InsideSources

Digital rights advocates asked the U.S. Supreme Court Thursday to review the case of an American convicted with evidence gathered under FISA Section 702 — warrantless National Security Agency surveillance authority meant to spy on foreign nationals.

Privacy and digital rights groups including the Electronic Frontier Foundation (EFF) filed a petition Thursday with the nation’s highest court seeking review of the case of Mohammed Mohamud, an American citizen who was charged in 2012 with planning to car-bomb a Christmas tree lighting ceremony in Portland, Oregon. Information used to prosecute Mohamud was gathered using Section 702 of the 2008 Foreign Intelligence Surveillance Amendments Act.

Section 702 authorizes NSA to tap the physical infrastructure of internet service providers, like fiber connections, to intercept foreign emails, instant messages, and other communications belonging to foreign nationals as they exit and enter the U.S. But according to NSA, the program also “incidentally” sweeps up the communications of Americans corresponding with, and until recently, merely even mentioning foreign targets.

NSA is legally barred from searching through Americans’ communications without a warrant, but that wasn’t the case with Mohamud. His emails were intercepted specifically by a program dubbed PRISM, the existence of which was leaked to the press by former NSA contractor Edward Snowden in 2013. PRISM gives NSA access to communications transmitted over internet edge services like Google, Yahoo, or Facebook.

Mohamud learned after his conviction that his emails were gathered under Section 702 and sought to suppress the evidence, arguing its gathering violated his Fourth Amendment rights against search and seizure without a warrant. The U.S. Court of Appeals for the Ninth Circuit noted the government’s conduct was “quite aggressive at times” but upheld the search, a move EFF, the Center for Democracy and Technology and New America’s Open Technology Institute call “dangerous and unprecedented.”

“The ruling provides an end-run around the Fourth Amendment, converting sweeping warrantless surveillance directed at foreigners into a tool for spying on Americans,” Mark Rumold, a staff attorney for EFF, said Thursday. “Section 702 is unlike any surveillance law in our country’s history, it is unconstitutional, and the Supreme Court should take this case to put a stop to this surveillance.”

The groups add weight to a Supreme Court petition filed by Mohamud’s attorneys in July, and join a long list of battles from the courts to Congress over the legality of Section 702. Wikimedia and the ACLU are suing the government over the use of Section 702 in the Fourth Circuit Court of Appeals, and Congress has held several hearings this year to debate the law’s renewal ahead of its expiration at the end of December.

Section 702 is at the heart of a dispute between Oregon Democratic Sen. Ron Wyden and Director of National Intelligence Dan Coats, the nation’s top spy chief. Wyden has pressed Coats and his predecessor to provide an estimate of the number of Americans incidentally swept up in Section 702 that both claim is impossible to produce. The senator has further suggested the authority could be used to warrantlessly target Americans directly.

Congress’s concerns over Section 702 have become a point of rare bipartisanship for some. Kentucky Republican Sen. Rand Paul has fought alongside Wyden to peel back the curtain on Section 702. South Carolina Republican Sen. Lindsay Graham is grilling intelligence officials for information about what Section 702 gathers on lawmakers and other members of government, and if those intercepts can and are used to politically target government officials like former National Security Adviser Michael Flynn.

In testimony to Congress intelligence chiefs including NSA Director Mike Rogers have admitted Section 702 programs have a history of compliance issues, some highlighted by the Foreign Intelligence Surveillance Court, which approves more than 99 percent of the government’s secret surveillance requests.

The typically intel-friendly court chastised the government for an “institutional lack of candor” on a “very serious Fourth Amendment issue.” One such opinion said NSA has engaged in “significant overcollection . . . including the content of communications of non-target U.S. persons and persons in the U.S.”

As a result, NSA in April suspended a Section 702 practice known as “about” collection — when NSA sweeps up American emails and text messages exchanged with overseas users that simply mention search terms — like an email address belonging to a target — but isn’t to or from a target.

The agency recently told Congress it’s working on a technical solution to reengage about collection.

All of the pushback comes as intelligence leaders pressure Congress not just to renew Section 702 but implement it permanently. Top Republicans and Democrats have endorsed the idea, including Senate Majority Whip John Cornyn of Texas and Intelligence Committee Ranking Member Dianne Feinstein of California.

