InsideSources

2018 was a big year for tech: besides a multitude of scandals from the likes of Facebook and Google, lawmakers and regulators at the state and federal level explored consumer data privacy, cybersecurity, election security, fintech and net neutrality legislation, to name a few.

Going into the new year with a Democratic House, experts expect to see movement on a privacy law, maybe some antitrust action taken against Big Tech, as well as maybe, finally, an election security bill and a symbolic push to legislate net neutrality.

Here’s a quick rundown of what tech trends to expect in five key areas in 2019:

 

1. Big banks will buy up fintechs, and expect a fintech IPO boom.

In 2018, the Department of the Treasury called for the regulation of fintech and the Office of the Comptroller of the Currency (OCC) announced it would allow fintech companies to apply for national bank charters — despite states’ efforts to lure fintechs into state bank charters.

But there’s been very little movement on the bank charter front, most likely because big banks are buying up fintech companies and will likely continue to do so in 2019, according to CB Insights, a research and analysis firm focusing on tech and innovation.

As big banks struggle to innovate, strategies are increasingly shifting to buy up the innovative startups that could soon become competitors.

The fintechs that don’t get acquired may start issuing IPOs, as up until this point the fintech industry has mainly focused on venture backing.

 

2. Congress will crack down on Big Tech with privacy law, potentially antitrust action.

Experts expect Democrats and Republicans alike to push a privacy legislation in the next congressional session. Some legislators have already hinted at their own drafts.

Sen. Brian Schatz (D-Hawaii) and the Center for Democracy and Technology have already released their own consumer-centric bills that focus on issues like consumer data protection and privacy, but they’re the first in a tidal wave of drafts and suggestions expected to flood Congress in the next few months.

The big point of tension will be between industry needs and safe harbors vs. consumer protections, and right now it’s unclear which way Congress will sway.

One thing both Democrats and Republicans agree on at the moment is the potential for antitrust action against some of the big tech companies, like Facebook and Google. The Trump administration has hinted at potential antitrust action, but breaking up the companies may be difficult to do in court given the current economic understanding of competition and consumer harm.

Regardless, Congress and the Federal Trade Commission (FTC) will likely look for ways to stop tech companies from getting quite so big and accumulating so much social influence.

 

3. More federal agencies will crack down on cybersecurity.

Numerous reports released over the last year show how terrible federal agencies are at protecting themselves from cybercriminals — and even the more vigilant agencies, like the Department of Defense, aren’t doing that well.

A recent Government Accountability Office (GAO) report found that some of the biggest agencies are doing better on the cybersecurity front, but there’s still a long way to go, and Congress knows this. The House Energy and Commerce Committee already released a cybersecurity strategy report detailing how it hopes to tackle cyber problems in 2019.

Thanks to a new law establishing a cybersecurity agency within the Department of Homeland Security (DHS), regulators may be able to help federal agencies improve as well as hold them accountable for poor cybersecurity.

Even the Securities and Exchange Commission (SEC) announced it would make cybersecurity a priority in 2019 to better protect financial markets.

These efforts don’t come a moment too soon as cyberattacks continue to ramp up and become more sophisticated and complex, according to the McAfee Labs 2019 Threat Predictions Report.

 

4. The 5G fight will escalate.

The Federal Communications Commission (FCC) has been working hard to allow the telecom industry to launch 5G wireless networks, but municipalities are fighting for the right to regulate 5G deployment themselves.

Part of the problem is the telecom industry needs more spectrum and there are still roadblocks to getting what it needs. It’s shaping up to be a tense year for the industry as it seeks to launch quickly and compete with China and other nations.

 

5. The net neutrality fight will continue with legislative efforts and lawsuits.

Many activist groups on both sides of the debate have been pushing for Congress to legislate net neutrality and end the ping-pong of rules from the FCC once and for all, but even if net neutrality-focused Democrats pass a bill in the House, it will likely die in the Senate or on the president’s desk.

Still, symbolic attempts to reinstate hard-line net neutrality rules will be popular with some liberal voters and could set the stage for future net neutrality legislation if Democrats win the White House in 2020.

If legislative efforts don’t work, a few pending court cases could result in reinstatement of the FCC’s Title II net neutrality rules.

