Decrypted: Apple and Facebook’s privacy feud, Twitter hires Mudge, mysterious zero-days

Trump’s election denialism saw him retaliate in a way that isn’t just putting the remainder of his presidency in jeopardy, it’s already putting the next administration in harm’s way.
In a stunning display of retaliation, Trump fired CISA director Chris Krebs last week after the agency declared that there was “no evidence that any voting system deleted or lost votes, changed votes or was in any way compromised,” a direct contradiction of the conspiracy-fueled fever dreams of the president, who repeatedly claimed, without evidence, that the election had been hijacked by the Democrats. CISA is left distracted by …

Trump fires top US cybersecurity official Chris Krebs for debunking false election claims

Chris Krebs, one of the most senior cybersecurity officials in the U.S. government, has been fired.

Krebs served as the director of the Cybersecurity and Infrastructure Security Agency (CISA) from its founding in November 2018 until he was removed from his position on Tuesday. It’s not immediately clear who is currently heading the agency. A spokesperson for CISA did not immediately comment.

President Trump fired Krebs in a tweet late on Tuesday, citing a statement published by CISA last week, which found there was “no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.” Trump, who has repeatedly made claims of voter fraud without providing evidence, alleged that CISA’s statement was “highly inaccurate.”

Shortly after, Twitter labeled Trump’s tweet for making a “disputed” claim about election fraud.

Reuters first reported the news of Krebs’ potential firing last week.

Krebs was appointed by President Trump to head the newly created cybersecurity agency in November 2018, just days after the conclusion of the midterm elections. He previously served as an undersecretary for CISA’s predecessor, the National Protection and Programs Directorate, and also held cybersecurity policy roles at Microsoft.

During his time in government, Krebs became one of the most vocal voices in election security, taking the lead during the 2018 and 2020 elections, which largely escaped disruptive cyberattacks thanks to efforts to prepare for the cyberattacks and misinformation that plagued the 2016 presidential election.

He was “one of the few people in this administration respected by everyone on both sides of the aisle,” said Sen. Mark Warner, a member of the Senate Intelligence Committee, in a tweet.

Krebs is the latest official to leave CISA in the past year. Brian Harrell, who oversaw infrastructure protection at the agency, resigned in August after less than a year on the job, and Jeanette Manfra left for a role at Google at the end of last year. Cyberscoop reported Thursday that Bryan Ware, CISA’s assistant director for cybersecurity, resigned for a position in the private sector.

Animal Jam was hacked, and data stolen. Here’s what parents need to know

WildWorks, the gaming company that makes the popular kids game Animal Jam, has confirmed a data breach.

Animal Jam is one of the most popular games for kids, ranking in the top five games in the 9-11 age category in Apple’s App Store in the U.S., according to data provided by App Annie. But while no data breach is ever good news, WildWorks has been more forthcoming about the incident than most companies would be, making it easier for parents to protect both their information and their kids’ data.

Here’s what we know.

WildWorks said in a detailed statement that a hacker stole 46 million Animal Jam records in early October but that it only learned of the breach in November.

The company said someone broke into a system that its employees use to communicate with each other, and accessed a secret key that allowed the hacker to break into the company’s user database. The bad news is that the stolen data is known to be circulating on at least one cybercrime forum, WildWorks said, meaning that malicious hackers may use (or be using) the stolen information.

The stolen data dates back over the past 10 years, the company said, so former users may still be affected.

Much of the stolen data wasn’t highly sensitive, but the company warned that 32 million of those stolen records had the player’s username, 23.9 million records had the player’s gender, 14.8 million records contained the player’s birth year, and 5.7 million records had the player’s full date of birth.

But, the company did say that the hacker also took 7 million parent email addresses used to manage their kids’ accounts. It also said that 12,653 parent accounts had a parent’s full name and billing address, and 16,131 parent accounts had a parent’s name but no billing address.

Besides the billing address, the company said no other billing data — such as financial information — was stolen.

WildWorks also said that the hacker stole players’ passwords, prompting the company to reset every player’s password. (If you can’t log in, that’s probably why. Check your email for a link to reset your password.) WildWorks didn’t say how it scrambled passwords, which leaves open the possibility that they could be unscrambled and potentially used to break into other accounts that have the same password as used on Animal Jam. That’s why it’s so important to use unique passwords for each site or service you use, and use a password manager to store your passwords safely.

The company said it was sharing information about the breach with the FBI and other law enforcement agencies.

So what can parents do?

  • Thankfully, the data associated with kids’ accounts is limited. But parents, if you have used your Animal Jam password on any other website, make sure you change those passwords to strong and unique passwords so that nobody can break into those other accounts.
  • Keep an eye out for scams related to the breach. Malicious hackers like to jump on recent news and events to try to trick victims into turning over more information or money in response to a breach.

Senate’s encryption backdoor bill is ‘dangerous for Americans,’ says Rep. Lofgren

A Senate bill that would compel tech companies to build backdoors to allow law enforcement access to encrypted devices and data would be “very dangerous” for Americans, said a leading House Democrat.