In a recent interview, Snowden said using Section 702 to surveil Americans requires the agency to engage in little more than “word games.” Privacy advocates suspect the loophole created by Section 702 likely amounts to millions or even hundreds of millions of warrantless interceptions belonging to Americans.

Follow Giuseppe on Twitter

A complaint filed at the Federal Communications Commission could make it difficult for law enforcement to use cell-site simulators, also known as Stingrays, to conduct widespread cellphone surveillance.

The complaint filed in August alleges the devices, designed to masquerade as cell towers and connect to cellphones in range to collect call, text, photo, location and other data, interfere with emergency calls and are racially discriminatory.

Civil rights groups including New America Foundation’s Open Technology Institute, Center for Media Justice and Color of Change filed the complaint in response to Baltimore police’s admission in court they’ve used Stingrays for years without first obtaining search warrants, as a Maryland court later deemed necessary.

Laura Moy, director of the Georgetown Law Center on Privacy and Technology, filed the complaint on behalf of the groups, which describes the use of Stingrays as a breach of the Communications Act.

“The basis of our complaint is that police departments operating these devices are operating them without the appropriate license to use the licensed spectrum over which the device transmits,” Moy said during a panel discussion Wednesday.

Using the unauthorized device on airwaves licensed by the FCC to a wireless carrier technically gives the agency authority to take enforcement action against police.

“As far as we know,” Moy continued, “there are no police departments that are operating these devices, these fake cellphone towers, who have licenses to transmit in that licensed spectrum that has already been licensed to phone carriers.”

Stingrays, originally developed for counterterrorism purposes, have seen increasing use across the country for routine police work with little oversight. Departments must enter into non-disclosure agreements with the FBI in order to obtain Stingrays and the federal government routinely evades testifying on their operation and use as a matter of policy, citing national security. Federal officials have forced states to drop criminal cases to avoid disclosing Stingray-related evidence and in one case ordered U.S. Marshals to physically seize such documents before they could go to court.

The FCC complaint accuses police using Stingrays of violating two provisions of the Communications Act by operating on licensed spectrum without authorization and willfully interfering with the operation of a network.

Though the nature of the secrecy surrounding the devices makes the level of interference hard to determine, Moy said police testimony in court has revealed Stingrays can cause calls to drop, make it impossible to complete calls and drain batteries faster.

Moy said disproportionate policing in communities of color like Baltimore, where the complaint is based, means “any harms caused by the use of the devices are occurring disproportionately in communities of color.”

The complaint is sitting in “limbo” as a result of the presidential transition, according to Moy. Complaint filers had meetings at various offices of the agency last year, and though Moy isn’t sure of the complaint’s future, she’s hopeful the agency’s new Republican leadership may be inclined to take action.

“We’re hopeful though that the new FCC will take a hard look at this issue, particularly given some of the Republican commissioners’ statements on their interest in privacy and security,” Moy said.

She added the information phone carriers collect from subscribers is also protected under the Communications Act. Rules regarding the protection of that information, known as Customer Proprietary Network Information (CPNI) rules, were part of the basis for new rules passed by the FCC in October to limit internet provider collection of subscriber data without customer permission.

Both Republican commissioners on the FCC voted against those rules based on the notion they unfairly benefit the content provider side of the market, which has no such restrictions. Civil rights groups like those who filed the complaint support the rules.

Republican commissioners have also indicated a desire to leave areas like security in cyber to agencies with a more clearly defined role, and the Trump administration is reportedly looking to steer the FCC largely away from consumer protection. It’s unclear how Republicans, in their new majority at the FCC, will look upon the complaint.

House Oversight Committee Chairman Jason Chaffetz reintroduced two bills Wednesday to limit police use of Stingrays by requiring law enforcement to obtain warrants to use the devices and geolocation data collected by them in secret.

Follow Giuseppe on Twitter

Subscribe for the Latest From InsideSources Every Morning

Net neutrality advocates came out in force Thursday to stump for the Federal Communications Commission’s proposed privacy rules for internet providers, including several with ties to FCC Chairman Tom Wheeler’s office, who urged the agency to vote on adoption next week.

