Government - CyberScoop
https://cyberscoop.com/news/government/
Fri, 30 Jun 2023 15:55:34 +0000

CISA election security lead Kim Wyman to leave agency
https://statescoop.com/kim-wyman-leave-agency-election-security/
Fri, 30 Jun 2023 15:55:33 +0000
Wyman, who previously served as Washington state's top election official, will step down as CISA's top election security adviser.

The post CISA election security lead Kim Wyman to leave agency appeared first on CyberScoop.

Does the world need an arms control treaty for AI?
https://cyberscoop.com/ai-danger-arm-control-nuclear-proliferation/
Thu, 29 Jun 2023 14:33:06 +0000
Organizations like the IAEA offer an imperfect but instructive model for designing systems to control AI proliferation.

The post Does the world need an arms control treaty for AI? appeared first on CyberScoop.

At the dawn of the atomic age, the nuclear scientists who invented the atomic bomb realized that the weapons of mass destruction they had created desperately needed to be controlled. Physicists such as Niels Bohr and J. Robert Oppenheimer believed that as knowledge of nuclear science spread so, too, would bombs. That realization marked the beginning of the post-war arms control era.

Today, there’s a similar awakening among the scientists and researchers behind advancements in artificial intelligence. If AI really poses an extinction threat to humankind — as many in the field claim — many experts in the field are examining how efforts to limit the spread of nuclear warheads might control the rampant spread of AI.

Already, OpenAI, the world’s leading AI lab, has called for the formation of “something like” an International Atomic Energy Agency — the global nuclear watchdog — but for AI. United Nations Secretary General Antonio Guterres has since backed the idea, and rarely a day goes by in Washington without one elected official or another expressing a need for stricter AI regulation.

Early efforts to control AI — such as via export controls targeting the chips that power bleeding-edge models — show how tools designed to control the spread of nuclear weapons might be applied to AI. But at this point in the development of AI, it’s far from certain that the arms control lessons of the nuclear era translate elegantly to the era of machine intelligence.

Arms control frameworks for AI

Most concepts of controlling the spread of AI models turn on a quirk of the technology. Building an advanced AI system today requires three key ingredients: data, algorithms and computing power — what the researcher Ben Buchanan popularized as the “AI Triad.” Data and algorithms are essentially impossible to control, but only a handful of companies build the type of computing power — powerful graphics processing units — needed to build cutting-edge language models. And a single company — Nvidia — dominates the upper end of this market. 

Because leading AI models are reliant on high-end GPUs — at least for now — controlling the hardware for building large language models offers a way to use arms control concepts to limit proliferation of the most powerful models. “It’s not the best governance we could imagine, but it’s the best one we have available,” said Lennart Heim, a researcher at the Centre for the Governance of AI, a British nonprofit, who studies computing resources.

U.S. officials have in recent months embarked on an experiment that offers a preview of what an international regime to control AI might look like. In October, the U.S. banned the export of high-end GPUs to China and the chip making equipment necessary to make the most advanced chips, attempting to prevent proliferation of advanced AI models to China. “If you look at how AI is currently being governed,” Heim said, “it’s being governed right now by the U.S. government. They’re making sure certain chips don’t go to China.” 

Biden administration officials are now considering expanding these controls to lagging-edge chips and limiting Chinese access to cloud computing resources, moves that would further cut Beijing off from the hardware it needs to build competitive AI models.

While Washington is the driving force behind these export controls, which are aimed at ensuring U.S. supremacy in microelectronics, quantum computing and AI, it also relies on allies. In restricting the flow of chips and chipmaking equipment to China, the U.S. has signed up support from other key manufacturers of such goods: the Netherlands, Japan, South Korea and Taiwan.

By virtue of their chokehold on the chips used to train high-end language models, these countries are showing how the spread of AI models might be checked via what for now are ad hoc measures that might one day be integrated into an international body.

But that’s only one half of the puzzle of international arms control. 

Carrots and sticks

In the popular imagination, the IAEA is an organization primarily charged with sending inspectors around the world to ensure that peaceful nuclear energy programs aren’t being subverted to build nuclear bombs. The less well-known work of the agency facilitates the transfer of nuclear science. Its basic bargain is something like this: sign up to the Nuclear Non-Proliferation Treaty, pledge not to build a bomb and the IAEA will help you reap the benefits of peaceful nuclear energy. 

“That’s the big reason that most states are enthusiastic about the IAEA: They’re in it for the carrots,” said Carl Robichaud, who helps lead the existential risk and nuclear weapons program at Longview Philanthropy, a nonprofit based in London. “They show up in Vienna in order to get assistance with everything from radiotherapy to building nuclear power plants.”

Building an international control regime of this sort for AI requires considering how to first govern the spread of the technology and then how to make its benefits available, argues Paul Scharre, the executive vice president and director of studies at the Center for a New American Security in Washington. By controlling where advanced AI chips go and who amasses them, licensing the data centers used to train models and monitoring who is training very capable models, such a regime could control the proliferation of these models, Scharre argued.

Countries that buy into this arrangement would then gain easier access to very capable models for peaceful use. “If you want to access the model to do scientific discovery, that’s available — just not to make biological weapons,” Scharre said.