Law enforcement frequently spars with tech companies over their use of strong encryption, which protects user data from hackers and theft, but which the government says makes it harder to catch criminals accused of serious crime. Tech companies like Apple and Google have in recent years doubled down on their security efforts by securing data with encryption that even they cannot unlock.

Senate Republicans in June introduced their latest “lawful access” bill, renewing previous efforts to force tech companies to allow law enforcement access to a user’s data when presented with a court order.

“It’s dangerous for Americans, because it will be hacked, it will be utilized, and there’s no way to make it secure,” Rep. Zoe Lofgren, whose congressional seat covers much of Silicon Valley, told TechCrunch at Disrupt 2020. “If we eliminate encryption, we’re just opening ourselves up to massive hacking and disruption,” she said.

Lofgren’s comments echo those of critics and security experts, who have long criticized efforts to undermine encryption, arguing that there is no way to build a backdoor for law enforcement that could not also be exploited by hackers.

Several previous efforts by lawmakers to weaken and undermine encryption have failed. Currently, law enforcement has to use existing tools and techniques to find weaknesses in phones and computers. The FBI claimed for years that it had thousands of devices that it couldn’t get into, but admitted in 2018 that it repeatedly overstated the number of encrypted devices it had and the number of investigations that were negatively impacted as a result.

Lofgren has served in Congress since 1995, during the first so-called “Crypto Wars,” in which the security community fought the federal government to limit access to strong encryption. In 2016, Lofgren was part of an encryption working group on the House Judiciary Committee. The group’s final report, bipartisan but not binding, found that any measures to undermine encryption “works against the national interest.”

Still, it’s a talking point that the government continues to push, even as recently as this year when U.S. Attorney General William Barr said that Americans should accept the security risks that encryption backdoors pose.

“You cannot eliminate encryption safely,” Lofgren told TechCrunch. “And if you do, you will create chaos in the country and for Americans, not to mention others around the world,” she said. “It’s just an unsafe thing to do, and we can’t permit it.”

Trump Admin to Ban TikTok, WeChat From U.S. App Stores

WASHINGTON — The Trump administration said Friday it would bar the Chinese-owned mobile apps WeChat and TikTok from U.S. app stores as of midnight Sunday, a significant escalation in America’s tech fight with China that takes aim at two popular services used by more than 100 million people in the United States.

In a series of moves designed to render WeChat essentially useless within the United States, the government will also ban American companies from processing transactions for WeChat or hosting its internet traffic as of midnight Sunday.

Similar restrictions will go into effect for TikTok on Nov. 12 unless the company can assuage the administration’s concerns that the popular social media app poses a threat to U.S. national security. TikTok, which is owned by China’s ByteDance, is currently in talks to do a deal with the American software maker Oracle. The Commerce Department said the prohibitions could be lifted if TikTok resolves the administration’s national security concerns by the November deadline.

“Today’s actions prove once again that President Trump will do everything in his power to guarantee our national security and protect Americans from the threats of the Chinese Communist Party,” Commerce Secretary Wilbur Ross said in a statement.

The actions follow an Aug. 6 executive order by Mr. Trump, in which he argued that TikTok and WeChat collect data from American users that could be accessed by the Chinese government. The administration has threatened fines of up to $1 million and up to 20 years in prison for violations of the order.

TikTok spokesman Josh Gartner said in a statement that the company was disappointed in the Commerce Department’s decision.

“We will continue to challenge the unjust executive order, which was enacted without due process and threatens to deprive the American people and small businesses across the US of a significant platform for both a voice and livelihoods,” he said.

Tencent Holdings, which owns WeChat, said in a statement it was reviewing the new rules and had submitted a proposal to address the government’s national security concerns about the app. It said it would “continue to discuss with the government and other stakeholders in the U.S. ways to achieve a long-term solution.”

Oracle did not immediately respond to a request for comment.

Mr. Ross, in an interview on Fox Business Network on Friday morning, said that the ban would initially have a much greater impact on WeChat.

“For all practical purposes it will be shut down in the U.S., but only in the U.S., as of midnight Monday,” Mr. Ross said.

TikTok would also face some changes, but would still be allowed to function until Nov. 12, Mr. Ross said, at which point it would face the same ban as WeChat if there was no deal that satisfied the administration’s concerns.

“As to TikTok, the only real change as of Sunday night will be users won’t have access to improved updated apps, upgraded apps or maintenance,” he said.

That delay will allow users of the popular social media app — who are primarily young — to continue using the service ahead of the Nov. 3 election. TikTok has increasingly become a political force, with its users posting in support of their favored candidates and offering commentary on current events. It has also been utilized as a political tool — hundreds of teenage TikTok users claimed credit for low turnout at a rally for Mr. Trump in Tulsa, Okla. earlier this year.

Specifically, the U.S. government will ban American companies from transferring funds or processing payments through WeChat. It will also prohibit companies from offering internet hosting, content delivery networks, internet transit or peering services to WeChat, or using the app’s code in other software or services in the United States.

Many of the internet services targeted by the government’s order “are like the FedEx for the data business,” said Charlie Chai, an analyst for 86Research, a research firm focused on Chinese companies. “If no FedEx is willing to carry the data package for WeChat, then WeChat is dead” in the United States.

