The U.S. House Committee on Energy and Commerce this week sent a letter to Apple [PDF] inquiring about the accuracy of the App Privacy labels that Apple asked developers to start adding to apps back in December.
In the letter, the committee asks Apple about reports suggesting that some App Privacy labels are offering “misleading and false information.” The query was prompted by a January story from The Washington Post that found over a dozen apps with inaccurate privacy labels.
Apple requires developers to provide information on all of the data that an app collects, but developers are self-submitting the privacy label details on an honor system, without verification from Apple itself. Apple has said that it routinely audits the information that’s provided and works with developers to correct inaccuracies, but it’s impossible for the company to verify every app’s privacy listing.
App developers that are audited and found to have disclosed inaccurate privacy information can have future app updates rejected, and in some situations their apps can be removed from the App Store entirely if they are not brought into compliance.
In the letter, which urges Apple to improve App Privacy labels, committee members Frank Pallone and Jan Schakowsky told Apple that a privacy label is “no protection if it is false.”
“According to recent reports, App Privacy labels can be highly misleading or blatantly false. Using software that logs data transmitted to trackers, a reporter discovered that approximately one third of evaluated apps that said they did not collect data had inaccurate labels. A privacy label is no protection if it is false. We urge Apple to improve the validity of its App Privacy labels to ensure consumers are provided meaningful information about their apps’ data practices and that consumers are not harmed by these potentially deceptive practices.”
Apple has been asked to provide the following details on its App Privacy system:
- Details on the process by which Apple audits the privacy information provided by app developers and how frequently audits are conducted;
- How many of the apps audited since the implementation of the App Privacy label were found to have provided inaccurate or misleading information;
- Whether Apple ensures that App Privacy labels are corrected upon the discovery of inaccuracies or misleading information; and
- Details regarding Apple’s enforcement policies when an app fails to provide accurate privacy information for the App Privacy label.
The committee asks that Apple send the requested information by February 23, so Apple has two weeks to craft a response.
Cyberattack exposes lack of required defenses on U.S. pipelines
The shutdown of the biggest U.S. fuel pipeline by a ransomware attack highlights a systemic vulnerability: Pipeline operators have no requirement to implement cyber defenses.
The U.S. government has had robust, compulsory cybersecurity protocols for most of the power grid for about 10 years to prevent debilitating hacks by criminals or state actors.
But the country’s 2.7 million miles (4.3 million km) of oil, natural gas and hazardous liquid pipelines have only voluntary measures, which leaves security up to the individual operators, experts said.
“Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors,” Richard Glick, the chairman of the Federal Energy Regulatory Commission (FERC), said.
Protections could include requirements for encryption, multifactor authentication, backup systems, personnel training and segmenting networks so access to the most sensitive elements can be restricted.
FERC’s authority to impose cyber standards on the electric grid came from a 2005 law but it does not extend to pipelines.
Colonial Pipeline, the largest U.S. oil products pipeline and source of nearly half the supply on the East Coast, has been shut since Friday after a ransomware attack the FBI attributed to DarkSide, a group cyber experts believe is based in Russia or Eastern Europe.
The outage has led to higher gasoline prices in the U.S. South and worries about wider shortages and potential price gouging ahead of the Memorial Day holiday.
Colonial did not immediately respond to a query about whether cybersecurity standards should be mandatory.
The American Petroleum Institute lobbying group said it was talking with the Transportation Security Administration (TSA), the Energy Department and others to understand the threat and mitigate risk.
Cyber oversight of pipelines falls to the TSA, an office of the Department of Homeland Security (DHS), which has provided voluntary security guidelines to pipeline companies.
The General Accountability Office, the congressional watchdog, said in a 2019 report that the TSA only had six full-time employees in its pipeline security branch through 2018, which limited the office’s reviews of cybersecurity practices.
The TSA said it has since expanded staff to 34 positions on pipeline and cybersecurity. It did not immediately respond to a request for comment on whether it supports mandatory protections.
When asked by reporters whether the Biden administration would put in place rules, DHS Secretary Alejandro Mayorkas said it was discussing administrative and legislative options to “raise the cyber hygiene across the country.”
President Joe Biden is hoping Congress will pass a $2.3 billion infrastructure package, and pipeline requirements could be put into that legislation. But experts said there was no quick fix.
“The hard part is who do you tell what to do and what do you tell them to do,” Christi Tezak, an analyst at ClearView Energy Partners, said.
U.S. Representatives Fred Upton, a Republican, and Bobby Rush, a Democrat, said on Wednesday they have reintroduced legislation requiring the Department of Energy to ensure the security of natural gas and hazardous liquid pipelines. Such legislation could get folded into a wider bill.
The power grid is regulated by FERC, and mostly organized into nonprofit regional organizations. That made it relatively easy for legislators to put forward the 2005 law that allows FERC to approve mandatory cyber measures.
A range of public and private companies own pipelines. They mostly operate independently and lack a robust federal regulator.
Their oversight falls under different laws depending on what they carry. Products include crude oil, fuels, water, hazardous liquids and – potentially – carbon dioxide for burial underground to control climate change. This diversity could make it harder for legislators to impose a unified requirement.
Tristan Abbey, a former aide to Republican Senator Lisa Murkowski who worked at the White House national security council under former President Donald Trump, said Congress is both the best and worst way to tackle the problem.
“Legislation may be necessary when jurisdiction is ambiguous and agencies lack resources,” said Abbey, now president of Comarus Analytics LLC.
But a bill should not be seen as a magic wand, he said.
“Standards may be part of the answer, but federal regulations need to mesh with state requirements without stifling innovation.”
(Reporting by Timothy Gardner; Editing by Cynthia Osterman and Marguerita Choy)
U.S. senator asks firms about sales of hard disk drives to Huawei
A senior Republican U.S. senator on Tuesday asked the chief executives of Toshiba America Electronic Components, Seagate Technology, and Western Digital Corp if the companies are improperly supplying Huawei with foreign-produced hard disk drives.
Senator Roger Wicker, the ranking member of the Commerce Committee, said a 2020 U.S. Commerce Department regulation sought to “tighten Huawei’s ability to procure items that are the direct product of specified U.S. technology or software, such as hard disk drives.”
He said he was engaged “in a fact-finding process… about whether leading global suppliers of hard disk drives are complying” with the regulation.
(Reporting by David Shepardson, Editing by Rosalba O’Brien)
Colonial Pipeline hackers stole data on Thursday
The hackers who caused Colonial Pipeline to shut down on Friday began their cyberattack against the top U.S. fuel pipeline operator a day earlier and stole a large amount of data, Bloomberg News reported, citing people familiar with the matter.
The attackers are part of a cybercrime group called DarkSide and took nearly 100 gigabytes of data out of Colonial’s network in just two hours on Thursday, Bloomberg reported late Saturday, citing two people involved in the company’s investigation.
Colonial did not immediately reply to an email from Reuters seeking comment outside usual U.S. business hours.
Colonial Pipeline shut its entire network, the source of nearly half of the U.S. East Coast’s fuel supply, after a cyber attack that involved ransomware.
(Reporting by Aakriti Bhalla in Bengaluru; Editing by Himani Sarkar)