Hillicon Valley: Government used Patriot Act to gather website visitor logs in 2019 | Defense bill leaves out Section 230 repeal, includes White House cyber czar position | Officials warn hackers are targeting vaccine supply chain
Welcome to Hillicon Valley, The Hill’s newsletter detailing all you need to know about the tech and cyber news from Capitol Hill to Silicon Valley.
Welcome! Follow our cyber reporter, Maggie Miller (@magmill95), and tech team, Chris Mills Rodrigo (@chrisismills) and Rebecca Klar (@rebeccaklar_), for more coverage.
PATRIOT ACT USED TO COLLECT VISIT LOGS: The federal government used the Patriot Act to collect website visit logs in 2019, the Office of the Director of National Intelligence revealed in letters made public Thursday, putting a renewed focus on surveillance authorities that lapsed earlier this year.
Director of National Intelligence (DNI) John Ratcliffe, in a Nov. 6 letter in response to Sen. Ron Wyden (D-Ore.), wrote that Section 215 of the Patriot Act, which allows the FBI to covertly obtain court orders to collect any business records relevant to a national security investigation, was not used to get internet search terms.
He later clarified that position in a Nov. 25 follow-up letter after being contacted by the Justice Department to note that the authority had been used once to collect logs showing which computers “in a specified foreign country” had visited “a single, identified U.S. web page” during 2019.
“The DNI’s amended letter raises all kinds of new questions, including whether, in this particular case, the government has taken steps to avoid collecting Americans’ web browsing information,” Wyden said in a statement to The Hill on Thursday.
“More generally, the DNI has provided no guarantee that the government wouldn’t use the Patriot Act to intentionally collect Americans’ web browsing information in the future, which is why Congress must pass the warrant requirement that has already received support from a bipartisan majority in the Senate.”
The Hill has asked ODNI and the FBI whether the FBI used the statute to gather similar information before 2019. Neither agency has responded.
NEW CYBER CZAR POST: The defense policy bill Congress plans to pass this month now includes language that would create a national cyber director at the White House, Rep. Jim Langevin (D-R.I.) confirmed to The Hill on Thursday.
The cyber czar would be responsible for coordinating federal cybersecurity priorities and would be a Senate-confirmed post.
The provision creating the top post is part of the conference report consolidating the House and Senate versions of the 2021 National Defense Authorization Act (NDAA).
Language establishing the position was included in the House-passed version of the NDAA, but the version approved by the Senate only included a clause requiring an “independent assessment” of the “feasibility” of establishing the role.
With its inclusion in the conference report, which is set to be rolled out Thursday, the provision will almost certainly be included in the measure sent to President Trump for his signature after it’s passed by Congress.
Langevin, who introduced standalone legislation to create the position earlier this year, credited inclusion of the provision to strong bipartisan support for creating the post.
He praised the efforts of Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.), the co-chairs of the Cyberspace Solarium Commission that recommended the creation of the position to help combat cyber threats to the U.S.
Langevin also noted that Sen. Mike Rounds (R-S.D.), the chairman of the Senate Armed Services Committee’s cybersecurity subcommittee, and House Oversight and Reform Committee Chairwoman Carolyn Maloney (D-N.Y.) were heavily involved in the position’s creation, with both panels holding hearings on the topic earlier this year.
SECTION 230 LEFT OUT: Lawmakers on Thursday officially unveiled a compromise defense bill that excludes President Trump’s demanded repeal of a key liability protection for online tech platforms.
The compromise National Defense Authorization Act (NDAA) includes a requirement that the Pentagon rename Confederate-named military bases in three years.
Trump has threatened to veto the NDAA over both issues.
Senate Armed Services Committee Chairman James Inhofe (R-Okla.) said Wednesday that Trump is prepared to accept the language on renaming bases, though White House press secretary Kayleigh McEnany said the same day she was unsure if Trump’s position has changed and highlighted his past objection to the language from over the summer.
On Tuesday night, Trump threatened to veto the bill if it did not include a repeal of Section 230 of the Communications Decency Act, a 1996 law that gives online platforms liability protection for content posted by third parties while allowing them to make good-faith content moderation efforts.
Trump and his Republican allies argue that Section 230 allows social media companies to discriminate against conservative content, a claim that has not been substantiated.
Despite Trump’s veto threat, lawmakers said Wednesday they were moving forward with an NDAA that does not address Section 230 in any way.
