House Dems seek info about ICE spyware contract, wary of potential abuses

Three House Democrats questioned the Department of Homeland Security on Monday over a reported Immigration and Customs Enforcement contract with a spyware provider that they warn potentially “threatens Americans’ freedom of movement and freedom of speech.”

Their letter follows publication of a notice that ICE had lifted a stop-work order on a $2 million deal with Israeli spyware company Paragon Solutions, a contract that the Biden administration had frozen one year ago pending a review of its compliance with a spyware executive order.

Paragon is the maker of Graphite, and advertises it as having more safeguards than competitors that have received more public and legal scrutiny, such as NSO Group’s Pegasus, a claim researchers have challenged. A report earlier this year found suspected deployments of Graphite in countries across the globe, with targets including journalists and activists. WhatsApp also notified users this year about a Paragon-linked campaign targeting them. The tool can infect phones without its target having to click on any malicious lure, then mine data from them.

“Given the Trump Administration’s disregard for constitutional rights and civil liberties in pursuit of rapid mass deportation, we are seriously concerned that ICE will abuse Graphite software to target immigrants, people of color, and individuals who express opposition to ICE’s repeated attacks on the rule of law,” the three congressional Democrats, two of whom serve as ranking members of House Oversight and Government Reform subcommittees, wrote Monday.

The trio behind the letter are Reps. Summer Lee of Pennsylvania, top Democrat on the Subcommittee on Federal Law Enforcement; Ohio Rep. Shontel Brown, ranking member of the Subcommittee on Cybersecurity, Information Technology and Government Innovation; and Rep. Yassamin Ansari of Arizona.

Their letter pointed to two Supreme Court rulings — Riley v. California from 2014 and Carpenter v. United States from 2018 — that addressed warrantless surveillance of cellular data. “Allowing ICE to utilize spyware raises serious questions about whether ICE will respect Fourth Amendment protections against warrantless search and seizure for people residing in the U.S.,” the lawmakers wrote.

The trio also asked for communications and documents about ICE’s use of spyware, as well as legal discussions about ICE using spyware and its compliance with the 2023 Biden executive order. They also sought a list of data surveillance targets.

ICE’s surveillance tactics have long drawn attention, but they’ve come under closer scrutiny in the Trump administration, which has sought to vastly expand the agency. ICE has conducted raids that have often swept in U.S. citizens. Other federal contracting records have pointed to ICE’s intentions to develop a 24/7 social media surveillance regime.

DHS and ICE did not immediately answer requests for comment about the Democrats’ letter. ICE has not provided answers about the contract in other media inquiries.

404 Media is suing for information about the ICE contract.

The post House Dems seek info about ICE spyware contract, wary of potential abuses appeared first on CyberScoop.

Federal judiciary touts cybersecurity work in wake of latest major breach

Federal courts are upgrading their cybersecurity on a number of fronts, but multifactor authentication for the system that gives the public access to court data poses “unique challenges,” the Administrative Office of the United States Courts told Sen. Ron Wyden in a letter this week.

Wyden, D-Ore., wrote a scathing August letter to the Supreme Court in response to the latest major breach of the federal judiciary’s electronic case filing system. The director of the Administrative Office of the United States Courts responded on behalf of the Supreme Court.

It is “simply not the case” that the courts have, in the words of Wyden, “ignored” advice from experts on securing the Case Management/Electronic Case Files (CM/ECF) system, wrote Robert Conrad Jr., director of the office.

“Substantial planning for the modernization effort began in 2022, and we are now approaching the development and implementation phase of the project,” he wrote in the Sept. 30 letter. “We expect implementation will begin in the next two years in a modular and iterative manner.”

In recent years, the office has been testing technical components of its modernization effort, and is centralizing the operation of data standards to enable security, Conrad said.

Wyden took the office to task for not enabling phishing-resistant multifactor authentication (MFA). Conrad wrote that the office was in the process of rolling out MFA to the 5 million users of PACER, the public case data system.

“The Judiciary has unique challenges in implementing MFA due to the significant diversity of users,” he responded. “PACER users range from sophisticated, high-volume data aggregators and well-resourced law firms to journalists and ordinary citizens, to indigent litigants. All PACER users need access to court records, but some do not have traditional forms of MFA they can use. The design and implementation of our MFA implementation requires consideration of these unique needs.”

