Posted on

It’s Google’s World. We Just Live In It.

About 20 years ago, I typed Google.com into my web browser for the first time. It loaded a search bar and buttons. I punched in “D.M.V. sample test,” scrolled through the results and clicked on a site.

Wow, I thought to myself. Google’s minimalist design was a refreshing alternative to other search engines at the time — remember AltaVista, Yahoo! and Lycos? — which greeted us with a jumble of ads and links to news articles. Even better, Google seemed to show more up-to-date, relevant results.

And the entire experience took just a few seconds. Once I found the link I needed, I was done with Google.

Two decades later, my experience with Google is considerably different. When I do a Google search in 2020, I spend far more time in the internet company’s universe. If I look for chocolate chips, for example, I see Google ads for chocolate chips pop up at the top of my screen, followed by recipes that Google has scraped from across the web, followed by Google Maps and Google Reviews of nearby bakeries, followed by YouTube videos for how to bake chocolate chip cookies. (YouTube, of course, is owned by Google.)

It isn’t just that I am spending more time in a Google search, either. The Silicon Valley company has leveraged the act of looking for something online into such a vast technology empire over the years that it has crept into my home, my work, my devices and much more. It has become the tech brand that dominates my life — and probably yours, too.

On my Apple iPhone, I use Google’s apps for photo albums and maps, along with tools for calendar, email and documents. On my computer and tablet, the various web browsers I use feature Google as the default search bar. For work, I use Google Finance (to look up stock quotes), Google Drive (to store files), Google Meet (to teleconference) and Google Hangouts (to communicate).

In my home, Google is also everywhere. My Nest home security camera is made by Google. A Google voice service rings my door buzzer. To learn how to repair a gutter, I recently watched home improvement videos on YouTube. In online maps, Google has photos of my house taken from outer space and camera-embedded cars.

By my unofficial estimate, I spend at least seven hours a day on Google-related products.

Google’s prevalence has brought the company to a critical point. On Tuesday, the Justice Department sued it for anticompetitive practices, in the most significant antitrust action by the U.S. government against a technology company in decades. The government’s case focused on Google’s search and how it appeared to create a monopoly through exclusive business contracts and agreements that locked out rivals.


Google said in a tweet that the lawsuit was “deeply flawed.” The company added, “People use Google because they choose to, not because they’re forced to or because they can’t find alternatives.”

To Gabriel Weinberg, the chief executive of DuckDuckGo, which offers a privacy-focused search engine, what I have experienced was Google’s plan all along.

“I don’t think it was happenstance,” he said. “They’ve been using their different products to maintain their dominance in their core market, which is search.”

That has created a privacy cost for many of us, Mr. Weinberg said. Google, he said, collects reams of information about us across its products, allowing it to stitch together detailed profiles about our behavior and interests.

So in 2012, Mr. Weinberg broke up with Google and purged his accounts. “I got to understand the privacy implications of building massive profiles on people — and the massive harm,” he said.

But Jeff Jarvis, a professor at the Craig Newmark Graduate School of Journalism and the author of “What Would Google Do?,” a book about the search giant’s rise, said there was still plenty of room outside Google’s world. For one, we don’t use Google for social media — we’re on Facebook and TikTok. Artificial intelligence, even the type that Google is developing, is still pretty unintelligent, he added.

“The internet is still very, very young,” Mr. Jarvis said.

To test that argument, I decided to catalog Google’s presence in our lives. Here are some results.

When we browse the web, we are probably interacting with Google without even realizing it. That’s because most websites that we visit contain Google’s ad technologies, which track our browsing. When we load a web article containing an ad served by Google, the company keeps a record of the website that loaded the ad — even if we didn’t click on the ad.

And guess what. Most ads we see are served by Google. Last year, the company and Facebook accounted for 59 percent of digital ad spending, according to the research firm eMarketer. Google dominates 63 percent of that slice of the pie.

Google’s ad technologies also include invisible analytics code, which runs in the background of many websites. About 74 percent of the sites we visit run Google analytics, according to an analysis by DuckDuckGo. So that’s even more data we are feeding about ourselves to Google, often without knowing it.

Let’s start with Android, the most popular mobile operating system in the world. People with Android devices inevitably download apps from Google’s Play store.

Android includes Google’s staple apps for maps and email, and Google search is prominently featured for looking up articles and digging through device settings. Google’s voice-powered virtual assistant is also part of Android devices.

Even if you own an Apple iPhone, as I do, Google looms large.