Public Knowledge (PK), an advocacy organization that helped lead the push for the FCC’s net neutrality rules adopted last year, hosted the press call alongside representatives from the Consumer Federation of America (CFA) and New America’s Open Technology Institute (OTI), consumer protection and tech policy organizations with a link to FCC leadership through Gigi Sohn, who found and led Public Knowledge as its president and CEO before becoming a counselor in Wheeler’s office in 2013.

Those on the call pushed back against critics of the rules calling for the FCC to copy the Federal Trade Commission’s privacy rules for web services like Google and Facebook, which require users to opt-in to collection of sensitive data like Social Security numbers, financial and medical information, but only opt-out for other less-sensitive information gathered for product improvement and targeted advertising.

The FCC rules require broadband connection providers like Verizon and Comcast to get opt-in consent before collecting almost all information from consumers, though changes to the proposal last month did establish tiers of sensitivity for opt-in and opt-out consent — a concession to opponents those on the call criticized.

“Rather than assuming information is not sensitive unless it is, we think we should assume communication information is sensitive, unless it’s not,” Laura Moy, a fellow at OTI, told reporters. Moy previously worked as a staff attorney at PK.

Moy said while the FTC rules are beholden to other standards, the law backing the FCC rules — set down in Communications Act authority that gives the agency power to regulate how public utilities (only telephone companies until net neutrality reclassified internet providers) collect and use Customer Proprietary Network Information (information needed to provide service including who customers call and when) — have no requirements for tiers of sensitivity.

Providers argue the FCC’s blanket opt-in requirement to track browsing history and app usage, even when they don’t include sensitive data, will unfairly burden their ability to market new services and products to consumers based on their preferences — restrictions edge providers like Google, regulated by the FTC, don’t have.

“Our advocacy on this issue has been that all of it is sensitive,” Moy said, describing how seemingly innocuous metadata can be compiled over a broad view (which some argue providers have, though experts dispute this point) to create a detailed profile on a subscriber.

“We’re really troubled by the fact the FCC seems to have gone in this direction because we don’t think it makes any sense that there is going to be a distinction,”  said Susan Grant, privacy lead for CFA — where Sohn’s replacement at PK, Gene Kimmelman, served as legislative director.

“Things that are considered not sensitive I hope we wouldn’t be able to even fill a handful with, and that [they] would be construed very, very narrowly,” Grant said.

Joining advocates was Massachusetts Democrat Sen. Ed Markey, who sits on the Senate Commerce, Science and Transportation Committee charged with overseeing the regulator.

“Every click Americans make online paints a detailed picture of their lives,” said Markey, who’s lobbied the agency on other high-profile proposals like the recently stalled vote to mandate cable providers get rid of set-top boxes in favor of free apps.

Markey likened an internet provider’s ability to track subscriber browsing habits to Russia’s recent hack of the Democratic National Committee and the presidential campaign of Democratic nominee Hillary Clinton, saying it was the government’s job to ensure no one compromises Americans’ privacy.

The senator put on public display his own admiration for Sohn during the 2011 Public Knowledge Roast, where he literally sang her praises.

“Gigi is a public media powerhouse who packs more telecom punch per pound than any other human being on the planet,” Markey said. “Gigi relentlessly battles against media consolidation by the world’s communications colossi, but in fact, Gigi is the smartest human to terrorize a giant since David hit Goliath on the forehead.”

Wheeler scheduled a vote on the privacy proposal for the FCC’s open meeting Oct. 27.

Follow Giuseppe on Twitter

Wireless lobbyists and consumer groups, recently at odds over the Federal Communications Commission’s net neutrality rules, have joined forces to push the FCC to approve sharing airwaves for 5G networks.

The Competitive Carriers Association, which includes T-Mobile among its members, and CTIA, whose members include AT&T and Verizon, filed comments with the FCC alongside digital consumer advocacy groups Public Knowledge and New America’s Open Technology Institute this summer urging the commission to approve a request by Ligado Networks to share spectrum used by GPS devices to roll out a 5G cell network.