The actions take aim at two of China’s most popular and successful tech exports, which knit together nearly two billion people worldwide.

TikTok, which does not directly operate in China, has become a wildly popular platform for sharing viral videos in the United States. WeChat is at the center of digital life in China, functioning as a chat app, a payment platform and a news source for people in China and the Chinese diaspora around the world. It is also a conduit for Chinese propaganda and surveillance.

As of Friday morning, the Chinese government had not issued any statements, and it was not immediately clear if China would retaliate. China has long blocked access to such American social media as Twitter, Facebook and WhatsApp that it cannot readily monitor or censor.

Apple and Google did not immediately respond to requests for comment. Both have said in the past that they comply with the local laws in each country they serve.

Apple is the highest-profile American tech company in China, and could have the biggest target on its back if it agrees to carry out the administration’s restrictions. Apple assembles most of its products in China, and the country is Apple’s biggest sales market after the United States, putting it at risk from any retaliation by Beijing.

Other tech companies responded to the announcement with concerns about potential retaliation that could hamstring U.S. services. Adam Mosseri, who leads Facebook’s Instagram product, said in a tweet that a TikTok ban “would be quite bad for Instagram, Facebook, and the internet more broadly.”

Facebook, which does not operate its services in China, has tried to leverage Washington’s fear of Chinese companies to its advantage, including citing it as a reason not to try and subject the U.S. tech giant to antitrust actions. But Mr. Mosseri said that the cost of other “countries making aggressive demands and banning us over the next decade outweigh slowing down one competitor today.”

Vanessa Pappas, TikTok’s interim global head, said in a response to Mr. Mosseri that Facebook should “publicly join our challenge and support our litigation” against the ban. TikTok sued the Trump administration over the ban last month, arguing that the move had denied it due process.

Tech companies have raised concerns about arbitrarily blocking apps without a clear policy process and have suggested it infringes on the First Amendment, said Adam Segal, a cybersecurity expert at the Council on Foreign Relations.

Mr. Segal said it was not entirely clear why the administration had chosen to go after these two Chinese services, and not other similar ones. “A lot of it just feels to me to be improvisational,” he said.

In a call with reporters Friday, a senior official with the Commerce Department pushed back on the idea that a ban would curtail Americans’ freedom of speech, saying that the administration had chosen to target these apps in part because they are used to censor speech.

“We are not China. We are not attempting to censor speech. In fact, it’s the exact opposite,” the official said.

The Commerce Department declined to say whether the regulations could be used as a template for other Chinese companies, but noted that the secretary had the ability to prohibit other transactions by the companies in the future if it was determined to be in the interest of national security.

The administration is already taking a wider scope to review Tencent’s activities in the United States beyond WeChat. The government has sent letters asking a series of questions about data policies to several companies in which Tencent has partial ownership, including Epic Games, the maker of the popular game Fortnite, Riot Games and Spotify, according to people familiar with the situation.

Mr. Ross portrayed the threat from Chinese apps in stark terms, likening it to a window that allows Beijing to peer into the everyday lives of Americans.

“What they collect are data on locality, data on what you are streaming toward, what your preferences are, what you are referencing, every bit of behavior that the American side is indulging in becomes available to whoever is watching on the other side,” he said. “That’s what we’re trying to squelch.”

In its announcement, the Commerce Department said that both WeChat and TikTok collected information from their users including location data, network activity and browsing histories. As Chinese companies, they are also subject to China’s policy of “civil-military fusion” and mandatory cooperation with Chinese intelligence services, it said.

Cybersecurity experts have debated the extent to which the bans would address national security threats. Many other Chinese-owned companies gather data from mobile users in the United States, as do Facebook, Google and other non-Chinese services.

James Lewis, a senior vice president at the Center for Strategic and International Studies, said the administration’s moves seemed aimed at pushing ByteDance to give the U.S. more control over TikTok.

“It looks like it’s largely a continuation of the pressure tactics to get ByteDance to make a deal,” said Mr. Lewis. “WeChat is sort of the human sacrifice of this deal. They’ve gone nuclear on them.”

TikTok has been downloaded nearly 200 million times in the U.S., about 9 percent of the app’s downloads outside of China, according to Sensor Tower, an app analytics firm. WeChat has been downloaded nearly 22 million times in the U.S. since 2014, or about 7 percent of its downloads outside of China, Sensor Tower said.

The ability of the U.S. to enforce the ban remains an open question. As Chinese authorities know, internet bans are easier declared than enforced. While the U.S. rules block the app from stores within the country, workarounds will likely materialize. Users could switch their settings to access an app store outside the U.S., or switch to other Tencent apps, like a messaging service called QQ.

A Commerce Department official on Friday acknowledged that such workarounds were possible, and said the department’s focus would be not on policing individual users but gradually limiting the ability of the apps to operate in the United States over time.

The official declined to discuss enforcement but said that the administration hoped to work with American tech companies, noting that “every company that this touches is becoming increasingly aware of the challenges that these applications pose.”

Apple and Google regularly remove apps from their app stores for a variety of reasons, including security flaws, violations of the companies’ rules and, in some places, requests from the government.