These types of access controls have grown more feasible as leading AI labs have abandoned the open source approach that has been a hallmark of the industry in recent years. Today, the most advanced models are only available via online apps or APIs, which allows for monitoring how they are used. Controlling access in this way — both to monitor use and to provide beneficial access — is essential for any regime to control the spread of advanced AI systems, Scharre argued. 

But it’s not clear that the economic incentives of participating in such a regime translate from the world of nuclear arms control to AI governance. Institutions like the IAEA help to facilitate the creation of capital and knowledge intensive nuclear energy industries, and it’s unclear whether similar hurdles exist for AI to incentivize participating in an arms control regime.

“I like the idea of an international agency that helps humanity benefit more equitably from AI and helps this technology reach and help everyone. It’s not clear right now that there is market failure as to why that wouldn’t happen,” Robichaud said.

It’s also not clear that access controls can be maintained in the long run. Unlike nuclear weapons, which are fairly large physical devices that are difficult to move around, AI models are just software that can be easily copied and spread online. “All it takes is one person to leak the model and then the cat’s out of the bag,” Scharre said.

That places an intense burden on AI labs to keep their products from escaping the lab — as has already occurred — and is an issue U.S. policymakers are trying to address.

In an interview with CyberScoop, Anne Neuberger, a top White House adviser on cybersecurity and emerging technology, said that as leading AI firms increasingly move away from open source models and seek to control access, the U.S. government has carried out defensive cybersecurity briefings to leading AI firms to help ensure that their models aren’t stolen or leaked.

What are we trying to prevent?

When AI safety researchers speak of the potentially existential threat posed by AI — whether that be a flood of disinformation or the development of novel biological weapons — they are speculating. Looking at the exponential progress of machine learning systems in the past decade, many AI safety researchers believe that if current trends hold, machine intelligence may very well surpass human intelligence. And, if it does, there’s reason to think machines won’t be kind to humans.

But that isn’t a sure thing, and it’s not clear exactly what catastrophic AI harms the future holds that need to be prevented today. That’s a major problem for trying to build an international regime to govern the spread of AI. “We don’t know exactly what we’re going to need because we don’t know exactly what the technology is going to do,” said Robert Trager, a political scientist at the University of California, Los Angeles, studying how to govern emerging technology. 

In trying to prevent the spread of nuclear weapons, the international community was inspired by the immense violence visited upon Hiroshima and Nagasaki. The destruction of these cities provided an illustration of the dangers posed by nuclear weapons technology and an impetus to govern their spread — which only gained momentum with the advent of more destructive thermonuclear bombs. 

By contrast, the catastrophic risks posed by AI are theoretical and draw from the realm of science fiction, which makes it difficult to build the consensus necessary for an international non-proliferation regime. “I think these discussions are suffering a little bit from being maybe ahead of their time,” said Helen Toner, an AI policy and safety expert at the Center for Security and Emerging Technology at Georgetown University and who sits on OpenAI’s board of directors.

If 10 or 20 years from now, companies are building AI systems that are clearly reaching a point where they threaten human civilization, “you can imagine there being more political will and more political consensus around the need to have something quite, quite strong,” Toner said. But if major treaties and conventions are the product of tragedy and catastrophe, those arguing for AI controls now have a simple request, Toner observes: “Do we have to wait? Can we not skip that step?”

But that idea hasn’t broken through with policymakers, who appear more focused on immediate risks, such as biased AI systems and the spread of misinformation. Neuberger, the White House adviser, said that while international efforts to govern AI are important, the Biden administration is more focused on how the technology is being used and abused today and what steps to take via executive order and congressional action before moving to long-term initiatives.

“There’s a time sequence here,” Neuberger said. “We can talk about longer term efforts, but we want to make sure we’re focusing on the threats today.”

In Europe, where EU lawmakers are at work on a landmark AI Act, which would limit its use in high-risk contexts, regulators have taken a similarly skeptical approach toward the existential risks of AI and are instead focusing on how to address the risks posed by AI as it is used today.

The risk of extinction might exist, “but I think the likelihood is quite small,” the EU’s competition chief Margrethe Vestager recently told the BBC. “I think the AI risks are more that people will be discriminated [against], they will not be seen as who they are.”

Long-term control

Today’s leading AI models are built on a foundation of funneling ever more data into ever more powerful data centers to produce ever more powerful models. But as the algorithms that process that data become more efficient it’s not clear that ever more powerful data centers — and the chips that power them — will be necessary. As algorithms become more efficient, model developers “get better capability” for “less compute,” Heim from the Centre for the Governance of AI explains. In the future, this may mean that developers can train far more advanced models with less advanced hardware.

Today, efforts to control the spread of AI rest on controlling hardware, but if having access to the most advanced hardware is no longer essential for building the most advanced models, the current regime to control AI crumbles.

These shifts in training models are already taking place. Last year, researchers at Together, an open source AI firm, trained a model known as GPT-JT using a variety of GPUs strung together using slow internet speeds — suggesting that high-performing models could be trained in a decentralized manner by linking large numbers of lagging-edge chips. And as publicly available, ever more capable open source models proliferate, the moat separating AI labs from independent developers continues to narrow — or may disappear altogether.  

