Recently, the Hamilton City Council in Ohio proposed a new local ordinance that would specifically prohibit the use of drones to commit voyeurism, in response to a resident’s complaint that someone in his neighborhood was using a drone to harass people by recording images of them. The complainant explained to the Council that a man was operating a drone and peering into windows in his neighborhood, flying over children playing in their yards and even chasing a woman down a street. The resident took video footage of the drone operations and reported the operator’s actions to the police, but no specific law or regulation applied to this operator’s activity.

The proposed law would make it illegal to use drones “to invade the privacy of another’s home, office, enclosed space or the private space of another.” Further, drone flights over properties (such as individual homes) would be prohibited without the owner’s consent, along with flying over crime scenes or emergency scenes. The proposed law would also make it illegal to operate drones “in a manner that recklessly endangers persons, wildlife, or property or in a manner that harasses, disturbs, intimidates, annoys or threatens persons.”

Lastly, the proposed law would ban drone flights over public parks and schools as well as municipal buildings and property owned by the City of Hamilton School District, Hamilton Parks Conservancy, or the City of Hamilton. An exception for TVHamilton drones would be included in the law.

Other ordinances limiting drone flights can be found in this part of Ohio, including in Youngstown, Cleveland, Cleveland Heights and the Sandusky County Park District (and of course, many similar ordinances exist across the country). Whether or not this new proposal is ultimately adopted, it serves as a strong reminder to check local laws and regulations before you fly a drone.

We have noted before how important it is to update the operating system (OS) on your mobile phone as soon as you receive notice from the manufacturer. This week, Apple issued an iOS update that is considered urgent.

Apple released two patches this week to address two security vulnerabilities in iPhones: one that protects against the Pegasus spyware, and one in WebKit, the browser engine that Safari uses to render web content on screen.

The first patch closes a zero-click exploit delivered through iMessage that runs code allowing spyware to be deployed against users. This vulnerability is especially concerning because it does not require the user to open a link for the malicious code to be deployed and gain access to the mobile device.

The second patch is designed to fix a vulnerability discovered by a security researcher, which allows threat actors to use malicious web content to exploit iPhones and iPads.

Message today: UPDATE YOUR iPHONE OPERATING SYSTEM ASAP. To do so, plug in your phone, go to Settings, tap General, then tap Software Update and download iOS 14.8.

On August 25, 2021, the FBI issued a Flash Alert to warn companies, especially in the health care industry, about the proliferation of attacks by threat actors using Hive ransomware.

According to the Flash Alert, Hive was first observed in June 2021: “Hive ransomware uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network.”

“After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, ‘HiveLeaks.'”

The Flash Alert provides technical details, indicators of compromise, the content of a sample ransom note, and recommended mitigation techniques. The FBI also requests that all victims of an attack using Hive provide information to the FBI.

When GDPR became effective three years ago, companies took notice of the fines and penalties attached to violations of the stringent privacy law: up to 4 percent of global annual sales. The fines have been racking up, including the most recent one by the Irish Data Protection Commission against WhatsApp, for $266 million. WhatsApp is owned by Facebook.

The fine follows what the Data Protection Commission says were violations by WhatsApp in the way it provided notice on how it was processing users’ and non-users’ data and how the data was being shared between WhatsApp and other Facebook-owned companies.

WhatsApp stated after the announcement of the fine that it disagrees with it and that it will appeal the decision.

In 20 years, could it be possible that 50 percent of all domestic ships on Japan’s coastal waters will be piloting themselves? Absolutely. A public interest organization in Japan, the Nippon Foundation, seeks to accomplish just that. The Foundation is backing Japan’s development of autonomous ships with the goal of making up 50 percent of Japan’s local fleet by 2040.