Google has been the default search bar on the iPhone’s Safari browser since 2007. Gmail is the most popular email service in the world, with more than 1.5 billion users, so chances are you use it on your iPhone. And good luck finding a service other than YouTube for watching those cooking and music videos on your phone.

In fact, Google owns 10 of the 100 most-downloaded apps in the Google and Apple app stores, according to App Annie, a mobile analytics firm.

Outside smartphones, Google is the dominant force on our personal computers. By some estimates, more than 65 percent of us use Google’s Chrome web browser. And in education, our schools have chosen the Chromebook, low-cost PCs that run Google’s operating system, as the most widely used tech tool for students.

This can be brief: YouTube is by far the largest video-hosting platform. Period. About 215 million Americans watch YouTube, spending 27 minutes a day on the site, on average. That’s up from 22 minutes a few years ago, according to eMarketer.

Another way you might watch Google videos is through YouTube TV, a streaming service that offers a modest bundle of TV channels. Released in 2017, YouTube TV had more than two million users last year, according to Google. That’s not far behind Sling TV, a similar bundle service introduced by Dish in 2015, which had about 2.6 million subscribers last year.

If you recently bought an internet-connected gadget for your home, chances are that Google is behind it. After all, the company offers Google Home, one of the most popular smart speakers and powered by Google’s virtual assistant, and it owns Nest, the smart-home brand that makes internet-connected security cameras, smoke alarms and thermostats.

We often interact with Google even when we use an app that lacks a clear connection with it. That’s because Google provides the cloud infrastructure, or the server technology that lets us stream videos and download files, to other brands. If you’re using TikTok in the United States, guess what: You’re in Google’s cloud. (TikTok may soon switch cloud providers under a deal with Oracle.)

Even Mr. Weinberg, who quit Google, said he had been unable to shake its services entirely. He said he still watched the occasional Google-hosted video when there was no alternative.

“If somebody’s sending a video that I need to watch and it’s only on YouTube, then that’s just the reality,” he said.


Trump says ‘nobody gets hacked’ but forgot his hotel chain was hacked — twice

According to President Trump speaking at a campaign event in Tucson, Arizona, on Monday, “nobody gets hacked.” You don’t need someone who covers security day in and day out to call bullshit on this one.

“Nobody gets hacked. To get hacked you need somebody with 197 IQ and he needs about 15 percent of your password,” Trump said, referencing the recent suspension of C-SPAN political editor Steve Scully, who admitted falsely claiming his Twitter account was hacked this week after sending a tweet to former White House communications director Anthony Scaramucci.

There’s a lot to unpack in those two-dozen words. But aside from the fact that not all hackers are male (and it’s sexist to assume that), and glossing over the two entirely contrasting sentences, Trump also neglected to mention that his hotel chain was hacked twice — once over a year-long period between 2014 and 2015 and again between 2016 and 2017.

We know this because the Trump business was legally required to file notice with state regulators after each breach, which they did.

In both incidents, customers of Trump’s hotels had their credit card data stolen. The second breach was blamed on a third-party booking system, called Sabre, which also exposed guest names, emails, phone numbers and more.

The disclosures didn’t say how many people were affected. Suffice it to say, it wasn’t “nobody.”

A spokesperson for the Trump campaign did not return a request for comment.

It’s easy to ignore what could be considered a throwaway line: To say that “nobody gets hacked” might seem harmless on the face of it, but to claim so is dangerous. It’s as bad as saying something is “unhackable” or “hack-proof.” Ask anyone who works in cybersecurity and they’ll tell you that no person or company can ever make such assurances.

Absolute security doesn’t exist. But for those who don’t know any different, it’s an excuse not to think about their own security. Yes, you should use a password manager. Absolutely turn on two-factor authentication whenever you can. Do the basics, because hackers don’t need an IQ score of 197 to break into your accounts. All they need is for you to lower your guard.

If “nobody gets hacked” as Trump claims, it makes you wonder whatever happened to the 400-pound hacker the president mentioned during his first White House run.


EU’s Google-Fitbit antitrust decision deadline pushed into 2021

The deadline for Europe to make a call on the Google-Fitbit merger has been pushed out again — with EU regulators now having until January 8, 2021, to take a decision.

The latest change to the provisional deadline, spotted earlier by Reuters, could be the result of one of the parties asking for more time.