In China, Apple has appeared to pull thousands of apps from its App Store in the country under orders from the government, including certain gaming apps and news apps like The New York Times. Last year, Apple removed an app from its App Store in Hong Kong that helped protesters there track police after it was criticized by Chinese state media.

And in Russia, the messaging app Telegram complained in 2018 that Apple removed it there because of the app’s dispute with the Russian government.

Because of Apple and Google’s dominance of the smartphone market — they make the software that backs nearly all the world’s smartphones — governments can target the companies to try to roll out such bans, which otherwise could prove tricky to enforce given the open nature of the internet.

Apple, in particular, has been used as a tool by governments because it only allows apps and software to be downloaded onto iPhones via its App Store. That means forcing Apple to remove an app would effectively stop any new user from downloading it.

People who already have the app on their phones can continue to use it. Yet eventually the app will become obsolete on those phones because the app’s developer will not be able to update it to make it compatible with updates Apple and Google make to their smartphone software.

On Google’s Android software, users can download apps and software from outside of its official Google Play Store. That means requiring Google to pull an app from the Play Store would only create a hurdle for some users downloading that app on Android devices.

Android underpins most of the world’s smartphones, in part because of its dominance in many developing countries like India, but Apple and Google roughly split the U.S. market.

Experts said that the bans on providing hosting and other services to WeChat’s American service could quickly disable the app for users in the United States.

Mr. Lewis said that it appeared the app’s payment functions would not work under the rules. Whether users would be able to message other people would hinge on how effective the administration had been at banning companies from connecting users in the United States with WeChat’s infrastructure in China.

“And it looks to me like they’re certainly trying,” he said.

Explaining Trump Ban on TikTok, WeChat

The Trump administration is pushing forward with its plan to ban the Chinese social media apps TikTok and WeChat from American app stores.

The Commerce Department on Friday announced that beginning on Sunday, it would prohibit downloads of WeChat and TikTok in U.S. app stores, and ban transactions made through WeChat. The Commerce Department said the move would protect Americans for national security reasons.

So what does that mean for you?

The details of the prohibition are set to have a significant impact on people who use TikTok and WeChat. TikTok, which has more than 50 million active users in the United States, according to the research firm App Annie, is mostly popular here among teenagers who post short dance videos; WeChat, which has about 3.5 million active users here, is a messaging app with a host of features including a mobile wallet service.

Here’s what you need to know.

The immediate effects of the action: As of Sunday, Americans will no longer be able to download TikTok or WeChat from the Apple and Google Play app stores. WeChat users in the United States will not be able to use the messaging app for sending payments, among other features.

If you have TikTok downloaded on your phone, you are fine — for now. The Commerce Department will wait until Nov. 12 — after the election — to pursue a full ban on TikTok.

However, if you have deleted the TikTok app from your phone, beginning on Sunday you won’t be able to download it again, even if you have a TikTok account. You also won’t be able to receive any software updates that fix bugs and add features.

The prohibition is more immediate for WeChat users. Starting on Sunday, not only will you not be able to download the WeChat app or software updates from the App Store or Google Play, you also won’t be able to send payments to family members or businesses that use WeChat as a payment method.

The Commerce Department also forbade some business transactions between WeChat and American entities, including companies that provide internet hosting services for WeChat — in other words, the infrastructure that makes WeChat work well in the United States.

Yes. Apps like WeChat and TikTok are not static. They are live internet services that require maintenance, which include security and bug fixes, and if you stop receiving updates, they may eventually cease to work properly. So even if you are grandfathered in, so to speak, this type of prohibition could effectively ban you from using the apps alongside other TikTok and WeChat users around the globe. (Best-case scenario, the apps will continue to work, but poorly.)

The situation may be even more dire for WeChat users. Because of the ban on transactions between American businesses and WeChat, the service may begin to degrade on Sunday. Messages may begin sending slowly or even time out.

For TikTok users, that service degradation won’t happen unless a full ban is implemented on Nov. 12.

Nothing practical. TikTok is attempting to reach a deal with Oracle, an American tech company, and others before November to avoid a ban.

Google Android users may try to “sideload” future versions of the WeChat and TikTok apps on to their devices, a process that involves changing some security settings to download apps from outside Google’s official app store.

Apple phones also have methods to install unauthorized applications. But sideloading and installing apps through unofficial channels is impractical, because it can compromise device security, and it is not simple for many people to do.

Apple and Google users could also try to download the apps from foreign app stores by traveling to other countries. Or they could use a virtual private network, a service that creates a virtual tunnel to shield your browsing information from your internet service provider, to manipulate their device location. Again, this is impractical.

Ana Swanson contributed reporting from Washington.

How the NSA is disrupting foreign hackers targeting COVID-19 vaccine research

The headlines aren’t always kind to the National Security Agency, a spy agency that operates almost entirely in the shadows. But a year ago, the NSA launched its new Cybersecurity Directorate, which in the past year has emerged as one of the more visible divisions of the spy agency.

At its core, the directorate focuses on defending and securing critical national security systems that the government uses for its sensitive and classified communications. But the directorate has become best known for sharing some of the more emerging, large-scale cyber threats from foreign hackers. In the past year the directorate has warned against attacks targeting secure boot features in most modern computers, and doxxed a malware operation linked to Russian intelligence. By going public, NSA aims to make it harder for foreign hackers to reuse their tools and techniques, while helping to defend critical systems at home.