To reach this goal, in February 2022, a consortium of companies, including Japan’s largest shipping company, Nippon Yusen, will test a container ship piloting itself autonomously from Tokyo Bay to Ise (a small coastal city). While many autonomous ships have attempted journeys before, this one is different. The journey will cover 236 miles and will be the first autonomous ship test in an area with heavy marine traffic. To conduct the test, the team will gather data such as weather and radar readings at a support center on land. The support center will then send directions back to the ship. If there are any complications, the team at the support center can remotely take over the ship’s steering.

By 2030, it is predicted that the global autonomous shipping industry could grow to a value of about $166 billion. The general manager of Japan Marine Science said that “[w]hen it comes to the automation of ships, our mission is to have Japan lead the rest of the world.” Japan is trying to position itself as the leader out of necessity: its workforce continues to shrink and age. For example, in Japan’s domestic tanker industry about 40 percent of crews are aged 55 or older. Further, based on estimates of the Nippon Foundation, autonomous ships (and the artificial intelligence that they use) will improve efficiencies enough to have a positive effect of about $9 billion on Japan’s economy in 2040. The use of autonomous ships also increases safety, since about 70 percent of maritime accidents result from human error.

The biggest challenge to the widespread use of this technology will be creating and implementing a regulatory environment and industry standards for autonomous shipping; even if the technology is ready and available, these regulatory hurdles could impact practical use in the near future.

In a second case against stalkerware apps and the first where the FTC has banned a company from doing business, the FTC announced on September 1, 2021, that it has “banned SpyFone and its CEO…from the surveillance business over allegations that the stalkerware app company secretly harvested and shared data on people’s physical movements, phone use, and online activities through a hidden device hack.”

According to the FTC’s press release, “The company’s apps sold real-time access to their secret surveillance, allowing stalkers and domestic abusers to stealthily track the potential targets of their violence. SpyFone’s lack of basic security also exposed device owners to hackers, identity thieves, and other cyber threats.”

The FTC has ordered SpyFone to delete any “illegally harvested information and notify device owners that the app had been secretly installed.”

To learn more about how spyware works and to protect yourself from it, see this consumer-friendly blog post by snoopza.

According to a report issued on August 24, 2021, by Unit 42 of Palo Alto Networks, Ransomware Groups to Watch: Emerging Threats, four emerging ransomware groups “are currently affecting organizations and show signs of having the potential to become more prevalent in the future.”

The four emerging groups identified by Unit 42 include:

AvosLocker, a Ransomware as a Service that arrived on the scene in June 2021 using a blue beetle logo for communications. According to Unit 42, AvosLocker “has low detection rates and is capable of handling large files,” and operates an extortion site with demands between $50,000 and $75,000. It is actively trying to recruit affiliates.

Hive Ransomware also started operating in June 2021 and “is double-extortion ransomware.” Hive “has already shown notable disregard for its victims’ welfare, attacking organizations including healthcare providers and mid-size organizations ill-equipped for managing a ransomware attack.” Twenty-eight victims have been listed on its leak site.

HelloKitty Linux Edition, a ransomware group that has existed since 2020, usually targets Windows systems, but in July 2021, Unit 42 found that HelloKitty has developed a Linux variant “targeting VMware’s ESXi hypervisor, which is widely used in cloud and on-premises data centers.”

LockBit 2.0 (aka ABCD ransomware), another Ransomware as a Service, has launched a marketing campaign to recruit new affiliates and “claims to offer the fastest encryption on the ransomware market.” It has listed 52 victims on its leak site.

Unit 42 confirms what we are seeing: as law enforcement takes the bad guys out of the picture one by one, new threat actors step into the void, and, as the report notes, “old groups can re-emerge and remain persistent threats.”

This week the Federal Communications Commission (FCC) proposed its highest financial penalty ever against a lobbyist and political consultant group, John M. Burkman, Jacob Alexander Wohl, and J.M. Burkman & Associates LLC (the Group), for allegedly making over 1,000 robocalls to voters without obtaining prior express consent as required by the Telephone Consumer Protection Act (TCPA). The FCC has proposed a $5,134,500 penalty for these calls.