“[T]he commission should initiate a rulemaking to consider making the 1675-1680 MHz band available via auction for shared commercial use, and to adopt associated service and auction rules,” CTIA said in comments to the FCC. “Repurposing this band for shared commercial use is one more step the commission can take to help accommodate the explosive growth in demand for mobile broadband.”

Public Knowledge and New America said the proposal would bring more competition to the wireless market — a win for consumers.

“In a mobile broadband marketplace which has continued to consolidate over the intervening years, the public interest benefits of additional competition, whether wholesale or direct to consumers, are more palpable than ever,” both groups told the FCC in a joint filing. “[P]ublic interest advocates have explained that additional competition in the mobile broadband space would enable a new ecosystem of hardware, software, and applications, bring much needed competition to a relatively uncompetitive marketplace, and foster the potential for innovation, increased consumer welfare, and job creation.”

Ligado asked the FCC in May to use 40 megahertz of its spectrum to launch a ground-based wireless network, which it would combine with its satellite-based communications system to launch a 5G cellular network.

“By deploying 40 megahertz of smart capacity on midband spectrum, we can create a model of at least a partial 5G network — a next-generation, hybrid satellite-terrestrial network — that will enable 5G use cases and mobile applications that require ultra-reliable, highly secure and pervasive connectivity,” Ligado president and CEO Doug Smith wrote in a May blog post.

Ligado operates a satellite communications network for emergency response, remote monitoring and “other mission-critical applications” for government and industry clients. The company is asking the FCC to modify some licenses of its mid-band spectrum in the 1.6 gigahertz band, near frequencies used by GPS devices, for shared use.

While cellular networks typically operate on low-band spectrum where it’s easiest for signals to travel far distances, carriers expect to run out of much of that spectrum in the next five years as more Americans adopt smartphones to use bandwidth-heavy applications like video streaming.

To keep up with demand carriers including AT&T, Verizon and others are already working on technology to make use of mid and high-band spectrum, where signals weaken, and where carriers plan to use new technology to harness the upper bands to send communications that only have to travel shorter distances.

Though the FCC approved a plan in August to help carriers deploy 5G networks 10 to 100 times faster than today’s 4G LTE, the agency previously denied a similar request by Ligado predecessor LightSquared to launch a 4G service with Sprint, citing concerns it would interfere with GPS devices that operate in the middle bands.

The denial sent LightSquared into bankruptcy in 2012, from which it emerged late last year. In December the company said it successfully worked out shared use agreements with GPS providers Garmin, Trimble Navigation and Deere & Co. to dispel any fears of interference, and that could eventually free up more than 50 MHz of spectrum for cellular use.

The company rebranded itself as Ligado in February. In its new plan pitched to the FCC in May, the company assured the Federal Aviation Administration it would maintain power levels that won’t interfere with air traffic. Ligado also said it would support an FCC auction of spectrum adjacent to its mid-band spectrum, under the condition the winning bidder pays for “high-speed Internet access and cloud-based distribution of weather data” for academics and non-profits, and that it address interference concerns expressed by the National Oceanic and Atmospheric Administration. NOAA transmits data in the middle bands.

“While moving this spectrum forward toward the future, Ligado will also ensure that its current users, both licensed and those ‘listening in,’ are not harmed,” Ligado told the FCC in August. “If Ligado prevails at auction, it will meet all FCC requirements imposed on the licensee in connection with the band, will ensure that NOAA’s operations are protected, and will make sure that non-NOAA users continue to enjoy access to the NOAA data they currently use.”

FCC Chairman Tom Wheeler’s 5G plan adopted in July asks for additional comments on approving the use of more high-band spectrum and spectrum sharing.

Follow Giuseppe on Twitter

The Federal Communications Commission fined Verizon Wireless $1.35 million Monday for tracking wireless customers Web browsing habits with technology left available to third-party advertisers without consumers’ knowledge or consent.

The agency’s settlement with the carrier concludes an FCC Enforcement Bureau investigation launched in December 2014 to examine Verizon’s use of so-called “supercookies,” or permanent identifiers installed in its devices to track customers as they surf from site to site.

Verizon used the unique and undeletable identifiers to more effectively deploy targeted advertising to consumers and left the tool open to use by a third party advertising partner. The headers — inextricably tied to a users’ individual devices — differ from traditional cookies, which can be deleted.

