ReportWire

Tag: iab-information and network security

  • FBI takes down cybercrime forum that touted data connected to breach affecting US lawmakers | CNN Politics

    CNN —

    The FBI has arrested the alleged founder of a popular cybercriminal forum that touted data stolen in a hack affecting members of Congress and thousands of other people and taken the website down, the Justice Department said Friday.

    The website – known as BreachForums – trafficked in the stolen data of millions of Americans until the FBI recently took it offline, the department said in a news release.

    The alleged administrator of BreachForums, a 20-year-old New York man named Conor Brian Fitzpatrick, was arrested last week, according to the Justice Department. Fitzpatrick has been charged with conspiracy to commit access device fraud, which carries a sentence of five years in prison, the department said in the release.

    The forum gained greater notoriety this month when a hacker posted data they claimed was stolen from a DC health insurance service – an incident that roiled Capitol Hill and exposed the personal data of tens of thousands of people from different walks of life. House of Representatives officials have said hundreds of staff were affected by the incident. The number of lawmakers affected is believed to be less than two dozen, a source familiar told CNN earlier this month.

    Among the other victims of Fitzpatrick’s alleged hacking-related activities are a US electronic health care firm, a US internet services provider and a US-based investment firm, according to an affidavit filed in the US District Court for the Eastern District of Virginia. The affidavit did not name the companies.

    Fitzpatrick made his initial appearance in federal court on Friday, the Justice Department said. Fitzpatrick was released on $300,000 bail, which was cosigned by members of his family, according to court documents.

    A judge ordered Fitzpatrick not to contact any victims or co-conspirators in the investigation, open any new lines of cryptocurrency or possess the personal identification information of others.

    Nina Ginsberg, an attorney listed for Fitzpatrick in court records, declined to comment. Fitzpatrick has not yet entered a formal plea.

    It’s the latest move in a sustained international law enforcement effort to disrupt cybercriminal organizations that cost American businesses and residents billions of dollars a year. More than $10 billion in losses from online scams were reported to the FBI in 2022, the highest annual loss in the last five years, according to a recent FBI report.

    BreachForums emerged last year after US and international law enforcement agencies shut down a similar forum, RaidForums, and arrested its alleged founder in the United Kingdom.

    Despite the law enforcement crackdown, there are still several other online forums where criminals can hawk stolen data. And new illicit marketplaces will likely emerge, according to experts.

    “While BreachForums is likely permanently offline, it will invariably be replaced by something else,” Brett Callow, threat analyst at cybersecurity firm Emsisoft, told CNN. “Whether that something is a Telegram channel or another Breach-style forum remains to be seen.”

    US law enforcement agents have gotten increasingly adept at quietly infiltrating cybercriminal forums and collecting intelligence to feed indictments or arrests.

    In the demise of RaidForums, US authorities had access to the website’s computer infrastructure for several months before the seizure was announced, a law enforcement official familiar with the matter previously told CNN.

    The latest forum takedown is welcome news but “the resilience of the underground ecosystem as a whole remains mostly untouched as the criminal demand for illicit goods continues to rise,” Michael DeBolt, chief intelligence officer at security firm Intel 471, told CNN.

  • TikTok collects a lot of data. But that’s not the main reason officials say it’s a security risk | CNN Business

    CNN —

    After TikTok CEO Shou Chew testified for more than five hours on Thursday before a Congressional committee, one thing was clear: US lawmakers remain convinced that TikTok is an urgent threat to national security.

    The hearing, Chew’s first appearance before Congress, kicked off with a lawmaker calling for TikTok to be banned and remained combative throughout. A number of lawmakers expressed deep skepticism about TikTok’s efforts to safeguard US user data and ease concerns about its ties to China. Nothing Chew said appeared to move the needle.

    The rhetoric inside and outside the hearing room highlighted the growing, bipartisan momentum for cracking down on the app in the United States. As the hearing was taking place, House Speaker Kevin McCarthy said he supports legislation that would effectively ban TikTok; Secretary of State Antony Blinken said TikTok should be “ended one way or another,” and the Treasury Department issued a statement vowing to “safeguard national security,” without mentioning TikTok by name.

    Concerns about TikTok’s connections to China have led governments worldwide to ban the app on official devices, and those fears have factored into the increasingly tense US-China relationship. But the remarks across the federal government on Thursday, combined with a prior threat from the Biden administration to impose a nationwide ban unless TikTok’s Chinese owners sell their stakes, show that a complete ban of the hugely popular app very much remains a live possibility.

    However, more than two years after the Trump administration first issued a similar threat to TikTok, evidence remains unclear about whether the app is a national security threat. Security experts say the government’s fears, while serious, currently appear to reflect only the potential for TikTok to be used for foreign intelligence, not that it has been. There is still no public evidence the Chinese government has actually spied on people through TikTok.

    TikTok doesn’t operate in China. But since the Chinese government enjoys significant leverage over businesses under its jurisdiction, the theory goes that ByteDance, and thus indirectly, TikTok, could be forced to cooperate with a broad range of security activities, including possibly the transfer of TikTok data.

    “It’s not that we know TikTok has done something, it’s that distrust of China and awareness of Chinese espionage has increased,” said James Lewis, an information security expert at the Center for Strategic and International Studies. “The context for TikTok is much worse as trust in China vanishes.”

    When Rob Joyce, the National Security Agency’s director of cybersecurity, was asked by reporters in December to articulate his security concerns about TikTok, he offered a general warning rather than a specific allegation.

    “People are always looking for the smoking gun in these technologies,” Joyce said. “I characterize it much more as a loaded gun.”

    Technical experts also draw a distinction between the TikTok app — which appears to operate very similarly to American social media in the amount of user tracking and data collection it performs — and TikTok’s approach to governance and ownership. It’s the latter that’s been the biggest source of concern, not the former.

    The US government has said it’s worried China could use its national security laws to access the significant amount of personal information that TikTok, like most social media applications, collects from its US users.

    The laws in question are extraordinarily broad, according to western legal experts, requiring “any organization or citizen” in China to “support, assist and cooperate with state intelligence work,” without defining what “intelligence work” means.

    Should Beijing gain access to TikTok’s user data, one concern is that the information could be used to identify intelligence opportunities — for example, by helping China uncover the vices, predilections or pressure points of a potential spy recruit or blackmail target, or by building a holistic profile of foreign visitors to the country by cross-referencing that data against other databases it holds. Even if many of TikTok’s users are young teens with seemingly nothing to hide, it’s possible some of those Americans may grow up to be government or industry officials whose social media history could prove useful to a foreign adversary.

    Another concern is that if China has a view into TikTok’s algorithm or business operations, it could try to exert pressure on the company to shape what users see on the platform — either by removing content through censorship or by pushing preferred content and propaganda to users. This could have enormous repercussions for US elections, policymaking and other democratic discourse.

    Security experts say these scenarios are a possibility based on what’s publicly known about China’s laws and TikTok’s ownership structure, but stress that they are hypothetical at best. To date, there is no public evidence that Beijing has actually harvested TikTok’s commercial data for intelligence or other purposes.

    Chew, the TikTok CEO, has publicly said that the Chinese government has never asked TikTok for its data, and that the company would refuse any such request. In Thursday’s hearing, Chew said that what US officials fear is a hypothetical scenario that has not been proven.

    “I think a lot of risks that are pointed out are hypothetical and theoretical risks,” Chew said. “I have not seen any evidence. I am eagerly awaiting discussions where we can talk about evidence and then we can address the concerns that are being raised.”

    If there’s a risk, it’s primarily concentrated in the relationship between TikTok’s Chinese parent, ByteDance, and Beijing. The main issue is that the public has few ways of verifying whether or how that relationship, if it exists, might have been exploited.

    TikTok has been erecting technical and organizational barriers that it says will keep US user data safe from unauthorized access. Under the plan, known as Project Texas, the US government and third-party companies such as Oracle would also have some degree of oversight of TikTok’s data practices. TikTok is working on a similar plan for the European Union known as Project Clover.

    But that hasn’t assuaged the doubts of US officials. Multiple lawmakers at the hearing specifically said they were not persuaded by Project Texas. That’s likely because no matter what TikTok does internally, China would still theoretically have leverage over TikTok’s Chinese owners. Exactly what that implies is ambiguous, and because it is ambiguous, it is unsettling.

    In congressional testimony, TikTok has sought to assure US lawmakers it is free from Chinese government influence, but it has not spoken to the degree to which ByteDance may be susceptible. TikTok has also acknowledged that some China-based employees have accessed US user data, though it’s unclear for what purpose, and it has disclosed to European users that China-based employees may access their data as part of doing their jobs.

    Multiple privacy and security researchers who’ve examined TikTok’s app say there aren’t any glaring flaws suggesting the app itself is currently spying on people or leaking their information.

    In 2020, The Washington Post worked with a privacy researcher to look under the hood at TikTok, concluding that the app does not appear to collect any more data than your typical mainstream social network. The following year, Pellaeon Lin, a Taiwan-based researcher at the University of Toronto’s Citizen Lab, performed another technical analysis that reached similar conclusions.

