Hillicon Valley: Hacker group targeted electric grid | House Democrats press CBP over facial recognition program | Senators offer bill to protect health data | Groups file FCC complaint over carriers’ use of location data

by Harper Neidig, Olivia Beavers, Emily Birnbaum, Maggie Miller - 06/14/19 5:43 PM ET

Welcome to Hillicon Valley, The Hill’s newsletter detailing all you need to know about the tech and cyber news from Capitol Hill to Silicon Valley. If you don’t already, be sure to sign up for our newsletter with this LINK.

Welcome! Follow the cyber team, Olivia Beavers (@olivia_beavers) and Maggie Miller (@magmill95), and the tech team, Harper Neidig (@hneidig) and Emily Birnbaum (@birnbaum_e).

SHOCK TO THE SYSTEM: Xenotime, a group of hackers that has previously targeted oil and gas companies, has been targeting the U.S. electric grid in recent months, according to new research released Friday by cybersecurity group Dragos.

Dragos reported that the Xenotime group began “probing” the networks of electric utilities in both the U.S. and countries in the Asia-Pacific region in late 2018.

The report noted that none of the probes resulted in the group gaining access to an electric utility’s system, but wrote that “the persistent attempts, and expansion in scope is cause for definite concern.”{mosads}

Dragos added that while none of the probing has been successful, this type of activity could be evidence of the group preparing for future cyberattacks.

The company recommended that owners and operators of industrial control system companies, including U.S. electric, gas and oil utilities, should prepare for attempts to be hacked by the Xenotime group, and bolster their cybersecurity capabilities in response.

Read more here.

REINING IN THE FACIAL REC: Over 20 House Democrats in a letter on Friday pressed the Department of Homeland Security over Border Patrol’s use of facial recognition technology on U.S. citizens in airports, arguing the rapidly expanding program has not been enabled by any congressional mandate.

Customs and Border Protection (CBP), which has been rolling out the face-scanning program in a growing number of airports across the U.S., has argued that it is operating under a congressional mandate and executive order from the president. But those orders ask CBP to roll out a biometrics program for “foreign nationals,” not U.S. citizens, the lawmakers say.

“We write to express concerns about reports that the U.S. Customs and Border Protection (CBP) is using facial recognition technology to scan American citizens under the Biometric Exit Program,” the group of progressive lawmakers, who sit on multiple committees, wrote, referring to CBP’s facial recognition tech program.

“This is an unprecedented and unauthorized expansion of the agency’s authority,” they wrote. “As such, we urge the agency to allow for public input and establish privacy safeguards.”

A CBP spokeswoman confirmed to The Hill that it has received the letter.

The group of Democrats behind the letter are led by Reps. Susan Wild (D-Pa.), Emanuel Cleaver (D-Mo.) and Yvette Clarke (D-N.Y.). The group includes progressives such as Rep. Alexandria Ocasio-Cortez (D-N.Y.), Rashida Tlaib (D-Mich.) and Ilhan Omar (D-Minn.).

Lawmakers on both sides of the aisle in recent weeks have dramatically intensified their scrutiny of facial recognition technology, particularly by CBP and the FBI, saying the technology poses privacy and civil rights issues that have not been resolved. At a pair of House Oversight and Reform Committee hearings over the past month, Republicans and Democrats raised concerns that the government has implemented programs around facial recognition tech without any congressional regulation or oversight.

Read more here.

IMPOSTERS!: U.S. Customs and Border Protection (CBP) said Friday it has processed more than 19 million travelers using facial recognition technology in airports and at borders, but has only identified a little over 100 “imposters” whose identities do not match their ID documents.

A CBP spokesperson told The Hill the agency has “successfully intercepted six imposters” at airports and “identified 135 imposters” at pedestrian border crossings in the past several years since it began implementing facial recognition scanning. The technology has been more successful at land borders than airports so far.

“With facial comparison biometrics, CBP is changing solving a security challenge while adding a convenience for travelers,” the spokesperson said.

One of the top purposes of the facial recognition technology program, dubbed “Biometric Entry/Exit,” is to identify people who are in the U.S. illegally, such as those who have overstayed their visa.

The agency previously said it has identified more than 7,000 people overstaying their visa through the program so far.

The statement from CBP came in response to the letter from 23 House Democrats on Friday.

Read more here.

PRIVACY FAIL: Public interest groups are alleging that major phone carriers violated privacy laws by sharing their customers’ location data without their permission.

