Tag Archives: data protection

How They Sold Us Out: Mobile Companies and Data Privacy

On April 29, 2024, the US Federal Communications Commission (FCC) fined the nation’s largest wireless carriers for illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure. Sprint and T-Mobile – which have merged since the investigation began – face fines of more than $12 million and $80 million, respectively. AT&T is fined more than $57 million, and Verizon is fined almost $47 million.

The FCC Enforcement Bureau investigations of the four carriers found that each carrier sold access to its customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers. In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained.

This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access. Under the law, including section 222 of the Communications Act, carriers are required to take reasonable measures to protect certain customer information, including location information. Carriers are also required to maintain the confidentiality of such customer information and to obtain affirmative, express customer consent before using, disclosing, or allowing access to such information. These obligations apply equally when carriers share customer information with third parties.

“The protection and use of sensitive personal data such as location information is sacrosanct,” said Loyaan A. Egal, Chief of the FCC Enforcement Bureau and Chair of its Privacy and Data Protection Task Force. “

Excerpts from FCC Fines AT&T, Sprint, T-Mobile, and Verizon Nearly $200 billion for Illegally Sharing Access to Customers’ Location Data, FCC Press Release, Apr. 29, 2024

If the United States is a Surveillance State How Does it Differ from China?

In November 2023, Michael Morell, a former deputy director of the Central Intelligence Agency (CIA), hinted at a big change in how the agency now operates. “The information that is available commercially would kind of knock your socks off…if we collected it using traditional intelligence methods, it would be top secret-sensitive. And you wouldn’t put it in a database, you’d keep it in a safe.”

In recent years, U.S. intelligence agencies, the military and even local police departments have gained access to enormous amounts of data through shadowy arrangements with brokers and aggregators. Everything from basic biographical information to consumer preferences to precise hour-by-hour movements can be obtained by government agencies without a warrant.

Most of this data is first collected by commercial entities as part of doing business. Companies acquire consumer names and addresses to ship goods and sell services. They acquire consumer preference data from loyalty programs, purchase history or online search queries. They get geolocation data when they build mobile apps or install roadside safety systems in cars. But once consumers agree to share information with a corporation, they have no way to monitor what happens to it after it is collected. Many corporations have relationships with data brokers and sell or trade information about their customers. And governments have come to realize that such corporate data not only offers a rich trove of valuable information but is available for sale in bulk.

Earlier generations of data brokers vacuumed up information from public records like driver’s licenses and marriage certificates. But today’s internet-enabled consumer technology makes it possible to acquire previously unimaginable kinds of data. Phone apps scan the signal environment around your phone and report back, hourly, about the cell towers, wireless earbuds, Bluetooth speakers and Wi-Fi routers that it encounters….The National Security Agency recently acknowledged buying internet browsing data from private brokers, and several sources have told me about programs allowing the U.S. to buy access to foreign cell phone networks. Those arrangements are cloaked in secrecy, but the data would allow the U.S. to see who hundreds of millions of people around the world are calling.

Car companies, roadside assistance services and satellite radio companies also collect geolocation data and sell it to brokers, who then resell it to government entities. Even tires can be a vector for surveillance. That little computer readout on your car that tells you the tire pressure is 42 PSI? It operates through a wireless signal from a tiny sensor, and government agencies and private companies have figured out how to use such signals to track people…

It’s legal for the government to use commercial data in intelligence programs because data brokers have either gotten the consent of consumers to collect their information or have stripped the data of any details that could be traced back to an individual. Much commercially available data doesn’t contain explicit personal information. But the truth is that there are ways to identify people in nearly all anonymized data sets. If you can associate a phone, a computer or a car tire with a daily pattern of behavior or a residential address, it can usually be associated with an individual.