But six months after the directorate started its work, COVID-19 was declared a pandemic and large swathes of the world — and the U.S. — went into lockdown, prompting hackers to shift gears and change tactics.

“The threat landscape has changed,” Anne Neuberger, NSA’s director of cybersecurity, told TechCrunch at Disrupt 2020. “We’ve moved to telework, we move to new infrastructure, and we’ve watched cyber adversaries move to take advantage of that as well,” she said.

Publicly, the NSA advised on which videoconferencing and collaboration software was secure, and warned about the risks associated with virtual private networks, use of which boomed after lockdowns began.

But behind the scenes, the NSA is working with federal partners to help protect the efforts to produce and distribute a vaccine for COVID-19, a feat that the U.S. government called Operation Warp Speed. News of NSA’s involvement in the operation was first reported by Cyberscoop. As the world races to develop a working COVID-19 vaccine, which experts say is the only long-term way to end the pandemic, NSA and its U.K. and Canadian partners went public with another Russian intelligence operation aimed at targeting COVID-19 research.

“We’re part of a partnership across the U.S. government, we each have different roles,” said Neuberger. “The role we play as part of ‘Team America for Cyber’ is working to understand foreign actors, who are they, who are seeking to steal COVID-19 vaccine information — or more importantly, disrupt vaccine information or shake confidence in a given vaccine.”

Neuberger said that protecting the pharma companies developing a vaccine is just one part of the massive supply chain operation that goes into getting a vaccine out to millions of Americans. Ensuring the cybersecurity of the government agencies tasked with approving a vaccine is also a top priority.

Here are more takeaways from the talk:

Why TikTok is a national security threat

TikTok is just days away from an app store ban, after the Trump administration earlier this year accused the Chinese-owned company of posing a threat to national security. But the government has been less than forthcoming about what specific risks the video sharing app poses, only alleging that the app could be compelled to spy for China. Beijing has long been accused of cyberattacks against the U.S., including the massive breach of classified government employee files from the Office of Personnel Management in 2014.

Neuberger said that the “scope and scale” of the TikTok app’s data collection makes it easier for Chinese spies to answer “all kinds of different intelligence questions” on U.S. nationals. Neuberger conceded that U.S. tech companies like Facebook and Google also collect large amounts of user data. But there are “greater concerns on how [China] in particular could use all that information collected against populations other than its own,” she said.

NSA is privately disclosing security bugs to companies

The NSA is trying to be more open about the vulnerabilities it finds and discloses, Neuberger said. She told TechCrunch that the agency has shared a “number” of vulnerabilities with private companies this year, but “those companies did not want to give attribution.”

One exception was earlier this year when Microsoft confirmed NSA had found and privately reported a major cryptographic flaw in Windows 10, which could have allowed hackers to run malware masquerading as a legitimate file. The bug was so dangerous that NSA reported the vulnerability to Microsoft, which patched the bug.

Only two years earlier, the spy agency was criticized for finding and using a Windows vulnerability to conduct surveillance instead of alerting Microsoft to the flaw. The exploit was later leaked and was used to infect thousands of computers with the WannaCry ransomware, causing millions of dollars’ worth of damage.

As a spy agency, NSA exploits flaws and vulnerabilities in software to gather intelligence on the enemy. It has to run through a process called the Vulnerabilities Equities Process, which allows the government to retain bugs that it can use for spying.

TikTok Accepts Deal Revisions as Trump Prepares to Review Proposal

WASHINGTON — The Chinese company that owns TikTok has accepted the Trump administration’s changes to a deal designed to mitigate the White House’s concerns that the popular app poses a national security threat, two people with knowledge of the talks said.

The Treasury Department, which leads a group reviewing the deal for national security purposes, provided TikTok’s owner, ByteDance, with revisions to its proposal on Wednesday, one of the people said. Some of the revisions were intended to address how TikTok’s data and source code would be handled and secured, one of the people said. The two sides have agreed in principle, but are still discussing some technical details, the other person said.

The exact ownership structure of TikTok under the proposed deal is unclear. President Trump and some members of his administration have said ByteDance cannot retain a majority stake in TikTok if their concerns are to be satisfied. Oracle, the Silicon Valley business software maker, is set to be a technology partner for TikTok while taking an ownership stake in the app, but would not own it outright, people with knowledge of the situation have said.

Any resolution on ownership could involve some tricky math. The percentage of TikTok owned by non-American interests depends partly on how officials treat the portion of ByteDance, a privately held company, that is already backed by American investors, one person said.

TikTok would also go public on an American stock market in about a year if the deal went through, the person said. While that plan is not a formal part of the proposal being vetted by the government, it is something the Trump administration is aware of, the person said.

The deal still requires approval from Mr. Trump. As of early Thursday afternoon, the president had not been briefed on it. One person familiar with the deliberations said the meeting had not been scheduled but would happen “soon.”

An executive order signed by Mr. Trump essentially mandates that TikTok strike a deal to sell its U.S. operations by Sunday or risk having all of its commercial transactions halted in the United States. TikTok has become a point of contention between the United States and China, which have increasingly battled over trade, security and tech dominance.

