Insufficient

Recall that Oracle and ByteDance have a proposal on the table for Oracle to take a minority partnership position in ByteDance’s TikTok. In response to objections to that, some

Trump administration officials are looking to give American investors a majority share of the company that will take over the Chinese-owned video-sharing app TikTok[.]

Senators Marco Rubio (R, FL), Rick Scott (R, FL), Thom Tillis (R, NC), Roger Wicker (R, MI), Dan Sullivan (R, AK), and John Cornyn (R, TX) object to that, too.

Any deal between an American company and ByteDance must ensure that TikTok’s US operations, data, and algorithms are entirely outside the control of ByteDance or any Chinese-state directed actors, including any entity that can be compelled by Chinese law to turn over or access US consumer data.

The Senators are absolutely correct. Any fraction of ownership by a People’s Republic of China company that’s greater than zero is too much, giving, as it would, the PRC’s intelligence community access to all the data TikTok scoops up from the individuals and businesses that use it.

Internet Security

There is a move afoot—and it’s making significant progress—to develop and deploy a quantum computing Internet.

A group led by the US Department of Energy and the University of Chicago plans to develop a nationwide quantum internet that could be functional in about a decade and with the potential to securely transmit sensitive information related to national security and financial services.
“What we’re moving forward on is building out quantum networks [to] someday…turn into a full second internet, a parallel internet to the digital internet,” said Paul Dabbar, the Energy Department’s Under Secretary for Science.

That would be terrific if it actually comes to fruition. Especially this part:

“Literally anything that would be transmitted encrypted today would be suitable for the quantum internet in the future,” Mr [JPMorgan Chase & Co’s Managing Director, Head of Research and Engineering, Marco] Pistoia said in an email.

Of course, that includes the personal and business correspondence of US citizens.

A problem I have with such a development, though, is this:

“A quantum network, because of physics, is by definition completely secure,” Mr Dabbar said.

No. A quantum network is not the network to end all networks. Such a network is not “because of physics…by definition completely secure.”

A quantum network is completely secure because of physics as we understand physics today. Security is, and always will be, an arms race between the cryptographers and their evolutions on the one hand, and the hackers and their evolutions on the other.

The biggest threat to security is just this sort of complacency.

There are other problems, and they are not unique to quantum networks, either. One such is a basic denial-of-service attack, where the hacker doesn’t care a single bit about encryption—at least not directly—but only about denying user access to the network or any node on it. The motive for that denial may range from petty vandalism, “protest,” or extortion—give me that document you’ve got encrypted on your quantum subnet (so much for quantum encryption)—to any number of other not yet imagined reasons.

Another is the phishing expedition wherein an employee is suckered into taking some action that grants the hacker access to the network.

Then there’s that personal communication secrecy—a citizen’s wish to keep his private communications private, including from the prying eyes of Government. Quantum network use would extend the tension between a citizen’s right to keep private things private and Government’s often entirely legitimate, even urgent, need to know. That, though, is just part of the noise of republican democracy.

By all means, develop and deploy the quantum Internet; it would be a huge step forward in data protection. Sooner is better.

But don’t be complacent about its security. And don’t let up on the need to protect against other forms of attack.

Some Thoughts on TikTok

TikTok is a video messaging app that was developed in the People’s Republic of China and is owned by ByteDance, another PRC company. The Wall Street Journal published a Q&A on the app last Tuesday.

I have some thoughts, too.

For background, here are some of the data that TikTok collects just because you’re using it.

…location data and your internet address, according to its privacy policy, and it tracks the type of device you are using to access its platform. It stores your browsing and search history as well as the content of messages you exchange with others on the app.

How to locate your device in the Net, where you’ve been virtually, and what you say in your correspondence. That’s just for starters.

If you opt in, TikTok says it can collect your phone and social-network contacts, your GPS position, and your personal information such as age and phone number along with any user-generated content you post, such as photos and videos. It can store payment information, too. TikTok also gets a sense of what makes you tick. It can track the videos you like, share, watch….

Your physical location, and all that personally identifying information. It exposes your contacts, too, without their having any opportunity to reject “opting in.”

Now, some of the rest of the story:

Why is the US concerned?
Beijing performing mass data collection on American citizens….
…a vast database of information that could be used for espionage…if TikTok’s user data could be obtained by the Chinese government, that would enhance any such efforts. “You can use [artificial intelligence tools] to sort through it and find an awful lot of data….”