And while consumers have technically consented to the acquisition of their personal data by large corporations, most aren’t aware that their data is also flowing to the government, which disguises its purchases of data by working with contractors. One giant defense contractor, Sierra Nevada, set up a marketing company called nContext which is acquiring huge amounts of advertising data from commercial providers. Big data brokers that have reams of consumer information, like LexisNexis and  Thomson Reuters, market products to government entities, as do smaller niche players. Companies like Babel Street, Shadowdragon, Flashpoint and Cobwebs have sprung up to sell insights into what happens on social media or other web forums. Location data brokers like Venntel and Safegraph have provided data on the movement of mobile phones…

A group of U.S. lawmakers is trying to stop the government from buying commercial data without court authorization by inserting a provision to that effect in a spy law, FISA Section 702, that Congress needs to reauthorize by April 19. The proposal would ban U.S. government agencies from buying data on Americans but would allow law-enforcement agencies and the intelligence community to continue buying data on foreigners…But many in the national security establishment think that it makes no sense to ban the government from acquiring data that everyone from the Chinese government to Home Depot can buy on the open market. The data is valuable—in some cases, so valuable that the government won’t even discuss what it’s buying. “Picture getting a suspect’s phone, then in the extraction [of data] being able to see everyplace they’d been in the last 18 months plotted on a map you filter by date ranges,” wrote one Maryland state trooper in an email obtained under public records laws. “The success lies in the secrecy.”

For spies and police officers alike, it is better for people to remain in the dark about what happens to the data generated by their daily activities—because if it were widely known how much data is collected and who buys it, it wouldn’t be such a powerful tool. Criminals might change their behavior. Foreign officials might realize they’re being surveilled. Consumers might be more reluctant to uncritically click “I accept” on the terms of service when downloading free apps. And the American public might finally demand that, after decades of inaction, their lawmakers finally do something about unrestrained data collection.

Excerpts from Byron Tau, US Spy Agencies Know Your Secrets. They Bought Them, WSJ, Mar. 8, 2024

See also Means of Control: How the Hidden Alliance of Tech and Government Is Creating a New American Surveillance State by Byron Tau (published 2024).

How Much Are Your Eyes Worth? Altman has an answer

Worldcoin is appealing a decision from Spain that temporarily banned it from scanning people’s eyes in exchange for cryptocurrency tokens…The Spanish Data Protection Agency, or AEPD, ordered a precautionary measure prohibiting Worldcoin’s activities in the country for up to three months after it received several complaints on the collection of data from minors, and what it said were other infringements.

Worldcoin operates as an open-source protocol, according to its website. Users download a wallet app that supports a digital identity known as World ID. To get their identity verified, users stand in front of a physical imaging device known as the orb that relies on sensors to scan their eyes “to verify humanness and uniqueness.” More than 4 million users across 120 countries signed up for World ID, with orb verifications taking place in 36 countries, according to Worldcoin’s website.

The AEPD said its precautionary measure effectively called on Tools for Humanity—the company of which OpenAI Chief Executive Sam Altman is a co-founder—to cease the collection and processing of personal data through its Worldcoin project and to stop using the data it had gathered so far in Spain.

Excerpts from Mauro Orru, Sam Altman’s Eye-Scanning Worldcoin Venture Appeals, WSJ, Mar. 7, 2024

What Do You Do When You Are Up for Sale?

Under an executive order issued on February 28, 2024, specific classes of Americans’ sensitive data, including genomic, biometric, personal health, geolocation, financial and certain types of personal identifiers, will generally be barred from being sold or transferred in vast tranches to “countries of concern” or vendors known to supply data to them. The countries of concern are China, Russia, North Korea, Iran, Cuba and Venezuela, and have a record of misusing data on Americans, an official said.

In 2023, the U.S. intelligence community issued a groundbreaking report acknowledging that the vast amount of Americans’ personal data available for sale, which are often bought and repackaged by data brokers and then resold through a labyrinthine ecosystem of vendors and resellers, has provided a valuable stream of intelligence for the U.S. government and adversaries alike. The report, commissioned by Director of National Intelligence Avril Haines, admitted that such streams created significant threats to privacy, and had rapidly grown in scale such that they had begun to replicate the results of intrusive surveillance techniques, such as hacking, that are typically more targeted.

The executive order is notably silent on the purchasing of commercially available data sets by the U.S. government.

Excerpts from Dustin Volz, U.S. Limits Sales of Americans’ Personal Data to China, Other Adversaries, WSJ, Feb. 129, 2024

Your Car Leaks Information about You: Who Benefits?

The California Privacy Protection Agency—created under a ballot initiative in 2020 and the only regulator in the nation solely dedicated to privacy issues—will examine the growing amalgamation of data collected by smart vehicles and whether the business practices of the companies collecting that data comply with state law. “Modern vehicles are effectively connected computers on wheels. They’re able to collect a wealth of information via built in apps, sensors, and cameras, which can monitor people both inside and near the vehicle,” Ashkan Soltani, the agency’s executive director, said in a statement in July 2023.