What’s more, arguments about the role of algorithmic efficiency making compute less relevant don’t account for entirely new approaches to training models. Today’s leading models rely on a compute-intensive transformer architecture, but future models may use some entirely different approach that would undermine efforts today to control AI models, Toner observes. 

Moreover, arms control experts observe that past efforts to control the spread of dangerous weapons should force a measure of humility on any policymaker trying to control the spread of AI. In the aftermath of World War II, President Truman and many of his key aides, ignoring their scientific advisers, convinced themselves that it would take the Soviet Union decades to build an atomic bomb — when it only took the Kremlin five years. And in spite of export controls, China succeeded in building “2 bombs and 1 satellite” — an atomic bomb, a thermonuclear bomb and a space program. 

That history makes Trager, the political scientist, skeptical about “grand visions for what export restrictions can do.” 

With private companies currently conducting the most advanced AI research, efforts to control the technology have understandably focused on managing industry, but in the long run, military applications may be far more concerning than commercial applications. And that does not bode well for arms control efforts. According to Trager, there is no example in history of major powers “agreeing to limit the development of a technology that they see as very important for their security, and for which they don’t have military substitutes.”

But even if arms control frameworks are imperfect vessels for regulating AI, arms control regimes have evolved over time and grown more stringent to deal with setbacks. The discovery of Iraq’s nuclear program in the 1990s, for example, spurred the creation of additional protocols to the Non-Proliferation Treaty. 

“We’re 80 years into the nuclear age, and we haven’t had a detonation in wartime since 1945 and we only have nine nuclear-armed states,” Robichaud from Longview Philanthropy argues. “We’ve gotten lucky a few times, but we’ve also built the systems that started off really weak and have gotten better over time.” 

White House releases cybersecurity budget priorities for FY 2025
https://cyberscoop.com/white-house-cybersecurity-budget-2025/
Wed, 28 Jun 2023 14:47:27 +0000
The Biden administration noted that departments and agencies are expected to follow the recently released National Cybersecurity Strategy.

The post White House releases cybersecurity budget priorities for FY 2025 appeared first on CyberScoop.

The Office of Management and Budget and the Office of the National Cyber Director released a memorandum on Tuesday outlining five cybersecurity budget priorities for federal departments and agencies for fiscal year 2025 consistent with the U.S. National Cybersecurity Strategy.

The memo also said the budget submissions should be consistent with the Biden administration’s national cyber strategy released earlier this year. The OMB and ONCD will review agencies’ upcoming budget submissions to “identify potential gaps” and “potential solutions to those gaps.”

“OMB, in coordination with ONCD, will provide feedback to agencies on whether their submissions are adequately addressed and are consistent with overall cybersecurity strategy and policy, aiding agencies’ multiyear planning through the regular budget process,” the memo said.

The five priorities in the memo are the same as those in the National Cybersecurity Strategy: defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future and forge international partnerships to pursue shared goals.

The memo comes as the White House is preparing multiple strategies such as the implementation plan for the National Cybersecurity Strategy expected this summer as well as a national cyber workforce strategy. ONCD and OMB also said that a separate memo will be released with additional guidance focused on cybersecurity research and development priorities.

The memo said federal agencies need to defend critical infrastructure by modernizing federal defenses: implementing the federal zero-trust strategy, improving baseline cybersecurity requirements and scaling public-private collaboration.

Additionally, the memo pointed out that ransomware continues to be a national security threat and that some agencies should focus on dismantling threat actors by investigating and disrupting criminal infrastructure, by “prioritiz[ing] staff to combat the abuse of virtual currency,” and by participating in interagency task forces.

Beyond that, the administration directed agencies to use their buying power to influence the cybersecurity market, to use skills-based hiring methods to strengthen the cyber workforce, follow national security memorandums surrounding a post-quantum future, strengthen international partnerships and secure global supply chains for information, communication and operational technologies.

Treasury sanctions two Russian intelligence officers for election influence operations
https://cyberscoop.com/treasury-sanctions-russian-election-influence/
Fri, 23 Jun 2023 17:12:38 +0000
The sanctions follow a grand jury indictment alleging that the officers engaged in years-long international election influence campaigns.

The post Treasury sanctions two Russian intelligence officers for election influence operations appeared first on CyberScoop.

The Treasury Department issued sanctions on Friday against two Russian intelligence officers for their alleged role in global election influence operations that included recruiting political groups within the U.S. to distribute pro-Moscow propaganda.

“The Kremlin continues to target a key pillar of democracy around the world — free and fair elections,” Brian Nelson, under secretary at the Office of Terrorism and Financial Intelligence at the Treasury Department, said in a statement. “The United States will not tolerate threats to our democracy, and today’s action builds on the whole of government approach to protect our system of representative government, including our democratic institutions and elections processes.”

Aleksey Borisovich Sukhodolov and Yegor Sergeyevich Popov, both Moscow-based officers of the Russian Federal Security Service, or FSB, were directly engaged in a years-long effort to recruit local “co-optees” to influence elections in ways that benefit the Kremlin, the Treasury said. “In support of its influence operations, Russia has recruited and forged ties with people and groups around the world who are positioned to amplify and reinforce Russia’s disinformation efforts to further its goals of destabilizing democratic societies.”