And this:

A TikTok spokesman said that the Chinese government has never asked the company for user data and that it would refuse such a request. “TikTok has an American CEO and is owned by a private company that is backed by some of the best-known US investors[.]”

This is a disingenuous claim. What the PRC has or has not done in the past in this regard is wholly irrelevant to what it can do. The more important thing, too, is what it can do. Under a PRC 2017 national intelligence law, all PRC companies and people are required to comply with any and all intel community requests for intel-related information. What is intel-related is determined by the intel community. Under the just-passed Hong Kong national security law, the PRC government has arrogated to itself the authority to go after any entity or person it deems a national security threat—wherever that entity or person is located, under whatever sovereign nation jurisdiction that entity or person resides, in the world.

TikTok, owned by ByteDance, is as subject to those laws as is ByteDance.

Does TikTok share any information with ByteDance, its China-based parent?
TikTok stores its data on American users on servers in the US and Singapore, but its website says that information can be shared with ByteDance or other affiliates.

Not only can be shared, but will be. Nor will it matter what firewalls ByteDance might claim to have erected between it and its subordinate—limiting the number of employees who have access to user data and the scenarios where data access is enabled, for instance—the parent organization can tear them down at will. And can be expected to, as necessary, to satisfy information demands from the PRC’s intel community.

As for those “other affiliates”—some of them may well be within the PRC.

What happens to your data if you quit TikTok?
Users can ask TikTok to delete their data, and the company has said in its policy that it will respond in a manner consistent with applicable law upon verifying your identity.

Users are supposed to believe TikTok’s wide-eyed innocent claim to have complied, even though they have no means of independently verifying TikTok’s assertion. But the kicker is that “manner consistent with applicable law” caveat. Two of those applicable laws are the PRC’s security laws mentioned above.

This is not a bit of software that should appear anywhere on anyone’s device.

A Federal Surveillance Law Lapse

A fairly broad range of FISA surveillance authorities held by the Federal government has lapsed, and that

has begun to limit the FBI’s ability to pursue some terrorism and espionage suspects….

Disagreements among the House, Senate, and White House over how much to renew and the degree of additional controls to be applied to what’s renewed combined with the Wuhan Virus situation to let Congress adjourn for the season and the situation without action.

I’m undismayed by this turn of events. In the first place, when Congress returns, it’s quite likely to work out these differences and renew the FISA authorities in some form—which, if done correctly, won’t be all bad.

However, given the decision by far too many in the FBI to not bother discriminating between suspects and political opponents, the lapse isn’t all bad, either. It’ll be worth the time if only necessary authorities are renewed, proper controls are put in place, and the miscreants in the FBI are terminated for cause, along with those whose miscreancy was criminal being brought to trial.

Wuhan Virus Tracking

Many nations are using cell phone data and/or apps installed on cell phones to track folks known to be infected in order to identify those persons’ contacts and to build up anticipatory data of pending and developing hotspots. This is intended to facilitate more efficient targeting of medical resources, to more efficiently target more limited populations, and so to more quickly free up economic resources and activity.

The US Federal government, working with the Centers for Disease Control and Prevention, is creating a portal that will compile phone geolocation data to help authorities predict where outbreaks could next occur and determine where resources are needed, though the effort faces privacy concerns.
… Alphabet Inc’s Google said Thursday it would share a portion of its huge trove of data on people’s movements.
Massachusetts Institute of Technology researchers have developed an app to track Covid-19 patients and the people they interact with, and are in talks with the federal government about its use, The Wall Street Journal has reported.

The EU is going even further, developing and propagating apps that track individuals, ostensibly with their permission.

These moves are being sold as necessary for the present situation, even though they badly risk individual privacy—cue Ben Franklin.

Such sales pitches would be believable—and stipulate arguendo that the tradeoff might be minimally acceptable—if these surveillance moves had sunset clauses in them. Such surveillances need to be automatically terminated after some specified period of time or at some easily measurable milestone—Wuhan Virus infection rate drops below a particular threshold, for instance. Sunset clauses also must include destruction of the surveillance databases, with that being verifiable by anyone who asks—the present FOIA procedures would provide an example of how that would work.

Unfortunately, sunset clauses are notably absent from these moves toward government surveillance of us citizens—the danger of which is emphasized by the example of the People’s Republic of China and by our own FBI’s abuse of its surveillance authorities, along with our own FISA Court judges’ cynical acceptance of those abuses.