Last month the deadline for a decision was extended until December 23 — potentially pushing the decision out beyond a year after Google announced its intention to buy Fitbit, back in November 2019. So if the tech giant was hoping for a simple and swift regulatory rubberstamping, its hopes have been diminishing since August when the Commission announced it was going to dig into the detail. Once bitten and all that.

The proposed Fitbit acquisition also comes as Alphabet, Google’s parent, is under intense antitrust scrutiny on multiple fronts on home turf.

Google featured prominently in a report by the House Judiciary Committee on big tech antitrust concerns earlier this month, with US lawmakers recommending a range of remedies — including breaking up platform giants.

European lawmakers are also in the process of drawing up new rules to regulate so-called ‘gatekeeper’ platforms — which would almost certainly apply to Google. A legislative proposal on that is expected before the end of this year, which means it may appear before EU regulators have taken a decision on the Google-Fitbit deal. (And one imagines Google isn’t exactly stoked about that possibility.)

Both competition and privacy concerns have been raised against allowing Google to get its hands on Fitbit users’ data.

The tech giant has responded by offering a number of pledges to try to convince regulators — saying it would not use Fitbit health and wellness data for ads and offering to have data separation requirements monitored. It has also said it would commit to maintain third parties’/rivals’ access to its Android ecosystem and Fitbit’s APIs.

However rival wearable makers have continued to criticize the proposed merger. And, earlier this week, consumer protection and human rights groups issued a joint letter — urging regulators to only approve the takeover if “merger remedies can effectively prevent [competition and privacy] harms in the short and long term”.

One thing is clear: With antitrust concerns now writ large against ‘big tech’ the era of ‘friction-free’ acquisitions looks to be behind Google et al.


France’s Health Data Hub to move to European cloud infrastructure to avoid EU-US data transfers

France’s data regulator CNIL has issued some recommendations for French services that handle health data, as Mediapart first reported. Those services should avoid using American cloud hosting companies altogether, such as Microsoft Azure, Amazon Web Services and Google Cloud.

Those recommendations follow a landmark ruling by Europe’s top court in July. The ruling, dubbed Schrems II, struck down the EU-US Data Privacy Shield. Under the Privacy Shield, companies could outsource data processing from the EU to the US in bulk. Due to concerns over US surveillance laws, that mechanism is no longer allowed.

The CNIL is going one step further by saying that services and companies that handle health data should also avoid doing business with American companies — it’s not just about processing European data in Europe. Once again, this is all about avoiding falling under U.S. regulation and rulings.

The regulator sent those recommendations to one of France’s top courts (Conseil d’État). SantéNathon, a group of organizations and unions, originally notified the CNIL over concerns about France’s Health Data Hub.

France is currently building a platform to store health data at the national level. The idea is to build a hub that makes it easier to study rare diseases and use artificial intelligence to improve diagnoses. It is supposed to aggregate data from different sources and make it possible to share some data with public and private institutions for those specific cases.

The technical choices have been controversial as the French government originally chose to partner with Microsoft and its cloud platform Microsoft Azure.

Microsoft, like many other companies, relies on Standard Contractual Clauses for EU-US data transfers. But the Court of Justice of the EU has made it clear that EU regulators have to intervene if data is being transferred to an unsafe country when it comes to privacy and surveillance.

The CNIL believes that an American company could process data in Europe but it would still fall under FISA 702 and other surveillance laws. Data would still end up in the hands of American authorities. In other words, it is being extra careful with health data for now, while Schrems II is still unfolding.

“We’re working with health minister Olivier Véran on transferring the Health Data Hub to French or European platforms following the Privacy Shield bombshell,” France’s digital minister Cédric O told Public Sénat.

The French government is now looking at other solutions for the Health Data Hub. In the near future, if France’s top court confirms the CNIL’s recommendations, it could also have some effects for French companies that handle health data, such as Doctolib and Alan.


Harry and Meghan Get an Apology After Suing Paparazzi

LOS ANGELES — The case of the unauthorized backyard photographs of Archie Harrison Mountbatten-Windsor has been solved. And the legal outcome, unveiled on Thursday by his parents, Prince Harry and Meghan, has left one of Hollywood’s biggest paparazzi agencies with its tail between its legs.

In July, the couple filed an invasion-of-privacy lawsuit over photographs taken with a drone and zoom cameras of the 14-month-old Archie as he played with his maternal grandmother in their backyard. At the time, the family was staying at a secluded estate in Beverly Hills owned by the entertainment mogul Tyler Perry. They did not name the defendants in the lawsuit because they did not know who they were.