    But even if TikTok collects about the same amount of information as Facebook or Twitter, that’s still quite a lot of data, including information about the videos you watch, comments you write, private messages you send, and — if you agree to grant this level of access — your exact geolocation and contact lists. TikTok’s privacy policy also says the company collects your email address, phone number, age, search and browsing history, information about what’s in the photos and videos you upload, and if you consent, the contents of your device’s clipboard so that you can copy and paste information into the app.

    TikTok’s source code closely resembles that of its China-based analogue, Douyin, said Lin in an interview. That implies both apps are developed on the same code base and customized for their respective markets, he said. Theoretically, TikTok could have “privacy-violating hidden features” that can be turned on and off with a tweak to its server code and that the public might not know about, but the limitations of trying to reverse-engineer an app made it impossible for Lin to find out whether those configurations or features exist.

    If TikTok used unencrypted communications protocols, or if it tried to access contact lists or precise geolocation data without permission, or if it moved to circumvent system-level privacy safeguards built into iOS or Android, then that would be evidence of a problem, Lin said. But he found none of those things.

    “We did not find any overt vulnerabilities regarding their communication protocols, nor did we find any overt security problems within the app,” Lin said. “Regarding privacy, we also did not see the TikTok app exhibiting any behaviors similar to malware.”

    TikTok has cited Lin’s research as part of its defense. But Citizen Lab came out swinging this week at the company’s characterizations of the paper, saying in a statement that TikTok has presented the research as “somehow exculpatory” when a key finding was that Lin couldn’t see what happens to user data after it is collected.

    Chew, in a rare moment of apparent frustration, told lawmakers at the hearing that TikTok and Citizen Lab were really saying a version of the same thing. “Citizen Lab is saying they cannot prove a negative, which is what I’ve been trying to do for the last four hours,” he said.

    TikTok has faced claims that its in-app browser tracks its users’ keyboard entries, and that this type of conduct, known as keylogging, could be a security risk. The privacy researcher who performed the analysis last year, Felix Krause, said that keylogging is not an inherently malicious activity, but it theoretically means TikTok could collect passwords, credit card information or other sensitive data that users may submit to websites when they visit them through TikTok’s in-app browser.

    There is no public evidence TikTok has actually done that, however. TikTok has said the keylogging function is used for “debugging, troubleshooting, and performance monitoring,” as well as to detect bots and spam. Other research has shown that the use of keyloggers is extremely widespread in the technology industry. That does not necessarily excuse TikTok or its peers for using a keylogger in the first place, but neither is it proof positive that TikTok’s product, by itself, is any more of a national security threat than other websites.

    There have also been a number of studies that report TikTok is tracking users around the internet even when they are not using the app. By embedding tracking pixels on third-party websites, TikTok can collect information about a website’s visitors, the studies have found. TikTok has said it uses the data to bolster its advertising business. And in this respect, TikTok is not unique: the same tool is used by US tech giants including Facebook-parent Meta and Google on a far larger scale, according to Malwarebytes, a leading cybersecurity firm.

    At the hearing, Chew said the company does keystroke logging to “identify bots,” not to track what users say. He also repeatedly noted that TikTok does not collect more user data than most of its peers in the industry.

    As with the keylogging tech, the fact TikTok uses tracking pixels does not on its own transform the company into a national security threat; the risk is that the Chinese government could compel or influence TikTok, through ByteDance, to abuse its data collection capabilities.

    Separately, a report last year found TikTok was spying on journalists, snooping on their user data and IP addresses to find out when or if certain reporters were sharing the same location as company employees. TikTok later confirmed the incident and ByteDance fired several employees who had improperly accessed the TikTok data of two journalists.

    The circumstances surrounding the incident suggest it was not the type of wide-scale, government-directed intelligence effort that US national security officials primarily fear. Instead, it appeared to be part of a specific internal effort by some ByteDance employees to hunt down leaks to the press, which may be deplorable but hardly uncommon for an organization under public scrutiny. (Nevertheless, the US government is reportedly investigating the incident.)

    Joyce, the NSA’s top cyber official, told reporters in December that what he really worries about is “large-scale influence” campaigns leveraging TikTok’s data, not “individualized targeting through [TikTok] to do malicious things.”

    To date, however, there’s no public evidence of that taking place.

    TikTok may collect an extensive amount of data, much of it quietly, but as far as researchers can tell, it isn’t any more invasive or illegal than what other US tech companies do.

    According to security experts, that’s more a reflection of the broad leeway we’ve given to tech companies in general to handle our data, not an issue that’s unique or specific to TikTok.

    “We have to trust that those companies are doing the right thing with the information and access we’ve provided them,” said Peiter “Mudge” Zatko, a longtime ethical hacker and Twitter’s former head of security who turned whistleblower. “We probably shouldn’t. And this comes down to a concern about the ultimate governance of these companies.”

    Lin told CNN that TikTok and other social media companies’ appetite for data highlights policy failures to pass strong privacy laws that regulate the tech industry writ large.

    “TikTok is only a product of the entire surveillance capitalism economy,” Lin said. “And governments around the world are ignoring their duty to protect citizens’ private information, allowing big tech companies to exploit user information for gain. Governments should try to better protect user information, instead of focusing on one particular app without good evidence.”

    Asked how he would advise policymakers to look at TikTok instead, Lin said: “What I would call for is more evidence-based policy.”

  • China says it ‘firmly opposes’ a potential forced sale of TikTok | CNN Business

    Hong Kong (CNN) —

    China said it would “firmly oppose” any forced sale of TikTok, in its first direct response to demands by the Biden administration that the app’s Chinese owners sell their share of the company or face a ban in its most important market.

    The comments came as TikTok CEO Shou Chew testified in front of US lawmakers amid mounting scrutiny over the app’s ties to Beijing.

    China’s commerce ministry said Thursday that a forced sale of TikTok would “seriously damage” global investors’ confidence in the United States.

    “If the news [about a forced sale] is true, China will firmly oppose it,” Shu Jueting, a spokeswoman for the ministry, told a Thursday news conference in Beijing, adding that any potential deal would need approval from the Chinese government.

    “The sale or divestiture of TikTok involves technology export, and administrative licensing procedures must be performed in accordance with Chinese laws and regulations,” she said.

    “The Chinese government will make a decision in accordance with the law.”

    Previously, Beijing didn’t weigh in directly on a potential forced sale. However, starting in 2020, it had signaled it wanted to protect Chinese technology by adding recommendation algorithms, which could include TikTok’s, to a list of technologies restricted for export.

    On Thursday, Chew, in his first congressional hearing, sought to provide nuanced answers and tried to assuage lawmakers’ worries about the company and its parent, Beijing-based ByteDance.

    But he was frequently interrupted and called evasive by lawmakers. After more than five hours of testimony, the lawmakers expressed deep skepticism about his company’s attempts to protect US user data and ease concerns about its ties to China.

    That means there will likely be more calls by Washington to ban TikTok if the company does not spin itself off from its Chinese parent, analysts said.

    The Chinese government may have veto power on the sale, according to Shu’s latest response and Beijing’s previous actions.

    In December, Chinese officials proposed tightening the rules that govern the sale of content-based recommendation algorithms to foreign buyers.

    TikTok’s algorithms, which keep users glued to the app, are believed to be key to its success. The algorithms give recommendations based on users’ behavior, thus pushing videos they actually like and want to watch.

    Chinese regulators first added algorithms to the restricted list of technologies in August 2020, when the Trump administration threatened to ban TikTok unless it was sold.

    Analysts and legal experts believe that Beijing may ultimately prefer for TikTok to leave the US market rather than surrender its algorithm.

  • Inside Vice Media’s descent, why this advocacy group doesn’t want TikTok banned, and more on CNN Nightcap | CNN Business

    On this week’s “Nightcap” with CNN’s Jon Sarlin, Semafor’s Max Tani explains what’s going very wrong at Vice. Fight for the Future’s Evan Greer says the US should not ban TikTok. And “Winner Sells All” author Jason Del Rey explains Amazon’s recent hiccups.

  • TikTok CEO testifies before Congress for the first time | CNN Business

    CNN —

    TikTok CEO Shou Chew made his first appearance before Congress on Thursday and was immediately hit by intense criticism from lawmakers, including calls for the app to be banned.

    Rep. Cathy McMorris Rodgers, the chair of the House Energy and Commerce Committee, opened Thursday’s hearing by tearing into TikTok, and telling Shou: “Your platform should be banned.”

    “I expect today you’ll say anything to avoid this outcome,” she continued. “We aren’t buying it. In fact, when you celebrate the 150 million American users on TikTok, it emphasizes the urgency for Congress to act. That is 150 million Americans that the [Chinese Communist Party] can collect sensitive information on.”

    In his opening remarks, Chew attempted to stress TikTok’s independence from China and played up its US ties. “TikTok itself is not available in mainland China, we’re headquartered in Los Angeles and Singapore, and we have 7,000 employees in the U.S. today,” he said.

    “Still, we have heard important concerns about the potential for unwanted foreign access to US data and potential manipulation of the TikTok US ecosystem,” Chew said. “Our approach has never been to dismiss or trivialize any of these concerns. We have addressed them with real action.”