Wyden also took issue with the lack of public explanations about the series of court breaches. Conrad wrote that the breaches are “sensitive from both a law enforcement and national security perspective,” and need to be kept confidential, but noted that the courts have briefed congressional Judiciary, Appropriations and Intelligence committees on a classified basis.

“Even after back-to-back catastrophic hacks of the federal court system, Chief Justice [John Roberts] continues to stonewall Congress and cover up the judiciary’s gross negligence that has enabled these hacks,” Wyden said in response to the Conrad letter. “It is long past time for the courts to follow the same minimum cybersecurity standards as the executive branch, but since Chief Justice Roberts and the Judicial Conference refuse to set such requirements, Congress must step in and legislate.”

Court Watch was the first to report on the contents of the letter.

Supreme Court blocks FTC commissioner Slaughter’s reinstatement

Rebecca Slaughter’s return-to-work orders have been put on hold for the second time this year, after the U.S. Supreme Court stepped in to block a lower court ruling that ordered her reinstatement at the Federal Trade Commission.

Last week a lower court ruled that Slaughter had been illegally fired by President Donald Trump, citing a 90-year-old Supreme Court precedent upholding the FTC’s independence from the executive branch and preventing presidents from firing commissioners for political reasons.

On Monday, Chief Justice John Roberts halted that order while the Supreme Court considers the case. Roberts provided no explanation for the Supreme Court’s reversal, but ordered the parties in the case to respond by Sept. 15.

Slaughter, who has remained vocal on FTC business and last week expressed her eagerness to return, has been through this once already. Earlier this year, she was briefly reinstated to the FTC by a lower court, only to have that order reversed by another court days later.

Alvaro Bedoya, the other Democratic FTC commissioner Trump purported to fire, has since resigned due to the financial difficulties tied to fighting his dismissal. He described the fight as a lose-lose situation: He is no longer receiving a federal salary as commissioner, and is also prohibited by conflict-of-interest rules from accepting other employment in the meantime.

Bedoya has said that beyond the immediate fates of their jobs, the commissioners are ultimately fighting for an FTC that they believe works in the best interests of the public and is supported by Supreme Court precedent. He has argued the agency — which regulates and enforces against unfair or deceptive business practices, technology, data privacy and other issues — must be insulated from political pressure.

In an online post last week, Slaughter said her top priority was reinstating the FTC’s Click to Cancel rule, a Biden-era regulation that would have forced companies to provide a simple and straightforward means to cancel their paid subscriptions.

Roberts’ order does not specify how the Supreme Court intends to rule on the case. Legal experts and former FTC officials have said it’s no secret that the Trump administration is looking for the court’s conservative majority to overturn Humphrey’s Executor v. the United States, which was unanimously upheld by the Supreme Court in 1935.

The high court’s decision this week to reverse the D.C. District Court of Appeals ruling is also notable because the court voted 2-1 that Slaughter — not the government — deserved the benefit of the doubt while the case was being adjudicated, citing unambiguously clear and binding legal precedent that had not yet been overturned.

That the Supreme Court overturned it anyway suggests they may agree with D.C. Appeals court Judge Neomi Rao, who wrote in her dissent that forcing FTC staff to acknowledge Slaughter’s legitimacy in the face of presidential orders “directly interferes with the President’s supervision of the Executive Branch and therefore goes beyond the power of the federal courts.”

If the Supreme Court does ultimately side with the administration, it would track with what observers such as Berin Szóka, a technology lawyer and president of the think tank TechFreedom, predicted earlier this year. Szóka, who has supported Slaughter and Bedoya’s efforts, wrote in March that “the fired Democratic FTC Commissioners may win early battles in their lawsuits but, in all likelihood, will ultimately lose at the Supreme Court — unfortunately.”

Roberts and the Supreme Court’s conservative majority have “made clear it will not apply Humphrey’s, if it remains good law at all, to today’s more powerful FTC,” Szóka wrote.

Court rules ‘fired’ FTC commissioners be reinstated — again

For the second time, a court has ruled that President Donald Trump’s attempted firing of Federal Trade Commission members Rebecca Slaughter and Alvaro Bedoya was illegal and ordered the agency to reinstate the commissioners.