According to the investigation Verizon introduced the identifiers as early as December 2012 but failed to disclose the practice until October 2014.

After the disclosure Verizon said third-party advertisers were unlikely to use the supercookies to build consumer profiles until it was revealed last January a Verizon third-party advertising partner discovered the identifiers and used them to restore cookies intentionally deleted by customers from their devices, “in effect overriding customers’ privacy choices,” the agency said in a statement Monday.

Verizon acknowledged the issue but didn’t update its privacy policy or offer customers the choice of opting out until March 2015.

In addition to paying the $1 million-plus fine Verizon ongoing will have to inform customers about the presence of the supercookies on their devices and seek their consent before tracking their data or let them opt out of tracking altogether.

“Consumers care about privacy and should have a say in how their personal information is used, especially when it comes to who knows what they’re doing online,” FCC Enforcement Bureau Chief Travis LeBlanc said Monday.

“Privacy and innovation are not incompatible,” he continued. “This agreement shows that companies can offer meaningful transparency and consumer choice while at the same time continuing to innovate. I would like to acknowledge Verizon Wireless’s cooperation during the course of this investigation and its willingness to make changes to its practices for the benefit of its customers.”

In a press release the agency cited Communications Act Section 222 as the basis for its action — the same legislation the agency described as the basis for upcoming privacy regulations to govern the use of consumer data by Internet service providers including Verizon, AT&T, Comcast, Cox and Time Warner Cable, which could be announced as soon as this month.

Section 222 gives the FCC authority over how common carriers like telephone networks use customer proprietary network information — personal data on customers carriers retain due to the nature of their relationship in facilitating private communications.

When the FCC reclassified ISPs as common carriers as part of its net neutrality rulemaking last year, it forbore from applying Section 222 to ISPs, describing the rules as too telephone centric, and opted instead to draft new privacy rules for broadband later.

A panel of experts challenged the FCC’s wisdom and legal ability to implement such rules last week, suggesting new technology like virtual private networks and encryption block much of the data ISPs can see already and that the FCC should follow the FTC’s example with flexible standards and case-by-case enforcement.

A group of privacy, civil liberties and net neutrality advocates including the American Civil Liberties Union, Public Knowledge and New America’s Open Technology Institute challenged those claims and called for new rules in a letter to FCC Chairman Tom Wheeler Monday.

“Regardless of encryption, ISPs still receive data related to the frequency, timing, location, and volume of a user’s Internet access,” the letter reads. “This information can reveal intimate details about the subscriber, such as when a user has recently become employed or given birth to a child.”

“Moreover, many Internet users do not even know what VPNs are, much less how to use them. Consumers should not be forced to pay for extra precautions to protect their privacy.”

The dozen groups said ISPs engage in prolific data mining as part of business practices aimed at monetizing consumers personal information, and that the FTC’s approach — making companies disclose their practices via lengthy and legal language-heavy user privacy agreements, and case-by-case enforcement — isn’t enough.

“Research shows that consumers rarely read privacy policies; when they do, these complex legal documents are difficult to understand,” the groups wrote. “Moreover, emphasizing notice or disclosure favors the interests of businesses over consumers and fails to establish meaningful privacy safeguards.”

During a speech last Thursday FCC Wireline Competition Bureau Chief Matthew DelNero said the the move is backed by years of regulatory agency precedent, including at the FCC, and pointed to three chief areas the rules will address — “transparency, choice and data security.”

Follow Giuseppe on Twitter

Obama administration officials met in Washington Thursday to lay out President Obama’s new proposals for boosting private and public sector cybersecurity, including improving the Department of Homeland Security’s Einstein automatic threat detection system — a program one official said is based on quarter-century old technology.

“I came to government from a career in the private sector about two-and-a-half years ago, and the first thing they said to me when I got in was, ‘You’re a scientist, look at this Einstein thing, and tell us about it — and by the way, the technology’s 10 years old,'” DHS’s chief cyber official Dr. Phyllis Schneck told a New America Foundation Open Technology Institute panel Thursday.

In 2003 DHS rolled out the first iteration of Einstein, which automatically detects and prevents cyber intrusions. Since then, the program has been repeatedly criticized by officials and experts in and out of government as outdated and over budget.