    Chew’s moment in the hot seat comes as some lawmakers are renewing calls for the app to be banned in the United States due to perceived national security concerns because of its ties to China through its parent company, ByteDance. TikTok acknowledged to CNN last week that federal officials are demanding the app’s Chinese owners sell their stake in the social media platform, or risk facing a US ban of the app. A number of countries, including the US, have already instituted a ban of the app on government devices due to the security concerns.

    TikTok doesn’t operate in China. But since the Chinese government enjoys significant leverage over businesses under its jurisdiction, the theory goes that ByteDance, and thus indirectly, TikTok, could be forced to cooperate with a broad range of security activities, including possibly the transfer of TikTok data.

    With his appearance, Chew may hope to reassure Americans and temper the heated rhetoric in Washington about the app – but the first two hours of the hearing showed just how challenging a task that might be.

    Many of Chew’s attempts to stress that his company is not an arm of the Chinese government appeared to fall on deaf ears. Numerous members of Congress interrupted the chief executive’s testimony to say they simply don’t believe him.

    “To the American people watching today, hear this: TikTok is a weapon by the Chinese Communist Party to spy on you, manipulate what you see and exploit for future generations,” said Rep. McMorris Rodgers.

    In an exchange with Rep. Anna Eshoo, Chew talked up TikTok’s ongoing efforts to protect US user data and said he has “seen no evidence that the Chinese government has access to that data; they have never asked us, we have not provided it.”

    “I find that actually preposterous,” Eshoo fired back.

    “I have looked in — and I have seen no evidence of this happening,” Chew responded. “Our commitment is to move their data into the United States, to be stored on American soil by an American company, overseen by American personnel. So the risk would be similar to any government going to an American company, asking for data.”

    “I don’t believe that TikTok — that you have said or done anything to convince us,” Eshoo said.

    Perhaps no exchange sums up Thursday’s hearing like a moment following Rep. Kat Cammack’s lengthy critique of TikTok’s content moderation and links to China.

    “Can I respond, Chair?” Chew asked McMorris Rodgers after Cammack’s time was up.

    McMorris Rodgers considered Chew for a brief moment.

    “No. We’re going to move on,” she said.

    As lawmakers doubled down on their questions about TikTok’s data collection practices, Chew also emphasized that the data TikTok collects is data “that’s frequently collected by many other companies in our industry.”

    “We are committed to be very transparent with our users about what we collect,” Chew said. “I don’t believe what we collect is more than most players in the industry.”

    Independent researchers have backed Chew’s assertions. In 2020, The Washington Post worked with a privacy researcher to look under the hood at TikTok, concluding that the app does not appear to collect any more data than your typical mainstream social network. The following year, Pellaeon Lin, a Taiwan-based researcher at the University of Toronto’s Citizen Lab, performed another technical analysis that reached similar conclusions.

    Still, even if TikTok collects about the same amount of information as Facebook or Twitter, that’s still quite a lot of data, including information about the videos you watch, comments you write, private messages you send, and — if you agree to grant this level of access — your exact geolocation and contact lists.

    While national security was expected to be the primary focus of the hearing, multiple lawmakers also highlighted concerns about TikTok’s impact on children.

    Democratic ranking member of the committee Rep. Frank Pallone, for example, said Thursday: “Research has found that TikTok’s algorithms recommend videos to teens that create and exacerbate feelings of emotional distress, including videos promoting suicide, self-harm and eating disorders.”

    Rep. Bob Latta, a Republican from Ohio, accused TikTok of promoting a video on the so-called “blackout challenge” or choking challenge to the feed of a 10-year-old girl from Pennsylvania, who later died after trying to mimic the challenge in the video.

    Republican Rep. Gus Bilirakis of Florida also said there is a lack of adequate content moderation, which leaves room for kids to be exposed to content that promotes self harm.

    “Your technology is literally leading to death,” Bilirakis said to TikTok CEO Shou Chew.

    Citing examples of harmful content served to children, he said, “it is unacceptable, sir, that even after knowing all these dangers, you still claim that TikTok is something grand to behold.”

    TikTok, for its part, has launched a number of features in recent months to provide additional safeguards for younger users, including setting a new 60-minute default daily time limit for those under the age of 18. Even that feature, however, was criticized by lawmakers as being too easy for teens to bypass.

  • China may prefer TikTok to be banned than fall into US hands | CNN Business

    Hong Kong (CNN) —

    Nearly three years after the Trump administration threatened to ban TikTok if its Chinese owner didn’t sell the company to American investors, the video app is once again facing an existential threat.

    TikTok CEO Shou Zi Chew will appear later Thursday before US lawmakers, many of whom want the app banned in the United States because of the risk they say it presents to national security. The clamor for a sale is growing louder again.

    But an outright divestment isn’t in the cards, according to analysts and legal experts, not least because the Chinese government views TikTok’s technology as sensitive and has taken steps since 2020 to ensure it can veto any sale by its Beijing-based owner, ByteDance.

    At issue is who owns the keys to TikTok’s algorithms and the vast troves of data collected from the 150 million people in the United States who use the app each month.

    The Chinese government considers some advanced technology, including content recommendation algorithms, to be critical to its national interest. In December, Chinese officials proposed tightening the rules that govern the sale of that technology to foreign buyers.

    “Beijing will have no say in the US decision to mandate the sale of TikTok, but it will retain the ultimate approval authority over such a sale,” said Brock Silvers, chief investment officer for Kaiyuan Capital.

    “It also seems extremely unlikely that Beijing will accept any deal that removes TikTok’s algorithm[s] from its direct control and regulatory authority,” he said.

    TikTok’s algorithms, which keep users glued to the app, are believed to be key to its success. The algorithms give recommendations based on users’ behavior, thus pushing videos they actually like and want to watch.

    Chinese regulators first added algorithms to the restricted list of technologies in August 2020, when the Trump administration threatened to ban TikTok unless it was sold.

    Back then, Chinese state media published a commentary by a professor of trade at the University of International Business and Economics who said the updated rules meant ByteDance would need a license from Beijing to sell its technology.

    “Some cutting-edge technologies might impact national security and public welfare, and need to be included in [export control] management,” Cui Fan told Xinhua.

    The intended sale of TikTok in 2020 to Oracle and Walmart hit a snag after Beijing added algorithms to its export control list. The Biden administration eventually rescinded the Trump-era executive order targeting TikTok, but replaced it with a broader directive focused on investigating technology linked to foreign adversaries, including China.

    Now, the company is once again caught up in a geopolitical struggle between Washington and Beijing.

    “The TikTok hearings in the United States mark the beginnings of a regulatory meat-grinder facing all [Chinese] tech companies,” said Alex Capri, a research fellow at the Hinrich Foundation.

    A senior official from the Chinese regulator of digital and traditional media visited ByteDance’s offices last week. He urged the company to improve the use of “recommendation algorithms” to spread “positive energy” and strengthen the review of online content, according to a statement from the regulator posted on its website.

    The visit highlights Beijing’s resolve to keep its most powerful internet companies on a tight leash. It also has more direct levers to pull.

    In April 2021, a Chinese government entity acquired a “golden share” of 1% in a Beijing subsidiary of ByteDance, according to business data platform Qichacha. The subsidiary controls operating licenses for Douyin, TikTok’s sister app in China, and Toutiao, a news aggregation app.

    “TikTok’s algorithms make it truly unique in terms of data harvesting and strategic analytics, therefore, I don’t see Beijing allowing it to fall into the hands of US interests,” said Capri.

    “Unless they can somehow still access TikTok’s data through other means and methods, including ongoing cyber intrusion and other forms of back-door access.”

    Chinese regulators have been gradually tightening their control over algorithm technology more generally.

    Starting in March 2022, an unprecedented regulation came into effect requiring internet companies to register recommendation algorithms with the Cyberspace Administration, the powerful internet regulator that reports to President Xi Jinping.

    At the beginning of 2023, rules governing “deep synthesis algorithms” also took effect. They will restrict the use of AI-powered image, audio and text-generation software. Such technologies underpin popular apps such as ChatGPT.

    These regulatory developments suggest that TikTok’s recommendation algorithms will be subject to China’s export controls, said Winston Ma, an adjunct professor at New York University School of Law.

    TikTok has been erecting technical and organizational barriers that it says will keep user data safe from unauthorized access.

    Under the plans, known as Project Texas, the US government and third-party companies such as Oracle would also have some degree of oversight of TikTok’s data practices. TikTok is working on a similar plan for the European Union known as Project Clover.

    But that hasn’t reassured US officials, likely because no matter what TikTok does internally, China would still theoretically have leverage over TikTok’s Chinese owners. (Similar measures taken by Huawei didn’t prevent it from being kicked out of Western 5G markets.)

    And the concerns would remain even if TikTok is sold to an American buyer, Capri said.

    “A change of TikTok’s ownership solves nothing,” he said. “The real issue is general data security and who ultimately has access to that data, by whatever means, regardless of legal ownership.”

    The true test, he said, is whether user data can be effectively ring-fenced and privacy and security can be achieved through data segregation, encryption and other means.