The filing allowed their lawyer, Michael J. Kump, to send fact-finding subpoenas to the three biggest celebrity news agencies in Los Angeles: Backgrid, Splash News and X17.

The culprit turned out to be X17, which, according to a settlement agreement filed in Los Angeles County Superior Court, has agreed to turn over the photos to the family, destroy any copies in its archives or databases and never again traffic in any photos of the couple or their son taken by similar means “in any private residence or the surrounding private grounds.”

X17 will also pay a portion of the family’s legal fees, according to Mr. Kump.

In blunt terms, Harry and Meghan, who have clashed repeatedly with the British news media over privacy concerns, sent a stark message to American paparazzi agencies with the case: You come after us, and we will come after you.

“We apologize to the Duke and Duchess of Sussex and their son for the distress we have caused,” X17 said in a statement. “We were wrong to offer these photographs and commit to not doing so again.”

Mr. Kump said in a statement, “All families have a right, protected by law, to feel safe and secure at home.”

The couple, who resettled in California this year after a dramatic decampment from the House of Windsor, sued under a so-called paparazzi law, by which a person can be held liable civilly for intruding airspace to take photographs of a person on private property. The law was enacted in 1998 and last updated in 2015. It also covers wild driving by celebrity photographers while stalking their subjects — the kind of behavior that bedeviled Harry’s mother, Princess Diana, who died in 1997 after her sedan crashed while trying to escape paparazzi on motorcycles.

Harry and Meghan — beloved by millions of fans, who see them as daring and modern, and vilified by an equally vehement faction that sees their tradition-spurning actions as unbecoming — have taken an unusually hard-line approach with the tabloid news media. In April, complaining of “an economy of click bait and distortion” and coverage that was “distorted, false and invasive beyond reason,” they told four leading British tabloid publishers that they would no longer deal with them. Meghan has sued the publisher of The Mail on Sunday, the sister paper of The Daily Mail, for publishing a private letter that she had sent to her estranged father in 2018. Another lawsuit, aimed at Splash News, involves photographs that were taken of Meghan and Archie this year in Vancouver, British Columbia.

In the X17 case, Harry and Meghan discovered that someone was shopping photos of their son to outlets around the world and had claimed they had been taken in public, according to the complaint, which noted that Archie had not been in public since the family arrived in Southern California. The photographs were published in the German magazine Bunte. Lawyers for the couple were able to move quickly enough to prevent their publication in the United States and Britain, however.

“Some paparazzi and media outlets have flown drones a mere 20 feet above the house, as often as three times a day, to obtain photographs of the couple and their young son in their private residence (some of which have been sold and published),” the lawsuit said. “Others have flown helicopters above the backyard of the residence, as early as 5:30 a.m. and as late as 7:00 p.m., waking neighbors and their son, day after day. And still others have even cut holes in the security fence itself to peer through it.”

X17, owned by François Navarre and his wife, Brandy, describes itself on its website as “Hollywood’s leading celebrity photo agency, servicing tens of thousands of media outlets around the world with our high quality photos and videos.” Variety magazine has characterized the operation as “a veritable spider web of photographers and undercover informants.” In 2003, Mr. Navarre had to pay Jennifer Aniston $550,000 to settle an invasion-of-privacy lawsuit over photos of her sunbathing topless in her backyard.

“Yeah, sure, it’s always a question of private life versus public life,” Mr. Navarre told The Los Angeles Times in 2007. “But you have an easy way to escape that. Get out of Los Angeles.”

In August, Harry and Meghan did just that, moving from Mr. Perry’s home in Beverly Hills to one in Montecito, an oceanside enclave about an hour northwest of Malibu. The couple bought the seven-acre estate for $14.7 million. It is gated and shrouded by trees.

The paparazzi helicopters have followed.


Tech-publisher coalition backs new push for browser-level privacy controls

Remember ‘Do Not Track’? The tracker-loving adtech industry hopes you don’t recall that decade+ doomed attempt to bake user-friendly privacy controls into browsers. But a coalition of privacy-forward tech companies, publishers and advocacy groups has taken the wraps off of a push to develop a new standard that gives Internet users a super simple way to put digital guardrails around their data.

The effort to bake in a new browser-level privacy signal to stop the sale of personal data — which has been christened: Global Privacy Control (GPC) — is being led by the ex-CTO of the FTC, Ashkan Soltani, and privacy researcher Sebastian Zimmeck.