The sanctions announcement Friday follows a criminal indictment against Sukhodolov and Popov that the Department of Justice unsealed in April alleging the two were involved in a years-long campaign to influence elections. The U.S. government has also said the two are suspected of attempting to sway elections in Ukraine, Spain, the United Kingdom and Ireland.

According to the Treasury Department, Popov was the main handler for “co-optees” Aleksandr Viktorovich Ionov and Natalya Valeryevna Burlinova who were previously sanctioned by the Treasury Department and have also been indicted for their alleged activities. “From as early as 2015 through at least 2022, Popov worked with Burlinova and oversaw her activities on behalf of the FSB,” Treasury said.

Ionov and Burlinova influenced multiple U.S. individuals and political groups, all in an effort “to create or heighten divisions within the country,” according to a sanctions announcement in July 2022.

While it’s unlikely any of the four Russians sanctioned by the U.S. government and facing charges related to election interference will see the inside of an American court, the actions are part of a broader government effort to push back more aggressively against foreign influence on elections, which many experts expect to increase ahead of the 2024 presidential campaign.

Former Cybersecurity and Infrastructure Security Agency Director Chris Krebs said earlier this month to expect a “very, very active threat landscape” concerning election influence and interference.

Federal incentives could help utilities overcome major cybersecurity hurdle: money
https://cyberscoop.com/ferc-cybersecurity-incentives-electric-grid/
Thu, 22 Jun 2023 20:40:36 +0000
A new rule that would give electric utilities incentives for investing in cybersecurity is set to go into effect next month.

The post Federal incentives could help utilities overcome major cybersecurity hurdle: money appeared first on CyberScoop.

Starting next month, utilities around the country may be able to fund certain cybersecurity investments through increases in consumer electric bills, a move that could help resource-poor owners and operators better protect themselves against malicious hackers.

A new voluntary cyber incentive framework from the Federal Energy Regulatory Commission that was required by the Biden administration’s bipartisan Infrastructure Investment and Jobs Act will allow utilities to make the case for receiving an incentive-based rate recovery when they make certain pre-qualified cybersecurity investments or join a threat information-sharing program.

The new rule also helps clear the path around one of the biggest issues for critical infrastructure owners and operators: a lack of money to invest in cybersecurity.

“It’s about removing the excuses and one of the huge excuses for anyone in the utility space to do anything with cyber has to do with resources and dollars,” said Ron Fabela, field CTO at cybersecurity firm XONA Systems. “Whether it’s an investor-owned utility or a local co-op, they are still beholden to the approved rates for power and that rate is heavily regulated and they can’t necessarily go to the ratepayer — you and me — to cover all their expenditures.”

For instance, in most states public utility commissions are unlikely to approve a rate increase unless it’s directly tied to the ability to generate and deliver power to customers, Fabela said. Those requirements vary by state, but nearly all involve an arduous process, and how commissions will respond to new cyber investments is still an open question, he said.

“This is essentially telling the public utility commissions that utilities that wish to invest in cybersecurity in these areas and these ways can effectively get rate relief from their customers,” Fabela said.

The new rule that goes into effect July 3 comes as the federal government is grappling with ways to add cyber mandates for critical infrastructure and to help “target rich, cyber poor” owners and operators improve digital defenses. Additionally, the recently released National Cybersecurity Strategy outlined goals for the administration to pursue more cybersecurity regulations for critical infrastructure.

The electric sector is already regulated by FERC, an independent agency under the Energy Department, and the North American Electric Reliability Corp., an international nonprofit corporation. FERC can tell NERC to develop a certain standard to mitigate a threat with input from industry. Once NERC develops new rules, FERC considers whether to implement them. NERC then acts as the enforcer with regular audits and fines.

However, that process can take years from concept to enforcement. The slow pace of NERC rule-makings has been a common concern among experts, as cyberthreats can quickly outpace policy. The cyber incentives plan could help utilities adapt to new threats at a faster pace, experts say.

“There’s the carrot and the stick and sometimes the stick is going to have limitations,” said Jason D. Christopher, director of cyber risk at industrial cybersecurity firm Dragos. “If NERC CIP hasn’t made it mandatory, enforceable, then it’s harder for utilities to get rate recovery and it’s hard for them to necessarily fund the initiative and this provides that flexibility.”

For instance, one of the two pre-qualified investments is internal network security monitoring, which is also a new standard the NERC drafting team is exploring. That proposed rule would require covered utilities to have internal network security monitoring within environments that impact the bulk electric system. However, that rule is still in an early phase, and it will likely be years before the standard is in place.

“So, we’re talking about years of a period where there’s not going to be a mandatory regulation in place for internal network security monitoring, which is — in our [operational technology] context — how we detect whether or not attackers are in our systems,” said Christopher. “The incentives order says, ‘Hey, if you want to do this before it’s mandatory, enforceable, we will help you with that and will provide an incentive in those areas.’”

So far, only internal network security monitoring and joining an ISAC are on the pre-qualified list for investments. However, FERC plans on allowing for case-by-case incentives where a utility can make a case for why the investment would “materially improve a utility’s security posture.”