    As for a solution, Silvers expects both sides to try to “finesse a compromise” where US concerns are addressed, but Beijing still retains control over TikTok.

    But he believes Beijing would ultimately prefer for TikTok to leave the US market rather than surrender its algorithm.

    “If any Chinese company is to have any chance of surviving increased scrutiny from Western governments, they will have to entrust their data to third party security firms and endure rigorous third party audits and government intrusion, in addition to transferring ownership,” Capri said.

    “This is really an existential crisis for Chinese firms operating in the West.”


  • TikTok says it has 150 million US users amid renewed calls for a ban | CNN Business

    CNN —

    TikTok now has 150 million monthly active users in the United States, CEO Shou Chew confirmed on Tuesday, in a clear attempt to highlight the platform’s vast and growing reach in the country amid renewed calls for a ban.

    “That’s almost half the US coming to TikTok to connect, to create, to share, to learn, or just to have some fun,” Chew said in a TikTok video on Tuesday. The figure also includes about five million businesses that use TikTok to reach customers, Chew said.

    The new disclosure comes just days before Chew is scheduled to appear before a Congressional committee to defend the fate of the app in the United States. A growing number of lawmakers in the United States and abroad have raised national security concerns about the short-form video app because of TikTok’s ties to China through its parent company, ByteDance.

    TikTok acknowledged to CNN last week that federal officials are demanding the app’s Chinese owners sell their stake in the social media platform, or risk facing a US ban of the app. In 2020, when the Trump administration made a similar threat, TikTok said it had 100 million US users.

    “Now, this comes at a pivotal moment for us,” Chew said in the video Tuesday. “Some politicians have started talking about banning TikTok, now this could take TikTok away from all 150 million of you.”

    “I’ll be testifying before Congress later this week to share all that we’re doing to protect Americans using the app and deliver on our mission to inspire creativity and to bring joy,” Chew added.

    The Singaporean chief executive ended his brief video by appealing to users on the app to leave comments on the clip telling lawmakers directly, “What you want your elected representatives to know about what you love about TikTok.”

    Chew is scheduled to appear before the House Energy and Commerce Committee on Thursday morning to “testify on TikTok’s consumer privacy and data security practices, the platforms’ impact on kids, and its relationship with the Chinese Communist Party,” according to a statement last week from the committee.


  • Lawmakers say TikTok is a national security threat, but evidence remains unclear | CNN Business

    CNN —

    As TikTok CEO Shou Zi Chew prepares for his first congressional grilling on Thursday, much of the focus will undoubtedly be on the short-form video app’s potential national security risks.

    Concerns about TikTok’s connections to China have led governments worldwide to ban the app on official devices, and those fears have factored into the increasingly tense US-China relationship. The Biden administration has threatened TikTok with a nationwide ban unless its Chinese owners sell their stakes in the company.

    But more than two years after the Trump administration first issued a similar threat to TikTok, security experts say the government’s fears, while serious, currently appear to reflect only the potential for TikTok to be used for foreign intelligence, not that it has been. There is still no public evidence the Chinese government has actually spied on people through TikTok.

    TikTok doesn’t operate in China. But since the Chinese government enjoys significant leverage over businesses under its jurisdiction, the theory goes that ByteDance, and thus indirectly, TikTok, could be forced to cooperate with a broad range of security activities, including possibly the transfer of TikTok data.

    “It’s not that we know TikTok has done something, it’s that distrust of China and awareness of Chinese espionage has increased,” said James Lewis, an information security expert at the Center for Strategic and International Studies. “The context for TikTok is much worse as trust in China vanishes.”

    When Rob Joyce, the National Security Agency’s director of cybersecurity, was asked by reporters in December to articulate his security concerns about TikTok, he offered a general warning rather than a specific allegation.

    “People are always looking for the smoking gun in these technologies,” Joyce said. “I characterize it much more as a loaded gun.”

    Technical experts also draw a distinction between the TikTok app — which appears to operate very similarly to American social media in the amount of user tracking and data collection it performs — and TikTok’s approach to governance and ownership. It’s the latter that’s been the biggest source of concern, not the former.

    The US government has said it’s worried China could use its national security laws to access the significant amount of personal information that TikTok, like most social media applications, collects from its US users.

    The laws in question are extraordinarily broad, according to western legal experts, requiring “any organization or citizen” in China to “support, assist and cooperate with state intelligence work,” without defining what “intelligence work” means.

    Should Beijing gain access to TikTok’s user data, one concern is that the information could be used to identify intelligence opportunities — for example, by helping China uncover the vices, predilections or pressure points of a potential spy recruit or blackmail target, or by building a holistic profile of foreign visitors to the country by cross-referencing that data against other databases it holds. Even if many of TikTok’s users are young teens with seemingly nothing to hide, it’s possible some of those Americans may grow up to be government or industry officials whose social media history could prove useful to a foreign adversary.

    Another concern is that if China has a view into TikTok’s algorithm or business operations, it could try to exert pressure on the company to shape what users see on the platform — either by removing content through censorship or by pushing preferred content and propaganda to users. This could have enormous repercussions for US elections, policymaking and other democratic discourse.

    Security experts say these scenarios are a possibility based on what’s publicly known about China’s laws and TikTok’s ownership structure, but stress that they are hypothetical at best. To date, there is no public evidence that Beijing has actually harvested TikTok’s commercial data for intelligence or other purposes.

    Chew, the TikTok CEO, has publicly said that the Chinese government has never asked TikTok for its data, and that the company would refuse any such request.

    If there’s a risk, it’s primarily concentrated in the relationship between TikTok’s Chinese parent, ByteDance, and Beijing. The main issue is that the public has few ways of verifying whether or how that relationship, if it exists, might have been exploited.

    TikTok has been erecting technical and organizational barriers that it says will keep US user data safe from unauthorized access. Under the plan, known as Project Texas, the US government and third-party companies such as Oracle would also have some degree of oversight of TikTok’s data practices. TikTok is working on a similar plan for the European Union known as Project Clover.

    But that hasn’t assuaged the doubts of US officials, likely because no matter what TikTok does internally, China would still theoretically have leverage over TikTok’s Chinese owners. Exactly what that implies is ambiguous, and because it is ambiguous, it is unsettling.

    In congressional testimony, TikTok has sought to assure US lawmakers it is free from Chinese government influence, but it has not spoken to the degree that ByteDance may be susceptible. TikTok has also acknowledged that some China-based employees have accessed US user data, though it’s unclear for what purpose, and it has disclosed to European users that China-based employees may access their data as part of doing their jobs.

    Multiple privacy and security researchers who’ve examined TikTok’s app say there aren’t any glaring flaws suggesting the app itself is currently spying on people or leaking their information.

    In 2020, The Washington Post worked with a privacy researcher to look under the hood at TikTok, concluding that the app does not appear to collect any more data than your typical mainstream social network. The following year, Pellaeon Lin, a Taiwan-based researcher at the University of Toronto’s Citizen Lab, performed another technical analysis that reached similar conclusions.

    But even if TikTok collects about the same amount of information as Facebook or Twitter, that’s still quite a lot of data, including information about the videos you watch, comments you write, private messages you send, and — if you agree to grant this level of access — your exact geolocation and contact lists. TikTok’s privacy policy also says the company collects your email address, phone number, age, search and browsing history, information about what’s in the photos and videos you upload, and if you consent, the contents of your device’s clipboard so that you can copy and paste information into the app.

    TikTok’s source code closely resembles that of its China-based analogue, Douyin, said Lin in an interview. That implies both apps are developed on the same code base and customized for their respective markets, he said. Theoretically, TikTok could have “privacy-violating hidden features” that can be turned on and off with a tweak to its server code and that the public might not know about, but the limitations of trying to reverse-engineer an app made it impossible for Lin to find out whether those configurations or features exist.

    If TikTok used unencrypted communications protocols, or if it tried to access contact lists or precise geolocation data without permission, or if it moved to circumvent system-level privacy safeguards built into iOS or Android, then that would be evidence of a problem, Lin said. But he found none of those things.

    “We did not find any overt vulnerabilities regarding their communication protocols, nor did we find any overt security problems within the app,” Lin said. “Regarding privacy, we also did not see the TikTok app exhibiting any behaviors similar to malware.”

    TikTok has faced claims that its in-app browser tracks its users’ keyboard entries, and that this type of conduct, known as keylogging, could be a security risk. The privacy researcher who performed the analysis last year, Felix Krause, said that keylogging is not an inherently malicious activity, but it theoretically means TikTok could collect passwords, credit card information or other sensitive data that users may submit to websites when they visit them through TikTok’s in-app browser.

    There is no public evidence TikTok has actually done that, however. TikTok has said the keylogging function is used for “debugging, troubleshooting, and performance monitoring,” as well as to detect bots and spam. Other research has shown that the use of keyloggers is extremely widespread in the technology industry. That does not necessarily excuse TikTok or its peers for using a keylogger in the first place, but neither is it proof positive that TikTok’s product, by itself, is any more of a national security threat than other websites.

