Category Archives: Law

U.S. Charges 4 Chinese Military Members in Equifax Breach

The U.S. Department of Justice said that four members of the People’s Liberation Army, an arm of the Chinese military, have been charged with breaking into the networks of the Equifax credit reporting agency, and stealing personal information of tens of millions of Americans, according to the Associated Press.

This is specifically regarding the data breach that Equifax experienced on July 29, 2017 (which it failed to announce until September of 2017). The Federal Trade Commission announced in July of 2019 that Equifax had agreed to pay at least $575 million, and potentially up to $700 million, as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 states and territories.

The U.S. Justice Department posted today remarks from Attorney General William Barr, in which he announced the indictment of the four “Chinese military hackers”. Here is a small portion of those remarks:

…Today’s announcement comes after two years of investigation. According to the nine-count indictment handed down by a grand jury in Atlanta, four members of the Chinese People’s Liberation Army, or PLA – Wang Qian, Wu Zhiyong, Xu Ke, and Liu Lei – are alleged to have conspired to hack Equifax’s computer systems and commit economic espionage. In doing so, they are alleged to have damaged Equifax’s computer systems and to have committed wire fraud….

TechCrunch reported that the four alleged hackers were said to be part of the APT10 group, a notorious Beijing-backed hacking group that was previously blamed for hacking into dozens of major U.S. companies and government systems, including HPE, IBM, and NASA’s Jet Propulsion Laboratory.


Department of Justice Charged Evil Corp Hackers with Bank Fraud

The U.S. Department of Justice (and the United Kingdom’s National Crime Agency) announced the unsealing of criminal charges against a 32-year-old hacker who goes by the name “aqua”, of Moscow, Russia. He has been charged with international computer hacking and bank fraud schemes that started in 2009 and spanned a decade. In addition, a second person from Yoshkar-Ola, Russia, was indicted for his role in the “Bugat” malware conspiracy.

Wired reported that these hackers were part of a group called Evil Corp, through which they siphoned off tens of millions of dollars from unwitting victims. Wired provided a good explanation of what the hackers were allegedly doing.

They’d convince victims to click on a malicious link in a phishing email to download Bugat. Once installed, the malware would use a variety of techniques to steal: a keylogger to grab passwords, or creating fake banking pages to trick someone into voluntarily entering their credentials. Armed with that information, the hackers would arrange for electronic funds transfers from victim bank accounts to a network of so-called money mules, who would then get the funds back to Evil Corp.

While I do not condone what these two individuals allegedly did, I cannot help but laugh at the name they chose. Evil Corp sounds like something the bad guy in a cartoon would name their organization.

The name is also used in Mr. Robot, where one of the characters refers to a multinational conglomerate called E Corp as “Evil Corp”. One of the plot lines in Mr. Robot involves hackers wiping out E Bank (the most prominent portion of E Corp) in an effort to free millions of people from debt. To me, it seems like the hackers picked the most obvious name imaginable!


Germany Shuts Down Illegal Data Center in Former NATO Bunker

The Associated Press reported that German investigators arrested seven people in connection with an illegal data processing center that was installed in a former NATO bunker. It was located in Traben-Trarbach, a town near the Mosel River in western Germany.

According to the Associated Press, the German investigators believe the facility served a number of dark web sites. Among them were “Wall Street Market” (drugs, hacking tools, financial-theft wares), “Cannabis Road” (drugs), and “Orange Chemicals” (synthetic drugs). The authorities also believe that a 2016 botnet attack on the German telecommunications company Deutsche Telekom was launched from this data center.

Krebs on Security posted a drawing of the bunker. According to Krebs on Security, German police reportedly seized $41 million worth of funds allegedly tied to the markets mentioned above, and more than 200 servers that were operating throughout the underground, temperature-controlled, ventilated, and closely guarded facility. Krebs on Security also reported that German authorities seized at least two Web domains in the raid.

Deutsche Welle reported that in Germany, service providers cannot be prosecuted for hosting illegal websites unless it can be proven that they are aware of and supporting the illegal activity.

From what I’ve been reading about this, it appears that some of the people who were arrested, and some who are being investigated, are allegedly connected to other crimes beyond the illegal data processing center. If so, it seems likely that many people involved will end up with some legal consequences.


California Bill AB5 Turns Contract Workers into Employees

California’s Assembly Bill 5 (AB5) will reclassify many contract workers in California into full employees with benefits. It doesn’t cover all types of contract workers, and is anticipated to affect companies like Uber and Lyft the most.

The New York Times reported that AB5 passed the California State Senate in a 29 to 11 vote. California’s Governor, Gavin Newsom, endorsed the bill this month and is expected to sign it. If signed, the measure will go into effect on January 1, 2020. State Senator Maria Elena Durazo (Democrat – Los Angeles) authored the bill.

The bill redefines “employee” using an existing law that includes an “ABC” test to establish whether a worker is an independent contractor or an employee. It says a worker is an employee if the worker’s tasks are performed under a company’s control; those tasks are central to that company’s business; and the worker does not have an independent enterprise in that trade.

Those who are considered employees under this bill will have access to basic protections such as a minimum wage, unemployment insurance, and perhaps access to health insurance coverage.

Personally, I am an independent contract worker – not an employee. None of the work I do for a living could be considered “central to that company’s business”. That said, people who are part of the gig economy and who drive for companies that produce ride-hailing apps could be considered employees. They are doing the work that is central to the business of Uber, Lyft, and DoorDash.