CLAMPING DOWN ON COVID VACCINE MISINFO: Facebook announced Thursday that it will begin removing misinformation about coronavirus vaccines as the immunizations are poised to be rolled out globally.
Posts containing false claims about the “safety, efficacy, ingredients or side effects” of the vaccines can be taken down, the social media giant said in a blog post.
“For example, we will remove false claims that COVID-19 vaccines contain microchips, or anything else that isn’t on the official vaccine ingredient list,” it said.
The policy change comes as vaccines from three companies — Pfizer, AstraZeneca and Moderna — near approval by health authorities.
Facebook has already been removing more general coronavirus misinformation and the company in October also banned ads discouraging all kinds of vaccinations, although it allowed ads that advocate against government policies around vaccinations to stay up.
Despite these efforts, Facebook has been a fertile breeding ground for all kinds of vaccination misinformation.
HACKERS TARGET VACCINE DISTRIBUTION: A senior FBI cybersecurity official and top security experts at leading health care groups on Thursday warned that nation state hackers and other cyber criminals are targeting the COVID-19 vaccine distribution process.
“We see our most determined nation state adversaries not just relying on one method to target the supply chain, but combining cyber with using more traditional espionage and human sources to try to penetrate organizations,” Tonya Ugoretz, the FBI’s deputy assistant director of Cyber Readiness, Outreach, and Intelligence Branch, said at the Aspen Institute’s virtual Cyber Summit.
Ugoretz’s comments were made the same day IBM issued a warning that a “global phishing campaign” was targeting the cold storage portion of the COVID-19 vaccine supply chain. The Cybersecurity and Infrastructure Security Agency (CISA) put out a joint alert to encourage groups involved in the vaccine distribution process to be on guard against attacks.
The Wall Street Journal reported earlier this week that North Korean hackers had attempted to hack into at least six pharmaceutical groups in the U.S. and the United Kingdom involved in developing the COVID-19 vaccine, including Johnson & Johnson and Novavax.
Marene Allison, the chief information security officer (CISO) for Johnson & Johnson, emphasized Thursday that the incident was an “attempted hack,” but confirmed that the health sector is facing escalating cyber threats aimed at the COVID-19 vaccine.
RUMOR CONTROL CONTINUES: Brandon Wales, the nation’s new top federal cybersecurity official, said Thursday that his agency intends to leave up its “rumor control” webpage that pushes back against election misinformation and disinformation until after the Georgia Senate elections in January.
Wales, who took over as acting director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) after former Director Christopher Krebs was fired by President Trump, said the webpage was “an important way for us to put out accurate information about the security of voting infrastructure.”
“What I’ve told our staff is that our election security mission, particularly associated with the Protect 2020 effort, will continue until all the elections are complete,” Wales said at the Aspen Institute’s virtual Cyber Summit.
“We will keep issuing rumor control entries as we think that the situation warrants it and where we can actually have an impact, and we will do that through the end of this cycle, which hopefully will happen sometime in early January,” he added.
The Georgia Senate runoff elections, which will determine control of the Senate, are set to take place the first week of January.
CISA’s “rumor control” page was updated to include two new items on Wednesday, with CISA detailing ballot protection efforts that prevent destruction, and outlining the lengthy process voting systems go through to be certified for use by state and federal testing programs.
FACEBOOK FACES DOJ SUIT: The Trump administration is suing Facebook over allegations that the tech giant discriminated against U.S. workers by creating recruitment processes that favored temporary visa holders, according to a complaint filed by the Department of Justice (DOJ) Thursday.
The complaint alleges that Facebook created a separate hiring process for certain temporary immigration status holders, such as H-1B visa holders, and alleges Facebook did not consider U.S. workers for more than 2,600 positions with an average salary of about $156,000.
The complaint is the Trump administration’s latest action targeting a big tech company.
It follows a nearly two-year investigation and targets hiring practices between Jan. 1, 2018, and Sept. 18, 2019.
“Our message to workers is clear: if companies deny employment opportunities by illegally preferring temporary visa holders, the Department of Justice will hold them accountable. Our message to all employers — including those in the technology sector — is clear: you cannot illegally prefer to recruit, consider, or hire temporary visa holders over U.S. workers,” Assistant Attorney General Eric S. Dreiband of the Civil Rights Division said in a statement.
A Facebook spokesperson said in a statement that “while we dispute the allegations in the complaint, we cannot comment further on pending litigation.”
GOOGLE UNDER FIRE: The National Labor Relations Board (NLRB) filed a complaint against Google Wednesday alleging that the company illegally spied on and then fired two employees for organizing.