First there’s Mozilla v. FCC, for which the first oral arguments are scheduled for Feb. 1, 2019, and then there’s the Department of Justice’s lawsuit against the state of California for passing its own net neutrality rules, for which oral arguments have not yet been scheduled.

Experts disagree on how the net neutrality debate will shake out: some say net neutrality’s days are numbered, but others say the court cases could save it.

Follow Kate on Twitter

As part of a deal with the Securities and Exchange Commission, Tesla CEO Elon Musk will step down as Tesla’s chairman (but remain CEO) and both he and Tesla each will pay the SEC $20 million.  On Thursday, the SEC charged  the Tesla CEO with securities fraud for his “misleading tweets,” specifically one on August 7 that read, “Am considering taking Tesla private at $420. Funding secured.”

But the SEC settlement hasn’t settled questions raised about Musk’s erratic behavior or the consequences it could have on his high-flying tech brand.  Tesla is on the verge of finally making a profit, but Musk’s uncontrollable tweeting may undermine investor confidence and handicap the company from raising more capital in the future.

For months, Musk has snapped at reporters, mocked analysts and turned his Twitter account into a spectacle, as if he were the Donald Trump of Silicon Valley.

In July, Musk called out CNBC for being “relentlessly negative” about Tesla and calling its most recent article about Tesla “bogus.”

He slammed Business Insider reporter Linette Lopez for publishing “several false articles about Tesla,” and tweeted her asking, “Is it possible you’re serving as an inside trading source for one of Tesla’s biggest short-sellers? An ex-Tesla employee just went on record formally claiming you bribed him & he sent you valuable Tesla IP in exchange. Is this true?”

In Tesla’s Q1 2018 earnings call, the BBC reported Musk as tiring quickly of questions from financial analysts, finally shutting them down with, “Boring bonehead questions are not cool. Next. We’re going to go to YouTube. Sorry, these questions are so dry. They’re killing me.”

In a now-deleted tweet, Musk called one of the British divers who saved the 12 Thai boys stuck in a cave a “pedo,” after the diver said Musk’s offer to help rescue the boys was a “PR stunt.”

Granted, Musk has endured enormous pressure from investors and the media all year as Tesla raced to sort out supply chain problems and ramp up production of the Model 3.

All spring and summer, Musk ad Tesla pushed themselves to the limit to meet the production goal for the Model 3 by the second quarter. Tesla hit the goal, the stock price skyrocketed, and many analysts started predicting Tesla would soon — and finally — turn a profit.

But some experts think Musk’s inflammatory tweeting may counteract how far the company has come.

Musk detailed his plan to take Tesla private in a blog post published the same day as his tweet, verifying his seriousness about the plan but adding that “a final decision has not yet been made.”

Since that announcement, Tesla’s stock has gradually declined. Since the SEC announced its lawsuit, the stock has dropped 12 percent to $268.71 per share.

Three weeks later, Musk changed his mind. Tesla would remain public. According to CBS News, Musk’s tweet about taking Tesla private “erased $12 billion of the company’s value” to date.

Lawrence Greenberg, an adjunct professor of law at American University and a former Tesla stockholder, told InsideSources in an interview that he doesn’t believe the lawsuit will affect Tesla’s sales, but could have other consequences.

“If they do need to raise money [again in the future], this could be a distraction and unhelpful,” Greenberg said. “For people who are interested in holding for a very long time, assuming Tesla can achieve profitability, this could be just a bump in the road.”

Musk prides himself on his reputation for irreverence and it’s entirely possible he was joking around. In fact, the SEC complaint even claims he chose the $420 per share number as a marijuana joke to impress his girlfriend.

But even if it was intended as internet humor, Musk could still liable under the Securities Exchange Act of 1934.

“In order to violate the law, the statements have to be made in connection with the sale or purchase of a security, materially false or misleading, or omit something to make them false or misleading,” Greenberg said. “[There needs to be] intent to deceive or recklessness about whether the statement is deceptive. In this case it seems that the SEC has said that these statements were false, and given that he didn’t actually have everything lined up when he said he did, the argument would be from his side, well the statements weren’t material, they were just nonsensical spouting.”