    There have also been a number of studies that report TikTok is tracking users around the internet even when they are not using the app. By embedding tracking pixels on third-party websites, TikTok can collect information about a website’s visitors, the studies have found. TikTok has said it uses the data to bolster its advertising business. And in this respect, TikTok is not unique: the same tool is used by US tech giants including Facebook-parent Meta and Google on a far larger scale, according to Malwarebytes, a leading cybersecurity firm.

    As with the keylogging tech, the fact TikTok uses tracking pixels does not on its own transform the company into a national security threat; the risk is that the Chinese government could compel or influence TikTok, through ByteDance, to abuse its data collection capabilities.

    Separately, a report last year found TikTok was spying on journalists, snooping on their user data and IP addresses to find out when or if certain reporters were sharing the same location as company employees. TikTok later confirmed the incident and ByteDance fired several employees who had improperly accessed the TikTok data of two journalists.

    The circumstances surrounding the incident suggest it was not the type of wide-scale, government-directed intelligence effort that US national security officials primarily fear. Instead, it appeared to be part of a specific internal effort by some ByteDance employees to hunt down leaks to the press, which may be deplorable but hardly uncommon for an organization under public scrutiny. (Nevertheless, the US government is reportedly investigating the incident.)

    Joyce, the NSA’s top cyber official, told reporters in December that what he really worries about is “large-scale influence” campaigns leveraging TikTok’s data, not “individualized targeting through [TikTok] to do malicious things.”

    To date, however, there’s no public evidence of that taking place.

    TikTok may collect an extensive amount of data, much of it quietly, but as far as researchers can tell, it isn’t any more invasive or illegal than what other US tech companies do.

    According to security experts, that’s more a reflection of the broad leeway we’ve given to tech companies in general to handle our data, not an issue that’s unique or specific to TikTok.

    “We have to trust that those companies are doing the right thing with the information and access we’ve provided them,” said Peiter “Mudge” Zatko, a longtime ethical hacker and Twitter’s former head of security who turned whistleblower. “We probably shouldn’t. And this comes down to a concern about the ultimate governance of these companies.”

    Lin told CNN that TikTok and other social media companies’ appetite for data highlights policy failures to pass strong privacy laws that regulate the tech industry writ large.

    “TikTok is only a product of the entire surveillance capitalism economy,” Lin said. “And governments around the world are ignoring their duty to protect citizens’ private information, allowing big tech companies to exploit user information for gain. Governments should try to better protect user information, instead of focusing on one particular app without good evidence.”

    Asked how he would advise policymakers to look at TikTok instead, Lin said: “What I would call for is more evidence-based policy.”


  • Google suspends Chinese shopping app Pinduoduo over malware | CNN Business

    Hong Kong CNN —

    Google has suspended Pinduoduo, a popular Chinese budget shopping app, from its Play Store after finding malware in versions of the app.

    In a Tuesday statement, Google said versions of the app that are not in the Play Store have been found to contain malware.

    “We have suspended the Play version of the app for security concerns while we continue our investigation,” a Google spokesperson said.

    It has also enforced Google Play Protect, which scans apps installed on Android phones for harmful behavior, on the allegedly malicious apps, according to the statement.

    “Google Play Protect enforcement has been set to block installation attempts of these identified malicious apps. Users that have malicious versions of the app downloaded to their devices are warned and prompted to uninstall the app,” the spokesperson said.

    In a statement to CNN, Pinduoduo said it was informed by Google Play on Tuesday morning that its app had been “temporarily suspended” because the current version is “not compliant with Google’s Policy.” It said Google Play did not share more details.

    “We are communicating with Google for more information. We have been told that there are several other apps that have been suspended as well,” a Pinduoduo spokesperson said.

    In a later statement Pinduoduo said it strongly rejects “the speculation and accusation that Pinduoduo app is malicious just from a generic and non-conclusive response from Google.”

    It reiterated that “there are several apps that have been suspended from Google Play at the same time.”

    CNN has asked Google for information on whether other apps have also been suspended.

    Malware, short for malicious software, refers to any software developed to steal data or damage computer systems and mobile devices. When hidden in apps, it can be used to gain unauthorized access to information on a user’s phone.

    Pinduoduo is one of China’s most popular e-commerce platforms, with approximately 900 million users. It made its name with a group buying business model, allowing people to save money by enlisting friends to buy the same item in bulk.

    Riding on the domestic success of Pinduoduo, its US-listed parent company PDD last year launched Temu, an online shopping platform in the United States.

    Temu, which runs an online superstore for virtually everything — from home goods to apparel to electronics — has quickly become the most downloaded app in the US for both iOS and Android.

    Since its rollout in September, the app had been downloaded 24 million times as of last month, racking up more than 11 million monthly active users, according to Sensor Tower.

    Google did not mention Temu in its statement. The app is still available to download on the Play Store.


  • UK bans TikTok on government devices | CNN Business

    Washington CNN —

    The United Kingdom banned TikTok from official government devices on Thursday, adding to similar restrictions imposed by allies in Canada, the European Union and the United States.

    The social media app is not widely used by UK officials, according to a government announcement, but the measure reflects concerns about TikTok’s links to China through its parent company, ByteDance, and the possibility that the Chinese government could pressure the companies to hand over users’ personal information.

    “This is a proportionate move based on a specific risk with government devices,” UK Cabinet Office Minister Oliver Dowden told lawmakers Thursday.

    In a statement Thursday, TikTok expressed disappointment at the decision.

    “We believe these bans have been based on fundamental misconceptions and driven by wider geopolitics, in which TikTok, and our millions of users in the UK, play no part,” a spokesperson said. “We remain committed to working with the government to address any concerns but should be judged on facts and treated equally to our competitors.”

    The company has said it is voluntarily working to address the security concerns by taking technical and bureaucratic measures to wall off US and EU user data from its global operations. It has also said that it has not received any request from the Chinese government for user information and would resist such calls.

    In the statement Thursday, TikTok said: “We have begun implementing a comprehensive plan to further protect our European user data, which includes storing UK user data in our European data centres and tightening data access controls, including third-party independent oversight of our approach.”

    The UK announcement comes a day after TikTok said the US government had requested the company’s Chinese owners sell their shares or else risk a ban.

    In December, President Joe Biden signed legislation prohibiting TikTok on federal government devices, joining what has become a list of more than half of US states.

    US lawmakers have proposed expanding the Biden administration’s authority to enact a nationwide ban on TikTok. A bipartisan group of senators this month unveiled legislation that would give the Commerce Department broad latitude to review and ban technologies linked to foreign adversaries, a proposal the White House quickly welcomed.


  • The US government is once again threatening to ban TikTok. What you should know | CNN Business

    CNN —

    Nearly two-and-a-half years after the Trump administration threatened to ban TikTok in the United States if it didn’t divest from its Chinese owners, the Biden administration is now doing the same.

    TikTok acknowledged to CNN this week that federal officials are demanding the app’s Chinese owners sell their stake in the social media platform, or risk facing a US ban of the app.

    The new directive comes from the multiagency Committee on Foreign Investment in the United States (CFIUS), following years of negotiations between TikTok and the government body. (CFIUS is the same group that previously forced a sale of LGBTQ dating app Grindr from Chinese ownership back in 2019.)

    The ultimatum from the US government represents an apparent escalation in pressure from Washington as more lawmakers once again raise national security concerns about the app. Suddenly, TikTok’s future in the United States appears more uncertain – but this time, it comes after years in which the app has only broadened its reach over American culture.

    Here’s what you should know.

    Some in Washington have expressed concerns that the app could be infiltrated by the Chinese government to essentially spy on American users or gain access to US user data. Others have raised alarms over the possibility that the Chinese government could use the app to spread propaganda to a US audience. At the heart of both is an underlying concern that any company doing business in China ultimately falls under Chinese Communist Party laws.

    Other concerns raised are not unique to TikTok, but more broadly about the potential for social media platforms to lead younger users down harmful rabbit holes.

    If this latest development is giving you déjà vu, that’s because it echoes the saga TikTok already went through in the United States that kicked off in 2020, when the Trump administration first threatened it with a ban via executive order if it didn’t sell itself to a US-based company.

    Oracle and Walmart were suggested as buyers, social media creators were in a frenzy, and TikTok kicked off a lengthy legal battle against the US government. Some critics at the time blasted then-president Donald Trump’s crusade against the app as political theater rooted in xenophobia, calling out Trump’s unusual suggestion that the United States should get a “cut” of any deal if it forced the app’s sale to an American firm.

    The Biden administration eventually rescinded the Trump-era executive order targeting TikTok, but replaced it with a broader directive focused on investigating technology linked to foreign adversaries, including China. Meanwhile, CFIUS continued negotiations to strike a possible deal that would allow the app to continue operating in the United States. Then scrutiny began to kick up again in Washington.

    Lawmakers renewed their scrutiny of TikTok for its ties to China through its parent company, ByteDance, after a report last year suggested US user data had been repeatedly accessed by China-based employees. TikTok has disputed the report.

    In rare remarks earlier this month at a Harvard Business Review conference, TikTok CEO Shou Chew doubled down on the company’s prior commitments to address the lawmakers’ concerns.

