Cyber Week in Review: May 3, 2024

NETmundial+10 conference in São Paulo, Brazil

This past Tuesday and Wednesday, the NETmundial+10 conference took place in São Paulo, Brazil, drawing representatives from the United Nations, academia, government, and private sector leaders. The event brought together more than four hundred participants from sixty countries, with most panels focused on strengthening the Internet Governance Forum (IGF) and promoting information integrity internationally. Additionally, the conference focused on addressing hate speech and misinformation, with Brazilian Minister of Science, Technology, and Innovation Lucianna Santos stating, “there is still a lot to advance so that we can achieve an agenda based on reducing asymmetries [between regions] and recognizing meaningful access to the internet as a fundamental right.” The event was organized by the Secretariat of Communication of the Presidency of the Republic of Brazil in partnership with UNESCO. International gatherings will continue to inform internet governance landscape throughout 2024. Notable upcoming events are WSIS+20, occurring in May in Geneva, the UN Summit of the Future in September in New York, and the Internet Governance Forum in December in Riyadh.

FCC fines three carriers $196 million for illegally sharing access to customer’s location data

The Federal Communications Commission (FCC) has collectively fined Verizon, T-Mobile, and AT&T $196 million for illegally sharing customer geo-location data with third parties—including prisons—without consent. The FCC investigation originated from a 2018 probe by Sen. Ron Wyden (D-OR), who called on the FCC to investigate Verizon after finding that correctional officers misused customer location data to spy on millions of Americans. The FCC accused the companies of violating Section 222 of the Communications Act, which requires carriers to protect and maintain confidentiality of customer location information. The FCC Chairwoman, Jessica Rosenworcel, states that the “carriers failed to protect the information entrusted to them.” All three carriers have rejected the accusations, with AT&T stating that the decision “perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged.” T-Mobile argued that the company discontinued geo-location tracking more than five years ago. All three carriers are expected to appeal the fines.

Biden Administration announces HIPAA final rule

In another executive action aimed at strengthening protections for Americans’ personal data, the Biden Administration  announced a new rule that clarifies and strengthens healthcare privacy for people seeking lawful abortions and prohibits the use or disclosure of personal health information to investigate individuals. The rule expands the Health Insurance Portability and Accountability Act (HIPAA) of 1996 to explicitly prevent healthcare providers from disclosing medical information about patients to law enforcement. Supporters of the rule argue that the new regulation would protect reproductive freedom; Jennifer Klein, director of the White House Gender Policy Council, stated that “no one should have their medical records used against them, their doctor, or their loved one just because they sought or received lawful reproductive health care.” The new regulation follows a statement signed by nineteen Republican attorneys general who believed the draft Final Rule “would unlawfully interfere with states.” The rule is expected to be contested and face legal challenges from anti-abortion advocates.

European police organizations release statement against end-to-end encryption

Thirty-two European police chiefs and the Director General of the UK National Crime Agency (NCA) released a statement expressing concerns regarding how end-to-end encryption prevents law enforcement from investigating crime. The statement conveyed that technology companies and governments share a social responsibility to allow police access to messaging platforms for evidence collection, with Europol Executive Director Catherine de Bolle stating, “If police lose the ability to collect evidence, our society will not be able to protect people from becoming victims of crime.” The NCA estimates that without access to Meta’s messaging platforms, criminal reports—92 of reports from Facebook and 85 percent—will be lost to end-to-end encryption, inhibiting their ability to investigate criminal activity. The European Parliament has previously rejected attempts to ban end-to-end encryption, including in 2023, when it rejected the Child Sexual Abuse Regulation (CSAR) draft bill.

WhatsApp threatens to pull services from India

WhatsApp and its parent company, Meta, filed a plea in the Delhi High Court, challenging India’s 2021 Information Technology Rules for social media intermediaries. The rules require WhatsApp to disclose the “first originator of information” when authorities request it, and Meta has said doing so would violate user privacy and break end-to-end encryption on its apps. If WhatsApp complies with the rules, opponents of the rule believe forced user decryption may violate Articles 14, 19, and 21 of the Constitution of India, which uphold freedom of speech, equality before the law, and protection of personal liberty. WhatsApp’s threat to leave India would hurt one of the largest markets for the company, which serves over 900 million people in the country. The Indian government argues that exceptions to accessing encrypted messages would enhance national security and prevent crimes against women and children. The Delhi High Court is currently hearing the challenge by WhatsApp and has acknowledged that “privacy rights were not absolute” under Indian law. The next hearing in the case is scheduled for August 2024.

Cecilia Marrinan is the intern for the Digital and Cyberspace Policy Program.