“It basically blocks things that it knows are bad,” said Schneck, who serves as deputy undersecretary for cybersecurity and communications for the National Protection and Programs Directorate. “That technology, as I sat down and told folks later, is not 10 years old. And they looked at me and got ready for a large defensive discussion, and I said that in fact, it’s about 25 years old.”

A January report analyzing the $6 billion program from the Government Accountability Office found one of the system’s major flaws is it’s ability to detect and thwart only known cyber threats, as opposed to new, previously unencountered attacks.

Einstein was the subject of significant congressional scrutiny following the massive cybersecurity breach detected last year at the Office of Personnel Management, where sensitive information belonging to more than 20 million past and present federal employees and contractors was left vulnerable.

“I’ll go ahead and say the letters O-P-M — I wasn’t going to, but I said it,” Schneck said. “That piece of the event that’s so well reported was actually just discovered while that agency was making US-CERT [United States Computer Emergency Readiness Team] changes and mitigations and improvements to their network.”

Schneck defended the program as a single piece of a larger federal cybersecurity endeavor that spans all government agencies. The blocking part of the program has expanded from 20 percent to 50 percent in the last year, while the detection portion already covers everything, according to the undersecretary, who previously worked for McAfee.

“Einstein didn’t block it, we hadn’t seen it before — that is part of the program,” Schneck said of the OPM hack. “That’s like a vaccine. Everybody’s got a Measles vaccine — we don’t stop getting a Measles vaccine because there are other diseases, because the measles is still out there.”

The deputy undersecretary said after they found the OPM threat, Einstein allowed them to rewind web traffic back years to discover the same intrusion in other agencies, including at the Department of the Interior.

Future plans for improving the program include big investments in Silicon Valley, where DHS opened its first office last week to partner with the private sector on developing new defensive technologies as part of the White House’s Cybersecurity National Action Plan announced earlier this week.

The plan also includes increasing the nation’s cybersecurity budget over last year’s by $5 billion for a total of $19 billion, the creation of a presidential commission to plan and oversee a long-term cybersecurity improvement plan and the creation of a federal chief information security officer — a position most major companies designate to oversee their cybersecurity — to lead the changes.

“It is no secret that too often government IT is like an Atari game in an Xbox world,” President Obama wrote in a Wall Street Journal op-ed Tuesday. “The Social Security Administration uses systems and code from the 1960s. No successful business could operate this way. Going forward, we will require agencies to increase protections for their most valued information and make it easier for them to update their networks.”

Schneck said DHS is taking the lead role in enacting those changes.

“We are already using analytics to detect things we haven’t seen before,” Schneck said. “So my analogies are going from a system of vaccines — which is very necessary, the Measles are still out there — but we’re going to be building an immune system, taking all of our networks and turning that into an ecosystem where, when your body gets a cold, your body fights it.”

“We are definitely ready,” Schneck said.

Follow Giuseppe on Twitter

Representatives from T-Mobile, Verizon, Facebook, a former Federal Communications Commission Chairman and others met in Washington Thursday to debate what could be the future of mobile Internet, or the next big fight in net neutrality: zero-rating.

The term has been steadily brewing into the next hotbed of debate over how Internet service providers (ISPs) send data downstream to customers since January, when T-Mobile CEO John Legere called critics of the “un”carrier’s new “Binge On” unlimited video streaming program “jerks” espousing “bullshit” over the possibility the program may violate the FCC’s new net neutrality rules.

That’s because Binge On, like other programs including Verizon’s FreeBee and Facebook’s Free Basics, allows for free unlimited data streaming of certain content providers choosing to partner with the company (in T-Mobile’s case, that includes heavyweights Netflix, Hulu, HBO, Showtime, Starz, ESPN and more), which doesn’t count against a customer’s monthly data cap — essentially “zero-rating” specific data.

T-Mobile began offering Binge On at no extra cost to customers in November, allowing customers “to watch unlimited HBO, Hulu, Netflix, Sling TV and more…without eating into their LTE data,” according to Legere. The catch? T-Mobile achieves this by “optimizing” (the uncarrier’s word) all video streamed on the company’s network, whether the edge provider partners with T-Mobile or not, by reducing video quality to 480p at 1.5 megabits-per-second (essentially DVD quality).