Some Republican lawmakers, such as Senators Marco Rubio of Florida, Thom Tillis of North Carolina and John Cornyn of Texas, have criticized any deal that would leave ByteDance in control of TikTok’s code or algorithms as inadequate in addressing national security concerns. That has raised questions of whether Mr. Trump could face criticism for the Oracle-TikTok proposal while running for re-election.

At a news conference on Wednesday, Mr. Trump said he was “not going to be happy” if ByteDance still owned a majority of TikTok as part of its deal with the government.

TikTok and a spokeswoman for the Treasury Department declined to comment. Oracle did not immediately respond to a request for comment. ByteDance’s acceptance of the Treasury Department’s changes to its proposal was reported earlier by Bloomberg. The plan to take TikTok public was earlier reported by CNBC.

While rushing to secure a deal, TikTok is also hunting for a permanent chief executive to replace Kevin Mayer, who resigned in late August, citing the changing political pressures of the role. Vanessa Pappas, the general manager of TikTok in North America, took over in the interim.

Among those whom TikTok has talked to about the job is Kevin Systrom, a founder and former chief executive of Instagram, people briefed on the matter said. Talks are preliminary, and no final decisions have been made, they said.

The parties to a deal expect to name an American chief executive of the new TikTok entity, one person familiar with the matter said.

Mr. Systrom left Instagram, which Facebook owns, in 2018. He did not respond to a request for comment on Thursday.

The drama over TikTok is part of a battle between Washington and Beijing over who will control central aspects of the internet. American officials say that because China has laws that require tech companies to provide the government with access to data, its internet companies pose a national security risk.

The Trump administration’s early efforts focused on the equipment that delivers internet connections around the world, by trying to keep products made by Huawei and ZTE out of American networks and those used by U.S. allies. More recently, it has begun to scrutinize consumer technology companies. The administration forced a Chinese company to sell Grindr, a gay dating app, this year, for example.

In a series of executive orders last month, Mr. Trump made it clear that ByteDance must sell TikTok or face an outright ban of the app. Another executive order threatened to ban WeChat, a messaging platform owned by the Chinese internet giant Tencent.

Beijing responded with new export restrictions that appeared to ban the sale of TikTok’s valuable video recommendation algorithm, a move that cast a shadow over the talks in the United States.

David McCabe and Ana Swanson reported from Washington, and Erin Griffith and Mike Isaac from San Francisco.

Posted on

TikTok’s Proposed Deal Under Review by Trump Administration

WASHINGTON — After more than six weeks, two White House executive orders, new Chinese regulations and multiple bidders, a deal for the social media app TikTok has boiled down to one main strategy: mitigation.

TikTok, which is owned by the Chinese internet company ByteDance, said on Monday that it had offered a proposal to the Treasury Department that aimed to address the Trump administration’s concerns that the app could give the Chinese government access to sensitive data.

The proposal is far from an outright sale of TikTok’s U.S. operations, as President Trump suggested in an Aug. 6 executive order. Instead, ByteDance designed a proposal to alleviate the pressure it was facing from China and the United States and to mollify all sides. Specifically, it structured the deal to satisfy some of Mr. Trump’s concerns while dodging new Chinese regulations that could allow Beijing to block an outright sale of TikTok, people with knowledge of the discussions said.

Under the terms, TikTok would bring on Oracle, a business software firm that is close with the White House, as a “trusted technology partner.” That role could involve Oracle’s handling TikTok user data not just in the United States but also around the world, one person familiar with the matter said.

Oracle would also most likely gain a stake in TikTok, one person with knowledge of the proposal said. While the size of any Oracle investment in TikTok was unclear, Oracle would not be the app’s outright owner, another person said. And TikTok would also not transfer ownership of its valuable recommendation algorithm to Oracle, one person said. Beijing has essentially forbidden such a move.

The exact ownership structure for TikTok was still being debated, but some of ByteDance’s current investors are expected to be shareholders of the app, the people added. The deal would give U.S.-based investors voting control over TikTok, even though they may not own a majority of its shares, one person added. Such an arrangement could address concerns from the Committee on Foreign Investment in the United States, which scrutinizes investments with a foreign entity and makes a distinction between control and ownership of U.S.-based companies.

TikTok would also establish its headquarters in the United States. (It currently has offices in Los Angeles.) With discussions still underway, it’s possible that central details could still change.

The proposal now hinges on gaining the support of Mr. Trump, who previously said he was willing to ban TikTok if the app’s U.S. operations were not sold by a Sept. 20 deadline set by his executive order. Mr. Trump’s advisers, including Treasury Secretary Steven Mnuchin and Commerce Secretary Wilbur Ross, seem inclined to accept the kind of deal that ByteDance has offered, people familiar with their thinking said.

Mr. Mnuchin and Mr. Ross, who are both playing a prominent role in reviewing ByteDance’s proposal, have come to favor a solution that would reduce national security and data risks by moving some of TikTok’s key operations out of China, rather than killing the company outright, those people said. There are few strong voices in the administration speaking out against such a deal, with the trade adviser Peter Navarro, a China hawk and one of TikTok’s more vocal critics, playing a minimal role in recent discussions.