Furthermore, Musk’s Twitter account is often treated as a mouthpiece for real company announcements and updates that are corroborated by official company materials like earnings calls, SEC filings and press releases.

“I believe Tesla has said people should be looking to the kinds of announcements they make on Twitter, and if the company has indicated that these [tweets] are company statements, it makes it much harder to say, oh that’s just Elon, he spouts whatever comes to the front of his brain at any given time,” Greenberg said. “There is some risk here. On paper the SEC has a legitimate argument.”

Musk’s recklessness may not dampen sales, but could absolutely ruin Tesla’s chances of raising more capital in the future and maintaining investor confidence — which, if the company doesn’t turn a profit soon, could come back to bite him.

“Being the wild card has made him able to accomplish a lot of great things, but if you look at the dinosaurs, getting really big was a major survival strategy until it wasn’t,” Greenberg said. “I think if he’d known what was going to happen, he probably would have abstained from making that tweet.”

Follow Kate on Twitter

The Federal Communications Commission’s (FCC) recent “cyberattack” fiasco doesn’t surprise experts, given how terribly prepared they think smaller federal agencies are for most cyberattacks.

Large private sector companies routinely grapple with cybersecurity and fending off cybercrime, so for smaller federal agencies that may not have the resources to outsource cybersecurity to federal contractors — especially independent agencies like the FCC, the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), the Federal Election Commission (FEC), the Social Security Administration (SSA) and the Environmental Protection Agency (EPA) — cybersecurity is a major, constant struggle.

A recent Tenable survey of 2,100 organizations found that only 48 percent have semi-adequate to adequate cybersecurity measures in place, while 33 percent do the bare minimum.

On Tuesday, the House passed bipartisan legislation that would establish the Continuous Diagnostics Mitigation division within the Department of Homeland Security, which would endeavor to protect federal agencies from cyberattacks.

Part of the problem according to Stuart Madnick, a professor of information technology and engineering systems at MIT’s Sloan School of Management, is that organizations tend to have the wrong focus in cybersecurity.

“Most organizations are focused on trying to prevent cybercrime, but resistance is futile,” he told InsideSources. “You can try to prevent as hard as you can, and that will make you less of a low-hanging fruit, but anyone who is diligently trying will find a way to work around. Most organizations private or public are pouring 90 percent of their energy into the prevention side.”

Trying to prevent cyberattacks, Madnick says, is a waste of time, because you’ll be attacked regardless.

“My sense is people are not very well prepared for a variety of reasons, because people think of being prepared in terms of what they’ve experienced in the past,” he said. “The problem with cyberattacks is they’re always something you’ve never seen before. Both private and public tend to be very poorly prepared. Most people, when a problem occurs, they kind of scurry to try to deal with it.”

The deck is stacked against most organizations: according to an August Malwarebytes study, 10 percent of cybersecurity professionals are engaged in “Black Hat” activity and 50 percent know or have known someone engaged in “Black Hat” activity.

This is especially alarming for federal agencies handling sensitive information. Because cybercrime is such a lucrative business for many cybersecurity professionals, it is now harder to trust whoever is handling your cybersecurity.

Furthermore, Madnick said 50 percent of organizations who have experienced a cyberattack don’t know they’ve been attacked, which adds to the confusion and explains why some — like the FCC and DNC — jumped to conclusions as soon as they noticed anything remotely off.

Madnick has experience with state government and local government information technology (IT) systems, and said most government entities’ resources and funding for cybersecurity is “relatively minimal,” which is especially concerning ahead of midterms.

Despite the mad dash to improve elections security this year, Madnick doubts federal, state and local governments have done enough, based on how outdated their IT systems are.

“That’s a very scary system because it involves local authorities, state authorities, federal authorities, and I suspect none of them have put in the time and energy needed,” he said, despite the news coverage.

Large federal agencies suffer cyberattacks but have more resources and better cybersecurity measures in place to handle them. Smaller federal agencies, on the other hand, are “ripe to be pilfered with.” Some may regularly experience attacks without even realizing it.

“There was a report that the Department of Energy had been attacked 20-some times in the past year,” Madnick said. “Not all the attacks were successful, but they were information-gathering attacks, a lot of their internal documents were being stolen.”