Regulators in Europe also have opened investigations into how the auto industry uses personal information from cars such as location data. In February 2023, Tesla agreed to offer a software update in Europe to change camera settings in cars after the Dutch privacy regulator investigated the company. Tesla disabled vehicles’ external security cameras by default until a driver turns on the function to record activity outside a car and changed the camera settings so they only save the last 10 minutes of footage recorded from outside the cars, compared with one hour of footage they previously had saved.  The Dutch regulator also said it was a privacy violation for the cameras to extensively record people outside of cars without their knowledge. The Tesla update also included features to warn people inside and outside of cars that the external cameras are recording. Headlights blink if the cameras are recording and a message is displayed on a touch screen inside the cars.

Automobiles represent the latest frontier for regulators, raising fresh questions about who will control the data generated by vehicles as they move through the world. Numerous companies are in a position to access the data—including the automakers themselves, companies that make or run in-car navigation or infotainment systems, satellite radio companies and in-vehicle security and emergency services providers. Insurance companies have also been encouraging consumers to share information about their driving behavior, sometimes in exchange for a discount.  

All the data has commercial potential. In some cases, it can be used by insurers in determining how to set rates, evaluate risk and gauge safe driving behavior…In some cases, data brokers make vehicle data available for sale—stripping it of personal information such as names. People’s movement patterns are often unique, however, and their real-world identities can be inferred in large-scale location data sets even when the data is stripped of personal information.

Law-enforcement agencies also can now obtain the historical location of suspects, usually with a warrant. The sensors on modern cars have raised national-security concerns as well. China in 2021 banned certain officials from owning or driving Tesla vehicles citing concerns that data the cars gather could be a source of national-security leaks.

Byron Tau, California Opens Privacy Probe Into Who Controls, Shares the Data Your Car Is Collecting, WSJ, July 31, 2023

Who Cares? Clicking Away Privacy Rights

The latest developments in a high-profile criminal probe by  US special counsel John Durham show the extent to which the world’s internet traffic is being monitored by a coterie of network researchers and security experts inside and outside the US government. The monitoring is made possible by little-scrutinized partnerships, both informal and formal, among cybersecurity companies, telecommunications providers and government agencies.

The U.S. government is obtaining bulk data about network usage, according to federal contracting documents and people familiar with the matter, and has fought disclosure about such activities. Academic and independent researchers are sometimes tapped to look at data and share any findings with the government without warrants or judicial authorization…

Unlike the disclosures by former intelligence contractor Edward Snowden from nearly a decade ago, which revealed U.S. intelligence programs that relied on covert access to private data streams, the sharing of internet records highlighted by Mr. Durham’s probe concerns commercial information that is often being shared with or sold to the government in bulk. Such data sets can possess enormous intelligence value, according to current and former government officials and cybersecurity experts, especially as the power of computers to derive insights from massive data sets has grown in recent years.

Such network data can help governments and companies detect and counter cyberattacks. But that capability also has privacy implications, despite assurances from researchers that most of the data can’t be traced back to individuals or organizations.

At issue are several kinds of internet logs showing the connections between computers, typically collected on networking devices such as switches or routers. They are the rough internet equivalent of logs of phone calls—showing which computers are connecting and when, but not necessarily revealing anything about the content of the transmissions. Modern smartphones and computers generate thousands of such logs a day just by browsing the web or using consumer apps…

“A question worth asking is: Who has access to large pools of telecommunications metadata, such as DNS records, and under what circumstances can those be shared with the government?…Surveillance takes the path of least resistance…,” according to Julian Sanchez, a senior fellow at the Cato Institute.

Excerpts from Byron Tau et al., Probe Reveals Unregulated Access to Data Streams, WSJ, Feb. 28, 2022

Another Wave of Colonization? Africa

Most of Africa’s data are currently stored elsewhere, zipping down undersea cables that often make landfall in the French city of Marseille….An upheaval is overdue. Africa has more internet users than America, but only as much data-center space as Switzerland.  The boom is partly driven by regulation. Two dozen African countries have passed data-protection laws, or are planning to do so. They often require certain data, such as personal information, to be kept in the country. Another boost comes from competition, says Jan Hnizdo of Teraco, a leading data center in South Africa, where liberalization of the telecoms industry created space for such firms to flourish.