They’ve got early backing from The New York Times; The Washington Post; Financial Times; WordPress-owner Automattic; dev community Glitch; privacy search engine DuckDuckGo; anti-tracking browser Brave; Firefox maker Mozilla; tracker blocker Disconnect; privacy tool maker Abine; Digital Content Next; Consumer Reports; and digital rights group the Electronic Frontier Foundation.

“In the initial experimental phase, individuals can download browsers and extensions from Abine, Brave, Disconnect, DuckDuckGo, and EFF in order to communicate their ‘do not sell or share’ preference to participating publishers,” they write in a press release unveiling the effort.

“Additionally, we are committed to developing GPC into an open standard that many other organizations will support and are in the process of identifying the best venue for this proposal,” they add.

This ‘DNT’-esque initiative is, at least initially, being tailored toward California’s Consumer Privacy Act (CCPA) — which gives Internet users in the state the right to opt out of having their data sold on (with the potential for further strengthening if a November ballot measure, called Prop24, gets passed).

The law also requires businesses to respect user opt-out preferences via a signal from their browser — reviving the potential for a low friction, browser-level control which was what supporters of DNT always hoped it would be.

The aim for the group steering GPC is to develop a standard for a browser-level opt-out for the sale of personal data that businesses subject to CCPA would be legally compelled to respond to — assuming they succeed in getting the standard accepted as legally binding under California’s law.

“We look forward to working with AG Becerra to make GPC legally binding under CCPA,” they write on that.

We’ve reached out to AG Becerra’s office for a response on the launch. He has also just tweeted approvingly — calling the proposal “a first step towards a meaningful global privacy control that will make it simple and easy for consumers to exercise their privacy rights online”.

“CA DOJ is encouraged to see the technology community developing a global privacy control in furtherance of the CCPA and consumer privacy rights,” he added in a follow on tweet.

At the same time — and as GPC’s name implies — the ambition is to develop a standard that’s able to flex to mesh with privacy regimes elsewhere, such as Europe’s GDPR framework (which provides citizens with a suite of protective and access rights around their data, though not a carbon-copy CCPA opt-out for the sale of data).

“While they don’t specifically call for a GPC, I think there’s a potential for EU DPAs [data protection agencies] to consider a mechanism like this as a valid way for consumers to invoke their rights under GDPR, including the objection to sale,” Soltani tells TechCrunch. “Also the spec was designed to be extensible in case the laws vary slightly from CCPA — permitting users to object to specific uses in GDPR — or even the new rights that will come about if CPRA (Prop24) passes next month.”

One big and obvious question looming over this effort is why not simply revive DNT as a vehicle for expressing the CCPA opt-out signal?

Much effort and resource has been expended over the years to try to make DNT fly. Not entirely without success, given it was able to gain widespread backing from browser makers — falling apart from lack of compliance on the other side of the coin given the lack of legal compulsion.

However now, with robust legal regimes in place protecting people’s digital data (at least in Europe and California), you could argue there’s an opportunity to revive DNT and make it stick this time. (And, indeed, some EU parliamentarians have, in recent years, suggested Do Not Track settings could be used to express consent to processing as part of a planned reform of EU ePrivacy rules — likely with an eye on tidying up the consent pop-up clutter that’s been supercharged by GDPR compliance efforts.)

However the answer to why GPC, rather than DNT 2.0, seems to be partly related to all the baggage accumulated around Do Not Track — whose pithy call to action can still send insta-shudders down adtech exec spines. (Whereas ‘Global Privacy Control’ is certainly boring-sounding enough that it could have been dreamt up by an adtech lobbyist and may, therefore, put fewer industry noses out of joint.)

More seriously, the potential for using DNT to express opt-out signals was discussed by California lawmakers when they were drawing up CCPA, and industry feedback taken in — and the message they got back was that most businesses were ignoring it, which in turn led to a feeling that a revived DNT would just continue to be ignored.

Hence the law may demand a more precision instrument to carry the torch for user privacy, is the thinking.

We also understand the GPC effort had intended and expected to be able to use DNT as the opt out mechanism. But in the end, given the concern around compliance, they decided a CCPA-specific mechanism was needed to circumvent this problem of businesses tuning out the broader DNT signal.