Additionally, FERC would consider additional controls from the National Institute of Standards and Technology catalog of “security and privacy controls for information systems and organizations,” NIST’s cybersecurity framework technical subcategory, and specific recommendations from federal agencies like CISA, the FBI, National Security Agency, or DOE.

Other potential investments have yet to be defined as the commission needs “a high degree of confidence that such items will likely materially improve cybersecurity for all utilities,” according to the rule. FERC will re-evaluate the pre-qualified investment list “from time to time.”

A year after Dobbs, federal privacy legislation to protect abortion seekers remains stalled
https://cyberscoop.com/dobbs-privacy-legislation-abortion-congress/
Thu, 22 Jun 2023 19:58:29 +0000
Legislative efforts have suffered due to little Republican interest and a lack of urgency in Congress to address privacy issues.

The post A year after Dobbs, federal privacy legislation to protect abortion seekers remains stalled appeared first on CyberScoop.

The Supreme Court’s decision last June to reverse Roe v. Wade sparked new worries that the massive amount of digital health and location data that companies collect could provide a deep well of evidence for states seeking to track and potentially arrest anyone seeking or receiving an abortion.

Some of those fears have been realized. After the Supreme Court’s Dobbs decision overturning a constitutional right to abortion, news surfaced that Nebraska police served Facebook’s parent company Meta a search warrant for messages that turned out to be related to an illegal abortion. In March, a Texas man filed a civil lawsuit against three women he alleges helped his wife obtain an abortion. The lawsuit cited unencrypted text messages.

But even though the ruling ushered in urgent pleas from advocacy groups and many lawmakers for legislation to safeguard reproductive health data that can be easily obtained by data brokers or law enforcement, there remains little movement in Washington to pass legislation to strengthen U.S. privacy protections.

“I do think that there is a greater awareness now,” Rep. Sara Jacobs, D-Calif., told CyberScoop. “As a young person, I think it’s taken Congress too long to catch up with the American people in understanding these vulnerabilities.”

Jacobs, who introduced the “My Body My Data Act” last year, is one of the lawmakers who has led the conversation about reproductive and sexual health privacy in the wake of Dobbs. The legislation limits the reproductive and sexual health data that entities can collect and protects personal data such as cellphone data and search engine history not currently covered by the landmark health data protection law, the Health Insurance Portability and Accountability Act of 1996.

Jacobs reintroduced the legislation in May with 91 cosponsors in the House and 13 sponsors in the Senate. She is still seeking privacy-minded Republicans to co-sponsor the legislation but acknowledged the difficulty in getting bipartisan support.

“The fact of the matter is this isn’t just about abortion,” said Jacobs. “It’s all sexual and reproductive health data. So if you’re a 70-year-old, Republican man who doesn’t want your wife to know you’re searching about gonorrhea on Google this does protect you, too.”

Rep. Anna Eshoo, D-Calif., a co-sponsor of the bill, said that while Republicans aren’t going to take up the bill “it’s important to build support for these policies so that the minute that we take over the majority that we’re ready to go.”

The legislation has gained the support of a number of civil liberties and reproductive rights groups. “With the GOP dead set on criminalizing abortion, it is critical that we do everything we can to protect the data and privacy of those seeking and providing care. We’ve seen our champions at the federal and state levels spring into action to do so, including U.S. Representative Sara Jacobs … or California state Assemblymember Rebecca Bauer-Kahan’s AB 254—which ensures the privacy of individuals when they use apps and websites that provide reproductive health services,” NARAL Pro-Choice America Communications Director Ally Boguhn wrote to CyberScoop in an email.

Where Washington has seen more success in protecting reproductive health data is in regulatory action helmed by the White House. For instance, President Biden last summer signed an executive order tasking the Federal Trade Commission and the Department of Health and Human Services with protecting abortion services. In April, HHS proposed a rule that would strengthen existing privacy protections under the Health Insurance Portability and Accountability Act by prohibiting healthcare providers from disclosing reproductive healthcare data for the purpose of investigating an individual for a legal abortion. Last week, 24 state attorneys general threw their support behind the proposed rule.

States with pro-choice leadership have also pushed through a cohort of laws around reproductive health, such as shield laws in New York, Washington and California barring entities from sharing data about legal abortions with states conducting criminal investigations into the behavior. California lawmakers are also seeking to ban reverse search warrants that could ensnare abortion seekers, as CyberScoop first reported.

“So far, we haven’t seen indicators that these types of shield laws have actually proved necessary… but we expect it is certainly just a matter of time before they do,” said Jake Laperruque, deputy director at the Security and Surveillance Project for the Center For Democracy & Technology.

Experts note that there could be several reasons there haven’t been more high-profile cases of digital evidence showing up in abortion criminal cases. One is that companies that receive law enforcement requests are often subject to an initial gag order. Secondly, abortion-related investigations may not be explicitly labeled and may instead be charged as a crime like murder or child endangerment.

Even with some strides by states and the Biden administration, without Congress to codify abortion and privacy rights, many state and agency protections fall short. For instance, the HIPAA rulemaking only applies to states where abortion is legal. Applying the protections in all states would take an act of Congress. Reps. Jacobs and Eshoo’s Secure Access for Essential Reproductive (SAFER) Health Act, which served as a model for the HIPAA rule, would apply to all reproductive health information regardless of local laws.