Critics including the pro-net neutrality digital rights group Electronic Frontier Foundation say T-Mobile’s optimizing is essentially throttling — one of the three bright line rules the FCC explicitly forbade in its net neutrality rules to prevent ISPs from favoring certain content over others.

“Even if the commission’s order is upheld in its entirety, the ability of mobile carriers to exclude certain content from data caps, or the buckets that determine what a user pays each month, remains undecided and increasingly controversial,” Michael Calabrese, director of Open Technology Institute’s Wireless Future Project said at an event hosted by OTI Thursday.

Though the rest of the rules face uncertainty until the D.C. Circuit Court of Appeals’ likely mid-March ruling, the agency opted for a regulatory light-touch approach to zero-rating, which it will judge on a case-by-case basis, according to Chairman Tom Wheeler.

Kevin Martin, Facebook’s vice president for mobile and global access and a former FCC chair himself, said the agency took the right approach to zero-rating — a technique that in Facebook’s case, is aimed at getting the poorest regions in the world online by giving a free, albeit limited, option to users who would otherwise have no other access.

Of the roughly 4 billion unconnected people in the world, 2 billion of them live within an area covered by a mobile provider, and it’s those 2 billion Facebook is targeting with Free Basics. As the name implies, it gives users free, limited Internet access minus bandwidth-heavy services like high-resolution photos, music and video streaming. The social network giant partners with any providers who meet those standards and want to participate, and publishes all the program’s limitations in an effort to be “transparent,” according to Martin.

“It’s not exclusive, it’s non-discriminatory, and in this instance it’s really a non-commercial kind of program. Facebook doesn’t actually pay for any of the data utilized by those consumers,” Martin said, drawing a distinction between Free Basics, sponsored data programs like those offered by AT&T and Verizon — where edge providers pay the carriers to exempt their apps from data caps — and from T-Mobile, which eats the cost of customers’ unlimited data use.

In areas where local operators have deployed Free Basics, Martin said they saw a 50 percent increase in the number of users getting online. Fifty percent of those new users typically go on to purchase a data subscription of some type.

T-Mobile’s senior vice president of government affairs Kathleen Ham, another FCC veteran and former chief of the agency’s wireless bureau, said Binge On helps customers avoid hitting their data caps, and that some participating video providers have seen a 79 percent increase in viewership. She added the extra data has led to a 33 percent increase in the number of hours watched even among video services not participating in Binge On.

“Since we’ve launched the program … 34 petabytes of video traffic has crossed T-Mobile’s network,” Ham said. “That’s the equivalent of 109 million episodes of DVD-quality ‘Game of Thrones.'”

Ham said 93 percent of T-Mobile customers approve of the program, 92 percent say they are watching more video, and anyone at any time can opt out of Binge On, now the default option.

“We’re also confident it fits within the guardrails of the commission’s general conduct standard, which said the rules were flexible enough to accommodate innovation, investment, and we’re taking the FCC at its word on that,” Ham said, adding the program allows T-Mobile, which has about a 16 percent share of the wireless market, to compete with AT&T and Verizon, which sport double that.

Verizon’s vice president of public policy David Young compared the programs to toll-free numbers, and added zero-rating data is “just like free shipping — it’s not getting there faster, just someone else is paying for it.”

Senior counsel and director of open Internet policy at OTI Sarah Morris said zero-rating helps alleviate the artificial scarcity users frequently associate with data caps, which often inhibit them from using data on security updates to improve cybersecurity, and disproportionately affect poor and minority communities that often rely on mobile as their only source of connectivity.

Policy director for the pro-net neutrality group Free Press Matt Wood pointed out that if T-Mobile can zero-rate video under a certain bandwidth, why doesn’t the company zero-rate all data under the same parameters, and let the consumer decide how to use their data instead of T-Mobile.

“Should there be a relationship between my ISP and every website or app I might want to visit? No,” Wood said. “The problem with comparing sponsored data to the 800 numbers is that the Internet never had a toll to begin with.”