The Center for Strategic and International Studies’ (CSIS) Vice President James Lewis — an expert in cybersecurity who previously worked for the Commerce and State Departments — said cybersecurity has “been a struggle since the first computer was installed” in federal agencies.

“The intelligence agencies and the military do an 80 percent job, anybody else is catch as catch can,” he told InsideSources. “Agencies don’t want to give up their independence, so we have a lot of agencies that just don’t have the resources or the people, and that’s a guaranteed vulnerability. Bigger agencies do better, like the Treasury, Department of Justice (DOJ, Department of Defense (DOD, but not all of them.”

Lewis thinks the biggest problem for the smaller, independent agencies is their size and the fact that they tend to handle cybersecurity in-house.

“They really need to outsource a lot of these functions either to another agency or the private sector,” he said. “That’s kind of a budget thing but also a strategy thing.”

Some agencies may need bigger budgets, but Lewis also said some agencies may not be able to outsource simply because of the nature of their authorization. Many agencies aren’t permitted to outsource much of their data simply because it is so sensitive.

“The ways the laws were written 30 years ago require an agency to maintain some control of data storage,” Lewis said. “The federal government’s guidelines for agencies to move data into the clou is 1400 pages long, and that’s a problem right there, you have a rulebook that’s so complicated no one can figure it out.”

FedRAMP, which helps an agency transfer its data to the cloud, requires a lengthy authorization process that may be burdensome for small, independent agencies.

For some agencies, then, amending existing regulations regarding how they handle their data could allow them to pursue better cybersecurity measures.

“If you’re posed to safeguard people’s data, you have to think about when you move it to a cloud service provider. It’s not impossible, but it does take money and thought,” Lewis said. “You have to have someone to manage these contracts. You have privacy concerns. The old thing was, I’m an agency, I have data, I put it in a file and it’s safe. When they moved that over to the digital mindset, it becomes, do I want to move that outside of my own agency boundaries.”

In the meantime, Madnick said all organizations need to rethink cybersecurity and be more proactive about regular screenings, because getting attacked is inevitable. The severity of an attack, however, can be mitigated.

“You need to start backwards, and say what it is that you don’t want to go wrong,” Madnick said. “And what mechanism can you put in place to make sure that doesn’t happen or minimize how much damage it can do. I don’t think most organizations are doing that, because it’s not normal. I think we have this naive assumption that if we prevent enough we won’t have to prepare. I do think we can do a heck of a lot better job in preparations.”

Follow Kate on Twitter

House lawmakers on Tuesday grilled representatives from federal agencies, law enforcement and prosecutors over their request for “carve-outs” to a bill aimed at reforming a 30-year-old law giving the government access to Americans’ 6-month-old emails.

The House Judiciary Committee convened Tuesday to hear testimony from public agencies and private companies on the Email Privacy Act — legislation to update the 1986 Electronic Communications Privacy Act (ECPA)’s provision allowing law enforcement to subpoena Americans’ emails after they’re 180-days old.

A bipartisan supermajority of more than 300 House members support the legislation, introduced two years ago by Kansas Republican Rep. Kevin Yoder, over measures requiring agencies to establish a probable cause and obtain a criminal warrant to access emails, as well as notify a subscriber they’re the subject of an investigation.

Regulators, investigators and attorneys say those reforms will diminish a valuable tool and make it significantly more difficult to obtain evidence and keep the subjects of investigations off guard, and testified to lawmakers on the need for exceptions to the new rules, especially in emergency cases.

RELATED: Federal Privacy Regulator Asks Senate for Warrantless Access to Americans’ Emails

Several committee members, including Wisconsin Republican and USA Freedom Act author Rep. Jim Sensenbrenner made it clear he believed the government isn’t entitled to anymore “carve-outs” in regard to Americans’ Fourth Amendment privacy protections.

“Even under ECPA as it was written almost 30 years ago the SEC could only subpoena email content after it was older than 180 days,” Sensenbrenner told Andrew Ceresney, enforcement director at the Securities and Exchange Commission — one of the agencies seeking exceptions to the bill.