By law, the FTC governs by a bipartisan 3-2 split, with the president’s party getting an extra seat and controlling the chair. But earlier this year, Trump attempted to fire just Bedoya and Slaughter, leaving only Republican-appointed members on the commission.

A district court temporarily reinstated Slaughter but that decision was reversed in another court ruling just days later. Bedoya eventually resigned his position, citing financial difficulties.

Now, the District Court of Appeals for the District of Columbia has ruled 2-1 that the attempted firings ran afoul of the law, this time saying the government was likely to lose its case on the merits.

In their opinion, Judges Cornelia Pillard and Patricia Millett specifically cited the precedent set by the Supreme Court in Humphrey’s Executor v. United States, a 1935 case in which justices unanimously ruled that FTC commissioners could only be fired for specific cause.

That precedent, the judges wrote, remains the law of the land until the Supreme Court says otherwise.

“The government has no likelihood of success on appeal given controlling and directly on point Supreme Court precedent,” Pillard and Millett wrote. “Specifically, ninety years ago, a unanimous Supreme Court upheld the constitutionality of the Federal Trade Commission Act’s for-cause removal protection for Federal Trade Commissioners.”

After Trump’s attempted firings in March, Slaughter and Bedoya quickly challenged the legality of the move in court, saying they were fired “not because they were inefficient, neglectful of their duties, or engaged in malfeasance, but simply because their ‘continued service on the FTC is’ supposedly ‘inconsistent with [his] Administration’s priorities.’”

While Humphrey’s Executor remains the law of the land, the administration and some former officials have argued that the FTC now plays a far more important policy role in the executive branch than it did in 1935, when the court cited the “quasi-legislative” and “quasi-judicial” functions of the agency.

The current Supreme Court, they argue, does not share the same views, pointing to a 2020 case where the court majority suggested that the conclusions about the FTC’s role in Humphrey’s Executor “has not withstood the test of time.”

“No administration until now has wanted to push the limits on that but the current administration has made clear they think it’s wrongly decided,” one former FTC official, who requested anonymity to speak candidly, told CyberScoop in March.

The DC District Court of Appeals said the government “acknowledges that Humphrey’s Executor ‘remains binding on this Court’” but argues that the court should disregard that precedent.

“Over the ensuing decades — and fully informed of the substantial executive power exercised by the Commission — the Supreme Court has repeatedly and expressly left Humphrey’s Executor in place, and so precluded Presidents from removing Commissioners at will,” Pillard and Millett wrote.

Millett and Pillard argued that the FTC in 1935 had the same core authorities and mission as it does today: to promulgate rules and regulations, investigate violations of federal law, issue subpoenas and enforce against violations.

The “present-day Commission exercises the same powers that the Court understood it to have in 1935 when Humphrey’s Executor was decided,” they added, and “bucking such precedent is not within this court’s job description.”

The D.C. District Court likely won’t have the last word. The administration continues to appeal and most observers expect the matter to ultimately reach the Supreme Court. In the meantime, Slaughter said she intends to return to her job this week.

“Amid the efforts by the Trump admin to illegally abolish independent agencies, [including] the Federal Reserve, I’m glad the court has recognized that he is not above the law,” Slaughter wrote on X Tuesday after the decision. “I’m eager to get back first thing tomorrow to the work I was entrusted to do on behalf of the American people.”

In a dissent, Judge Neomi Rao referred to the FTC as a “so-called independent agency” and disagreed with the court majority, saying she believed the government would ultimately prevail on the merits.

The circuit court “need not definitively determine whether Slaughter’s removal was lawful” because in previous cases this year where officials fired by the president were reinstated by courts, the Supreme Court has intervened on the administration’s behalf — at least while the cases are winding through the court system.

By forcing FTC staff to ignore the president’s directive and treat Slaughter as commissioner in good standing, the district court’s decision “directly interferes with the President’s supervision of the Executive Branch and therefore goes beyond the power of the federal courts,” Rao wrote.

Blistering Wyden letter seeks review of federal court cybersecurity, citing ‘incompetence,’ ‘negligence’

Sen. Ron Wyden on Monday urged Supreme Court Chief Justice John Roberts to seek an independent review of federal court cybersecurity following the latest major hack, accusing the judiciary of “incompetence” and “covering up” its “negligence” over digital defenses.