According to The New York Times, Uber and Lyft have “repeatedly warned that they will have to start scheduling drivers in advance if they are employees, reducing drivers’ ability to work when and where they want”. But this is nonsense. There is absolutely nothing in AB5 that requires companies to “schedule drivers in advance”. It is possible that Uber and/or Lyft will retaliate by raising the prices for rides – but this will ultimately backfire because public transit is always going to be less expensive.

There are lists of professions that are exempt from AB5. Those professions include: doctors, dentists, psychologists, insurance agents, stockbrokers, lawyers, accountants, engineers, direct sellers, real estate agents, hairstylists, commercial fishermen, travel agents, and graphic designers.


U.S. Department of Justice Announced Antitrust Review of Big Tech

The United States Department of Justice announced that the Department’s Antitrust Division is reviewing whether and how market-leading platforms have achieved market power and are engaging in practices that have reduced competition, stifled innovation, or otherwise harmed consumers.

The Department’s review will consider the widespread concerns that consumers, businesses, and entrepreneurs have expressed about search, social media, and some retail services online. The Department’s Antitrust Division is conferring with and seeking information from the public, including industry participants who have direct insight into competition in online platforms, as well as others.

The Wall Street Journal reported that the inquiry by the Justice Department adds “a new Washington threat for companies such as Facebook Inc., Google, Amazon.com Inc., and Apple Inc.”

CNBC reported: “The move is the strongest by Attorney General William Barr towards Big Tech, which faces increased scrutiny from both political parties because of the expanded market power the companies have and the tremendous amount of consumer data they control”.

CNBC also reported that shares of Facebook, Alphabet, and Amazon all fell more than 1% immediately after the announcement and that Apple’s stock also dropped.

This follows the European Commission’s antitrust investigation to assess whether Amazon’s use of sensitive data from independent retailers who sell on Amazon’s marketplace is in breach of EU competition rules.

There have been several investigations, by other countries, regarding questionable practices by the big technology companies.

It seems to me that the more investigations that happen, the less likely it is that all of these big tech companies will come away from this without facing penalties, fines, or requirements that they make changes.


California Law Bans Bots from Pretending to be Real People

California has passed a law that went into effect on July 1, 2019. It amends part of the state’s existing Business and Professions Code. The purpose of the amendment is to require bots to make it clear that they are not human.

The “Bots: disclosure” amendment includes the following:

It shall be unlawful for any person to use a bot to communicate with or interact with another person in California online, with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving the person about the content of the communication in order to incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election. A person using a bot shall not be liable under this section if the person discloses that it is a bot.

A “bot” is defined as: “an automated online account where all or substantially all of the actions or posts of that account are not the result of a person.”

A “person” is defined as: “a natural person, corporation, limited liability company, partnership, joint venture, association, estate, trust, government, governmental subdivision or agency, or other legal entity or any combination thereof.”

According to The New Yorker “Violators could face fines under the statutes related to unfair competition.” The article points out that California is “testing society’s resolve to get our (virtual) house in order after more than two decades of a runaway Internet.”

The legislation is a California state law. This means that the person behind a bot will have to disclose that it is a bot if it communicates with people who live in California. In practice, though, those who are running bots will likely have to disclose that they are a bot to everyone on social media by default, in order to avoid being fined under California’s law.


Two Senators Introduced Bill to Ban “Dark Patterns”

Two U.S. Senators, Mark Warner (Democrat – Virginia) and Deb Fischer (Republican – Nevada), have introduced a bill that, if passed into law, would prohibit large online platforms from using deceptive user interfaces, known as “dark patterns”, to trick consumers into handing over their personal data.

The Deceptive Experiences To Online Users Reduction (DETOUR) Act would ban online social media companies, such as Facebook and Twitter, from tricking consumers into giving up their personal data.

The bill also would ban online platforms with more than 100 million monthly users from designing addictive games or other websites for children under the age of 13.

A press release from both Senators includes a description of dark patterns:

Dark patterns can take various forms, often exploiting the power of defaults to push users onto agreeing to terms stacked in the favor of the service provider. Some examples include: a sudden interruption during the middle of a task repeating until the user agrees to consent; a deliberate obscuring of alternative choices or settings through design or other means; or the use of privacy settings that push users to ‘agree’ as the default option, while users looking for more privacy-friendly options often must click through a much longer process, detouring through multiple screens. Other times, users cannot find the alternative option, if it exists at all, and simply give up looking.

The DETOUR Act does the following:

  • Enables the creation of a professional standards body, which can register with the FTC to focus on best practices surrounding user design for large online operators. It would act as a regulatory body, providing updated guidance to platforms on practices that impair user autonomy, decision-making, or choice, and positioning the FTC to act as a regulatory backstop.
  • Prohibits segmenting consumers for the purpose of behavioral experiments, unless with a consumer’s informed consent. This includes routine disclosures for large online operators, not less than once every 90 days on any behavioral or psychological experiments to users and the public.
  • Prohibits user design intended to create compulsive usage among children under 13 years old.

To me, it sounds like the DETOUR bill was written with Facebook in mind. In 2014, Facebook apologized for conducting secret psychological tests on nearly 700,000 of its users in 2012. I also think the DETOUR bill could potentially be used to prevent large video game companies and platforms from using dark patterns.