Democrats in both chambers are expected to force a vote on legislation protecting access to abortion nationally ahead of the Dobbs anniversary.

Moreover, legislative solutions tailored to health data ignore a world of data that can also be used to incriminate abortion-seekers, such as private messages and geolocation history. Protecting other forms of metadata requires more comprehensive federal privacy legislation. After Dobbs, many civil society groups redoubled support of the American Data Privacy and Protection Act, comprehensive privacy legislation that passed out of its House committee last summer but has yet to be reintroduced this year. Eshoo and Rep. Zoe Lofgren, D-Calif., introduced their own comprehensive privacy legislation, the Online Privacy Act, in April.

“ADPPA would go a long way to not only raise the bar for protections around sensitive data, including health data,” Andrew Crawford, senior policy counsel on the Privacy and Data Project at CDT, told CyberScoop. “Our approach to data privacy burdens the consumer far too much and does not place much of a burden requirement on companies to act as responsible stewards.”

Crawford, who recently released with CDT a guide to best practices for companies to protect reproductive health data, says that the private sector also plays an important role in protecting consumers. Concerns about reproductive health privacy have put pressure on companies to take steps to reduce harm. For instance, Google last summer promised to stop collecting users’ location data for visits to reproductive health clinics. Fertility and reproductive tracking apps at the center of new fears also responded with new privacy modes, such as Flo’s anonymous mode, which allows users to use the app without sharing data like their name or IP address.

Crawford emphasized that any company that collects information like location data could find itself on the receiving end of a law enforcement request and that the kinds of protections that CDT is pushing apply to every company.

“We would like folks to embrace these best practices right now and they don’t necessarily need legislation to do it,” said Crawford.

Lawmakers aren’t giving up, however. “I think together with my colleagues we have built legislative products that are worthy of the support of members but most importantly they would be laws that would fully protect women in our country given the Dobbs decision,” Eshoo told CyberScoop. “It’s a different era. It’s a different time.”

FTC accuses genetic testing company of exposing sensitive health data
https://cyberscoop.com/ftc-1healthio-health-data-privacy/
Fri, 16 Jun 2023 16:48:31 +0000

The case is the latest in a series of FTC enforcement actions focused on health data privacy and the first involving genetic information.

The Federal Trade Commission on Friday accused the genetic health testing firm 1health.io of failing to protect sensitive genetic and health data, the latest in a series of FTC enforcement actions focused on health data privacy and the first involving genetic information.

The FTC alleges that the California-based 1health, previously known as Vitagene, deceived customers about its privacy policy, retroactively changed that policy and misled customers about its process for deleting data. The company will pay $75,000 to the FTC for consumer refunds as part of a settlement with the agency.

“Companies that try to change the rules of the game by re-writing their privacy policy are on notice,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “The FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data.”

Vitagene’s DNA test kits provide reports that include personal information such as ancestry and level of risk for certain health problems, such as high triglycerides and obesity. According to its website, 1health provides testing to corporate and government clients.

According to the complaint, Vitagene stored nearly 2,400 records belonging to at least 227 consumers in publicly accessible data buckets on Amazon Web Services, exposing sensitive consumer and raw genetic data, some of which was tied to consumers’ names. Vitagene claimed that it did not store DNA results connected with identifying information.

According to the FTC, Vitagene was warned three times that the unencrypted health and user data was publicly accessible but only fixed the issue and notified customers in 2019 after a security researcher shared their findings with the media.

The FTC accused the company of deceiving customers by failing to follow through with its promises to customers that they could delete their data at any time. The company later began sharing customer information with third parties without notifying customers of the change.

As part of the proposed order, 1health will be prohibited from sharing health data with third parties without obtaining affirmative customer consent. It must also implement a new security program to address the security concerns in the complaint and notify the FTC about any incidents of unauthorized disclosures of consumer health data. 1health will be required to destroy all DNA samples retained for more than 180 days.

The proposed agreement will be made available for public comment for 30 days before the agency reaches a final settlement.

1health CEO Mehdi Maghsoodnia called the FTC investigation a “case of extraordinary government overreach.”

In a statement, Maghsoodnia said the company first learned in July 2019 that a “small number of customer files had been inadvertently stored in a publicly accessible location” but that the company has no evidence they were “improperly accessed.”

“In response, the FTC launched an investigation which has now dragged on for nearly four years,” Maghsoodnia said. “Ultimately, we disagree with many of the FTC’s conclusions. But we look forward to finally putting this matter behind us.”

Updated June 16, 2023: To include comment from 1health.

New FCC privacy task force takes aim at data breaches, SIM-swaps
https://cyberscoop.com/fcc-privacy-task-force/
Wed, 14 Jun 2023 20:46:26 +0000

The Federal Communications Commission task force will also examine how carriers collect and share geolocation data.

The Federal Communications Commission will launch its first-ever privacy and data protection task force to crack down on SIM swapping and address broader data privacy concerns, Chairwoman Jessica Rosenworcel announced on Wednesday.