The complaint says that Google violated labor laws by surveilling and terminating Laurence Berland and Kathryn Spiers, both former engineers at the company’s San Francisco office, in 2019.
Berland was fired after organizing against Google’s decision to hire the notorious union-busting firm IRI Consultants. He had found out about the work with IRI from colleagues’ calendar events, which Google claimed was in violation of their policies.
“Google’s hiring of IRI is an unambiguous declaration that management will no longer tolerate worker organizing,” he said in a statement Wednesday. “Management and their union busting cronies wanted to send that message, and the NLRB is now sending their own message: worker organizing is protected by law.”
Spiers had created a pop-up for Google employees visiting IRI’s website that reminded them of their “right to participate in protected concerted activities.”
“This week the NLRB issued a complaint on my behalf,” she said. “They found that I was illegally terminated for trying to help my colleagues.”
Google has previously defended the firings, arguing that the two workers had violated company policy.
MODERATING ONLINE HATE: Social media giants Twitter and Facebook are working on plans to update how they handle hate speech on their platforms after mounting scrutiny from civil rights groups.
Twitter is expanding its hateful conduct policy to prohibit language that “dehumanizes people on the basis of race, ethnicity, or national origin,” the company announced Wednesday.
Posts with such language may be removed from Twitter if reported, and users who repeatedly break the rule may have their accounts temporarily locked or suspended.
The update expands the company’s hateful conduct policy, which previously included prohibiting language that dehumanizes others on the basis of religion or caste, as well as on the basis of age, disability or disease.
Facebook is also updating how it handles hate speech online, a company spokesperson confirmed to The Hill.
The company is overhauling its algorithm that detects hate speech as part of a project first reported by The Washington Post on Thursday.
YOUTUBE TO WARN USERS: YouTube will begin warning users before they post comments that may be offensive to other people, the company announced Thursday.
The new feature is part of the video-sharing platform’s efforts to address widespread racist and homophobic harassment targeted at creators by commenters and other accounts.
YouTube will also begin proactively asking users to provide demographic information in an effort to find patterns of hate speech “that may affect some communities more than others.”
The company last December beefed up its policy on harassment, saying it would be taking a stricter stance on “veiled or implied threats” moving forward.
The company touts that since the beginning of 2019 it has increased the number of daily hate speech comment removals by 46-fold.
However, hateful content remains rampant on the platform.
The strategy of warning users that their comments may be offensive has been tested by other platforms.
TRUMP DOUBLES DOWN ON SECTION 230 REPEAL: President Trump doubled down Thursday on his calls for Republicans to include the repeal of a legal protection for tech companies in a must-pass defense policy bill after many in the GOP pushed back on tying the two issues together.
In a tweet, Trump recognized the Republican criticism of his proposal but said repealing Section 230, a provision that protects tech firms from liability over third-party content on their platforms, is a “MUST.”
Trump has railed against social media platforms throughout his tenure over unsubstantiated claims that companies such as Twitter and Facebook are unfairly censoring conservative content. He views a repeal of Section 230 as a prime way of hitting back at the firms, and his criticism has ramped up in recent weeks as the platforms flag his posts featuring unfounded claims of widespread voter fraud in the presidential race.
IMPENDING ANTITRUST SUIT: New York is leading a group of states in a Facebook antitrust investigation and the states plan to sue the tech giant next week, Reuters reported Thursday, citing unnamed sources.
The state-led complaint would be the second major lawsuit filed against a major tech company in the U.S. this year, following the Justice Department’s lawsuit against Google in October.
More than 40 states plan to sign the lawsuit, a source told Reuters. The source did not name which states will be part of the effort.
Spokespeople for Facebook and the New York attorney general’s office declined to comment to Reuters, and the spokespeople did not immediately respond to a request for comment when contacted by The Hill.
Details of what the states plan to include in the complaint are not known, Reuters reported.
An op-ed to chew on: ‘Wise Men’ redux: The Biden national security team
NOTABLE LINKS FROM AROUND THE WEB:
Google’s Co-Head of Ethical AI Says She Was Fired for Email (Bloomberg / Dina Bass, Shelly Banjo, and Mark Bergen)
How Microsoft crushed Slack (Platformer and The Verge / Casey Newton)
How an ICE Contractor Tracks Phones Around the World (Motherboard / Joseph Cox)
Cyber Command deployed personnel to Estonia to protect elections against Russian threat (CyberScoop / Shannon Vavra)