Capital is pouring in. Teraco is building Africa’s largest stand-alone data center in Johannesburg, with backing from foreign funds. Actis, a private-equity firm, is putting $250m into the industry, starting with a majority stake in a Nigerian company, Rack Centre. American investors founded Raxio with an eye on less fashionable markets, from Uganda to Mozambique.

Data centers need power, and lots of it. Keeping their equipment cool consumes almost as much energy as running it, which is why centers are usually in chilly places such as Scandinavia or America’s Pacific north-west. Most of Africa is hot and has a lot of power cuts…To keep servers running, many centers use polluting and expensive diesel generators. Yet the potential gains from offering better connectivity and faster internet services in Africa outweigh the difficulties. Microsoft and Amazon are bringing their cloud services to the region, and have opened data centres of their own in South Africa. Huawei has helped build one for the government of Senegal. Google and Facebook are both involved in projects to lay new cables around Africa’s coasts

Excerpts from Seeding the cloud: Data centers are Taking root in Africa, Economist, Dec. 4, 2021

Tesla as Catfish: When China Carps-Tech CEOs Fall in Line

Many countries are wrestling with how to regulate digital records. Some economies, including in Europe, emphasize the need for data privacy, while others, such as China and Russia, put greater focus on government control. The U.S. currently doesn’t have a single federal-level law on data protection or security; instead, the Federal Trade Commission is broadly empowered to protect consumers from unfair or deceptive data practices.

Behind China’s moves is a growing sense among leaders that data accumulated by the private sector should in essence be considered a national asset, which can be tapped or restricted according to the state’s needs, according to the people involved in policy-making. Those needs include managing financial risks, tracking virus outbreaks, supporting state economic priorities or conducting surveillance of criminals and political opponents. Officials also worry companies could share data with foreign business partners, undermining national security.


Beijing’s latest economic blueprint for the next five years, released in March 2021, emphasized the need to strengthen government sway over private firms’ data—the first time a five-year plan has done so. A key element of Beijing’s push is a pair of laws, one passed in June 2021, the Data Security Law, and the other a proposal updated by China’s legislature in April 2021. Together, they will subject almost all data-related activities to government oversight, including their collection, storage, use and transmission. The legislation builds on the 2017 Cybersecurity Law that started tightening control of data flows.

The law will “clearly implement a more stringent management system for data related to national security, the lifeline of the national economy, people’s livelihood and major public interests,” said a spokesman for the National People’s Congress, the legislature. The proposed Personal Information Protection Law, modeled on the European Union’s data-protection regulation, seeks to limit the types of data that private-sector firms can collect. Unlike the EU rules, the Chinese version lacks restrictions on government entities when it comes to gathering information on people’s call logs, contact lists, location and other data.

In late May 2021, citing concerns over user privacy, the Cyberspace Administration of China singled out 105 apps—including ByteDance’s video-sharing service Douyin and Microsoft Corp.’s Bing search engine and LinkedIn service—for excessively collecting and illegally accessing users’ personal information. The government gave the companies named 15 days to fix the problems or face legal consequences….

Beijing’s pressure on foreign firms to fall in line picked up with the 2017 Cybersecurity Law, which included a provision calling for companies to store their data on Chinese soil. That requirement, at least initially, was largely limited to companies deemed “critical infrastructure providers,” a loosely defined category that has included foreign banks and tech firms….Since 2021, Chinese regulators have formally made the data-localization requirement a prerequisite for foreign financial institutions trying to get a foothold in China. Citigroup Inc. and BlackRock Inc. are among the U.S. firms that have so far agreed to the rule and won licenses to start wholly-owned businesses in China…

Senior officials have publicly likened Tesla to a “catfish” rather than a “shark,” saying the company could uplift the auto sector the way working with Apple and Motorola Mobility LLC helped elevate China’s smartphone and telecommunications industries. To ensure Tesla doesn’t become a security risk, China’s Cyberspace Administration recently issued a draft rule that would forbid electric-car makers from transferring outside China any information collected from users on China’s roads and highways. It also restricted the use of Tesla cars by military personnel and staff of some state-owned companies amid concerns that the vehicles’ cameras could send information about government facilities to the U.S. In late May 2021, Tesla confirmed it had set up a data center in China and would domestically store data from cars it sold in the country. It said it joined other Chinese companies, including Alibaba and Baidu Inc., in the discussion of the draft rules arranged by the CyberSecurity Association of China, which reports to the Cyberspace Administration…