    “The Chinese government has actually never asked us for US user data,” Chew said, “and we’ve said this on the record, that even if we were asked for that, we will not provide that.” Chew added that “all US user data is stored, by default, in the Oracle Cloud infrastructure” and “access to that data is completely controlled by US personnel.”

    [Photo: TikTok CEO Shou Zi Chew is interviewed at offices the company uses on Tuesday, February 14, 2023, in Washington, DC. (Photo by Matt McClain/The Washington Post via Getty Images)]

    As for the concerns that the Chinese government might use the app to spew propaganda to a US audience, Chew emphasized that this would be bad for business, noting that some 60% of TikTok’s owners are global investors. “Misinformation and propaganda has no place on our platform, and our users do not expect that,” he said.

    In response to the CFIUS divestiture request, a TikTok spokesperson told CNN this week that a change in ownership wouldn’t impact how US user data is accessed.

    “If protecting national security is the objective, divestment doesn’t solve the problem,” TikTok spokesperson Maureen Shanahan said in a statement. “A change in ownership would not impose any new restrictions on data flows or access. The best way to address concerns about national security is with the transparent, US-based protection of US user data and systems, with robust third-party monitoring, vetting, and verification, which we are already implementing.”

    TikTok is really only a national security risk insofar as the Chinese government may have leverage over TikTok or its parent company. China has national security laws that require companies under its jurisdiction to cooperate with a broad range of security activities. The main issue is that the public has few ways of verifying whether or how that leverage has been exercised. (TikTok doesn’t operate in China, but ByteDance does.)

    Privacy and security researchers who have looked under the hood at TikTok’s app say that, as far as they can tell, TikTok isn’t much different from other social networks in terms of the data it collects or how it communicates with company servers. That’s still a lot of personally revealing information, but it doesn’t imply that TikTok’s app itself is inherently malicious or a kind of spyware.

    That’s why the concern really focuses on TikTok and ByteDance’s relationship to the Chinese government, and why the Biden administration is pushing for TikTok’s Chinese owners to sell their shares.

    India banned TikTok in the summer of 2020, following a violent border clash between the country and China, in a move that abruptly disconnected the more than 200 million users the app had amassed there.

    While stopping short of banning the app on personal devices, a number of other countries, including the United States, Canada and the United Kingdom, have recently enacted bans of TikTok on official government devices.

    Late last year, President Joe Biden signed legislation prohibiting TikTok on federal government devices, and more than half of US states have enacted a similar mandate at the state level. A TikTok spokesperson previously blasted this ban as “little more than political theater.”

    “The ban of TikTok on federal devices passed in December without any deliberation, and unfortunately that approach has served as a blueprint for other world governments,” the spokesperson added.


  • New Zealand joins US push to curb TikTok use on official phones with parliament ban | CNN Business


    Hong Kong
    CNN
     — 

    New Zealand will ban TikTok on all devices with access to its parliament by the end of this month, becoming the latest country to impose an official bar on the popular social media platform owned by a Beijing-based tech conglomerate.

    Led by the United States, a growing number of Western nations are imposing restrictions on the use of TikTok on government devices citing national security concerns.

    Rafael Gonzalez-Montero, chief executive of New Zealand’s parliamentary service, said in a Friday statement that the risks of keeping the video-sharing app “are not acceptable.”

    “This decision has been made based on our own experts’ analysis and following discussion with our colleagues across government and internationally,” he wrote.

    “On advice from our cyber security experts, Parliamentary Service has informed members and staff the app TikTok will be removed from all devices with access to the parliamentary network,” he added.

    But those who need the app to “perform their democratic duties” may be granted an exception, he said.

    CNN has reached out to TikTok and its Beijing-based owner ByteDance for comment.

    In an email to members of parliament seen by CNN, Gonzalez-Montero told lawmakers that the app would be removed from their corporate devices on March 31, after which they would not be able to re-download it.

    He also instructed legislators to uninstall the app from their private devices, adding that failure to comply may render them unable to access the parliamentary network.

    New Zealand lawmaker Simon O’Connor, who is also a co-chair of the Inter-Parliamentary Alliance on China (IPAC), told CNN that he welcomed the decision, calling it “a good one”.

    “I – and IPAC as a whole – have had serious concerns about data privacy for some time,” he said, adding that TikTok’s replies to his previous enquiries about data security had been “unsatisfactory”.

    IPAC is a cross-border group formed by legislators from democratic countries that is focused on relations with China and is often critical of Beijing’s leaders.

    New Zealand’s decision came on the heels of similar actions already taken by its Western allies, despite the country’s track record of a more cautious approach when it comes to dealing with Beijing, in part because China is such a significant trade partner.

    The United States, UK and Canada have ordered the removal of the app from all government phones, citing cybersecurity concerns.

    All three countries are part of the so-called “Five Eyes” alliance that cooperates with each other on intelligence gathering and sharing. Australia and New Zealand make up the five.

    The Chinese video-sharing app is also barred in all three of the European Union’s main government institutions.

    TikTok has become one of the world’s most successful social media platforms and is hugely popular among younger people.

    The short video sharing app has more than 100 million users in the United States alone.

    New Zealand’s latest move came just hours after TikTok acknowledged that the Biden administration had threatened to ban its operation nationwide unless its Chinese owners agreed to spin off their share of the social media platform.

    US officials have raised fears that the Chinese government could use its national security laws to pressure TikTok or its parent company ByteDance into handing over the personal information of TikTok’s US users, which might then benefit Chinese intelligence activities or influence campaigns.

    China has accused the United States of “unreasonably suppressing” TikTok and spreading “false information” about data security.

    FBI Director Christopher Wray told the US Senate Intelligence Committee earlier this month that he feared the Chinese government could use TikTok to sway public opinion in the event that China invaded Taiwan, the self-ruled island that Beijing claims sovereignty over despite never having ruled it.

    TikTok has repeatedly denied posing any sort of security risk and has said it is willing to work with regulators to address any concerns they might have.


  • Biden administration demands TikTok’s Chinese owners spin off their share or face US ban | CNN Business



    CNN
     — 

    The Biden administration has threatened to ban TikTok from the United States unless the app’s Chinese owners agree to spin off their share of the social media platform, TikTok acknowledged Wednesday evening.

    The apparent ultimatum by a US multiagency panel known as the Committee on Foreign Investment in the United States (CFIUS) marks a possible turning point in the long-running negotiations between federal officials concerned about TikTok’s links to China and a wildly popular social media company with more than 100 million US users.

    The recent divestiture request was first reported Wednesday by the Wall Street Journal; TikTok later confirmed to CNN that CFIUS had contacted the company, adding that it did not dispute the Journal’s report. But TikTok declined to discuss specifics of the US government’s request, including details around its timing.

    “If protecting national security is the objective, divestment doesn’t solve the problem,” TikTok spokesperson Maureen Shanahan said in a statement. “A change in ownership would not impose any new restrictions on data flows or access. The best way to address concerns about national security is with the transparent, US-based protection of US user data and systems, with robust third-party monitoring, vetting, and verification, which we are already implementing.”

    TikTok has been negotiating with CFIUS — a group composed of the Departments of Treasury, Justice, Homeland Security, Defense and Commerce, among others — for more than two years on a deal that might allow the app to continue operating in the US market in the face of security and privacy concerns. US officials have raised fears that the Chinese government could use its national security laws to pressure TikTok or its Chinese parent ByteDance into handing over the personal information of TikTok’s US users, which might then benefit Chinese intelligence activities or influence campaigns.

    The Treasury Department, which chairs CFIUS, declined to comment.

    The talks with TikTok have stretched on without resolution, prompting criticism of the Biden administration by some US lawmakers who have pushed to ban the app through legislation.

    Late last year, Congress passed, and President Joe Biden signed, legislation blocking TikTok from US government devices, following in the footsteps of numerous state governments. Since then, the European Union and Canada have also followed suit, reflecting growing suspicion of TikTok among Western governments. But so far, there has been no evidence that the Chinese government has actually accessed TikTok user data, and no government has enacted a broader ban targeting TikTok on personal devices.

    TikTok has sought to address policymakers’ concerns with voluntary technical and bureaucratic safeguards that it says will help ensure US user data may only be accessed by US employees. Part of that initiative, which the company calls Project Texas, involves storing personal data with the US cloud giant Oracle. TikTok launched a similar push in Europe this month that it calls Project Clover.

    That has not stopped TikTok’s US critics. Some US lawmakers have moved to expand Biden’s authority to impose a nationwide TikTok ban on top of the restrictions targeting US government devices, and independent of the CFIUS process — a proposal the White House quickly welcomed. The heat will likely intensify next week as TikTok CEO Shou Chew is expected to face a grilling before the House Energy and Commerce Committee.

    Wednesday’s development suggests a shift has occurred in the typically opaque CFIUS talks, though the exact nature of the movement remains unclear, according to Harry Broadman, a former CFIUS official.

    “It could be that the divestiture demand is the end of the discussion, but it’s also equally likely that the divestiture is a component of what CFIUS wants in terms of safeguarding national security,” Broadman said. “Unless I’m in the room at CFIUS, it’s really hard to know where the discussions are, and frankly, what’s discussed in public does not often coincide with what’s going on around the table.”