The creation of the task force comes as the agency confronts a number of data protection issues facing customers of U.S. telecoms, such as the sharing of sensitive consumer data, the collection of geolocation data and repeat data breaches at major carriers. Rosenworcel said that the new task force will lead the agency’s recently proposed efforts to modernize its 15-year-old data breach rule.

The task force — which will be led by Loyaan Egal, the agency’s enforcement chief — will also coordinate the FCC’s rulemaking efforts aimed at preventing SIM swapping and creating standards for carriers to authenticate a customer before transferring a number to a new device or a new carrier.

“This kind of fraud demonstrates how powerful these forces are and how privacy is so important for communications and digital age trust,” Rosenworcel said about SIM-swapping, a kind of attack in which cybercriminals use a victim’s personal information to steal their phone number and swap it into a scammer-controlled device.

During her remarks on Tuesday at the Center for Democracy and Technology, a Washington think tank, Rosenworcel said she has serious concerns about how mobile carriers collect and share users’ private data, such as geolocation data. Queries from the FCC found last year that ten of the top 15 mobile carriers in the United States collect geolocation data and provide consumers no way to opt out.

Rosenworcel said that the agency is carrying out a follow-up investigation about how to address the collection of geolocation data that has now been delegated to the new task force.

Rosenworcel also noted concerns about carriers selling sensitive user data and called on her fellow FCC commissioners to finalize $200 million in proposed fines brought in 2020 against AT&T, Sprint, T-Mobile and Verizon for sharing customer location data without their consent, penalties that won’t come into effect until the agency votes to approve them.

During her speech, Rosenworcel hinted at an upcoming “enforcement action against two companies that have put the security of communications customers at risk.”

“I can’t say more right now, but I can say this right out of the gate: We are showing that this task force means business,” said Rosenworcel.

Congress and intelligence officials spar over surveillance reforms
https://cyberscoop.com/congress-fbi-section-702/
Tue, 13 Jun 2023 18:28:30 +0000

Members of the Senate Judiciary Committee remain unconvinced that existing reforms are sufficient to address abuse of surveillance authorities.

Lawmakers and U.S. intelligence officials clashed at a Senate Judiciary hearing Tuesday over how to reform a controversial surveillance program set to sunset at the end of this year, setting the stage for a difficult legislative battle to renew or potentially reform the law.

Representatives of the Justice Department and FBI made the case that the long history of abuses linked to Section 702 of the Foreign Intelligence Surveillance Act is already being addressed by significant new reforms instituted in the last two years. But several members of the Judiciary Committee questioned whether these reforms go far enough and pressed witnesses about potentially more serious reforms, including a warrant requirement for using the sensitive intelligence data.

“I will only support the reauthorization of Section 702 if there are significant, significant reforms. And that means first and foremost, addressing the warrantless surveillance of Americans in violation of the Fourth Amendment,” Senate Judiciary Chair Dick Durbin, D-Ill., said in his opening statement.

The hearing sets up what is an uphill battle for the Biden administration to get Congress to renew the authority without changes. The administration and its surrogates insist that failing to renew the law would have grave national security consequences. Ahead of Tuesday’s hearing, Biden administration officials detailed several newly declassified examples of Section 702’s usefulness in combating cyber operations and narcotics trafficking.

But that argument has so far failed to gain traction on the Hill. Lawmakers at Tuesday’s hearing were largely united in opposing a clean reauthorization, arguing that the intelligence community hasn’t shown that it can self-correct a history of serious abuses, nor shown that current systems don’t merit greater reforms.

“Why should we ever trust the FBI and the DOJ again to police themselves under FISA, when they’ve shown us repeatedly, for more than a decade, that they cannot be trusted to do so?” asked Sen. Mike Lee, R-Utah.

The Judiciary Committee members aired a variety of reform proposals, including a warrant requirement for Section 702, adding an “adversarial” process to the FISA system and assigning amicus curiae to targeted individuals who can otherwise not challenge their surveillance — all proposals that Tuesday’s witnesses opposed.

At the heart of lawmakers’ concerns is the FBI’s use of Section 702, which is designed to collect data belonging to foreign intelligence targets whose communications transit U.S. communications infrastructure, to query data incidentally collected on Americans. Committee members raised concerns about the FBI’s history of abusing incidental collection, citing a court ruling declassified last month that showed that the FBI misused the powerful surveillance tool more than 278,000 times.

The Justice Department’s Assistant Attorney General for National Security Matt Olsen said that these abuses predate reforms undertaken by the agency in 2021 and 2022 and that the bureau’s policies would prevent them from recurring.

These reforms include requiring agents to opt in to search data, something that was a driving factor in reducing U.S. person queries by more than 90% between 2021 and 2022, Olsen said. The Foreign Intelligence Surveillance Court is currently carrying out a declassification process for a 2023 opinion that identifies “some additional improvements in FBI compliance,” Olsen said.

On Tuesday, FBI Deputy Director Paul Abbate announced a pair of new compliance measures that the agency is putting forward as it tries to reduce FISA abuse. The first is a three-strike policy for query-related incidents that could lead to an agent’s dismissal. The second involves evaluations that can affect performance ratings and promotions for agency leaders monitoring 702 compliance in their divisions.

