Cyber Week in Review: December 4, 2015
from Net Politics and Digital and Cyberspace Policy Program

CFR Cyber Net Politics
More on:

Pakistan

China

United States

Congresses and Parliaments

Cybersecurity

Here is a quick round-up of this week’s technology headlines and related stories you may have missed:

  • United States and Chinese officials, led respectively by Secretary of Homeland Security Jeh Johnson and Minister of Public Security Guo Shengkun, met in Washington, DC, on Tuesday for the first round of a high-level dialogue on cybercrime. The two sides agreed on guidelines for jointly combating cybercrime, announced a joint cybersecurity tabletop exercise to be held in spring 2016, and began planning a hotline for cyber issues. The next round of the dialogue will be in Beijing in June 2016. The meeting came as China’s state news service reported that the cyber-enabled theft of personal information from the U.S. Office of Personnel Management (OPM) was conducted by criminals, rather than state-sponsored actors as U.S. lawmakers have claimed. The Washington Post also reported that China arrested suspects in relation to the OPM hack in September, prior to Chinese President Xi Jinping’s state visit to the United States, although some Chinese media reports dispute this account.
  • BlackBerry will no longer operate in Pakistan, the company announced Monday. BlackBerry provides encrypted e-mail and messaging services to its corporate clients through its BlackBerry Enterprise Servers (BES), which prevents the Pakistani intelligence services from achieving their surveillance goals. When the company refused to build encryption backdoors, Pakistan’s telco regulator ordered mobile network operators to shut down access to BlackBerry servers, which would essentially make the handsets useless. The short-term impact of BlackBerry’s decision on Pakistanis is likely to be minimal, as the company holds just 0.3 percent of the world smartphone market. However, as mobile device makers increasingly move to end-to-end encryption, we may see similar showdowns between Pakistani regulators and bigger phone manufacturers like Apple and Samsung. In other encryption news, my colleague Matt Waxman has a good roundup of Israeli encryption policy over at Lawfare.
  • Pakistan is not the only central Asian government that’s trying to limit Internet freedom. Kazakhstan’s primary telecommunications provider, Kazakhtelecom JSC, announced Monday that it and other telcos are "obliged" by law to conduct surveillance on HTTPS connections to addresses outside the country. Starting next year, Kazakhtelecom will require all users to install a "national security certificate" on their Internet-enabled devices that will trick programs into thinking the telecom’s servers are the legitimate websites users intended to visit. This will allow Kazakhtelecom to man-in-the-middle any encrypted connection to servers outside the country, giving it the power to see all the online activity of its users. Some commentators have called it a cheap version of China’s Great Firewall, although the two are fundamentally different systems with similar effects. Although the company subsequently pulled the announcement from its website, you can expect it to come back soon; Kazakhstan has one of the worst records in the world for online freedom.
  • Max Schrems’ crusade against Facebook isn’t over yet. In October, the Austrian grad student’s case against the Irish data protection authority resulted in the Court of Justice of the European Union (CJEU) invalidating the Safe Harbor framework that governed data transfers between the EU and the United States. In letters to data regulators in Ireland, Belgium, and Germany this week, Schrems calls on the authorities to suspend all data flows from Facebook’s local subsidiaries to the U.S.-based company, ahead of the January 2016 deadline EU regulators have given companies to change their practice. January 2016 is also the self-imposed deadline that EU regulators set to have a new Safe Harbor framework in place, but that seems increasingly unlikely. EU officials said this week that they’d like to give national data regulators a greater role in ascertaining that the privacy of EU citizens is protected in the United States. The good news is that the Judicial Redress Act currently being considered by Congress could help move the negotiations forward. The bad news is that it’s not looking like it will be passed any time soon. Meanwhile, the Dutch minister of justice says he doesn’t expect a conclusion to the Safe Harbor negotiations any time soon.
  • A House Judiciary Committee hearing Tuesday examined the Email Privacy Act, which has languished in Congress for two and a half years despite having more than three hundred cosponsors and broad support from the tech industry. The bill would update the Electronic Communications Privacy Act (ECPA) to require the government to obtain a warrant before accessing emails more than 180 days old, rather than seizing them with a subpoena, as ECPA allows. Federal regulators and law enforcement officials are concerned this revision would tie their hands, and at the hearing, House Judiciary Committee Chairman Bob Goodlatte (R-VA) reiterated these apprehensions. Goodlatte said that while he supports the “core” of the bill, he wants an exception allowing the government to demand information from tech companies without a warrant when it has determined that an “emergency” exists. It’s unclear when the bill might get a vote in the committee.