ByteDance’s carefully designed proposal and the shifting views of Mr. Trump’s advisers indicate how they are more willing to compromise to mitigate an increasingly fractious situation over a video app that is beloved by American teenagers and influencers. On Sunday, ByteDance rejected a deal from Microsoft, in which Microsoft had proposed essentially taking over control of TikTok’s algorithm.

“This way D.C. is happy, Beijing’s happy with no algorithm being sold, and ByteDance and TikTok, along with Oracle, all have smiles on their faces,” said Daniel Ives, a technology analyst at Wedbush Securities. “This is a very tight balancing act for ByteDance because they’re trying to, by the thread of a needle, keep their company as a stand-alone.”

In its statement on Monday, TikTok said the proposal that was in front of the Treasury Department would “enable us to continue supporting our community of 100 million people in the U.S. who love TikTok for connection and entertainment.” Oracle confirmed that it was “part of the proposal submitted by ByteDance to the Treasury Department,” but declined to elaborate.

Mr. Mnuchin described on CNBC on Monday how Oracle would be a “trusted technology partner” for TikTok and said the software company had made “many representations for national security issues.” The White House declined to comment, and the Department of Commerce did not immediately respond to a request for comment.

Other parties may still be interested in participating in a deal. Walmart, which had been working on a TikTok bid with Microsoft, said on Sunday in a statement that it “continues to have an interest in a TikTok investment and continues discussions with ByteDance leadership and other interested parties.”

In China, state media reports said on Monday that ByteDance would not sell TikTok in full to Oracle or any other bidders, suggesting that the company’s valuable algorithm would not trade hands. Last month, Beijing issued regulations that effectively said ByteDance would need a license to sell its technology to an American suitor.

At a regularly scheduled news briefing on Monday, Wang Wenbin, a spokesman for China’s Foreign Ministry, also criticized the American treatment of TikTok.

“TikTok has been rounded up and hunted in the United States, in a classic example of a government-coerced transaction,” Mr. Wang said. “This fully lays bare certain American politicians’ true intentions to seize by force, as well as the ugly face of economic bullying.”

Mr. Trump, who delights in being unpredictable, has a history of surprise decisions in his dealings with China. In recent years, he announced tariffs on hundreds of billions of dollars of products during a trade war and pardoned Chinese companies like ZTE at the request of China’s president, Xi Jinping.

Now he will essentially have to be persuaded to accept the type of compromise that he previously rejected. This summer, TikTok and its investors pressed the administration to allow them to address any concerns over national security by reconfiguring their operations, including moving their headquarters and data storage out of China. But Mr. Trump said no.

It is possible that Mr. Trump will face criticism from China skeptics in both parties if he takes a deal that doesn’t sever TikTok from ByteDance entirely.

In a letter on Monday to Mr. Mnuchin, Senator Josh Hawley, Republican of Missouri, urged the government to reject ByteDance’s proposal. He said ByteDance “can still pursue a full sale of TikTok, its code and its algorithm” to an American company.

“Or perhaps, given constraints imposed by Chinese law, the only feasible way to maintain Americans’ security is to effectively ban the TikTok app in the United States altogether,” Mr. Hawley said.

David McCabe and Ana Swanson reported from Washington, and Erin Griffith from San Francisco. Raymond Zhong contributed reporting from Taipei, Taiwan.

Posted on

Oracle Chosen as TikTok’s Tech Partner, as Microsoft’s Bid Is Rejected

WASHINGTON — The Chinese owner of TikTok has chosen Oracle to be the app’s technology partner for its U.S. operations and has rejected an acquisition offer from Microsoft, according to Microsoft officials and other people involved in the negotiations, as time runs out on an executive order from President Trump threatening to ban the popular app unless its American operations are sold.

It was unclear whether TikTok’s choice of Oracle as a technology partner would mean that Oracle would also take a majority ownership stake of the social media app, the people involved in the negotiations said. Microsoft had been seen as the American technology company with the deepest pockets to buy TikTok’s U.S. operations from its parent company, ByteDance, and with the greatest ability to address national security concerns that led to Mr. Trump’s order.

“ByteDance let us know today they would not be selling TikTok’s U.S. operations to Microsoft,” Microsoft said in a statement. “We are confident our proposal would have been good for TikTok’s users, while protecting national security interests.”

ByteDance declined to comment. A spokeswoman for Oracle did not immediately respond to a request for comment.

The fast-moving series of events on Sunday came as the clock ticks down on the executive order from Mr. Trump, which said that TikTok essentially needed to strike a deal to sell its U.S. operations by Sept. 20 or risk being blocked in the United States. But sale talks had been in a holding pattern because China issued new regulations last month that would bar TikTok from transferring its technology to a foreign buyer without explicit permission from the Chinese government. And any resulting deal could still be a geopolitical piñata between the United States and China.

The Chinese regulations helped scuttle the bid by Microsoft. The software giant had said in August that it would insist on a series of protections that would essentially give it control of the computer code that TikTok uses for the American and many other English-speaking versions of the app.