Abbate told Sen. John Cornyn, R-Texas, that the bureau would welcome codifying reforms already in place into law.

Civil liberties advocates said these reforms fail to address the surveillance abuses — including the collection of data belonging to racial justice protesters and political donors — committed under Section 702.

“The new items the FBI touted at the hearing are wholly inadequate, and out of touch with how serious these abuses are,” said Jake Laperruque, the director of the Security and Surveillance Project at the Center for Democracy and Technology, a group that is calling for FISA reforms.

Tuesday’s hearing previews what is likely to be a significant clash between the Biden administration and Congress over the possibility of a warrant requirement for U.S. person queries of Section 702 data. The reform is one that lawmakers at the hearing largely supported but that the administration has opposed. On Monday a senior administration official said a warrant requirement would have “very serious national security costs.”

Intelligence agency officials testifying in front of Congress shared those concerns. “The reason for not requiring a warrant is that this is lawfully collected information that is in the FBI holdings,” said the Justice Department’s Olsen.

But lawmakers expressed skepticism about the FBI’s argument.

“The U.S. person query aspect of this is really concerning to the Congress,” said Sen. Jon Ossoff, D-Georgia. “I don’t think you’ve effectively made the case that there shouldn’t be a warrant requirement whether or not it is constitutionally required.”

Section 702 data helped take down Colonial Pipeline hacker, Biden administration says
https://cyberscoop.com/section-702-colonial-pipeline/
Tue, 13 Jun 2023 14:00:00 +0000

The White House is declassifying material about how a controversial surveillance law is used in hopes of building support for its renewal.

Intelligence collected under the Section 702 surveillance authority allowed the U.S. government to successfully identify the hacker behind the 2021 ransomware attack on Colonial Pipeline, senior Biden administration officials told reporters Monday in the White House’s latest push to declassify intelligence material that might build support for reauthorizing the law.

Monday’s briefing with reporters came ahead of a hearing Tuesday before the Senate Judiciary Committee that will feature a collection of senior U.S. intelligence officials and will consider the controversial surveillance tool, which sunsets at the end of this year.

According to Biden administration officials who briefed reporters ahead of that hearing on condition of anonymity, Section 702 of the Foreign Intelligence Surveillance Act allowed the U.S. government to recover the majority of the $4.4 million ransom paid by Colonial Pipeline to the hackers. In another example newly made public, Section 702 data helped the U.S. government to identify and mitigate a 2022 Iranian ransomware attack against a nonprofit, allowing the organization to recover without paying the ransom.

This newly declassified intelligence is just some of what the U.S. intelligence officials testifying on Tuesday are expected to describe in making the case to a deeply skeptical Congress to renew the law.

Since appealing to lawmakers in February to renew the tool, the Biden administration has argued that Section 702 is vital to combat an array of national security threats to the homeland and that it plays an especially vital role in combating cyber threats. A senior FBI adviser recently told CyberScoop that a “plurality” of Section 702 searches by the agency pertain to investigations into nation-state cyberattacks.

Section 702 allows intelligence agencies to collect the communications of non-U.S. persons abroad whose communications transit U.S. telecommunications systems. However, the program’s incidental collection of Americans’ data, which can then be searched by the FBI, has raised oversight concerns from civil liberties advocates and many lawmakers.

In a letter released Monday, a coalition of 19 civil liberties groups called for substantial reforms to Section 702 and urged Congress not to reauthorize the law without a warrant requirement.

Senior administration officials stressed on Monday that the White House has “heard loud and clear” a desire for conversations around reform and that “those conversations are underway.” Reform proposals under consideration include codifying recent reforms by the FBI in how it limits access to 702 information, such as requiring agents to opt in to search the 702 database and requiring high-level approvals for some searches.

Requiring a warrant for Section 702 searches “would have very serious national security costs,” according to a senior administration official. “They would essentially lead us, the government, to turn a blind eye to information lawfully in the U.S. government’s possession, including in situations where that information could provide critical protections to victims of malicious foreign activity,” the official said.

Another senior administration official noted that U.S. person queries against Section 702 allowed the FBI to identify where Chinese hackers had attempted to infiltrate the network of a U.S. transportation firm. U.S. person queries also allowed the FBI to identify that Iranian hackers had “conducted extensive research on the former head of a federal department” and allowed agents to warn the department to take precautions against the threat.

Outside of cyber, Section 702 intelligence has been used to gain insights into the activities of foreign adversaries, including Russia’s actions in Ukraine and China’s tracking of dissidents. It has also played a key role in law enforcement efforts targeting narcotics trafficking, according to a senior administration official.

In seeking Section 702’s renewal, the Biden administration faces an uphill fight in Congress, where members of both parties have made it clear that they won’t consider reauthorization without serious reforms.

“This authority should not be renewed without significant reforms to safeguard Americans’ privacy and constitutional rights,” Senate Judiciary Chairman Dick Durbin, D-Ill., tweeted in May after unsealed court documents showed wrongful FBI uses of the database.

In addition to their public testimony on Tuesday, intelligence officials will also provide a classified briefing on Section 702 to Senate Judiciary members. Testifying at Tuesday’s hearing will be officials from the CIA, NSA, FBI, Office of the Director of National Intelligence and Department of Justice.