Increasingly, China’s president, Mr. Xi, leaned toward voices advocating greater digital control. He now labels big data as another essential element of China’s economy, on par with land, labor and capital.  “From the point of view of the state, anti-data monopoly must be strengthened,” said Li Lihui, a former president of state-owned Bank of China Ltd. and now a member of China’s legislature. He said he expects China to establish a “centralized and unified public database” to underpin its digital economy.

Excerpts from China’s New Power Play: More Control of Tech Companies’ Troves of Data, WSJ, June 12, 2021

Your Phone Is Listening: smart-phones as sniffers

U.S. government agencies from the military to law enforcement have been buying up mobile-phone data from the private sector to use in gathering intelligence, monitoring adversaries and apprehending criminals. Now, the U.S. Air Force is experimenting with the next step.

The Air Force Research Laboratory is testing a commercial software platform that taps mobile phones as a window onto usage of hundreds of millions of computers, routers, fitness trackers, modern automobiles and other networked devices, known collectively as the “Internet of Things.” SignalFrame, a Washington, D.C.-based wireless technology company, has developed the capability to tap software embedded on as many as five million cellphones to determine the real-world location and identity of more than half a billion peripheral devices. The company has been telling the military its product could contribute to digital intelligence efforts that weave classified and unclassified data using machine learning and artificial intelligence.

The Air Force’s research arm bought the pitch, and has awarded a $50,000 grant to SignalFrame as part of a research and development program to explore whether the data has potential military applications, according to documents reviewed by The Wall Street Journal. Under the program, the Air Force could provide additional funds should the technology prove useful.

SignalFrame has largely operated in the commercial space, but the documents reviewed by the Journal show the company has also been gunning for government business. A major investor is Razor’s Edge, a national-security-focused venture-capital firm. SignalFrame hired a former military officer to drum up business and featured its products at military exhibitions, including a “pitch day” sponsored by a technology incubator affiliated with U.S. Special Operations command in Tampa, Fla.

SignalFrame’s product can turn civilian smartphones into listening devices—also known as sniffers—that detect wireless signals from any device that happens to be nearby. The company, in its marketing materials, claims to be able to distinguish a Fitbit from a Tesla from a home-security device, recording when and where those devices appear in the physical world. Using the SignalFrame technology, “one device can walk into a bar and see all other devices in that place,” said one person who heard a pitch for the SignalFrame product at a marketing industry event…

“The capturing and tracking of unique identifiers related to mobile devices, wearables, connected cars—basically anything that has a Bluetooth radio in it—is one of the most significant emerging privacy issues,” said Alan Butler, the interim executive director and general counsel of the Electronic Privacy Information Center, a group that advocates for stronger privacy protections. “Increasingly these radios are embedded in many, many things we wear, use and buy,” Mr. Butler said, saying that consumers remain unaware that those devices are constantly broadcasting a fixed and unique identifier to any device in range.

Byron Tau, Military Tests New Way of Tracking, WSJ, Nov. 28, 2020

Addictive Ads and Digital Dignity

Social-media firms make almost all their money from advertising. This pushes them to collect as much user data as possible, the better to target ads. Critics call this “surveillance capitalism”. It also gives them every reason to make their services as addictive as possible, so users watch more ads…

The new owner could turn TikTok from a social-media service to a digital commonwealth, governed by a set of rules akin to a constitution with its own checks and balances. User councils (a legislature, if you will) could have a say in writing guidelines for content moderation. Management (the executive branch) would be obliged to follow due process. And people who felt their posts had been wrongfully taken down could appeal to an independent arbiter (the judiciary). Facebook has toyed with platform constitutionalism and now has an “oversight board” to hear user appeals…

Why would any company limit itself this way? For one thing, it is what some firms say they want. Microsoft in particular claims to be a responsible tech giant. In January  2020 its chief executive, Satya Nadella, told fellow plutocrats in Davos about the need for “data dignity”—ie, granting users more control over their data and a bigger share of the value these data create…Governments increasingly concur. In its Digital Services Act, to be unveiled in 2020, the European Union is likely to demand transparency and due process from social-media platforms…In the United States, Andrew Yang, a former Democratic presidential candidate, has launched a campaign to get online firms to pay users a “digital dividend”. Getting ahead of such ideas makes more sense than re-engineering platforms later to comply.