“Getting privacy online should be simple and accessible to everyone, period,” said Gabriel Weinberg, CEO & founder of DuckDuckGo in a supporting statement. “Global Privacy Control (GPC) takes us one step closer to making this vision a reality by creating a simple universal setting for users to express their preference for privacy. DuckDuckGo is proud to be a founding member of this effort and starting today, the GPC will be launching in our mobile browser and desktop browser extensions, making the setting available to over ten million consumers.”

“Mozilla is pleased to support the Global Privacy Control initiative. People’s data rights must be recognized and respected, and this is a step in the right direction. We look forward to working with the rest of the web standards community to bring these protections to everyone,” added Selena Deckelmann, VP of Firefox Desktop.

The full spec of the proposed GPC standard can be found here.


This is how police request customer data from Amazon

Anyone can access portions of a web portal, used by law enforcement to request customer data from Amazon, even though the portal is supposed to require a verified email address and password.

Amazon’s law enforcement request portal allows police and federal agents to submit formal requests for customer data along with a legal order, like a subpoena, a search warrant, or a court order. The portal is publicly accessible from the internet, but law enforcement must register an account with the site in order to allow Amazon to “authenticate” the requesting officer’s credentials before they can make requests.

Only time sensitive emergency requests can be submitted without an account, but this requires the user to “declare and acknowledge” that they are an authorized law enforcement officer before they can submit a request.

The portal does not display customer data or allow access to existing law enforcement requests. But parts of the website still load without needing to log in, including its dashboard and the “standard” request form used by law enforcement to request customer data.

The portal provides a rare glimpse into how Amazon handles law enforcement requests.

This form allows law enforcement to request customer data using a wide variety of data points, including Amazon order numbers, serial numbers of Amazon Echo and Fire devices, credit card details and bank account numbers, gift cards, delivery and shipping numbers, and even the Social Security number of delivery drivers.

It also allows law enforcement to obtain records related to Amazon Web Services accounts by submitting domain names or IP addresses related to the request.

Assuming this was a bug, we sent Amazon several emails prior to publication but did not hear back.

Amazon is not the only tech company with a portal for law enforcement requests. Many of the bigger tech companies with millions or even billions of users around the world, like Google and Twitter, have built portals to allow law enforcement to request customer and user data.

Motherboard reported a similar issue earlier this month that allowed anyone with an email address to access law enforcement portals set up by Facebook and WhatsApp.


Big tech has 2 elephants in the room: Privacy and competition

The question of how policymakers should respond to the power of big tech didn’t get a great deal of airtime at TechCrunch Disrupt last week, despite a number of investigations now underway in the United States (hi, Google).

It’s also clear that attention- and data-monopolizing platforms compel many startups to use their comparatively slender resources to find ways to compete with the giants — or hope to be acquired by them.

But there’s clearly a nervousness among even well-established tech firms to discuss this topic, given how much their profits rely on frictionless access to users of some of the gatekeepers in question.

Dropbox founder and CEO Drew Houston evinced this dilemma when TechCrunch Editor-in-Chief Matthew Panzarino asked him if Apple’s control of the iOS App Store should be “reexamined” by regulators or whether it’s just legit competition.

“I think it’s an important conversation on a bunch of dimensions,” said Houston, before offering a circular and scrupulously balanced reply in which he mentioned the “ton of opportunity” app stores have unlocked for third-party developers, checking off some of Apple’s preferred talking points like “being able to trust your device” and the distribution the App Store affords startups.

“They also are a huge competitive advantage,” Houston added. “And so I think the question of … how do we make sure that there’s still a level playing field and so that owning an app store isn’t too much of an advantage? I don’t know where it’s all going to end up. I do think it’s an important conversation to be had.”

Rep. Zoe Lofgren (D-CA) said the question of whether large tech companies are too powerful needs to be reframed.

“Big per se is not bad,” she told TC’s Zack Whittaker. “We need to focus on whether competitors and consumers are being harmed. And, if that’s the case, what are the remedies?”

In recent years, U.S. lawmakers have advanced their understanding of digital business models — making great strides since Facebook’s Mark Zuckerberg answered a question two years ago about how his platform makes money: “Senator, we sell ads.”

A House antitrust subcommittee hearing in July 2020 saw the CEOs of Google, Facebook, Amazon and Apple answer awkward questions and achieved a higher dimension of detail than the big tech hearings of 2018.

Nonetheless, there still seems to be a lack of consensus among lawmakers over how exactly to grapple with big tech, even though the issue elicits bipartisan support, as was in plain view during a Senate Judiciary Committee interrogation of Google’s ad business earlier this month.