Wyden, D-Ore., wrote his letter in response to news this month that hackers had reportedly breached and stolen sealed case data from federal district courts dating back to at least July, exploiting vulnerabilities left unfixed for five years. Alleged Russian hackers were behind both the attack and another past major intrusion, and may have lurked in the systems for years.

“The federal judiciary’s current approach to information technology is a severe threat to our national security,” Wyden said. “The courts have been entrusted with some of our nation’s most confidential and sensitive information, including national security documents that could reveal sources and methods to our adversaries, and sealed criminal charging and investigative documents that could enable suspects to flee from justice or target witnesses. Yet, you continue to refuse to require the federal courts to meet mandatory cybersecurity requirements and allow them to routinely ignore basic cybersecurity best practices.”

That, Wyden said, means someone from the outside must conduct a review, naming the National Academy of Sciences as the organization Roberts should choose.

The Administrative Office of the U.S. Courts said on Aug. 7 that it was taking steps to improve cybersecurity “in response to recent escalated cyberattacks of a sophisticated and persistent nature on its case management system,” but was vague about specific changes. In that statement the office touted its collaboration with Congress and federal agencies about cyber defenses.

But Wyden said in his letter the judiciary “stonewalls” congressional oversight. He cited another intrusion in 2020 by “three hostile foreign actors,” revealed by then-House Judiciary Chair Jerrold Nadler, D-N.Y., about which Wyden said the judiciary still hasn’t explained what happened.

“There is no legitimate need to keep Congress or the public in the dark about that incident so many years later,” Wyden wrote. “I strongly suspect that the judiciary is covering up its own negligence and incompetence which resulted in the security vulnerabilities that the hackers exploited.”

Wyden especially faulted the courts for their slow adoption of, and under-reliance on, strong multifactor authentication, saying the variety the judiciary adopted was not phishing-resistant.

“The glacial speed with which the federal judiciary adopted this inferior cyberdefense, years after government agencies and businesses have migrated to superior solutions, highlights the fact that the judiciary’s cybersecurity problems are not technical, but rather, are the result of incompetence and the total absence of accountability,” he said.

The press office for the Supreme Court did not immediately respond to a request for comment on Wyden’s letter.

Court upholds FCC data breach reporting rules on telecom sector

A federal court has upheld the Federal Communications Commission’s authority to impose stricter data breach notification regulations on the telecom sector, including requirements that the industry notify customers when their personally identifiable information is exposed in a hack.

In a 2-1 decision, the U.S. Sixth Circuit Court of Appeals concluded that the FCC did not overstep its statutory authority last year when it updated existing data breach notification requirements to require telecoms to report on any customer PII lost during a data breach.

In its opinion, the majority wrote that “based on the statutory text, context, and structure, [existing law] gives the FCC the authority to impose reporting requirements in the event of a data breach of customer PII.”

In 2024, the FCC under the Biden administration updated the federal regulations governing how the telecom sector reports the impact of a data breach.

Under previous rules, telecoms were only required to report to the government when a breach exposed customer proprietary network information, which includes any customer information concerning the quantity, technical configuration, type, destination, location and amount of use of a telecommunication service.

The 2024 order concluded that telecoms are also responsible for safeguarding customer PII — a customer’s name, address, date of birth, etc. — along with “any information that is linked or reasonably linkable to an individual or device.”

The expanded regulations were quickly challenged in court by trade groups representing telecommunications firms, including the Ohio Telecom Association, the Texas Association of Business and USTelecom.

In a consolidated case before the Sixth Circuit, the groups argued that the FCC lacked authority under the two laws they cited to include customer PII in data breach reporting requirements. They further argued that the 2024 order violated the Congressional Review Act, as Congress had formally moved to block a larger set of FCC Net Neutrality rules in 2016 that included a similar section on data breach notification.

In its decision, the court’s majority disagreed with the telecom group’s argument that the FCC lacked the legal power to regulate poor data privacy practices or to make rules that go beyond information specified by Congress in the Communications Act.

Instead, the court concluded that Congress clearly intended for the federal government, and specifically the FCC, to regulate telecoms’ data privacy. Laws like the Federal Trade Commission Act not only give the FTC similar authority to regulate inadequate data privacy in other industries, they also specifically exempt telecommunications carriers because that industry’s data privacy regulation falls under FCC jurisdiction.