The groups filed a complaint with the Federal Communications Commission (FCC) against all four national wireless providers — Verizon, AT&T, Sprint and T-Mobile — over practices that had been detailed in media reports over the past year, and urged the agency to crack down.

“The wireless carriers have been engaging in serious violations of their customers’ privacy. But the law is clear on this issue: wireless carriers need consent from their customers before they can disclose customer location data to third parties,” Eric Null, a senior counsel for New America’s Open Technology Institute, said in a statement. “The carriers’ practices have been public for over a year now, and the FCC has been asleep at the wheel. The wireless carriers have violated the law, it’s time to hold them accountable.”

The Open Technology Institute was joined by Free Press and the Center on Privacy and Technology at Georgetown Law in filing the complaint, which was first reported by Motherboard.

Motherboard and The New York Times have both published stories in the past year detailing how third-party aggregators traffic in customer location data obtained from the wireless industry that can often wind up in the wrong hands.

A story from Motherboard earlier this year showed how easy it was for bounty hunters to obtain someone’s precise location using only a phone number.

All four wireless companies named in the complaint either declined to comment or didn’t respond when contacted by The Hill.

Read more here.

AN APPLE A DAY: Sens. Amy Klobuchar (D-Minn.) and Lisa Murkowski (R-Alaska) on Friday introduced legislation aimed at safeguarding the privacy of consumer health data, specifically the data involved in DNA testing kits and health tracking apps.

The Protecting Personal Health Data Act would require the secretary of Health and Human Services to create regulations for health data tracking apps, wearable devices such as FitBits and genetic testing kits. The regulations would include a clause to enable consumers to review, change and delete any health data collected by companies.

The legislation would also create a National Task Force on Health Data Protection to evaluate and provide input on any potential cybersecurity and privacy risks of consumer products that use customer health data.

The bill is being introduced in the wake of reports of health data being shared in ways that could violate consumers’ privacy. This includes a report in February that various apps are sharing sensitive health data with Facebook, and reports from The Washington Post that a pregnancy tracking app was selling data about users to their employers and that health apps focused on depression and addiction were selling this data to Google and Facebook.

“New technologies have made it easier for people to monitor their own health, but health tracking apps and home DNA testing kits have also given companies access to personal, private data with limited oversight,” Klobuchar, who is seeking the 2020 Democratic presidential nomination, said in a statement on the legislation.

Read more here.

ICYMI, DEEPFAKES EDITION: The House Intelligence Committee heard alarming testimony Thursday that deepfake videos could be weaponized by foreign adversaries to sow divisions in the United States.

Clint Watts, a former FBI special agent and senior fellow for Alliance for Securing Democracy at the German Marshall Fund, warned lawmakers that Russia and China will likely both work to develop “synthetic media capabilities” for use against the U.S. and other adversaries.

“China’s artificial intelligence capabilities rival the U.S., are powered by enormous data troves to include vast amounts of information stolen from the U.S., and the country has already shown a propensity to employ synthetic media in television broadcast journalism,” he said.

Chairman Adam Schiff (D-Calif.) described the videos as a “nightmarish scenario” to legislate.

He also called on social media companies to take action, adding that waiting until after the 2020 elections would be too late.

Republicans also voiced concerns about deepfake videos during the hearing but expressed fears that filters to control the videos could treat conservatives unfairly.

Rep. Devin Nunes (Calif.), the top Republican on the committee, said the filters, if left in the hands of tech companies, would be created by left-wing partisans.

“How do you put in filters to these tech oligarch companies?” Nunes asked at one point in the hearing. “There are only a few of them … that are not developed by [the] partisan left-wing,” he continued

Nunes added that “most of the time it is conservatives who get banned and not Democrats.”

Rep. Will Hurd (R-Texas), a former CIA officer, told reporters the government should do “basic research” on how to combat deepfakes that can be shared with both agencies and the private sector.

He said social media companies should work on their ability to identify the creators of deepfakes, while the State Department or FBI should focus on prosecuting actors linked to foreign countries.

Rep. Jim Himes (D-Conn.) cautioned that the government will have to avoid over-reaching when it comes to policing deepfake videos, warning parody or satiric videos should not be censored.

“I think it’s a really hard question, but I would really urge and will urge the Congress to proceed very, very carefully, because as scary as deepfake technology is, the prospect of damaging our rights to free expression, the right to satirize politicians is also pretty scary,” Himes told reporters.