On stage, Lofgren demonstrated some of this tension by discouraging what she called “bulky” and “lengthy” antitrust investigations, making a general statement in favor of “innovation” and suggesting a harder push for overarching privacy legislation. She also advocated at length for inalienable rights for U.S. citizens so platform manipulators can’t circumvent rules with their own big data holdings and some dark pattern design.


How the NSA is disrupting foreign hackers targeting COVID-19 vaccine research

The headlines aren’t always kind to the National Security Agency, a spy agency that operates almost entirely in the shadows. But a year ago, the NSA launched its new Cybersecurity Directorate, which in the past year has emerged as one of the more visible divisions of the spy agency.

At its core, the directorate focuses on defending and securing critical national security systems that the government uses for its sensitive and classified communications. But the directorate has become best known for sharing some of the more emerging, large-scale cyber threats from foreign hackers. In the past year the directorate has warned against attacks targeting secure boot features in most modern computers, and doxxed a malware operation linked to Russian intelligence. By going public, NSA aims to make it harder for foreign hackers to reuse their tools and techniques, while helping to defend critical systems at home.

But six months after the directorate started its work, COVID-19 was declared a pandemic and large swathes of the world — and the U.S. — went into lockdown, prompting hackers to shift gears and change tactics.

“The threat landscape has changed,” Anne Neuberger, NSA’s director of cybersecurity, told TechCrunch at Disrupt 2020. “We’ve moved to telework, we move to new infrastructure, and we’ve watched cyber adversaries move to take advantage of that as well,” she said.

Publicly, the NSA advised on which videoconferencing and collaboration software was secure, and warned about the risks associated with virtual private networks, whose usage boomed after lockdowns began.

But behind the scenes, the NSA is working with federal partners to help protect the efforts to produce and distribute a vaccine for COVID-19, a feat that the U.S. government called Operation Warp Speed. News of NSA’s involvement in the operation was first reported by Cyberscoop. As the world races to develop a working COVID-19 vaccine, which experts say is the only long-term way to end the pandemic, NSA and its U.K. and Canadian partners went public with another Russian intelligence operation aimed at targeting COVID-19 research.

“We’re part of a partnership across the U.S. government, we each have different roles,” said Neuberger. “The role we play as part of ‘Team America for Cyber’ is working to understand foreign actors, who are they, who are seeking to steal COVID-19 vaccine information — or more importantly, disrupt vaccine information or shake confidence in a given vaccine.”

Neuberger said that protecting the pharma companies developing a vaccine is just one part of the massive supply chain operation that goes into getting a vaccine out to millions of Americans. Ensuring the cybersecurity of the government agencies tasked with approving a vaccine is also a top priority.

Here are more takeaways from the talk:

Why TikTok is a national security threat

TikTok is just days away from an app store ban, after the Trump administration earlier this year accused the Chinese-owned company of posing a threat to national security. But the government has been less than forthcoming about what specific risks the video sharing app poses, only alleging that the app could be compelled to spy for China. Beijing has long been accused of cyberattacks against the U.S., including the massive breach of classified government employee files from the Office of Personnel Management in 2014.

Neuberger said that the “scope and scale” of TikTok’s app’s data collection makes it easier for Chinese spies to answer “all kinds of different intelligence questions” on U.S. nationals. Neuberger conceded that U.S. tech companies like Facebook and Google also collect large amounts of user data. But there are “greater concerns on how [China] in particular could use all that information collected against populations other than its own,” she said.

NSA is privately disclosing security bugs to companies

The NSA is trying to be more open about the vulnerabilities it finds and discloses, Neuberger said. She told TechCrunch that the agency has shared a “number” of vulnerabilities with private companies this year, but “those companies did not want to give attribution.”

One exception was earlier this year when Microsoft confirmed NSA had found and privately reported a major cryptographic flaw in Windows 10, which could have allowed hackers to run malware masquerading as a legitimate file. The bug was so dangerous that NSA reported the vulnerability to Microsoft, which patched the bug.

Only two years earlier, the spy agency was criticized for finding and using a Windows vulnerability to conduct surveillance instead of alerting Microsoft to the flaw. The exploit was later leaked and was used to infect thousands of computers with the WannaCry ransomware, causing millions of dollars’ worth of damage.

As a spy agency, NSA exploits flaws and vulnerabilities in software to gather intelligence on the enemy. It has to run through a process called the Vulnerabilities Equities Process, which allows the government to retain bugs that it can use for spying.


