Thinking about it, they'd still be able to invest in foreign businesses with no US presence, since, technically, those businesses wouldn't be subject to Section 230.
Of course, that might not be a great look for the state.
"U.S. officials say Huawei Technologies Co. can covertly access mobile-phone networks around the world through “back doors” designed for use by law enforcement"
Yup. They're talking about "Communications Assistance for Law Enforcement Act" (CALEA) Lawful Intercept interfaces. These are backdoors built into telco equipment specifically in order to allow for easy electronic surveillance in accordance with US Federal Law.
So what the US Government is claiming is that a telco equipment vendor (Huawei, in this case) has the ability to access the backdoors the US Government requires be built into telco equipment, to which the short reply should be:
"Of course they do - Huawei is required by the US Government to install the back door, which necessarily gives them access to the source code supporting it, and therefore access to the LI interface."
Funny that other, US-based telco equipment vendors in the exact same position aren't also being held up as spies.
This is a timely, real-world example of why "good-guy access only" crypto is a bad idea - provided by none other than the US Government itself.
It's definitely circumstantial, but a win7 VM that I use on a regular basis got an updated version of c:\windows\system32\crypt32.dll this morning after I ran windows update on the system.
The timestamps on the file show a modification date of 12/10/2019 12:32AM, and a local file creation date of 1/14/2020 11:32AM.
I'm pretty sure that file hadn't been touched since I did a new install on the VM back in the June time frame, and outside of this vulnerability there aren't a lot of reasons that MS would have re-built it and distributed it if it hadn't been subject to the same vulnerability.
Actually, the trigger for HIPAA coverage isn't actually medical treatment, it's insurance billing. (Remember, it's the "Health Insurance Portability and Accountability Act".)
Covered Entities are generally directly associated with insurance billing, and Business Associates get looped in by providing services to Covered Entities.
There are a limited number of places that offer medical services and are strictly private payer, so they wouldn't come under HIPAA unless they're also working in conjunction with a CE.
23&me, Family Tree DNA, etc., don't bill insurance, so they don't fall under HIPAA as Covered Entities. And since their tests aren't CLIA validated, there's pretty much no chance of their results being used in clinical decision making, so they almost certainly don't have Business Associate Agreements in place with any Covered Entities.
Google isn't a covered entity, but if the doctor publicizes the fact that this person actually did visit him in a professional capacity, that would violate HIPPA laws.
1/ HIPAA, Not HIPPA
2/ HIPAA would probably be a factor, but it's not a given. There are a few cases where HIPAA wouldn't be in play, legally speaking.
3/ Google does sign Business Associate Agreements with HIPAA Covered Entities, which means there are instances where HIPAA is a factor for Google.
4/ Even if HIPAA isn't in play, there should be at least one and possibly several licensing/accrediting bodies that are.
5/ HIPAA and 1-star reviews notwithstanding, this guy is going to put himself out of business with his own actions. And deservedly so.
It would be interesting to ask how many of those 6900 inaccessible devices have completely stalled an investigation.
Fortunately, I just use it for hiding from my ISP and not for privacy.
This is the piece most people miss - they fail to accurately determine what their threat model is, and then get upset when they pick the wrong countermeasure(s).
VPNs are not one-size-fits-all.
PureVPN is probably just fine if you're trying to hide your porn habit from your moderately technical partner/spouse/parent/child, hiding your job search from your boss, want to watch the newest episode of the Orville from a geo-restricted IP address, or just don't want Verizon selling your browsing history to a marketing firm.
If you're planning on doing something where subpoenas or warrants could get involved, VPN Platforms recommended by sites like Techdirt are probably not your best option. Additional research (from a location not trivially tied to you) is strongly recommended.
The VPN logs only showed when he was online, and from what IP addresses, and at what times.
In other words, the VPN logs only contained metadata.
This is a perfect example as to why it's so disingenuous when the Law Enforcement and Intelligence communities claim it's no big deal because they're only collecting metadata and not content.
Exactly. Duration of the stream would be an indicator, as well.
If the telco sees multiple sequential constant-ish rate downloads with minimal return traffic, lasting either 20-23 minutes or 45-49 minutes (standard 30/60 minute US TV time block, minus commercials), they can be reasonably certain it's video.
Coupled with many VPN platforms being trivially fingerprinted and identifiable by the types of network equipment in use by telcos, it gets to be pretty easy to either QOS the user or the VPN platform down to an "acceptable" rate by the telco.
They don't have to be exact, just close enough. And since 3rd party VPN performance is generally pretty lacking, being locked to a 10mbps stream may not actually be noticeable to the user.
I'd suggest that it's a mistake to equate the technical capabilities of an overworked, multi-tasked School District network administrator with the technical capabilities of a telco network analyst.
Yes, you can tunnel everything except the metadata.
Having worked on the telco engineering side: Metadata is pretty much always sufficient to perform whatever network management function is needed. If Verizon wants to rate limit video traffic encapsulated in an IPsec, SSL, L2TP, or whatever-tunnel-technology tunnel, it's a safe bet that they can.
Leaving aside the question of finding a VPN platform that can be used to stream 4k video, it should be noted that a VPN doesn't necessarily help here.
Practically speaking, there are a limited # of activities one can utilize a mobile phone for that will consume as much data as a video stream on a sustained basis.
If you run a 1080p or better video stream over your mobile device for any real length of time, Verizon will be able to make some very intelligent guesses as to what you're doing without having to know the specifics.
From a technical perspective, Verizon is probably using QOS to rate limit streams identified as Netflix traffic to 10mbps.
The Netflix client registers packet loss and sends feedback to Netflix, which then downgrades video quality until the client no longer reports dropped packets. This results in a graduated step-down in video quality from 4k -> 1080 -> 720 -> 480.
On the Verizon side, it's just math: determine how much bandwidth is needed for each video tier and drop anything above that value.
"They would get the phone and lock themselves in their room and change who they were," he said.
With one of his sons, then 12, he thought the problem became bad enough to warrant taking the phone away.
Yeah. A 12 year old boy locking himself away in his bedroom is more likely to be caused by puberty than a smartphone.
Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.