The FCC was first made aware of these robocalls in September 2020. According to the FCC, the Group made these calls in August and September of last year, telling voters that if they vote by mail their “personal information will be part of a public database that will be used by police departments to track down old warrants and be used by credit card companies to collect outstanding debts.” The FCC also said that the messages identified Burkman and Wohl by name and listed Burkman’s personal cellphone number as the calling party on the recipients’ caller ID.

In 2019, the TCPA was amended by the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act so that the FCC no longer has to warn robocallers before their violations can be counted toward a proposed fine. The action against this Group is the first the FCC has taken against an entity under that amendment.

The FCC said that making these pre-recorded calls to voters without the consent of the individuals receiving them is a TCPA violation regardless of the content of the calls. The Group also faces pending litigation related to the same claims.

Yesterday (August 25, 2021), the Cybersecurity and Infrastructure Security Agency (CISA) issued a fact sheet offering suggestions to government agencies and private companies on how to prevent and respond to a ransomware attack.

The fact sheet, entitled Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches, provides organizations with tips to prevent and respond to ransomware. According to CISA, it “encourages organizations to adopt a heightened state of awareness and implement the recommendations listed in this fact sheet to reduce their risk to ransomware and protect sensitive and personal information.”

The fact sheet includes tips such as maintaining an offline, encrypted backup of data, developing an incident response plan, implementing auditing, regular scans and software updates, blocking phishing attempts, and practicing “good cyber hygiene.”

The guidance sets forth some examples of good cyber hygiene, including:

  1. Ensuring antivirus and anti-malware software and signatures are up to date.
  2. Implementing application allowlisting.
  3. Ensuring user and privileged accounts are limited through account use policies, user account control, and privileged account management.
  4. Employing MFA for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems.
  5. Implementing cybersecurity best practices from CISA’s Cyber Essentials and the CISA-MS-ISAC Joint Ransomware Guide.

The fact sheet also offers suggestions on the topics “Protecting Sensitive and Personal Information” and “Responding to Ransomware-Caused Data Breaches.”

Finally, it provides additional resources listed on the website. This is a free and valuable roadmap for organizations to read and consider using to prepare for and respond to a ransomware attack.

As a former Assistant Attorney General, I have a soft place in my heart for Attorneys General as consumer protection advocates. Most state AGs have the primary jurisdiction to enforce compliance with consumer protection laws in their states. Some are more aggressive than others, such as New Mexico Attorney General Hector Balderas, who recently sued Rovio Entertainment, the maker of Angry Birds, alleging that Rovio violated the Children’s Online Privacy Protection Act (COPPA) by collecting data on players under the age of 13 and disclosing it to advertisers.

According to Balderas’s allegations, Rovio monetizes children by collecting data while they are playing Angry Birds and uses the data for targeted advertising, also known as behavioral advertising.

Although the case is in its infancy, it is a reminder to parents, grandparents, and caretakers of children under the age of 13 that there are laws in place that require consent of parents or guardians of minors under the age of 13 for the collection of their data during their online activity. If you are a caretaker for a child under the age of 13, whether you are a parent or otherwise, it is important to keep track of the consents given in the past, or when you give consent for the child to use an online platform, such as a game. The consents are there as protections for children’s information and the use and sale of it. Laws such as COPPA have been enacted by Congress for the protection of children, but if parents and other caretakers are not paying attention and availing themselves of the protection, they may unwittingly fail to protect the child’s data.

Before giving consent for a child to use an online platform that collects, uses, or sells their data, read the online platform’s privacy policy to see what they are doing with the data. Do you agree with how they are sharing your child’s online activity data? Are they selling it?

If you have already given consent and your child uses an online platform frequently, go back and read the privacy policy to see if it has changed or if you still agree with it (or read it for the first time). Talk to your child about online activity and how their information is being collected, used and sold. Educate your child about the consequences of online activity.

Although AGs do their best to protect all of us as consumers, we can’t rely on them alone. We have to take responsibility to protect ourselves and our children from harm, including harm associated with online activity.