US Changes Stance on Wassenaar Arrangement Hacking Amendment; FCC Proposes Privacy Rules for Internet Providers; New Jersey Supreme Court Unanimously Approves Roving Wiretaps; FTC Commissioner Opposes Encryption Backdoor Legislation

US Changes Stance on Wassenaar Arrangement Hacking Amendment

Last week, the U.S. executive branch announced that it will change its stance on the 2013 amendment to the Wassenaar Arrangement that closely regulates the international export of cyber hacking and surveillance technology. This is a big win for the private sector. Indeed, industry has long been critical of this amendment to the Wassenaar Arrangement, a multilateral export control regime with 41 participating states, because of its potential to chill and stifle innovation in cybersecurity. The controversy over this rule has highlighted the difficulty of applying export controls, which are usually restricted to physical items, to the virtual world. Now, the U.S. faces the daunting task of convincing the 40 other countries in the Arrangement to agree with its new position before the controversial amendment can be formally changed.

FCC Proposes Privacy Rules for Internet Providers

After much anticipation, on March 10 the FCC unveiled its proposed broadband privacy rules, which will be voted on by the full commission at its March 31 open meeting.  According to the fact sheet published alongside the rules, the FCC sought to emphasize customer choice, transparency, and security. Generally, the proposed requirements parallel requirements of other consumer privacy efforts, such as the proposed SPY CAR Act, where lawmakers have sought to require industry to better inform consumers about the use and collection of their data.

Among other things, the proposed rules would oblige providers to obtain customer consent via an “opt-in” to use customer data outside of marketing for “communications-related services.”  The proposed rules also require ISPs to take “reasonable steps” to safeguard customer information.   Those reasonable steps include, “at a minimum,” adopting risk management practices, instituting personnel training practices, adopting strong consumer authentication requirements, identifying senior management responsible for data security, and taking responsibility for the use and protection of customer information when shared with third parties.  Providers must also notify consumers, the Commission, the FBI, and the Secret Service in the event of some breaches.

New Jersey Supreme Court Unanimously Approves Roving Wiretaps

In a unanimous 6-0 decision, the New Jersey Supreme Court has decided to permit law enforcement to obtain so-called “roving wiretaps,” phone taps that move among the various phones that a target may use. Many have challenged the constitutionality of roving wiretaps, arguing that the taps violate the particularity requirement of state and federal constitutions, which requires a warrant to state “with particularity” the “place to be searched.” The New Jersey Supreme Court, however, found the controversial form of surveillance constitutional. It emphasized the practical consequences of failing to allow law enforcement to use this tool. Without it, the Court reasoned, criminals could easily thwart surveillance by changing phones.

However, the New Jersey Supreme Court’s opinion also provided some privacy safeguards.   Under the Court’s rule, prosecutors must show that a subject has made a “purposeful choice to thwart detection by switching phones” and notify the court within 48 hours of implementing a roving tap.   These additional steps are not required under the current federal wiretap regime, providing yet another example of where state laws have required greater privacy protection than federal law.

FTC Commissioner Opposes Encryption Backdoor Legislation

Wading into the FBI versus Apple battle, FTC Commissioner Terrell McSweeny announced at the Telecommunications Industry Conference this week that she would oppose laws that require tech companies to provide encryption keys to law enforcement. Emphasizing how such legislation might affect emerging technology, particularly the internet of things (IoT), Commissioner McSweeny warned, “If we’re ever going to have effective telemedicine, connected cars, or secure financial payment systems, we cannot legislate vulnerabilities into our devices.”

Taking a firm stance, Commissioner McSweeny argued that bills requiring an encryption backdoor “weaken privacy–based security for consumers.”   Commissioner McSweeny’s comments highlight the tension between two government agendas – law enforcement and consumer protection.  Like last week’s Eastern District of New York opinion, Commissioner McSweeny’s public position shows an increasing reluctance among policy-makers to support the FBI’s position in the encryption backdoor dispute.