Excerpt from: Reconstituted: Schumpeter, Economist, Sept 5, 2020

See also Utilities for Democracy: Why and How the Algorithmic Infrastructure of Facebook and Google Must Be Regulated (2020)

Who Owns Your Voice? Grabbing Biometric Data

Increasingly sophisticated technology that detects nuances in sound inaudible to humans is capturing clues about people’s likely locations, medical conditions and even physical features. Law-enforcement agencies are turning to those clues from the human voice to help sketch the faces of suspects. Banks are using them to catch scammers trying to imitate their customers on the phone, and doctors are using such data to detect the onset of dementia or depression. That has… raised fresh privacy concerns, as consumers’ biometric data is harnessed in novel ways.

“People have known that voice carries information for centuries,” said Rita Singh, a voice and machine-learning researcher at Carnegie Mellon University who receives funding from the Department of Homeland Security…Ms. Singh measures dozens of voice-quality features—such as raspiness or tremor—that relate to the inside of a person’s vocal tract and how an individual voice is produced. She detects so-called microvolumes of air that help create the sound waves that make up the human voice. The way they resonate in the vocal tract, along with other voice characteristics, provides clues on a person’s skull structure, height, weight and physical surroundings, she said.

Nuance’s voice-biometric and recognition software is designed to detect the gender, age and linguistic background of callers and whether a voice is synthetic or recorded. It helped one bank determine that a single person was responsible for tens of millions of dollars of theft, or 18% of the fraud the firm encountered in a year, said Brett Beranek, general manager of Nuance’s security and biometrics business.

Audio data from customer-service calls is also combined with information on how consumers typically interact with mobile apps and devices, said Howard Edelstein, chairman of behavioral biometric company Biocatch. The company can detect the cadence and pressure of swipes and taps on a smartphone.  How a person holds a smartphone gives clues about their age, for example, allowing a financial firm to compare the age of the normal account user to the age of the caller…

If such data collected by a company were improperly sold or hacked, some fear recovering from identity theft could be even harder because physical features are innate and irreplaceable.

Sarah Krouse, What Your Voice Reveals About You, WSJ, Aug. 13, 2019

US v. China: The Slow and Sure Conquest of Internet Infrastructure


A new front has opened in the battle between the U.S. and China over control of global networks that deliver the internet. This one is beneath the ocean. While the U.S. wages a high-profile campaign to exclude China’s Huawei Technologies Co. from next-generation mobile networks over fears of espionage, the company is embedding itself into undersea cable networks that ferry nearly all of the world’s internet data.

About 380 active submarine cables—bundles of fiber-optic lines that travel oceans on the seabed—carry about 95% of intercontinental voice and data traffic, making them critical for the economies and national security of most countries. 

Huawei Marine’s Undersea Cable Network, majority owned by Huawei Technologies, has worked on some 90 projects to build or upgrade submarine cables around the world… US officials say the company’s knowledge of and access to undersea cables could allow China to attach devices that divert or monitor data traffic—or, in a conflict, to sever links to entire nations. Such interference could be done remotely, via Huawei network management software and other equipment at coastal landing stations, where submarine cables join land-based networks, these officials say.

Huawei Marine said in an email that no customer, industry player or government has directly raised security concerns about its products and operations. Joe Kelly, a Huawei spokesman, said the company is privately owned and has never been asked by any government to do anything that would jeopardize its customers or business. “If asked to do so,” he said, “we would refuse.”

The U.S. has sought to block Huawei from its own telecom infrastructure, including undersea cables, since at least 2012. American concerns about subsea links have since deepened—and spread to allies—as China moves to erode U.S. dominance of the world’s internet infrastructure… Undersea cables are owned mainly by telecom operators and, in recent years, by such content providers as Facebook and Google. Smaller players rent bandwidth. Most users can’t control which cable systems carry their data between continents. A handful of switches typically route traffic along the path considered best, based on available capacity and agreements between cable operators.