Instagram CEO, ACLU slam TikTok and WeChat app bans for putting US freedoms into the balance

As people begin to process the announcement from the U.S. Department of Commerce detailing how it plans, on grounds of national security, to shut down TikTok and WeChat — starting with app downloads and updates for both, plus all of WeChat’s services, on September 20, with TikTok following with a shut down of servers and services on November 12 — the CEO of Instagram and the ACLU are among those that are speaking out against the move.

The CEO of Instagram, Adam Mosseri, wasted little time in taking to Twitter to criticize the announcement. His particular beef is the implication the move will have for US companies — like his — that also have built their businesses around operating across national boundaries.

In essence, if the U.S. starts to ban international companies from operating in the U.S., then it opens the door for other countries to take the same approach with U.S. companies.

Meanwhile, the ACLU has been outspoken in criticizing the announcement on the grounds of free speech.

“This order violates the First Amendment rights of people in the United States by restricting their ability to communicate and conduct important transactions on the two social media platforms,” said Hina Shamsi, director of the American Civil Liberties Union’s National Security Project, in a statement today.

Shamsi added that ironically, while the U.S. government might be crying foul over national security, blocking app updates poses a security threat in itself.

“The order also harms the privacy and security of millions of existing TikTok and WeChat users in the United States by blocking software updates, which can fix vulnerabilities and make the apps more secure. In implementing President Trump’s abuse of emergency powers, Secretary Ross is undermining our rights and our security. To truly address privacy concerns raised by social media platforms, Congress should enact comprehensive surveillance reform and strong consumer data privacy legislation.”

Vanessa Pappas, who is the acting CEO of TikTok, also stepped in to endorse Mosseri’s words and publicly asked Facebook to join TikTok’s litigation against the U.S. over its moves.

“We agree that this type of ban would be bad for the industry. We invite Facebook and Instagram to publicly join our challenge and support our litigation,” she said in her own tweet responding to Mosseri, while also retweeting the ACLU. (Interesting how Twitter becomes Switzerland in these stories, huh?) “This is a moment to put aside our competition and focus on core principles like freedom of expression and due process of law.”

The move to shutter these apps has been wrapped in an increasingly complex set of issues, and these two dissenting voices highlight not just some of the conflict between those issues, but the potential consequences and detriment of acting based on one issue over another.

The Trump administration has stated that the main reason it has pinpointed the apps has been to “safeguard the national security of the United States” in the face of nefarious activity out of China, where the owners of WeChat and TikTok, respectively Tencent and ByteDance, are based:

“The Chinese Communist Party (CCP) has demonstrated the means and motives to use these apps to threaten the national security, foreign policy, and the economy of the U.S.,” today’s statement from the U.S. Department of Commerce noted. “Today’s announced prohibitions, when combined, protect users in the U.S. by eliminating access to these applications and significantly reducing their functionality.”

In reality, it’s hard to know where the truth actually lies.

In the case of the ACLU and Mosseri’s comments, they are highlighting issues of principles but not necessarily precedent.

It’s not as if the US would be the first country to take a nationalist approach to how it permits the operation of apps. Facebook and its stable of apps, as of right now, are unable to operate in China without a VPN (and even with a VPN things can get tricky). And free speech is regularly ignored in a range of countries today.

But the US has always positioned itself as a standard bearer in both of these areas, and so apart from the self-interest that Instagram might have in advocating for more free market policies, it points to a wider market and business position that’s being eroded.

The issue, of course, is a little like an onion (a stinking onion, I’d say), with well more than just a couple of layers around it, and with the ramifications bigger than TikTok (with 100 million users in the U.S. and huge in pop culture beyond even that) or WeChat (much smaller in the U.S. but huge elsewhere and valued by those who do use it).

The Trump administration has been carefully selecting issues to tackle to give voters reassurance of Trump’s commitment to “Make America Great Again,” building examples of how it’s helping to promote U.S. interests and demote those that stand in its way. China has been a huge part of that image building, positioned as an adversary in industrial, defence and other arenas. Pinpointing specific apps and how they might pose a security threat by sucking up our data fits neatly into that strategy.

But are they really security threats, or are they just doing the same kind of nefarious data ingesting that every social app does in order to work? Will the US banning them really mean that other countries, up to now more in favor of a free market, will fall in line and take a similar approach? Will people really stop being able to express themselves?

Those are the questions that Trump has forced into the balance with his actions, and even if they were not issues before, they have very much become so now.
