from Net Politics and Digital and Cyberspace Policy Program

Cyber Week in Review: September 25, 2015

Xi Obama Net Politics Cyber CFR

September 25, 2015

Blog Post
Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.

Here is a quick round-up of this week’s technology headlines and related stories you may have missed:

  • The United States and China have negotiated a cybersecurity deal in which both parties agree to not engage in economic espionage that benefits domestic companies. Compliance will be gauged by way of CERT-to-CERT cooperation, a pledge to address each other’s law enforcement requests with prompt, concrete investigations and follow-ups. A “high-level joint dialogue mechanism” will allow ministerial leaders (Ministry of State Security, Ministry of Public Security, Ministry of Justice and State Internet Information Office for China and Homeland Security and the Department of Justice, supported by the intelligence community for the United States) to discuss the cybercrime probes, reassess goals, and explore relevant issues twice per year, starting at the end of 2015. While effective implementation remains crucial--and many cyber watchers are skeptical--the agreement establishes an explicit framework for evaluating each other’s commitments. Certainly it reflects what Chinese President Xi Jinping would call “win-win cooperation.” Rob Knake has some early reactions here.
  • Indian Telecommunications Minister Ravi Shankar Prasad withdrew a controversial draft of a national encryption policy proposal in light of widespread backlash about privacy concerns. The proposal would have required Indian citizens to save plaintext copies of their encrypted communications for ninety days in case they were requested by law enforcement. Although the Indian government later included an addendum to clarify that the policy would not cover standard social media usage on WhatsApp, Facebook, and other services, the entire draft was removed shortly after its posting. It is possible that Prime Minister Narendra Modi’s forthcoming trip to Silicon Valley also played a role in its withdrawal, as he probably would not want the issue to overshadow his visit. Similarly, the White House is investigating options to assuage law enforcement’s concerns with universal encryption, but according to the Washington Post, the White House is unlikely to support legislation that would require companies to build mechanisms to decrypt user data.
  • The French Commission Nationale de l’Informatique et des Libertés (CNIL) rejected Google’s appeal of an order requiring the company to remove links under the EU’s right to be forgotten rules. Google appealed the order on the grounds that CNIL was trying to apply European law extraterritorially by requiring the search giant to remove links from all of its domains, not just the ones in Europe. CNIL rejected that argument, noting that Google’s solution was too easy to bypass. Instead, it seems that CNIL wants Google to render the links inaccessible in Europe, irrespective of the domain name used. Unless Google complies with the decision, the search giant faces fines of approximately 300,000 euros according to the Guardian.
  • Advocate General for the European Court of Justice Yves Bot has come out in favor of terminating the EU-U.S. Safe Harbor agreement that enables the flow of personal data between the two regions, citing anxieties about U.S. surveillance practices and their impact on European citizens. While the claims may worry tech companies and embolden privacy proponents, they could amount to nothing since the European Union and the United States are already renegotiating the terms of the Safe Harbor pact, which could include greater protections for EU citizens.
  • Two untraditional bug bounties made headlines this week. According to Bloomberg, Russia has abandoned its offer to pay $59,000 for an exploit that would allow it to uncover users of the Tor anonymity network. Meanwhile, Wired reported that a new exploit acquisition firm called Zerodium has offered $1 million (up to three times over) for “an exclusive, browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices.”