy but would also gather some information about when you are home and moving from room to room.

One of the starkest divides in the survey was between how young and old people answered the question about social media. While only 24 percent of people aged 50 and above found the social media trade-off acceptable, 40 percent of those under the age of 50 said it would be fine.

To read our full piece, click here.



--HOTELS. Hotel chain Hyatt on Thursday said it found malicious software in about 250 of its hotels that may have exposed customers' personal information, making it the latest in a string of high-profile breaches at hospitality companies.

In late November, both Hilton Worldwide and Starwood Hotels & Resorts said hackers had infiltrated their payment systems.

In October, the Trump Hotel Collection, owned by Republican presidential front-runner Donald Trump, confirmed it had uncovered a data breach at seven of its locations.

Experts say payment data is showing up for sale on the dark Web.

Robert Habeeb, chief executive officer of First Hospitality Group, which owns Hilton, Marriott and other hotel brands, told The Wall Street Journal that although he is unaware of any hacks at their hotels, "we went back and increased our data-breach insurance coverage."

Hotels are vulnerable in part because the industry has been fractured by years of corporate upheaval, The Journal notes. Large hotel chains have started to move away from ownership and are instead operating as managers or franchises.

Read on, here.



Links from our blog, The Hill, and around the Web.

JetBlue's main website went down Thursday afternoon because of a power outage, the low-cost airline said. (The Hill)

A Louisiana resident has been sentenced to 41 months for running a counterfeit coupon operation on the dark Web. (The Hill)

Presidential candidate John McAfee rebuts Jeb Bush's recent op-ed on cybersecurity. (Business Insider)

Theresa May, the UK's Home Secretary, defended the country's bulk interception capabilities on Wednesday, saying that they do not constitute mass surveillance. (Motherboard)

Chris Young of Intel Security and Chris Wysopal of Veracode talk about hacker culture, threats from the Internet of Things, and the suspected cyberattack on the Ukrainian power grid. (CSM Passcode)

Apple TV's latest app will teach you how to hack -- as long as you don't want to know how to hack iPhones or pacemakers, that is. (Variety)