“Aren’t you asking this committee to expand a legal authority that was found unconstitutional in the more limited form?” Sensenbrenner asked in reference to a 2010 Sixth Circuit Court ruling, United States v. Warshak, when the court found warrantless government demands to Internet service providers for consumer emails in violation of the Fourth Amendment.

“We are not,” Ceresney said before Sensenbrenner jumped in.

“Why aren’t you? Because you would like to be able to issue subpoenas on email content that’s less than 180-days old.”

“We would defer if Congress decided,” Ceresney started before the Wisconsin representative cut him off.

“No, no, no, no, the thing is I think the court has decided, and you’re not happy with the court’s decision, and what you’re testimony says is that you’d like to expand something that’s already been held unconstitutional,” Sensenbrenner said.

The Wisconsin Republican went on to ask Ceresney if it was truthful to testify the SEC would lose enforcement power as a result of the Email Privacy Act since his agency admitted to not using the authority after the 2010 Warshak ruling.

“I think this is a slam dunk for Congress to make a determination,” Sensenbrenner continued. “Because we already have something that everybody seems to think is OK except a few people who would like to expand the dragnet.”

Georgia Republican Rep. Doug Collins took issue with a claim by Tennessee Bureau of Investigation Special Agent Richard Littlehale that certain ISPs never provide records without a legal process no matter the circumstance, countering the narrative by Google and others that they voluntarily share information when they identify a potential threat.

“Can you identify the service providers that have a policy of categorically rejecting emergency requests in the absence of compulsory legal process?” Collins asked.

“I’ve made a decision not to identify in the examples that I give specific providers because I don’t want to highlight a vulnerability in a public forum,” Littlehale said.

“You can submit that in a non-public forum, but I’m really concerned here we’re making a categorical statement without categorical proof,” Collins continued.

“You said in your testimony, ‘Providers make a decision never to provide records in the absence of legal process no matter the circumstance.’ That’s a very direct statement against the business practices of Internet providers. Is it true? Is it not true? Do you have evidence? Or do you not have evidence?”

“I have been told that by providers, yes,” Littlehale maintained.

“Well I was told that there was a Santa Claus but I found out real quickly there wasn’t,” Collins said.

The Center for Democracy and Technology’s vice president of policy, Chris Calbrese, said lowering the standard for a subpoena to a civil, rather than criminal standard, as requested by investigators, would invite more access into Americans’ private data, stored in greater abundance in the digital realm rather than the physical today.

“We’re talking about a much lower standard, a much greater number of ways we can access information,” Calabrese said. “That means that we’re potentially opening up the cloud to much greater invasion by civil agencies, even than we would by criminal agencies, and I think that’s exactly backwards.”

Texas Republican and author of several pieces of anti-surveillance legislation Rep. Ted Poe likened the issue to mailing a letter, and said emails and ISPs shouldn’t be subject to any less protection than a letter traveling via the Post Office.

“It makes no sense to me that the right of privacy is protected for six months, but it’s not protected more than six months,” Poe said. “And when we enter the digital age, I don’t buy the argument, ‘Well, we’re in the digital age, you’ve got to give up some of your constitutional rights,’ so we can have government investigate things, whether its civil investigation, whether its criminal investigation.”

The issues of encryption — thrust back into the spotlight in the wake of the Paris attacks — and storing data overseas also came up, with Paul Rosenzweig of Red Branch Consulting, a homeland security consulting group, and Richard Salgado, director of law enforcement and information security at Google, agreeing carve-outs like those proposed Tuesday would push more people to adopt encryption and move data outside the U.S., making communications even more difficult for investigators to obtain.

“To the extent this Congress does not take steps to protect that privacy by law, encryption is essentially citizens engaging in self-help,” Rosenzweig said. “Encryption is an idea, it’s a mathematical truth, it’s not suppressible, so if we do not regularize access through things like the proposal before you that will provide comfort to citizens, they’re going to engage even more, I think, in self-help.”

“I think that’s a natural consequence of the misimpression that U.S. government has such easy access to the data of providers,” Salgado added. “It’s not true, and this bill will help make it clear, and help prevent the fleeing of users to other services based on this misperception.”

Follow Giuseppe on Twitter