In June 2017, Nick Warner, then head of Australia’s Secret Intelligence Service, traveled to the Solomon Islands, a strategically located South Pacific archipelago. His mission, according to people familiar with the visit, was to block a 2016 deal with Huawei Marine to build a 2,500-mile cable connecting Sydney to the Solomons. Mr. Warner told the Solomons’ prime minister the deal would give China a connection to Australia’s internet grid through a Sydney landing point, creating a cyber risk, these people said. Australia later announced it would finance the cable link and steered the contract to an Australian company. In another recent clash, the U.S., Australia and Japan tried unsuccessfully in September 2018 to quash an undersea-cable deal between Huawei Marine and Papua New Guinea.

U.S. and allied officials point to China’s record of cyber intrusions, growing Communist Party influence inside Chinese firms and a recent Chinese law requiring companies to assist intelligence operations. Landing stations are more exposed in poorer countries where cyber defenses tend to be weakest, U.S. and allied officials said. And network management systems are generally operated using computer servers at risk of cyber intrusion. Undersea cables are vulnerable, officials said, because large segments lie in international waters, where physical tampering can go undetected. At least one U.S. submarine can hack into seabed cables, defense experts said. In 2013, former National Security Agency contractor Edward Snowden alleged that Britain and the U.S. monitored submarine cable data. The U.S. and its allies now fear such tactics could be used against them. American and British military commanders warned recently that Russian submarines were operating near undersea cables. In 2018, the U.S. sanctioned a Russian company for supplying Russian spies with diving equipment to help tap seabed cables.


The Ionian Sea Submarine Cable Project (Greece) 

China seeks to build a Digital Silk Road, including undersea cables, terrestrial and satellite links, as part of its Belt and Road plan to finance a new global infrastructure network. Chinese government strategy papers on the Digital Silk Road cite the importance of undersea cables, as well as Huawei’s role in them. A research institute attached to China’s Ministry of Industry and Information Technology, in a paper published in September, praised Huawei’s technical prowess in undersea cable transmission and said China was poised to become “one of the world’s most important international submarine cable communication centers within a decade or two.” China’s foreign and technology ministries didn’t respond to requests for comment…

Huawei Marine Networks

Bjarni Thorvardarson, then chief executive of the cable’s Ireland-based operator, said U.S. authorities raised no objections until 2012, when a congressional report declared Huawei Technologies a national security threat. Mr. Thorvardarson wasn’t convinced. “It was camouflaged as a security risk, but it was mostly about a preference for using U.S. technology,” he said. Under pressure, Mr. Thorvardarson dropped Huawei Marine from Project Express in 2013. The older cable network continued to use Huawei equipment.

The company is now the fourth-biggest player in an industry long dominated by U.S.-based SubCom and Finnish-owned Alcatel Submarine Networks. Japan’s NEC Corp is in third place. Huawei Marine is expected to complete 28 cables between 2015 and 2020—nearly a quarter of all those built globally—and it has upgraded many more, according to TeleGeography, a research company.

Excerpts from America’s Undersea Battle With China for Control of the Global Internet Grid, WSJ, Mar. 12, 2019

The Internet: from Subversive to Submissive

Free-speech advocates were aghast—and data-privacy campaigners were delighted—when the European Court of Justice (ECJ) embraced the idea of a digital “right to be forgotten” in May 2014. It ruled that search engines such as Google must not display links to “inadequate, irrelevant or no longer relevant” information about people if they request that they be removed, even if the information is correct and was published legally.

The uproar will be even louder should France’s highest administrative court, the Conseil d’État, soon decide against Google. The firm currently removes search results only for users in the European Union. But France’s data-protection authority, CNIL, says this is not enough: it wants Google to delete search links everywhere. Europe’s much-contested right to be forgotten would thus be given global reach. The court… may hand down a verdict by January.

The spread of the right to be forgotten is part of a wider trend towards the fragmentation of the internet. Courts and governments have embarked on what some call a “legal arms race” to impose a maze of national or regional rules, often conflicting, in the digital realm.

The internet has always been something of a subversive undertaking. As a ubiquitous, cross-border commons, it often defies notions of state sovereignty. A country might decide to outlaw a certain kind of service—a porn site or digital currency, say—only to see it continue to operate from other, more tolerant jurisdictions.