  • FBI says $10 billion lost to online fraud in 2022 as crypto investment scams surged | CNN Politics



    CNN
     — 

    More than $10 billion in losses from online scams were reported to the FBI in 2022, the highest annual loss in the last five years, according to a new report from the bureau.

    The more than $3 billion jump in reports of online fraud from 2021 to 2022 was driven by a near-tripling in reports of cryptocurrency investment fraud, the FBI said in its annual Internet Crime Report.

    The report tallies a wide variety of fraud complaints – from marketing scams to ransomware – and is a metric for US policymakers in measuring how much hacking and other schemes are costing the American economy.

    While people in their 30s filed the most fraud complaints last year, the burden of many digital scams fell on the elderly. People over 60 accounted for $724 million, or more than two-thirds of the reported losses from “call center fraud,” according to the FBI. Such fraud occurs when scammers call someone impersonating tech support or government agencies.

    Ransomware, which locks computers until hackers are paid off, accounted for about $34 million in adjusted losses reported to the FBI last year. The relatively modest figure compared to other forms of fraud could be due to the fact that many victim organizations still do not report ransomware attacks to the FBI.

    A popular type of ransomware called Hive was used in 87 attacks last year, according to the FBI. The bureau seized Hive operatives’ computer infrastructure earlier this year, but not before hackers affiliated with the ransomware extorted more than $100 million from hospitals, schools and other victims around the world.

    While ransomware tends to get the headlines, a different hacking scheme known as business email compromise (BEC) leads to far more money stolen from victims in aggregate. A BEC scheme typically involves someone tricking a victim into wiring them money, often by impersonating a customer or a relative.

    One of the more high-profile examples of BEC fraud last year cost the city of Lexington, Kentucky, about $4 million in federal funding for housing assistance.

    BEC scams accounted for about $2.7 billion in adjusted losses in 2022, compared to about $2.4 billion in 2021, according to FBI data.


  • Snap stock surges as Congress renews efforts to ban TikTok | CNN Business



    CNN
     — 

    Investors are betting that Washington’s mounting scrutiny on TikTok could be good news for rival Snapchat.

    Shares of Snapchat’s parent company surged nearly 10% on Monday and another 5% in early trading Tuesday following news that US senators are planning to introduce legislation that could make it easier to ban rival app TikTok.

    Virginia Democratic Sen. Mark Warner is expected to unveil bipartisan legislation Tuesday afternoon that expands President Joe Biden’s authority to ban TikTok and other suspected information technology risks from the United States, a person familiar with the matter told CNN. The bill is expected to have nearly a dozen co-sponsors from both sides of the aisle.

    The stock surge suggests some on Wall Street are taking the possibility of a TikTok ban more seriously, after years of chatter in the nation’s capital about cracking down on the short-form video app due to security concerns related to its Chinese parent company.

    It also highlights how lawmakers’ efforts to address the perceived threat of TikTok could ultimately benefit large US tech platforms, including dominant companies that some in Washington also want to rein in for other reasons.

    Angelo Zino, senior equity analyst at CFRA Research, wrote in a note Monday that the “biggest beneficiaries of a TikTok ban” would be Snapchat, Facebook-parent Meta, and YouTube.

    “TikTok’s emphasis on short-form videos has increased engagement/time spent by consumers and has upended the entire industry, creating a headwind for META/SNAP,” Zino wrote. “Given TikTok’s growing engagement/user growth, it has been taking an increasing portion of the digital ad dollars pie from other social media players.”

    In recent years, TikTok’s popularity has led a number of major US apps to imitate some of its features, including the launch of Instagram’s Reels and YouTube’s Shorts.

    Shares of YouTube’s parent company Alphabet were essentially flat on Tuesday. Meta, which is up 50% so far this year thanks to its commitment to “efficiency,” was up slightly in early trading Tuesday, likely because of a report claiming it’s planning more layoffs.

    A TikTok ban, or the possibility of it, may just be one more positive for Meta’s stock this year.

    – CNN’s Brian Fung contributed to this report.


  • Capitol Hill data breach more ‘extensive’ than previously known | CNN Politics



    CNN
     — 

    A sweeping cybersecurity breach of congressional members’ private information was more extensive than previously known and affects not only House lawmakers and their staff but also Senate employees.

    The Senate sergeant-at-arms alerted Senate staff about the breach Thursday in an email obtained by CNN.

    The compromised data is “extensive,” and includes sensitive data such as Social Security numbers, home addresses and information on Senate employees’ health insurance plans, the sergeant-at-arms said in the email, which urged Senate staff to freeze their family credit to guard against fraud.

    Law enforcement gave the sergeant-at-arms a list of Senate employees whose data was stolen, the email said, and the sergeant-at-arms was contacting those employees so they could protect themselves from fraud.

    Hundreds of US House members and staff also had their personally identifiable information stolen in the breach, which affected a DC health insurance service, CNN reported Wednesday.

    Punchbowl News first reported on the sergeant-at-arms’ email.

    The revelation that Senate staff also had their data stolen will only increase pressure from Capitol Hill on DC Health Link, the affected insurance service, to provide a full accounting of how the breach occurred.

    DC Health Link said Wednesday it had “initiated a comprehensive investigation” of the incident and is working with law enforcement. The FBI is involved in the investigation, the bureau said.

    It’s unclear how the data was accessed or who was responsible for the breach, but it immediately raised concerns among lawmakers that they could become the victims of identity theft, as many other Americans have in recent years.

    House Speaker Kevin McCarthy and House Minority Leader Hakeem Jeffries have written a letter to DC Health Link expressing their concern over the breach, McCarthy previously told CNN.

    Others were less alarmed.

    “I can’t get all that worked up about this, honestly,” a Senate staffer told CNN Thursday night.

    China “got all my data already in the OPM hack,” the staffer added, referring to the 2014-2015 breach of the Office of Personnel Management that compromised millions of US government personnel records. US officials have blamed Chinese hackers for the breach, a charge Beijing denied.

    On a popular cybercrime forum this week, someone claimed to have sold the data belonging to DC Health Link. The advertisement for the stolen data, which CNN reviewed, claimed the leak affected 170,000 people and included Social Security numbers.

    CNN was unable to independently verify those claims.


  • Hundreds of US lawmakers and staff affected by data breach | CNN Politics



    CNN
     — 

    Hundreds of US House members and staff had their personally identifiable information stolen in a breach of a DC health care insurance service, the House chief administrative officer told lawmakers Wednesday in a letter obtained by CNN.

    The FBI is investigating the “significant data breach,” which occurred Tuesday and potentially involved thousands of enrollees in the DC Health Link marketplace, House Chief Administrative Officer Catherine Szpindor told lawmakers in the letter.

    “It is important to note that at this time, it does not appear that Members or the House of Representatives were the specific target of the attack,” Szpindor wrote.

    DC Health Link confirmed in a statement that “data for some DC Health Link customers has been exposed on a public forum.”

    “We have initiated a comprehensive investigation and are working with forensic investigators and law enforcement. Concurrently, we are taking action to ensure the security and privacy of our users’ personal information,” the statement said, adding that DC Health Link will provide identity and credit monitoring services for impacted customers as well as credit monitoring services for all of its customers “out of an abundance of caution.”

    The FBI said in a statement Wednesday that it is “aware of this incident and is assisting. As this is an ongoing investigation, we do not have any additional information to provide at this time.”

    House Speaker Kevin McCarthy told CNN that the breach, which was first reported by Punchbowl News, is a “real concern.”

    “Leader Hakeem Jeffries and I sent a letter to the DC Health about the concern we have here,” the California Republican said, noting that he does not know how many members may have been affected.

    On a popular cybercrime forum this week, someone claimed to have sold the data belonging to DC Health Link. The advertisement for the stolen data, which CNN reviewed, claimed the leak affected 170,000 people and included Social Security numbers.

    CNN was unable to independently verify those claims. The user advertising the data did not immediately respond Wednesday night when CNN asked in an online chat how much they sold the data for.

    The advertisement was removed from the cybercrime forum later Wednesday night. It was not immediately clear why.

    The user has been on the cybercrime forum for months and earned a reputation for selling compromised databases, Michael DeBolt, chief intelligence officer at security firm Intel471, told CNN.

    “Like other financially motivated actors, (this actor) is opportunistic rather than seeking to target specific regions or sectors,” DeBolt said.

    Contractors that store data belonging to US lawmakers could face greater scrutiny following this week’s breach.

    The Committee on House Administration Republicans tweeted that Chairman Bryan Steil “is aware of the breach” and is working with Szpindor, the House chief administrative officer, “to ensure the vendor takes necessary steps to protect the (personally identifiable information) of any impacted member, staff, and their families.”

    The top Democrat on the panel, Rep. Joe Morelle of New York, told CNN the data breach is “egregious” and that the FBI discovered it because the information ended up on the “dark web.”

    He said in addition to investigating what happened, Congress needs to figure out how to allocate more resources so those who contract with the government can better protect this type of information.

    “We are deeply concerned about DC Health Link’s data breach and the impact on our Members and staff. We will continue to communicate any updates we receive from law enforcement to impacted Members and staff,” a CAO spokesperson said in a statement.