Follow Giuseppe on Twitter

Cybersecurity firms submitted their final comments to the Commerce Department before midnight Monday on a proposal to restrict exports of tech designed to test and detect hacker intrusions  — a move companies and industry reps say will severely weaken global cybersecurity.

The Commerce Department’s Bureau of Industry and Security proposed implementing the multinational Wassenaar Arrangement in May. The rule change would amend the department’s Export Administration Regulations to limit the global sale of cyber surveillance and intrusion technology, and force companies to acquire a license to export the tech anywhere overseas with the exception of Canada.

Both the 2013 international agreement and Commerce’s proposal are intended to reduce the spread of weaponized software, but as companies including Cisco and Symantec have pointed out in the last week, the same technology is used in cybersecurity research to surveil and prevent attacks.

According to the Federal Register, the rule change applies to technology incorporating “encryption and cryptanalysis,” and requires manufacturers to register such products with Commerce. In some cases, companies would have to provide the source code for products in applications for export.

“Cisco needs access to the very tools and techniques that attackers use if we have any hope of maintaining the security of our products and services throughout their anticipated lifecycles,” Eric Wenger, Cisco’s director for cybersecurity and privacy, wrote in a blog post Monday.

“The development of new export control requirements must, therefore, be done carefully and based upon the needs of legitimate security researchers. Otherwise, we will leave network operators blind to the attacks that may be circulating in the criminal underground — and ultimately blind to the very weaponized software that the proposed rule intends to constrain.”

Symantec, FireEye, WhiteHat, Iconic Security, Synack, Global Velocity and others made similar criticisms last week with the launch of their new trade group, the Coalition for Responsible Cybersecurity.

“The current threat landscape requires real-time security analysis, testing and deployment of protections,” Cheri McGuire, Symantec’s vice president of global government affairs and cybersecurity policy, said in a statement from the group. “Asking a multinational corporation who is at risk of a cyberattack to wait months for a license to be able to test its network defenses, or to receive the latest protections because its security provider is hampered from communicating across borders, is downright dangerous.”

RELATED: Symantec, FireEye, Others Join Together to Fight New Export Restrictions on Cybersecurity Tech

Activist organizations including the Electronic Frontier Foundation, the Center for Democracy and Technology, Human Rights Watch, New America Foundation’s Open Technology Institute and others jointly filed their own comments shortly before the deadline Monday night, and urged the department to tailor the rule more narrowly to keep exported tech out of the hands of repressive governments with a poor track record of surveilling citizens and violating privacy.

In its filing the group asked Commerce “to narrow application of the rule only to those circumstances that implicate the human rights and foreign intelligence concerns” and “reduce the likelihood of adverse effects on security research and practices.”

The NGOs went on to point out the export restriction’s relevance to another recent cybersecurity issue — requests by the FBI and other law enforcement agencies for back doors into consumer encryption products.

“There has long been apprehension about export controls among those in the technical community who remember the ‘Crypto Wars’ of the 1990s: an infamous battle over the broad and messy restrictions placed on cryptography exports,” the group recalled, adding that the rule should not limit the global community’s access to encryption products meant to safeguard privacy and security online.

RELATED: Cryptologists Warn Giving FBI Encryption ‘Back Doors’ Threatens Global Cybersecurity

“Although the United States has relaxed most limits on the export of encryption since 1999, further liberalization of encryption controls is still required and similar concerns about complexity and the risk of overreach with export controls should not be overlooked.”

Conservative tech policy think tank TechFreedom asked BIS in a Tuesday statement to “weigh the costs and benefits of its proposed rule, share that analysis in a public report,” and “seek public comment on both before issuing its final rule.”

“As with all regulation, intentions matter less than results,” TechFreedom President Berin Szoka said. “Restricting the sharing of cybersecurity technologies across borders is a double-edged sword. The intention is noble: to prevent repressive governments from acquiring technologies that can be used as instruments of cyberwarfare or to spy on and censor their own citizens.”

“It’s difficult, if not impossible, to restrict the sharing of offensive capabilities without restricting defensive capabilities, too. One person’s weapon is another’s countermeasure.”

The Commerce Department did not respond to a request for comment.

Follow Giuseppe on Twitter