As long as cyberspace was a sideshow, governments did not much care. But as it has penetrated every facet of life, they feel compelled to control it. The internet—and even more so cloud computing, ie, the storage of vast amounts of data and the supply of myriad services online—has become the world’s über-infrastructure. It is creating great riches: according to the Boston Consulting Group, the internet economy (e-commerce, online services and data networks, among other things) will make up 5.3% of GDP this year in G20 countries. But it also comes with costs beyond the erosion of sovereignty. These include such evils as copyright infringement, cybercrime, the invasion of privacy, hate speech, espionage—and perhaps cyberwar.

In response, governments are trying to impose their laws across the whole of cyberspace. The virtual and real worlds are not entirely separate. The term “cloud computing” is misleading: at its core are data centres the size of football fields which have to be based somewhere…

New laws often include clauses with extraterritorial reach. The EU’s General Data Protection Regulation will apply from 2018 to all personal information on European citizens, even if the company holding it is based abroad.

In many cases, laws seek to keep data within, or without, national borders. China has pioneered the blocking of internet addresses with its Great Firewall, but the practice has spread to the likes of Iran and Russia. Another approach is “data localisation” requirements, which mandate that certain types of digital information must be stored locally or remain in the country. A new law in Russia, for instance, requires that the personal information of Russian citizens is kept in national databases… Elsewhere, though, data-localisation policies are meant to protect citizens from snooping by foreign powers. Germany has particularly stringent data-protection laws which hamper attempts by the European Commission, the EU’s civil service, to reduce regulatory barriers to the free flow of data between member-states.

Fragmentation caused by government action would be less of a concern if other factors were not also pushing in the same direction–new technologies, such as firewalls and a separate “dark web”, which is only accessible using a special browser. Commercial interests, too, are a dividing force. Apple, Facebook, Google and other tech giants try to keep users in their own “walled gardens”. Many online firms “geo-block” their services, so that they cannot be used abroad….

Internet experts distinguish between governance “of” the internet (all of the underlying technical rules that make it tick) and regulation “on” the internet (how it is used and by whom). The former has produced a collection of “multi-stakeholder” organisations, the best-known of which are ICANN, which oversees the internet’s address system, and the Internet Engineering Task Force, which comes up with technical standards…

Finding consensus on technical problems, where one solution often is clearly better than another, is easier than on legal and political matters. One useful concept might be “interoperability”: the internet is a network of networks that follow the same communication protocols, even if the structure of each may differ markedly.

Excerpts from Online governance: Lost in the splinternet, Economist, Nov. 5, 2016

Data Security: Real Fear

On its website, ProfitBricks touts what it calls “100 percent German data protection,” underneath the black, red, and gold colors of the German flag. “Having a German cloud helps tremendously,” says Markus Schaffrin, an IT security expert at Eco, a lobbying group for Internet companies. “Germany has some of the most stringent data-protection laws, and cloud-service providers with domestic data centers are of course highlighting that.”

The companies known as the Mittelstand—the small and midsize enterprises that form the backbone of the German economy—are rapidly embracing the idea of the networked factory. Yet they remain wary of entrusting intellectual property to a cloud controlled by global technology behemoths and possibly subject to government snooping. “Small and medium enterprises are afraid that those monsters we sometimes call Internet companies will suck out the brain of innovation,” says Joe Kaeser, chief executive officer of Siemens, which in March began offering cloud services using a network managed by German software powerhouse SAP.

In a case being closely watched in Germany, the U.S. Department of Justice has demanded that Microsoft hand over e-mails stored on a data server in Ireland. The software maker argues that the U.S. has no jurisdiction there; the U.S. government says it does, because Microsoft is an American company. …

U.S. companies aren’t ceding the market. Microsoft will offer its Azure public cloud infrastructure in German data centers, with T-Systems acting as a trustee of customer data. The companies say the arrangement will keep information away from non-German authorities. And IBM in December opened a research and sales hub for Watson, its cloud-based cognitive computing platform, in Munich—a move intended to reassure Mittelstand buyers about the security of their data. “If a customer wants data never to leave Bavaria, then it won’t,” says Harriet Green, IBM’s general manager for Watson. “I’m being invited in by many, many customers in Germany, because fear about security is very, very real.”

Excerpts from Building a National Fortress in the Cloud, Bloomberg, May 19, 2016