Microsoft said the only way it could both protect the privacy of TikTok users in the United States and prevent Beijing from using the app as a venue for disinformation was to take over that computer code, and the algorithms that determine what videos are seen by the 100 million Americans who use it each month.

“We would have made significant changes to ensure the service met the highest standards for security, privacy, online safety and combating disinformation,” Microsoft said in its statement.

Oracle has said nothing publicly about what it would do with TikTok’s underlying technology, which is written by a Chinese engineering team in Beijing — and which Secretary of State Mike Pompeo has charged is answerable to Chinese intelligence agencies. That is a major concern of American intelligence agencies, led by the National Security Agency and United States Cyber Command, which warned internally that whoever controls the computer code could channel — or censor — a range of politically sensitive information to specific users.

ByteDance and TikTok have denied that they help the Chinese government.

TikTok has become the latest flash point between Washington and Beijing over the control of technology that affects American lives. The Trump administration had already banned the Chinese telecom giant Huawei from selling next-generation, or 5G, networks and equipment in the United States, citing the risk of a foreign power controlling the infrastructure on which all internet communications flow.

But TikTok took the battle in new directions. For the first time, the United States was trying to stop a Chinese cultural phenomenon, with an intense following among American teenagers and millennials, which carries with it the possibility of future influence.

Even if Oracle may try to close a deal, it is unclear whether Beijing would create new obstacles to the process. And election-year politics have hung over the negotiations from the start. Unlike many other technology companies, Oracle has cultivated close ties with the Trump administration. Its founder, Larry Ellison, hosted a fund-raiser for Mr. Trump this year, and its chief executive, Safra Catz, served on the president’s transition team and has frequently visited the White House.

Last month, Mr. Trump said he would support Oracle buying TikTok. He called Oracle a “great company” and said the firm, which specializes in enterprise software, could successfully run TikTok.

“I think that Oracle would be certainly somebody that could handle it,” he said.

Along with Amazon, Oracle tried to win a $10 billion contract to run the Pentagon’s cloud services, one of the most hotly contested technology contracts issued by the Trump administration. Microsoft ultimately won that.

Oracle was also poised to provide the administration with a system earlier this year to help with a planned study that would have enabled the wide release of the malaria drug hydroxychloroquine to treat Covid-19. While doctors had warned the drug could have dangerous side effects, Mr. Trump had promoted its possible use to treat patients infected by the coronavirus.

Oracle’s relationship with the administration has drawn scrutiny. In August, a Department of Labor whistle-blower said that Mr. Trump’s labor secretary, Eugene Scalia, had intervened in a pay discrimination case involving the company.

On a call to discuss Oracle’s earnings last week, Ms. Catz preemptively told analysts that she and Mr. Ellison would not discuss reports about their bid for TikTok.

The rise of TikTok in the United States has been remarkably rapid; it has taken off in just the past two years. ByteDance, founded in 2012, has raised billions of dollars in funding, valuing it at $100 billion, according to PitchBook, which tracks private companies. Its investors include Tiger Global Management, KKR, NEA, SoftBank’s Vision Fund and GGV Capital.

In July, as pressure from the U.S. government escalated, ByteDance began discussions with investors to carve out TikTok.

But the deal quickly became a free-for-all with bids from various corporations and investment entities around the world and new demands from the U.S. and Chinese governments.

As the deal progressed, two of ByteDance’s largest backers, Sequoia Capital and General Atlantic, have sought to retain their holdings in its valuable subsidiary while saving TikTok from a ban in the United States. Both firms are represented on ByteDance’s board of directors.

In late August the firms teamed up with Oracle to bid against Microsoft. Microsoft, meanwhile, teamed up with Walmart to make its bid.

In an interview, Brad Smith, Microsoft’s president and chief legal officer, said that as he studied TikTok, it became evident that there were two distinct potential security threats.

The first was that Chinese authorities, using existing and new national security laws, could order TikTok to turn over user data. TikTok tracks everything that its hundreds of millions of users watch to funnel them more videos and other material. Given that users cannot opt out of that tracking, the only solution would be to move the data on Americans to servers that are solely in the United States, Mr. Smith said.

(TikTok currently uses a major server in Virginia, but backs up some of its data in Singapore, and there are questions about whether Chinese authorities could reach into any of those huge pools of user data.)

Microsoft would have located that data in the United States — and, in all likelihood, so would Oracle.

“Then Microsoft engineers began to see a second potential vulnerability: disinformation,” Mr. Smith said, one that has also been identified by Australian researchers. The only way to assure that TikTok’s Chinese engineers were not designing code and algorithms to affect what users saw, or did not see, would be for Microsoft to take over the code and the algorithms.

“We proposed to control the data sets and the algorithms from the day of the acquisition, including by moving source code for the algorithms to the United States,” Mr. Smith said.

Microsoft then would have worked over the course of a year with TikTok’s Chinese engineers so that it would vet any subsequent changes and make them reviewable by the U.S. government for security purposes before they were released into production, he said.

That is the approach favored by the National Security Agency and the Pentagon, according to intelligence officials. But it is exactly what the Chinese object to, which Beijing made clear in its new regulations last month.

David E. Sanger and David McCabe reported from Washington; Erin Griffith reported from San Francisco.