    This story has been updated with additional information.


  • US senators unveil bipartisan bill empowering Biden to ban TikTok and other services | CNN Business


    Washington
    CNN
     — 

    A dozen US senators unveiled bipartisan legislation Tuesday expanding President Joe Biden’s legal authority to ban TikTok nationwide, marking the latest in a string of congressional proposals threatening the social media platform’s future in the United States.

    The legislation, called the Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act, does not target TikTok specifically for a ban. But it aims to give the US government new powers, up to and including a ban, against foreign-linked producers of electronics or software that the Commerce Department deems to be a national security risk.

    The proposed law takes a wide-ranging approach to fears that companies with ties to China could be pressured by that country’s government into handing over Americans’ sensitive personal information or communications records. In the case of TikTok, lawmakers have said China’s national security laws could force TikTok’s Chinese parent, ByteDance, to provide access to TikTok’s US user data.

    TikTok CEO Shou Chew said this week the company has never received such a request from the Chinese government and would never comply with one. The company has taken voluntary steps to wall off US user data from the rest of its global organization, including by hosting that data on servers operated by the US tech giant Oracle. The company is also negotiating a possible agreement with the Biden administration that could allow TikTok to continue operating in the United States under certain conditions.

    In a statement, TikTok spokesperson Brooke Oberwetter said a US government ban would stifle American speech and would be “a ban on the export of American culture and values to the billion-plus people who use our service worldwide.”

    But that has not stopped many policymakers from seeking tougher measures against the company.

    Last week, the House Foreign Affairs Committee advanced a bill that would require the Biden administration to issue a nationwide TikTok ban if an assessment of the platform found potential risks to US user data — risks that multiple administration officials have already said exist.

    Another bill led by Sen. Marco Rubio would ban transactions by social media companies based in or under the “substantial influence” of countries considered US foreign adversaries.

    Tuesday’s bill, unveiled by Senate Intelligence Committee Chairman Mark Warner and South Dakota Republican Sen. John Thune, is less prescriptive — granting the Commerce Department wide discretion to identify, and then to mitigate, perceived risks stemming from foreign-linked technology companies. That latitude would reflect an entirely new authority granted to the Secretary of Commerce, not authority derived from the International Emergency Economic Powers Act.

    The legislation would cover a broad range of technologies in addition to social media, Warner said, including artificial intelligence, financial technology services, quantum computing and e-commerce. It would also improve upon an ad hoc scramble focused on individual companies, and provide the US government with a systematic legal structure for addressing tech-driven spying threats, Warner said.

    In recent years, US concerns about Chinese espionage have largely focused on telecommunications companies such as Huawei and ZTE, who produce wireless gear for cellular networks. But those have expanded to include makers of surveillance cameras and, more recently, apps and software makers such as TikTok.

    “Instead of playing whack-a-mole on Huawei one day, ZTE the next, Kaspersky, TikTok — we need a more comprehensive approach to evaluating and mitigating these threats posed by these foreign technologies from these adversarial nations,” said Warner, adding that the bill was crafted in consultation with the Departments of Commerce, Defense, Justice and Treasury, along with US intelligence officials, the Federal Communications Commission and the White House.

    In a statement, National Security Adviser Jake Sullivan endorsed the bill, calling it “a systematic framework for addressing technology-based threats to the security and safety of Americans.”

    “This will help us address the threats we face today, and also prevent such risks from arising in the future,” Sullivan said.

    Warner added that the legislation has “sparked a lot of interest” from other senators beyond the 12 co-sponsors and among some members of the House in both parties.


  • US introduces new rules to protect water systems from hackers | CNN Politics


    Washington
    CNN
     — 

    The US Environmental Protection Agency on Friday announced new requirements for public water facilities to boost their cybersecurity while expressing concern that many facilities have failed to take basic steps to protect themselves from hackers.

    The new EPA memo requires state governments to audit the cybersecurity practices of public water systems — and then use state regulatory authorities to force water systems to add security measures if existing ones are deemed insufficient.

    “Cyberattacks that are targeting water systems pose a real and significant threat to our security,” EPA Assistant Administrator Radhika Fox told reporters Thursday.

    It’s the latest move in a full-court press by the Biden administration to use its regulatory and policy powers to try to raise the cyber defenses of US critical infrastructure that is frequently targeted by cybercriminals and foreign government-backed hackers.

    The EPA memo comes a day after the White House released a national cybersecurity strategy that calls for software makers to be held liable when their products leave gaping holes for hackers to exploit.

    A wakeup call for cybersecurity in the water sector came mere weeks into the Biden administration, in February 2021, when a hacker infiltrated a Florida water treatment facility and tried to increase the amount of sodium hydroxide to a potentially dangerous level, according to local authorities.

    The facility stopped the attack before harm could be done, but the episode alarmed officials in Washington and led to greater federal scrutiny of the water sector’s security practices.

    The FBI and US Cybersecurity and Infrastructure Security Agency have warned about multiple ransomware attacks on the computer networks of water and wastewater facilities from California to Maine.

    That greater public attention on the issue has brought improvements; the Water Information Sharing and Analysis Center (WaterISAC), an industry hub for cyber threat data and best practices, says its membership now includes facilities that provide water to most of the US.

    “Multiple water sector associations embrace the need to help water systems bolster cyber resilience,” Jennifer Lyn Walker, the WaterISAC’s director of infrastructure cyber defense, told CNN. “The larger systems have been leading the charge for years, so I think we can adapt that effort toward the medium and smaller systems for the greater good of the sector.”

    But the sprawling US water sector, which includes more than 148,000 public water systems, has sometimes struggled with funding and personnel to protect systems.

    At public water systems, “top-down authorization for major cybersecurity projects, unfortunately, usually only happens after an incident,” Chris Grove, director of cybersecurity strategy at industrial security firm Nozomi Networks, told CNN.

    “Within the municipalities that manage the public water systems, they are choosing between a library expansion, cameras for the police, or cybersecurity for water and wastewater treatment systems,” Grove said.


  • Chinese city claims to have destroyed 1 billion pieces of personal data collected for Covid control | CNN


    Hong Kong
    CNN
     — 

    A Chinese city says it has destroyed a billion pieces of personal data collected during the pandemic, as local governments gradually dismantle their coronavirus surveillance and tracking systems after abandoning the country’s controversial zero-Covid policy.

    Wuxi, a manufacturing hub on China’s eastern coast and home to 7.5 million people, held a ceremony Thursday to dispose of Covid-related personal data, the city’s public security bureau said in a statement on social media.

    The one billion pieces of data were collected for purposes including Covid tests, contact tracing and the prevention of imported cases – and they were only the first batch of such data to be disposed of, the statement said.

    China collects vast amounts of data on its citizens – from gathering their DNA and other biological samples to tracking their movements on a sprawling network of surveillance cameras and monitoring their digital footprints.

    But since the pandemic, state surveillance has pushed deeper into the private lives of Chinese citizens, resulting in unprecedented levels of data collection. Following the dismantling of zero-Covid restrictions, residents have grown concerned over the security of the huge amount of personal data stored by local governments, fearing potential data leaks or theft.

    Last July, it was revealed that a massive online database apparently containing the personal information of up to one billion Chinese citizens was left unsecured and publicly accessible for more than a year – until an anonymous user in a hack forum offered to sell the data and brought it to wider attention.

    In the statement, Wuxi officials said “third-party audit and notary officers” would be invited to take part in the deletion process, to ensure it cannot be restored. CNN cannot independently verify the destruction of the data.

    Wuxi also scrapped more than 40 local apps used for “digital epidemic prevention,” according to the statement.

    During the pandemic, Covid apps like these dictated social and economic life across China, controlling whether people could leave their homes, where they could travel, when businesses could open and where goods could be transported.

    But following the country’s abrupt exit from zero-Covid in December, most of these apps faded from daily life.

    On December 12, China scrapped a nationwide mobile tracking app that collected data on users’ travel movements. But many local pandemic apps run by the municipal or provincial governments, such as the ubiquitous Covid health code apps, have remained in place – although they are no longer in use.

    Wuxi claims to be the first municipality in China to have destroyed Covid-related personal data from citizens. On Weibo, China’s Twitter-like platform, users called for other local governments to follow suit.

    Yan Chunshui, deputy head of Wuxi’s big data management bureau, said the disposal was meant to better protect citizens’ privacy, prevent data leaks and free up data storage space.

    Kendra Schaefer, the head of tech policy research at the Beijing-based consultancy Trivium China, said the data collection related to local-level Covid apps was often messy, and those apps were difficult and expensive to manage for local governments.

    “Considering the cost and difficulty managing such apps, coupled with concerns expressed by the public over data security and privacy – not to mention the political win local governments get by symbolically putting zero-Covid to bed – dismantling those systems is par for the course,” Schaefer said.

    In many cases, she added, the big data departments at local governments were overwhelmed dealing with Covid data, so scaling back simply makes sense economically.

    “Many cities have not yet deleted their Covid data – or have not done so publicly – not because I believe they intend to keep it, but because it simply hasn’t been that long since zero-Covid was halted,” Schaefer said.