“Contrary to Petitioners’ assertions, this is not a situation in which an agency has ‘claim[ed] to discover in a long-extant statute an unheralded power to regulate “a significant portion of the American economy,”’” the majority wrote. “Rather, it is part of the FCC’s longstanding, flexible, and incremental application of [existing law] to data regulation in the evolving environment of data collection and retention.”

Former FCC officials and legal experts told CyberScoop that while the ultimate fate of the regulation is still uncertain, the Sixth Circuit’s decision is a clear win for the agency’s authority to regulate cybersecurity and data privacy.

In an interview with CyberScoop, Loyaan Egal, former chief of the FCC’s enforcement bureau, said he believes “most people thought this new expansion of data breach notification requirements was more than likely probably going to be rejected by the court, and surprisingly it wasn’t.”

Telecom groups could appeal the ruling to the Supreme Court. Current FCC Chair Brendan Carr was one of two commissioners to vote against the data breach notification rules last year. However, after taking the gavel this year, Carr has not moved to rescind the rules, and the FCC continues to vigorously defend their validity in court.

Over the past year, policymakers have been dealing with fallout from Chinese hackers that have systematically compromised U.S. telecommunications infrastructure.

Several sources told CyberScoop that the emergence of the Salt Typhoon and Volt Typhoon campaigns over the past year, as well as the revelation that hacking groups maintained access to telecom networks by exploiting widespread cybersecurity vulnerabilities, may have upended attempts to kill cybersecurity-related regulations like the FCC data breach rules.

Rick Halm, a cybersecurity attorney at law firm Clark Hill, said the FCC’s authority to regulate cybersecurity and data privacy has to be viewed through the lens of the persistent threats the sector is facing from hackers and foreign spies.

“I see this ruling against the backdrop of the looming national cybersecurity threat of Chinese infiltration of critical infrastructure in preparation to inflict damage if an actual conflict erupts,” Halm said.

Chevron’s dead, but cybersecurity regulations live on

In reaching its conclusion, the court cited Loper Bright Enterprises v. Raimondo — a 2024 Supreme Court case holding that courts, not federal agencies, have the authority to interpret congressional laws — at least 15 times.

When the Supreme Court ended the practice of automatically deferring to agencies’ interpretations of laws, many worried the shift could jeopardize the legality of cybersecurity regulations. That’s because many rules, like the FCC’s data breach regulations, depend on applying old laws to new technologies, which might not meet stricter legal scrutiny.

But in this instance, the Sixth Circuit used its independent authority to agree with the FCC: regulating how firms handle and protect PII is a core part of the agency’s responsibilities.

Peter Hyun, a former chief of staff and acting enforcement chief at the FCC, told CyberScoop that “as a substantive matter, this was a clear signal that the FCC did not overreach here.”

“In other words it is in its rightful lane, looking at the practices of these telecom carriers in order to ensure they were protecting customer information and PII,” he said.

However, other observers think future cybersecurity regulations will now face tougher standards.

“I think that this opinion is a warning shot to both the FCC and other federal agencies that you better be able to firmly tie any data privacy or cybersecurity rules directly to a clear statutory premise,” Halm said.

The court also determined that the agency did not violate the Congressional Review Act by proposing “substantially similar” regulation to data privacy regulations that had been formally blocked by Congress in 2016.

While the blocked 2016 order did include similar data breach notification requirements, the court determined it was “far more expansive, imposing a broad array of privacy rules on broadband Internet access services” than the FCC’s 2024 rule.

“The data breach notification requirements were a mere subset of the broader compendium of privacy rules in [the 2016] Order,” the majority wrote. “The 2024 Order, by contrast, addresses only data breach reporting requirements. The two rules are not substantially the same.”

The Sixth Circuit’s ruling appears to reaffirm “a narrower reading of the CRA than some companies would have liked,” Cobun Zweifel-Keegan, managing director at the International Association of Privacy Professionals, told CyberScoop.

The majority’s conclusion earned a rebuke from Judge Richard Griffin, who wrote in his dissent that “our interpretation of the [Congressional Review Act] ought to elevate the will of Congress over that of an administrative agency.”
