US Changes Stance on Wassenaar Arrangement Hacking Amendment; FCC Proposes Privacy Rules for Internet Providers; New Jersey Supreme Court Unanimously Approves Roving Wiretaps; FTC Commissioner Opposes Encryption Backdoor Legislation
US Changes Stance on Wassenaar Arrangement Hacking Amendment
Last week, the U.S. executive branch announced that it will change its stance on the 2013 amendment to the Wassenaar Arrangement that closely regulates the international export of cyber hacking and surveillance technology. This is a big win for the private sector. Indeed, industry has long been critical of this amendment to the Wassenaar Arrangement, a multilateral export control regime with 41 participating states, because of its potential to chill and stifle innovation in cybersecurity. The controversy over this rule has highlighted the difficulty of applying export controls, which are usually restricted to physical items, to the virtual world. Now, the U.S. faces the daunting task of convincing the 40 other countries in the Arrangement to agree with its new position before the controversial amendment can be formally changed.
FCC Proposes Privacy Rules for Internet Providers
After much anticipation, on March 10 the FCC unveiled its proposed broadband privacy rules, which will be voted on by the full commission at its March 31 open meeting. According to the fact sheet published alongside the rules, the FCC sought to emphasize customer choice, transparency, and security. Generally, the proposed requirements parallel requirements of other consumer privacy efforts, such as the proposed SPY CAR Act, where lawmakers have sought to require industry to better inform consumers about the use and collection of their data.
Among other things, the proposed rules would oblige providers to obtain customer consent via an “opt-in” to use customer data outside of marketing for “communications-related services.” The proposed rules also require ISPs to take “reasonable steps” to safeguard customer information. Those reasonable steps include, “at a minimum,” adopting risk management practices, instituting personnel training practices, adopting strong consumer authentication requirements, identifying senior management responsible for data security, and taking responsibility for the use and protection of customer information when shared with third parties. Providers must also notify consumers, the Commission, the FBI, and the Secret Service in the event of some breaches.