Antitrust bill in Senate would help rein in Big Tech platforms, DOJ says


(credit: James Leynse/Corbis)

The Department of Justice is throwing its weight behind an antitrust bill working its way through the Senate, with the department saying that it needs new tools to help police markets dominated by platforms such as Amazon, Meta (formerly Facebook), Apple, and Google.

“The Department views the rise of dominant platforms as presenting a threat to open markets and competition, with risks for consumers, businesses, innovation, resiliency, global competitiveness, and our democracy,” Peter Hyun, acting assistant attorney general, wrote in a letter to the Senate. “Discriminatory conduct by dominant platforms can sap the rewards from other innovators and entrepreneurs, reducing the incentives for entrepreneurship and innovation.” The letter was first obtained by The Wall Street Journal.

The American Innovation and Choice Online Act, cosponsored by Sen. Amy Klobuchar (D-Minn.) and Sen. Chuck Grassley (R-Iowa), would limit Big Tech firms’ ability to “unfairly preference” their own products and services. For example, under the proposed bill, Amazon couldn’t boost search rankings of its private-label products, and Apple and Google couldn’t do the same for their apps in their app stores.


#amazon, #antitrust, #apple, #department-of-justice, #facebook, #google, #platforms, #policy

Amazon lied about using seller data, lawmakers say, urging DOJ investigation


(credit: Getty Images)

Amazon lied to Congress about its use of third-party seller data, the House Judiciary Committee said today. In a letter to the Department of Justice, the committee chairs asked prosecutors to investigate the company for criminal obstruction of Congress.

“Amazon lied through a senior executive’s sworn testimony that Amazon did not use any of the troves of data it had collected on its third-party sellers to compete with them,” the letter says (emphasis in the original).

The committee said that not only was Amazon’s sworn testimony knowingly false but that repeated attempts to get Amazon to correct the record or to provide evidence to substantiate its claims were either rebuffed or ignored.


#amazon, #antitrust, #department-of-justice, #house-judiciary-committee, #policy

20 years later, unchecked data collection is part of 9/11’s legacy

Almost every American adult remembers, in vivid detail, where they were the morning of September 11, 2001. I was on the second floor of the West Wing of the White House, at a National Economic Council Staff meeting — and I will never forget the moment the Secret Service agent abruptly entered the room, shouting: “You must leave now. Ladies, take off your high heels and go!”

Just an hour before, as the National Economic Council White House technology adviser, I was briefing the deputy chief of staff on final details of an Oval Office meeting with the president, scheduled for September 13. Finally, we were ready to get the president’s sign-off to send a federal privacy bill to Capitol Hill — effectively a federal version of the California Privacy Rights Act, but stronger. The legislation would put guardrails around citizens’ data — requiring opt-in consent for their information to be shared, governing how their data could be collected and how it would be used.

But that morning, the world changed. We evacuated the White House and the day unfolded with tragedy after tragedy sending shockwaves through our nation and the world. To be in D.C. that day was to witness and personally experience what felt like the entire spectrum of human emotion: grief, solidarity, disbelief, strength, resolve, urgency … hope.

Much has been written about September 11, but I want to spend a moment reflecting on the day after.

When the National Economic Council staff came back into the office on September 12, I will never forget what Larry Lindsey, our boss at the time, told us: “I would understand it if some of you don’t feel comfortable being here. We are all targets. And I won’t appeal to your patriotism or faith. But I will — as we are all economists in this room — appeal to your rational self-interest. If we back away now, others will follow, and who will be there to defend the pillars of our society? We are holding the line here today. Act in a way that will make this country proud. And don’t abandon your commitment to freedom in the name of safety and security.”

There is so much to be proud of about how the country pulled together and how our government responded to the tragic events on September 11. First, however, as a professional in the cybersecurity and data privacy field, I reflect on Larry’s advice, and many of the critical lessons learned in the years that followed — especially when it comes to defending the pillars of our society.

Even though our collective memories of that day still feel fresh, 20 years have passed, and we now understand the vital role that data played in the months leading up to the 9/11 terrorist attacks. But, unfortunately, we failed to connect the dots that could have saved thousands of lives by holding intelligence data too closely in disparate locations. These data silos obscured the patterns that would have been clear if only a framework had been in place to share information securely.

So, we told ourselves, “Never again,” and government officials set out to increase the amount of intelligence they could gather — without thinking through significant consequences for not only our civil liberties but also the security of our data. So, the Patriot Act came into effect, with 20 years of surveillance requests from intelligence and law enforcement agencies crammed into the bill. Having been in the room for the Patriot Act negotiations with the Department of Justice, I can confidently say that, while the intentions may have been understandable — to prevent another terrorist attack and protect our people — the downstream negative consequences were sweeping and undeniable.

Domestic wiretapping and mass surveillance became the norm, chipping away at personal privacy, data security and public trust. This level of surveillance set a dangerous precedent for data privacy, meanwhile yielding marginal results in the fight against terrorism.

Unfortunately, the federal privacy bill that we had hoped to bring to Capitol Hill the very week of 9/11 — the bill that would have solidified individual privacy protections — was mothballed.

Over the subsequent years, it became easier and cheaper to collect and store massive amounts of surveillance data. As a result, tech and cloud giants quickly scaled up and dominated the internet. As more data was collected (both by the public and the private sectors), more and more people gained visibility into individuals’ private data — but no meaningful privacy protections were put in place to accompany that expanded access.

Now, 20 years later, we find ourselves with a glut of unfettered data collection and access, with behemoth tech companies and IoT devices collecting data points on our movements, conversations, friends, families and bodies. Massive and costly data leaks — whether from ransomware or simply misconfiguring a cloud bucket — have become so common that they barely make the front page. As a result, public trust has eroded. While privacy should be a human right, it’s not one that’s being protected — and everyone knows it.

This is evident in the humanitarian crisis we have seen in Afghanistan. Just one example: Tragically, the Taliban have seized U.S. military devices that contain biometric data on Afghan citizens who supported coalition forces — data that would make it easy for the Taliban to identify and track down those individuals and their families. This is a worst-case scenario of sensitive, private data falling into the wrong hands, and we did not do enough to protect it.

This is unacceptable. Twenty years later, we are once again telling ourselves, “Never again.” 9/11 should have been a reckoning of how we manage, share and safeguard intelligence data, but we still have not gotten it right. And in both cases — in 2001 and 2021 — the way we manage data has a life-or-death impact.

This is not to say we aren’t making progress: The White House and U.S. Department of Defense have turned a spotlight on cybersecurity and Zero Trust data protection this year, with an executive order to spur action toward fortifying federal data systems. The good news is that we have the technology we need to safeguard this sensitive data while still making it shareable. In addition, we can put contingency plans in place to protect data that falls into the wrong hands. But, unfortunately, we just aren’t moving fast enough — and the slower we solve this problem of secure data management, the more innocent lives will be lost along the way.

Looking ahead to the next 20 years, we have an opportunity to rebuild trust and transform the way we manage data privacy. First and foremost, we have to put some guardrails in place. We need a privacy framework that gives individuals autonomy over their own data by default.

This, of course, means that public- and private-sector organizations have to do the technical, behind-the-scenes work to make this data ownership and control possible, tying identity to data and granting ownership back to the individual. This is not a quick or simple fix, but it’s achievable — and necessary — to protect our people, whether U.S. citizens, residents or allies worldwide.

To accelerate the adoption of such data protection, we need an ecosystem of free, accessible and open source solutions that are interoperable and flexible. By layering data protection and privacy in with existing processes and solutions, government entities can securely collect and aggregate data in a way that reveals the big picture without compromising individuals’ privacy. We have these capabilities today, and now is the time to leverage them.

Because the truth is, with the sheer volume of data that’s being gathered and stored, there are far more opportunities for American data to fall into the wrong hands. The devices seized by the Taliban are just a tiny fraction of the data that’s currently at stake. As we’ve seen so far this year, nation-state cyberattacks are escalating. This threat to human life is not going away.

Larry’s words from September 12, 2001, still resonate: If we back away now, who will be there to defend the pillars of our society? It’s up to us — public- and private-sector technology leaders — to protect and defend the privacy of our people without compromising their freedoms.

It’s not too late for us to rebuild public trust, starting with data. But, 20 years from now, will we look back on this decade as a turning point in protecting and upholding individuals’ right to privacy, or will we still be saying, “Never again,” again and again?

#column, #counter-terrorism, #department-of-justice, #digital-rights, #mass-surveillance, #national-security, #opinion, #policy, #privacy, #taliban, #zero-trust

Biden nominates another Big Tech enemy, this time to lead the DOJ’s antitrust division

The Biden administration tripled down on its commitment to reining in powerful tech companies Tuesday, proposing committed Big Tech critic Jonathan Kanter to lead the Justice Department’s antitrust division.

Kanter is a lawyer with a long track record of representing smaller companies like Yelp in antitrust cases against Google. He currently practices law at his own firm, which specializes in advocacy for state and federal antitrust enforcement.

“Throughout his career, Kanter has also been a leading advocate and expert in the effort to promote strong and meaningful antitrust enforcement and competition policy,” the White House press release stated. Progressives celebrated the nomination as a win, though some of Biden’s new antitrust hawks have enjoyed support from both political parties.

The Justice Department already has a major antitrust suit against Google in the works. The lawsuit, filed by Trump’s own Justice Department, accuses the company of “unlawfully maintaining monopolies” through anti-competitive practices in its search and search advertising businesses. If successfully confirmed, Kanter would be positioned to steer the DOJ’s big case against Google.

In a 2016 NYT op-ed, Kanter argued that Google is notorious for relying on an anti-competitive “playbook” to maintain its market dominance. Kanter pointed to Google’s long history of releasing free ad-supported products and eventually restricting competition through “discriminatory and exclusionary practices” in a given corner of the market.

Kanter is just the latest high profile Big Tech critic that’s been elevated to a major regulatory role under Biden. Last month, Biden named fierce Amazon critic Lina Khan as FTC chair upon her confirmation to the agency. In March, Biden named another noted Big Tech critic, Columbia law professor Tim Wu, to the National Economic Council as a special assistant for tech and competition policy.

All signs point to the Biden White House gearing up for a major federal fight with Big Tech. Congress is working on a set of Big Tech bills, but in lieu of — or in tandem with — legislative reform, the White House can flex its own regulatory muscle through the FTC and DOJ.

In new comments to MSNBC, the White House confirmed that it is also “reviewing” Section 230 of the Communications Decency Act, a potent snippet of law that protects platforms from liability for user-generated content.

#amazon, #biden, #biden-administration, #big-tech, #chair, #columbia, #competition-law, #congress, #department-of-justice, #doj, #federal-trade-commission, #google, #government, #joe-biden, #lawyer, #lina-khan, #msnbc, #section-230, #tc, #tim-wu, #white-house, #yelp

US blames China for Exchange server hacks and ransomware attacks

The Biden administration has formally accused China of the mass-hacking of Microsoft Exchange servers earlier this year, which prompted the FBI to intervene as concerns rose that the hacks could lead to widespread destruction.

The mass-hacking campaign targeted Microsoft Exchange email servers with four previously undiscovered vulnerabilities that allowed the hackers — which Microsoft already attributed to a China-backed group of hackers called Hafnium — to steal email mailboxes and address books from tens of thousands of organizations around the United States.

Microsoft released patches to fix the vulnerabilities, but the patches did not remove any backdoor code left behind by the hackers that might be used again for easy access to a hacked server. That prompted the FBI to secure a first-of-its-kind court order to effectively hack into the remaining hundreds of U.S.-based Exchange servers to remove the backdoor code. Computer incident response teams in countries around the world responded similarly by trying to notify organizations in their countries that were also affected by the attack.
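The point in the paragraph above is the one defenders most often get wrong: installing the patch closes the hole but leaves whatever the intruder wrote through it, so the post-patch step is a hunt for dropped files. The script below is an added example, not code from the original article, from Microsoft, or from the FBI operation; it combines two checks that a practitioner would run on an Exchange/IIS web root: any `.aspx` file not present in a baseline listing taken from a known-clean install of the same build, and any `.aspx` file containing constructs typical of single-file web shells. The directory names, the baseline set and the indicator patterns are assumptions for illustration, not a vendor signature list, and the sample tree it scans is constructed in a temporary directory.

```python
"""Hunt for web shells left in an Exchange/IIS web root after patching.

Added example; not code from the original article, from Microsoft or from
the FBI operation. Patching closes the vulnerability but leaves any .aspx
file the attacker wrote through it, so the post-patch step is a file hunt.
Two checks are combined: (1) the file is not in a baseline of .aspx files
taken from a known-clean install of the same build, and (2) the file
contains strings typical of one-file web shells. Directory names, baseline
and indicators are assumptions for illustration, not a vendor signature set.
"""
import os
import re
import shutil
import tempfile
from dataclasses import dataclass
from typing import List, Set

# Assumed indicators: constructs that legitimate Exchange pages do not need
# but that single-file command shells almost always contain.
INDICATORS = [
    re.compile(r'Request(\.Item)?\s*\[', re.I),         # reads attacker input
    re.compile(r'\beval\s*\(', re.I),                   # executes that input
    re.compile(r'System\.Diagnostics\.Process', re.I),  # spawns a process
    re.compile(r'cmd\.exe', re.I),
]


@dataclass
class Finding:
    relpath: str        # path relative to the web root, '/'-separated
    reasons: List[str]  # why it was flagged


def scan_webroot(root: str, baseline: Set[str]) -> List[Finding]:
    """Return every .aspx file under `root` that is suspicious.

    `baseline` holds the relative paths of .aspx files present on a clean
    install; anything else is reported as "not-in-baseline". Files matching
    an indicator are reported regardless of the baseline, since an attacker
    can also overwrite a legitimate page in place.
    """
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".aspx"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons: List[str] = []
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    body = fh.read()
            except OSError:
                continue
            for pat in INDICATORS:
                if pat.search(body):
                    reasons.append("indicator:" + pat.pattern)
            if rel not in baseline:
                reasons.append("not-in-baseline")
            if reasons:
                findings.append(Finding(rel, reasons))
    return sorted(findings, key=lambda f: f.relpath)


def build_sample_webroot() -> str:
    """Constructed sample tree (not a real server): one legitimate logon page
    and one dropped file that reads a request parameter and evaluates it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    legit = os.path.join(root, "owa", "auth")
    os.makedirs(legit)
    with open(os.path.join(legit, "logon.aspx"), "w", encoding="utf-8") as fh:
        fh.write('<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n')
    dropped = os.path.join(root, "aspnet_client", "system_web")
    os.makedirs(dropped)
    with open(os.path.join(dropped, "help.aspx"), "w", encoding="utf-8") as fh:
        fh.write('<%@ Page Language="Jscript" %>\n<% eval(Request["cmd"]); %>\n')
    return root


SAMPLE_BASELINE = {"owa/auth/logon.aspx"}  # assumed clean-install listing


def demo() -> List[Finding]:
    """Build the sample tree, scan it, remove it, and return the findings."""
    root = build_sample_webroot()
    try:
        return scan_webroot(root, SAMPLE_BASELINE)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f.relpath, "->", ", ".join(f.reasons))
```

On a real server the baseline would come from a second, clean machine on the same cumulative update, and the scan would be run against every IIS virtual directory rather than one root. The baseline check is the stronger of the two: indicator strings can be obfuscated away, but a file that a clean install does not have cannot explain its own presence.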

In a statement out Monday, the Biden administration said the attack, launched by hackers backed by China’s Ministry of State Security, resulted in “significant remediation costs for its mostly private sector victims.”

“We have raised our concerns about both this incident and the [People’s Republic of China’s] broader malicious cyber activity with senior PRC Government officials, making clear that the PRC’s actions threaten security, confidence, and stability in cyberspace,” the statement read.

The National Security Agency also released details of the attacks to help network defenders identify potential routes of compromise. The Chinese government has repeatedly denied claims of state-backed or sponsored hacking.

The Biden administration also blamed China’s Ministry of State Security for contracting with criminal hackers to conduct unsanctioned operations, like ransomware attacks, “for their own personal profit.” The government said it was aware that China-backed hackers had made ransom demands of millions of dollars against hacked companies. Last year, the Justice Department charged two Chinese spies for their role in a global hacking campaign in which prosecutors accused the hackers of also operating for personal gain.

Although the U.S. has publicly pressed the Kremlin to stop giving ransomware gangs safe harbor to operate from within Russia’s borders, the U.S. had not previously accused Beijing of launching or being involved with ransomware attacks.

“The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts,” said Monday’s statement.

The statement also said that the China-backed hackers engaged in extortion and cryptojacking, a way of forcing a computer to run code that uses its computing resources to mine cryptocurrency, for financial gain.

The Justice Department also announced fresh charges against four China-backed hackers working for the Ministry of State Security, who U.S. prosecutors said were engaged in efforts to steal intellectual property and infectious disease research into Ebola, HIV and AIDS, and MERS from victims based in the U.S., Norway, Switzerland and the United Kingdom, using a front company to hide their operations.

“The breadth and duration of China’s hacking campaigns, including these efforts targeting a dozen countries across sectors ranging from healthcare and biomedical research to aviation and defense, remind us that no country or industry is safe. Today’s international condemnation shows that the world wants fair rules, where countries invest in innovation, not theft,” said deputy attorney general Lisa Monaco.

#attorney-general, #biden, #biden-administration, #china, #computer-security, #computing, #cyberattacks, #cybercrime, #cyberwarfare, #department-of-justice, #doj, #federal-bureau-of-investigation, #government, #hacker, #hacking, #healthcare, #internet-security, #microsoft, #national-security-agency, #norway, #russia, #security, #switzerland, #technology, #united-kingdom, #united-states

Biden’s sweeping executive order takes on big tech’s ‘bad mergers,’ ISPs and more

The Biden administration just introduced a sweeping, ambitious plan to forcibly inject competition into some consolidated sectors of the American economy — the tech sector prominent among them — through executive action.

“Today President Biden is taking decisive action to reduce the trend of corporate consolidation, increase competition, and deliver concrete benefits to America’s consumers, workers, farmers, and small businesses,” a new White House fact sheet on the forthcoming order states.

The order, which Biden will sign Friday, initiates a comprehensive “whole-of-government” approach that loops in more than a dozen federal agencies to regulate monopolies, protect consumers and curtail bad behavior from some of the world’s biggest corporations.

In the fact sheet, the White House lays out its plans to take matters to regulate big business into its own hands at the federal level. As far as tech is concerned, that comes largely through emboldening the FTC and the Justice Department — two federal agencies with antitrust enforcement powers.

Most notably for big tech, which is already bracing for regulatory existential threats, the White House explicitly asserts here that those agencies have legal cover to “challenge prior bad mergers that past Administrations did not previously challenge” — i.e. unwinding acquisitions that built a handful of tech companies into the behemoths they are today. The order calls on antitrust agencies to enforce antitrust laws “vigorously.”

Federal scrutiny will prioritize “dominant internet platforms, with particular attention to the acquisition of nascent competitors, serial mergers, the accumulation of data, competition by ‘free’ products, and the effect on user privacy.” Facebook, Google and Amazon are particularly on notice here, though Apple isn’t likely to escape federal attention either.

“Over the past ten years, the largest tech platforms have acquired hundreds of companies—including alleged ‘killer acquisitions’ meant to shut down a potential competitive threat,” the White House wrote in the fact sheet. “Too often, federal agencies have not blocked, conditioned, or, in some cases, meaningfully examined these acquisitions.”

The biggest tech companies have regularly defended their longstanding strategy of buying up the competition by arguing that because those acquisitions went through without friction at the time, they shouldn’t be viewed as illegal in hindsight. In no uncertain terms, the new executive order makes it clear that the Biden administration isn’t having any of it.

The White House also specifically singles out internet service providers for scrutiny, ordering the FCC to prioritize consumer choice and institute broadband “nutrition labels” that clearly state speed caps and hidden fees. The FCC began working on the labels in the Obama administration, but the work was scrapped after Trump took office.

The order also directly calls on the FCC to restore net neutrality rules, which were stripped in 2017 to the widespread horror of open internet advocates and most of the tech industry outside of the service providers that stood to benefit.

The White House will also tell the FTC to create new privacy rules meant to guard consumers against surveillance and the “accumulation of extraordinary amounts of sensitive personal information,” which free services like Facebook, YouTube and others have leveraged to build their vast empires. The White House also taps the FTC to create rules that protect smaller businesses from being pre-empted by large platforms, which in many cases abuse their market dominance with a different sort of data-based surveillance to out-compete up-and-coming competitors.

Finally, the executive order encourages the FTC to put right to repair rules in place that would free consumers from constraints that discourage DIY and third-party repairs. A new White House Competition Council under the Director of the National Economic Council will coordinate the federal execution of the proposals laid out in the new order.

The antitrust effort from the executive branch mirrors parallel actions in the FTC and Congress. In the FTC, Biden has installed a fearsome antitrust crusader in Lina Khan, a young legal scholar and fierce Amazon critic who proposes a philosophical overhaul to the way the federal government defines monopolies. Khan now leads the FTC as its chair.

In Congress, a bipartisan flurry of bills intended to rein in the tech industry is slowly wending its way toward becoming law, though plenty of hurdles remain. Last month, the House Judiciary Committee debated a package of six such bills, which were drafted separately so that each could survive the tech industry’s lobbying push against it. These legislative efforts could modernize antitrust laws, which have failed to keep pace with the modern realities of giant, internet-based businesses.

“Competition policy needs new energy and approaches so that we can address America’s monopoly problem,” Sen. Amy Klobuchar, a prominent tech antitrust hawk in Congress, said of the executive order. “That means legislation to update our antitrust laws, but it also means reimagining what the federal government can do to promote competition under our current laws.”

Citing the acceleration of corporate consolidation in recent decades, the White House argues that a handful of large corporations dominates across industries, including healthcare, agriculture and tech, and that consumers, workers and smaller competitors pay the price for their outsized success. The administration will focus antitrust enforcement on those corners of the market, as well as evaluating the labor market and worker protections as a whole.

“Inadequate competition holds back economic growth and innovation… Economists find that as competition declines, productivity growth slows, business investment and innovation decline, and income, wealth, and racial inequality widen,” the White House wrote.

 

#amazon, #america, #biden, #biden-administration, #big-tech, #broadband, #competition-law, #congress, #department-of-justice, #executive, #facebook, #federal-communications-commission, #federal-government, #federal-trade-commission, #google, #government, #healthcare, #internet-service-providers, #lina-khan, #president, #tc, #white-house, #youtube

Google faces a major multi-state antitrust lawsuit over Google Play fees

A group of 37 attorneys general filed a second major multi-state antitrust lawsuit against Google Wednesday, accusing the company of abusing its market power to stifle competitors and forcing consumers into in-app payments that grant the company a hefty cut.

New York Attorney General Letitia James is co-leading the suit alongside the Tennessee, North Carolina and Utah attorneys general. The bipartisan coalition represents 36 U.S. states, including California, Florida, Massachusetts, New Jersey, New Hampshire, Colorado and Washington, as well as the District of Columbia.

“Through its illegal conduct, the company has ensured that hundreds of millions of Android users turn to Google, and only Google, for the millions of applications they may choose to download to their phones and tablets,” James said in a press release. “Worse yet, Google is squeezing the lifeblood out of millions of small businesses that are only seeking to compete.”

In December, 35 states filed a separate antitrust suit against Google, alleging that the company engaged in illegal behavior to maintain a monopoly on the search business. The Justice Department filed its own antitrust case focused on search last October.

In the new lawsuit, embedded below, the bipartisan coalition of states allege that Google uses “misleading” security warnings to keep consumers and developers within its walled app garden, the Google Play store. But the fees that Google collects from Android app developers are likely the meat of the case.

“Not only has Google acted unlawfully to block potential rivals from competing with its Google Play Store, it has profited by improperly locking app developers and consumers into its own payment processing system and then charging high fees,” District of Columbia Attorney General Karl Racine said.

Like Apple, Google herds all app payment processing into its own service, Google Play Billing, and reaps the rewards: a 30 percent cut of all payments. Much of the criticism here is a case that could — and likely will — be made against Apple, which exerts even more control over its own app ecosystem. Google has no iMessage-style exclusive app that keeps users locked in to quite the same degree.

While the lawsuit discusses Google’s “monopoly power” in the app marketplace, the elephant in the room is Apple — Google’s thriving direct competitor in the mobile software space. The lawsuit argues that consumers face pressure to stay locked into the Android ecosystem, but on the Android side at least, much of that is ultimately familiarity and sunk costs. The argument on the Apple side of the equation here is likely much stronger.

The din over tech giants squeezing app developers with high mobile payment fees is just getting louder. The new multi-state lawsuit is the latest beat, but the topic has been white hot since Epic took Apple to court over its desire to bypass Apple’s fees by accepting mobile payments outside the App Store. When Epic set up a workaround, Apple kicked it out of the App Store and Epic Games v. Apple was born.

The Justice Department is reportedly already interested in Apple’s own app store practices, along with many state AGs who could launch a separate suit against the company at any time.

#android, #app-store, #apple, #apple-inc, #attorney-general, #california, #colorado, #companies, #computing, #department-of-justice, #epic-games, #florida, #fortnite, #google, #google-play, #google-play-billing, #google-play-store, #letitia-james, #massachusetts, #new-hampshire, #new-jersey, #new-york, #north-carolina, #search, #social, #tc, #technology, #tennessee, #the-battle-over-big-tech, #united-states, #utah, #washington

Department of Justice opens investigation into EV startup Lordstown Motors

Lordstown Motors continues to stumble. The beleaguered electric vehicle startup is now being investigated by the Department of Justice, in addition to an ongoing investigation by the Securities and Exchange Commission.

The investigation, first reported by the Wall Street Journal on Friday, is still in its early stages, according to unnamed sources. It is being conducted by the U.S. attorney’s office in Manhattan.

The probe is just the latest in a series of woes for the startup, which recently said it had to cut production volumes for its debut electric pickup, Endurance, by half – from around 2,200 vehicles to 1,000. Just a few weeks after it made that announcement, there followed news of a corporate shakeup: the resignation of founding CEO Steve Burns and CFO Julio Rodriguez. Burns started the company as an offshoot of his previous startup, Workhorse Group.

Lordstown had a strong start, with investments from General Motors that helped it purchase a 6.2 million-square-foot factory from the automaker in late 2019. Lordstown made positive headlines last August, when it announced it would go public via a merger with a special purpose acquisition company (SPAC). The deal injected the EV startup with around $675 million in gross proceeds and skyrocketed its market value to $1.6 billion. Less than a year later, Lordstown informed the SEC that it did not have sufficient capital to manufacture the Endurance.

Then, in March, the short-seller firm Hindenburg Research released a report disputing the company’s claims that it had booked 100,000 pre-orders for the electric pickup. It wrote that “extensive research reveals that the company’s orders appear largely fictitious and used as a prop to raise capital and confer legitimacy.” The SEC opened its investigation in the wake of these accusations.

The WSJ story is unclear on the scope of the inquiry and Lordstown Motors did not respond to a request for comment by press time. TechCrunch will update the story if it responds.

#automotive, #department-of-justice, #drama, #investigations, #lordstown-motors, #startups, #steve-burns, #tc, #transportation

DOJ files 7 new charges against alleged Capital One hacker

The U.S. Department of Justice (DOJ) has filed seven new charges against Paige Thompson, the former Amazon Web Services (AWS) engineer accused of hacking Capital One and stealing the personal data of more than 100 million Americans.

The new charges, which include six counts of computer fraud and abuse and one count of access device fraud, were revealed in court documents filed earlier this month, obtained by The Record. The previous indictment charged Thompson with one count each of wire fraud and computer fraud and abuse, which meant she faced up to five years in prison and a fine of up to $250,000. As a result of the additional charges, Thompson now faces up to 20 years of jail time.

The superseding indictment has also expanded the number of victimized companies from the four listed in the 2019 indictment to eight. In addition to Capital One, a U.S. state agency, a U.S. public research university and an international telecommunications conglomerate, the list now includes a data and threat protection company, an organization that specializes in digital rights management (DRM), a provider of higher education learning technology, and a supplier of call center solutions. The companies have not been named, but security firm CyberInt previously said that Vodafone, Ford, Michigan State University and the Ohio Department of Transportation may all be victims of the breach.

Thompson, who used the handle “erratic” online and was identified after boasting about her activities on GitHub, remains accused of using her knowledge from her previous employment as a software engineer at Amazon to create a program that identified which customers of a cloud computing company (the indictment doesn’t name the company, but it has been identified as Amazon Web Services) had misconfigured firewalls. Once the tool found its target misconfiguration, Thompson allegedly exploited it to extract privileged account credentials.

The prior indictment alleges that once Thompson gained access to victims’ cloud infrastructure using the stolen credentials, she then accessed and downloaded data to a server at her residence in Seattle. It remains unclear whether any of the information was passed to third parties.

In the case of the Capital One breach, which the company confirmed in July 2019, the stolen data comprised 106 million credit card applications, which included names, addresses, phone numbers, and dates of birth, along with 140,000 Social Security numbers, 80,000 bank account numbers, and some credit scores and transaction data. Capital One, which replaced its cybersecurity chief four months after the incident, was fined $80 million in August 2020 for the security breach and its failure to keep its users’ financial data secure.

Prosecutors also allege that Thompson copied and stole data from at least 30 entities in total that used the same cloud provider, and claim that, in some cases, she used this access to set up cryptocurrency mining operations using victims’ cloud computing power – a practice known as cryptojacking.

Thompson pleaded not guilty and was released on pre-trial bond in August 2019. She was initially set to face trial in November 2019, but the trial was delayed to March 2020 due to the huge amount of information the prosecution had to analyze.

The trial was later rescheduled to October 2020 due to the pandemic, then to June 2021, then October 2021, and now to March 14, 2022, with prosecutors still citing the need for more time to analyze the data collected from Thompson’s devices.


#aws, #capital-one, #cryptojacking, #data-breach, #department-of-justice, #hacking, #security

Microsoft says a third of its government data requests have secrecy orders

Microsoft’s customer security chief says as many as one-third of all government demands that the company receives for customer data are issued with secrecy clauses that prevent it from disclosing the search to the subject of the warrant.

The figure was disclosed in testimony by Microsoft’s Tom Burt ahead of a House Judiciary Committee hearing on Wednesday, as lawmakers weigh a legislative response to efforts by the Justice Department under the Trump administration to secretly obtain call and email records as part of an investigation into the leaks of classified information to reporters at The New York Times, The Washington Post, and CNN.

Burt said that such secrecy orders “have unfortunately become commonplace,” and that Microsoft regularly receives “boilerplate secrecy orders unsupported by any meaningful legal or factual analysis.”

In his testimony, Burt said that since 2016 Microsoft has received between 2,400 and 3,500 secrecy orders each year, or seven to 10 a day. Microsoft said in its transparency report that it received close to 11,200 legal orders from U.S. authorities last year.

By comparison, the U.S. courts approved 2,395 warrants with secrecy clauses a decade ago in 2010, which Burt said is fewer than the number of secrecy orders Microsoft alone received in any of the past five years.

“These are just the demands that Microsoft, just one cloud service provider, received. Multiply those numbers by every technology company that holds or processes data, and you may get a sense of the scope of the government’s overuse of secret surveillance,” Burt’s testimony says. “We are not suggesting that secrecy orders should only be obtained through some impossible standard. We simply ask that it be a meaningful one.”

Much of the recent controversy over secrecy orders arose when secrecy orders served on Apple, Google, and Microsoft expired in recent weeks, allowing the companies to disclose to the news organizations that the Justice Department under the Trump administration had sought to obtain their records by demanding the data from the tech companies that host it.

President Biden pledged to stop the collection of journalists’ phone and email records, while also dropping some secrecy provisions. But lawmakers are likely to note that legislative change would be needed to codify policy into law.

Microsoft’s Burt said the company will “do everything it can to prevent the misuse of secrecy orders.” The software and cloud giant also sued the Justice Department in 2016 to challenge the constitutionality of gag orders.

#apple, #biden, #companies, #computing, #department-of-justice, #google, #microsoft, #president, #security, #technology, #the-new-york-times, #the-washington-post, #trump-administration, #united-states

FBI launches operation to remotely remove Microsoft Exchange server backdoors

A Texas court has authorized an FBI operation to “copy and remove” backdoors from hundreds of Microsoft Exchange email servers in the United States, months after hackers used four previously undiscovered vulnerabilities to attack thousands of networks.

The Justice Department announced the operation on Tuesday, which it described as “successful.” It’s believed this is the first known case of the FBI effectively cleaning up private networks following a cyberattack.

In March, Microsoft discovered a new China state-sponsored hacking group — Hafnium — targeting Exchange servers run from company networks. The four vulnerabilities when chained together allowed the hackers to break into a vulnerable Exchange server and steal its contents. Microsoft fixed the vulnerabilities but the patches did not close the backdoors from the servers that had already been breached. Within days, other hacking groups began hitting vulnerable servers with the same flaws to deploy ransomware.

The number of infected servers dropped as patches were applied. But hundreds of Exchange servers remained vulnerable because the backdoors are difficult to find and eliminate, the Justice Department said in a statement.

“This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks,” the statement said. “The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”

The FBI said it’s attempting to contact owners of servers from which it removed the backdoors by email.

Assistant attorney general John C. Demers said the operation “demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions.”

The Justice Department also said the operation only removed the backdoors, but did not patch the vulnerabilities exploited by the hackers to begin with or remove any malware left behind.

Neither the FBI nor the Justice Department commented by press time.

#backdoor, #china, #computing, #cryptography, #cybercrime, #cyberwarfare, #department-of-justice, #federal-bureau-of-investigation, #hacking, #justice-department, #malware, #microsoft, #ransomware, #security, #security-breaches, #spyware, #technology, #texas, #united-states

Toyota fined $180 million for 10 years of noncompliance with EPA regs

(credit: Toyota)

On Thursday, Toyota reached a settlement with the US government over a decade of noncompliance with Clean Air Act reporting regulations. Under the law, defects or recalls that affect vehicle emissions equipment have to be reported to the Environmental Protection Agency.

But, says EPA assistant administrator Susan Bodine, “[f]or a decade Toyota failed to report mandatory information about potential defects in their cars to the EPA, keeping the agency in the dark and evading oversight. EPA considers this failure to be a serious violation of the Clean Air Act.”

Manufacturers are supposed to submit emissions defect information reports if they know of an emissions defect that affects at least 25 vehicles (or engines) of a particular model in a given model year. They also have to submit voluntary emissions recall reports when beginning a recall to fix an emissions problem, as well as quarterly reports on the progress of the recall.

#car-emissions, #cars, #department-of-justice, #environmental-protection-agency, #toyota

Visa will not acquire Plaid after running into regulatory wall

Visa and Plaid called off their agreement this afternoon, ending the consumer credit giant’s takeover of the data-focused fintech API startup.

The deal, valued at $5.3 billion at the time of its announcement, first broke cover on January 13th, 2020, or nearly one year ago to the day. However, the American Department of Justice filed suit to block the deal in November of 2020, arguing that the combination would “eliminate a nascent competitive threat that would likely result in substantial savings and more innovative online debit services for merchants and consumers.”

At the time Visa argued that the government’s point of view was “flawed.”

However, today the two companies confirmed the deal is officially off. In a release Visa wrote that it could have eventually executed the deal, but that “protracted and complex litigation” would take lots of time to sort out.

It all got too hard, in other words.

Plaid was a bit more upbeat in its own notes, writing that in the last year it has seen “an unprecedented uptick in demand for the services powered by Plaid.” Given the fintech boom that 2020 saw, as consumers flocked to free stock trading apps and neobanks, that Plaid saw growth last year is not surprising; after all, Plaid’s product sits between consumers and fintech companies, so if those parties were executing more transactions, the API startup likely saw more demand for its own offerings.

TechCrunch reached out to Plaid for comment on its plans as an independent company, also asking how quickly it grew during 2020.

While the Visa-Plaid deal was merely a single transaction, its scuttling doesn’t bode well for other fintech startups and unicorns that might have eyed an exit to a wealthy incumbent. The Department of Justice, in other words, may have undercut the chances of M&A exits for a number of fintech-focused startups – or at least created more skittishness around that possible exit path.

If so, expected exit valuations for fintech upstarts could fall. And that could ding both fintech-focused venture capital activity, and the price at which startups in the niche can raise funds. If the Visa-Plaid deal was a huge boon to fintech companies that used it as a signpost to help raise money at new, higher valuations, the inverse may also prove true.

#department-of-justice, #fundings-exits, #plaid, #startups, #tc, #visa

Cases against Facebook are reportedly coming… when FTC decides how

All Facebook, no matter which way you look. (credit: Michael Short | Bloomberg | Getty Images)

After well over a year spent investigating Facebook, state and federal regulators are more than ready to start launching a slate of cases against Facebook, new reports say—that is, as soon as the agencies can agree on how they actually want to do it.

New suits against Facebook should come before the end of January, The Wall Street Journal writes. Both the Federal Trade Commission and a coalition of attorneys general for 47 states and territories are expected to take some kind of action.

The state and the federal probes are basically looking into two overall buckets of potentially anticompetitive behavior. The first has to do with Facebook’s effects on other businesses that could or do compete with it. That’s the investigation that delves into mergers and acquisitions, both large and small, as well as Facebook’s behavior toward companies that refuse a buyout.

#antitrust, #competition, #department-of-justice, #doj, #facebook, #federal-trade-commission, #ftc, #google, #instagram, #justice-department, #lawsuits, #policy, #whatsapp

DOJ says it seized over $1 billion in bitcoin from the Silk Road drugs marketplace

Two days ago, about $1 billion worth of bitcoin that had sat dormant since the seizure of the Silk Road marketplace in 2013, one of the biggest underground drug websites on the dark web, suddenly changed hands.

Who took it? Mystery over. It was the U.S. government.

In a statement Thursday, the Justice Department confirmed it had seized the 70,000 bitcoins generated in revenue from drug sales on the Silk Road marketplace. At the time of the seizure, the bitcoin was worth more than $1 billion.

“Silk Road was the most notorious online criminal marketplace of its day. The successful prosecution of Silk Road’s founder in 2015 left open a billion-dollar question. Where did the money go? Today’s forfeiture complaint answers this open question at least in part,” said U.S. Attorney David Anderson in remarks.

“$1 billion of these criminal proceeds are now in the United States’ possession,” he said.

Silk Road was for a time the “most sophisticated and extensive criminal marketplace on the Internet,” per the Justice Department statement. In 2013, its founder and administrator Ross Ulbricht was arrested and the site seized. Ulbricht was convicted in 2015 and sentenced to two life terms and an additional 40 years for his role in the operation. Prosecutors said the site had close to 13,000 listings for drugs and other illegal services, and generated millions of bitcoin.

The Justice Department said Thursday that the seized bitcoin would be subject to forfeiture proceedings.

#computing, #cryptocurrency, #dark-web, #department-of-justice, #free-software, #internet, #ross-ulbricht, #security, #silk-road, #u-s-government, #united-states

DOJ files antitrust lawsuit challenging Visa’s $5.3 billion acquisition of Plaid

The Department of Justice has filed an antitrust lawsuit challenging Visa’s proposed $5.3 billion acquisition of Plaid.

News of the DOJ’s investigation first broke last month.

“By acquiring Plaid, Visa would eliminate a nascent competitive threat that would likely result in substantial savings and more innovative online debit services for merchants and consumers,” the DOJ wrote in its lawsuit.

The deal would violate Section 2 of the Sherman Act “and must be stopped,” the DOJ wrote in its filing, published by Bloomberg Law.

In a statement, Visa said it “strongly disagrees” with the DOJ’s “legally flawed” arguments.

“This action reflects a lack of understanding of Plaid’s business and the highly competitive payments landscape in which Visa operates,” the statement read. “The combination of Visa and Plaid will deliver substantial benefits for consumers seeking access to a broader range of financial-related services, and Visa intends to defend the transaction vigorously.”

“As we explained to the DOJ, Plaid is not a payments company. Visa’s business faces intense competition from a variety of players – but Plaid is not one of them. Plaid is a data network that enables individuals to connect their financial accounts to the apps and services they use to manage their financial lives, and its capabilities complement Visa’s. Together, Visa and Plaid will deliver better digital experiences and more choice for consumers in managing their money and financial data. Visa is confident that this transaction is good for consumers and good for competition,” the statement added.

Plaid co-founders William Hockey and Zach Perret. Image Credit: Plaid

As the Justice Department argues, Visa’s monopoly power in online debit is protected by barriers to entry and expansion. New challengers to Visa need connections with millions of consumers to attract merchants and need connections to thousands of merchants to attract new consumers, the DOJ said.

DOJ lawyers pointed to Mastercard’s inability to seize more than a quarter of the online debit market as a sign of Visa’s continued dominance. “Mastercard has neither gained significant share from Visa nor restrained Visa’s monopoly,” the lawyers wrote.

Visa also set up technical barriers by entering into restrictive agreements with merchants and banks to prevent competitors from growing their share of the online debit market.

“These entry barriers, coupled with Visa’s long-term restrictive contracts with banks, are nearly insurmountable, meaning Visa rarely faces any significant threats to its online debit monopoly. Plaid is such a threat,” according to the DOJ.

Companies like Venmo, Acorns, and Betterment are just some of the big startups that use Plaid to build their services.

“While Plaid’s existing technology does not compete directly with Visa today, Plaid is planning to leverage that technology, combined with its existing relationships with banks and consumers, to facilitate transactions between consumers and merchants in competition with Visa,” according to the DOJ.

And Visa was well aware of Plaid’s potential to disrupt its business. As early as March 2019, nearly nine months before the acquisition was announced, Visa’s vice president of corporate development and head of strategic opportunities expressed concerns about Plaid’s business.

“I don’t want to be IBM to their Microsoft,” the executive said, according to the lawsuit filed by DOJ. Visa’s chief executive also clearly acknowledged that Plaid was a threat.

The company estimated that Plaid could cost Visa’s debit business between $300 million and $500 million by 2024 if it were to continue operating as an independent company. It was, in the words of Visa’s executives, an “[e]xistential risk” to its U.S. debit business, and it could have forced Visa to accept lower margins — something that would be a boon to businesses and consumers.

#credit-cards, #debit-cards, #department-of-justice, #finance, #merchant-services, #payment-cards, #plaid, #tc, #united-states, #visa, #zach-perret

Apple search crawler activity could signal a Google competitor, or a bid to make Siri a one-stop-shop

Encouraged by the spate of antitrust activity brewing in both the Justice Department and on Capitol Hill, Apple may be developing a search competitor to Google, according to a report in the Financial Times.

That would be a move ripe with irony as the push for an end to anti-competitive practices is seemingly creating greater competition among the largest companies which already dominate the technology industry rather than between those established companies and more nimble upstarts.

Signs of Apple’s resurgent interest in search technologies can be found in both a subtle but significant change to the latest version of the iOS 14 iPhone operating system and increasing activity from Apple’s spidering tools, which are used to scour the web and refine search functionality, the Financial Times reported.

Apple is now showing its own search results and linking directly to websites when users type queries from its home screen in iOS 14. For context, this is a behavior that has been known for a while as people have seen the feature pop up in beta versions of iOS. And the search volume being up on Apple’s crawler is something that Jon Henshaw of Coywolf had noted back in August.

Sources cited by the Financial Times said that the change marked a significant step-change in Apple’s in-house search development and could be the basis for a broader push into search.

The Cupertino, Calif.-based company certainly has the expertise. A little less than three years ago it nabbed Google’s head of search, John Giannandrea, in what was widely seen as an attempt to shore up Apple’s foundations in artificial intelligence and voice search via Siri. Because of the way that Apple is organized internally, it’s unlikely that Giannandrea will be devoting full-time effort to both a potential “search product” and Siri. But it’s within the realm of possibility that he could be lending his expertise to a team working on a separate feature.

Any development of a search tool would be a third way for Apple, which now uses Google as its default search service thanks to a lucrative contract between the two (one that’s also at the heart of a Justice Department inquiry into Google’s purported anti-competitive activities around search). The only other major search services on the market rely on Microsoft’s Bing to power their results.

While the signs do point to an actual uptick in activity, there could be an explanation for Apple’s crawler activity that’s less heavy on corporate skunkworks skulduggery and more in line with goals that Apple’s stated pretty clearly.

While the story about Apple getting into direct competition with Google on search makes for a great headline, the uptick in activity could be explained equally as rationally by Siri getting more search queries and being more of an interlocutor between Apple and search services like Google or Microsoft’s Bing. This disintermediation is something that Google began years ago and has even modified and expanded over the years to combat the same kind of behavior from Siri.

Making Siri a one-stop-shop could inoculate Apple in the scenario where it is forced by regulation to offer a search provider choice in the iOS onboarding flow. It won’t do anything to help Google though, which pays Apple billions because iOS users are worth far more to its business than any other mobile web users. Google, for its part, says that when people have a choice they still pick Google anyway. Perhaps that is another reason why making Siri the search equivalent of an overtalker is the strong play for Apple.

TechCrunch has reached out to Apple for comment and will update when we hear back.


#apple, #apple-inc, #artificial-intelligence, #california, #computing, #cupertino, #department-of-justice, #google, #google-search, #google-voice-search, #iphone, #itunes, #john-giannandrea, #messages, #microsoft-bing, #operating-system, #search-results, #siri, #software, #tc, #techcrunch, #the-financial-times, #voice-search

The DOJ investigating Visa’s $5.3 billion bid for Plaid on antitrust grounds

It’s not just big tech that’s getting the antitrust treatment from the Department of Justice.

Late Monday afternoon, the Department of Justice tipped its hand that it was investigating Visa’s proposed $5.3 billion acquisition of the venture-backed Plaid, which allows applications to connect with a user’s bank account.

It’s a tool that powers a good chunk of the new fintech offerings across a whole slew of products, and the Justice Department has apparently spent the past year looking into how the deal would affect the broader market for new financial services offerings coming from a number of tech startups.

The revelation that the DOJ was taking a closer look at the Plaid acquisition came from a petition filed in the U.S. Court for the District of Massachusetts to compel Bain & Co., the consulting firm that worked on Visa’s bid for Plaid, to comply with the agency’s civil investigative demand.

The DOJ is alleging that Bain has withheld documents demanded under the CID by asserting that it had some privilege over the documents — effectively stalling the DOJ’s investigation.

“American consumers rely on the Antitrust Division to investigate mergers promptly and thoroughly,” said Assistant Attorney General for the Antitrust Division Makan Delrahim, in a statement. “Collecting relevant third-party documents and data is essential to the division’s ability to analyze these transactions. Too often, third parties seek to flout these requirements, hoping the division will lose interest and focus its enforcement efforts elsewhere.”

DOJ first asked Bain for documents related to Visa’s pricing strategy and competition against other debit card networks in June. The feds intended to use that information to analyze the effects of Visa’s attempted acquisition on the broader financial services market. Bain refused to produce the documents by claiming that the information was privileged.

Visa’s bid for Plaid isn’t the only big fintech acquisition that’s in the DOJ’s sights, according to a report in The Wall Street Journal. Federal regulators are also looking at MasterCard’s $1 billion bid for the fintech startup Finicity, and Intuit’s $7 billion pitch to acquire the credit advisory and lending marketplace, Credit Karma Inc.

“The division’s petition against Bain is aimed at securing relevant documents and making clear that the division will hold third parties to the deadlines and specifications in the CIDs we issue,” Delrahim said. “Third parties, like Bain, must comply fully and expeditiously with our civil investigative demands and provide the documents and data we need to discharge our duties and serve the American people.”

#att, #bain-co, #companies, #credit-cards, #department-of-justice, #finance, #intuit, #massachusetts, #mastercard, #merchant-services, #payment-cards, #plaid, #tc, #the-wall-street-journal, #visa

What we know about the DOJ’s antitrust case against Google so far

If the company got broken up, maybe each business would take a different color with them when they go. (credit: JHVEPhoto | Getty Images)

The Justice Department today filed a landmark antitrust case against Google. The hotly anticipated, long-awaited lawsuit accuses Google of using its market dominance to force unfair contract terms on suppliers and competitors, to the detriment of competition and the marketplace.

The suit might just be the biggest thing in antitrust since the DOJ sued Microsoft in the 1990s… or it might not. Even though the investigation that led here has been going on for 16 months, a suit like this is the beginning, not the end, of the process. So here’s everything we know—and more importantly, everything we still don’t—about what this blockbuster case really means.

What does the suit allege?

The complaint (PDF) lays out the case that Google used “exclusionary agreements and anticompetitive conduct” to become dominant in the search marketplace, and then kept abusing that market dominance to prevent nascent rivals from gaining enough of a toehold potentially to become real competition.

#antitrust, #department-of-justice, #explainers, #faq, #google, #justice-department, #policy

Equity Shot: The DoJ, Google, and what the suit could mean for startups

Hello and welcome back to Equity, TechCrunch’s venture capital-focused podcast where we unpack the numbers behind the headlines.

It’s a big day in tech because the US Federal Government is going after Google on anti-competitive grounds. Sure, the timing appears crassly political and the case is not picking up huge plaudits thus far for its air-tightness, but that doesn’t mean we can ignore it.

So Danny and I got on the horn to chat it up for about 10 minutes to fill you in. For reference, you can read the full filing here, in case you want to get your nails in. It’s not a complicated read. Get in there.

As a pair we dug into what stood out from the suit, what we think about the historical context, and also noodled at the end about what the whole situation could mean for startups; it’s not all good news, but adding lots of competitive space to the market would be a net-good for upstart tech companies in the long-run.

And consumers. Competition is good.

You can read TechCrunch’s early coverage of the suit here, and our look at the market’s reaction here. Let’s go!

Equity drops every Monday at 7:00 a.m. PT and Thursday afternoon as fast as we can get it out, so subscribe to us on Apple Podcasts, Overcast, Spotify and all the casts.

#department-of-justice, #equity-podcast, #google, #government, #startups

Investors appear to shrug at antitrust lawsuit aimed at Google

Investors do not seem concerned that the Department of Justice filed an antitrust suit against Google earlier today.

The suit, seen by some as a stunt near the election, is one part of a multi-part push to change the face of the technology industry, which has seen its wealth and power expand in recent years. For example, technology companies now constitute nearly 40% of the value of the S&P 500, ahead of a 1999-era 37% share, according to The Wall Street Journal.

At the same time, the rising tide lifting many tech boats has provided huge gains to its largest players as well. Alphabet, Microsoft, Amazon and Apple are each worth north of $1 trillion apiece, making them historically valuable companies even amidst an economic downturn.

Those market caps do not appear to be in danger.

Today after lunch during regular trading hours the tech-heavy Nasdaq Composite index is up 0.86%, while Alphabet is up 0.91%, directly in line with broader trading. Shares of Alphabet initially rose this morning before giving back their gains. However, since those morning lows, shares of the tech giant have recovered to edge ahead of the market.

Investor reaction could shift regarding Google’s antitrust liabilities in time. The Department of Justice suit is hardly the only legal issue that the search giant is currently grappling with. But not today.

#alphabet, #antitrust, #department-of-justice, #google, #government, #tc

Justice Dept. files long-awaited antitrust suit against Google

Will the sun ever set on the Google empire? (credit: 400tmax | Getty Images)

The Department of Justice today filed a landmark antitrust suit against Google, alleging that the company behaved anticompetitively and unfairly pushed out rivals in its search businesses.

A company does not have to be a literal monopoly, with no available competition of any kind, to be in violation of antitrust law. The law is instead primarily concerned with what a company does to attain dominance and what it does with that dominant position once it’s at the top. And according to the DOJ’s complaint (PDF), Google did indeed abuse its outsized market power to tilt the playing field in its favor and keep potential rivals out.

“Google is the gateway to the Internet,” Deputy Attorney General Jeffrey Rosen said in a call with reporters. “It has maintained its power through exclusionary practices that are harmful to competition.”

#alphabet, #antitrust, #competition, #department-of-justice, #doj, #google, #justice-department, #lawsuits, #policy

John McAfee arrested, indicted on tax evasion charges, sued for fraud

John McAfee gesticulating on his yacht outside Havana, Cuba, during an interview with AFP in June 2019. (credit: Adalberto Roque | AFP | Getty Images)

Noted cybersecurity eccentric John McAfee is under arrest in Spain awaiting extradition to the United States after being indicted on federal tax evasion charges.

The Department of Justice unsealed the indictment (PDF) yesterday, following McAfee’s arrest by Spanish authorities at Barcelona’s airport over the weekend.

The filing alleges that McAfee deliberately not only avoided paying federal taxes from tax years 2014 through 2018 but also tried to hide considerable assets from the IRS. He allegedly hid those assets—including a yacht, a vehicle, real estate, bank accounts, and cryptocurrency—by purchasing and titling them under “the name of a nominee.”

#department-of-justice, #doj, #john-mcafee, #justice-department, #mcafee, #policy, #sec, #securities-and-exchange-commission

Justice Dep’t. sends its Section 230 rewrite to Congress

Cartoon hands hold out a band-aid over the words Section 230. (credit: Aurich Lawson / Getty Images)

The Department of Justice today dropped a proposed “recalibration” of one of the most important laws governing the US Internet into Congress’s lap and urged legislators to act to remove a liability protection on which nearly every website and app currently relies.

Attorney General Bill Barr sent the proposed legislation—an extension of his June wish list—to Speaker of the House Nancy Pelosi and Vice President Mike Pence (in his role as President of the Senate) this morning.

“For too long Section 230 has provided a shield for online platforms to operate with impunity,” Barr said in a written statement. “Ensuring that the internet is a safe, but also vibrant, open, and competitive environment is vitally important to America,” he added. “We therefore urge Congress to make these necessary reforms to Section 230 and begin to hold online platforms accountable both when they unlawfully censor speech and when they knowingly facilitate criminal activity online.”


#congress, #department-of-justice, #doj, #justice-department, #laws, #legislative-proposal, #policy, #section-230

States, DOJ reportedly meeting this week to plan Google antitrust suit

Google’s in everything. Perhaps too much everything, regulators now worry. (credit: Omar Marques | SOPA Images | LightRocket | Getty Images)

Multiple investigations into Google parent Alphabet’s competition practices may finally be reaching a head, as state and federal regulators meet today to plan next steps for one or more lawsuits against the company.

Attorneys from the Department of Justice are meeting today with attorneys general from several different states about imminent plans to file an antitrust suit against Google, the Washington Post and Bloomberg report.

The DOJ began its antitrust probe of “market-leading online platforms” a little more than a year ago, without naming names. Google was widely assumed to be one of the targets, and the company confirmed last September that it was indeed under investigation.


#alphabet, #antitrust, #department-of-justice, #doj, #google, #justice-department, #lawsuits, #policy

Justice Department says WeChat users won’t be penalized under Trump’s executive order

In a Wednesday filing in federal court, the United States government said that users who use or download WeChat “to convey personal or business information” will not be subject to penalties under President Donald Trump’s executive order banning transactions with the Tencent-owned messaging app.

Trump issued the executive order against WeChat on August 6, the same day he issued a similar one banning transactions with ByteDance, the parent company of TikTok, claiming national security concerns. Both orders caused confusion because they are set to go into effect 45 days after being issued, but said that Secretary of Commerce Wilbur Ross will not identify what transactions are covered until then.

With that deadline now looming at the end of this week, WeChat users in America are still uncertain about the app’s future. Though WeChat is by far the top messaging app in China, where it also serves as an essential conduit for payments and other services, the U.S. version of the app has relatively limited features. It is used by Chinese-Americans, and other members of the Chinese diaspora in the U.S., to keep in touch with their family and other people in China. With other popular messaging apps, like Facebook Messenger and WhatsApp, banned in China, WeChat is often the most direct communication channel available to them.

The U.S. government’s filing (embedded below) was made as part of a request for a preliminary injunction against the executive order brought by the U.S. WeChat Users Alliance, a non-profit organization initiated by attorneys who want to preserve access to WeChat for users in the U.S. A hearing is scheduled for Thursday.

In it, attorneys from the Justice Department said the U.S. Commerce Department is continuing to review transactions and will clarify which ones are affected by Sept. 20, but “we can provide assurances that [Secretary Ross] does not intend to take actions that would target persons or groups whose only connection to WeChat is their use or downloading of the app to convey personal or business information between users, or otherwise define the relevant transaction in such a way that would impose criminal or civil liability on such users.”

But in a response (also embedded below), the U.S. WeChat Users Alliance said that the Department of Justice’s filing instead demonstrates why a preliminary injunction is necessary. “Having first failed to articulate any actual national security concerns, the administration’s latest ‘assurances’ that users can keep using WeChat, and exchange their personal and business information, only further illustrates the hollowness and pre-textual nature of the Defendants’ ‘national security rationales.’”

The U.S. WeChat Users Alliance filed for the injunction on August 21. In an open letter published on its site, it said a complete ban of WeChat “will severely affect the lives and the work of millions of people in the U.S. They will have a difficult time talking to family relatives and friends back in China. Countless people or businesses who use WeChat to develop and contact customers will also suffer significant economic losses.”

The group also believes that the executive order “violates many provisions of the U.S. Constitution,” and the Administrative Procedure Act.

#apps, #china, #department-of-justice, #messaging, #policy, #tc, #tencent, #u-s-government, #wechat

Justice Dept. charges five Chinese members of APT41 over cyberattacks on U.S. companies

WASHINGTON, DC – DECEMBER 09: The Justice Department building on a foggy morning on December 9, 2019 in Washington, DC. (Photo by Samuel Corum/Getty Images)

The Justice Department has announced charges against five Chinese citizens accused of hacking over 100 companies in the United States, including tech companies, game makers, universities, and think tanks.

Zhang Haoran and Tan Dailin were charged in August 2019 with over two dozen counts of conspiracy, wire fraud, identity theft and charges related to computer hacking. Prosecutors added nine further charges against Jiang Lizhi, Qian Chuan, and Fu Qiang last month.

Prosecutors also charged two businessmen, who were arrested in Malaysia, for their role in trying to profit from the group’s intrusions into game companies to steal and sell digital goods and virtual currency.

“Today’s charges, the related arrests, seizures of malware and other infrastructure used to conduct intrusions, and coordinated private sector protective actions reveal yet again the Department’s determination to use all of the tools at its disposal and to collaborate with the private sector and nations who support the rule of law in cyberspace,” said assistant attorney general John C. Demers.

“This is the only way to neutralize malicious nation state cyber activity,” he said.

The hackers are accused of being members of the China-backed APT41 hacking group, also known as “Barium,” and of stealing source code, customer data, and other valuable business information from businesses in the U.S., Australia, Brazil, Hong Kong, South Korea and other countries.

The indictments said that the hackers worked for a front company, Chengdu 404, which purports to be a network security company but prosecutors say was a cover for the hackers. The alleged hackers used a number of known security vulnerabilities to break into companies, then attacked those companies’ supply chains to gain a foothold in further victims. The indictments confirm earlier research from security firm FireEye that said APT41 hackers used vulnerabilities in networking gear to break into their victims’ networks.

The hackers also allegedly stole code-signing certificates, which can be used to trick computers into thinking malware is from a legitimate source and safe to run. Last year, APT41 was blamed for a supply chain attack at computer maker Asus, which saw the attackers push a backdoor to at least hundreds of thousands of computers using the company’s own servers.

Prosecutors said the hackers tried to make money by launching ransomware attacks and cryptojacking schemes, which hijack computers with malware to mine cryptocurrency.

After the indictments were filed, prosecutors said they obtained warrants to seize websites, domains, and servers associated with the group’s operations, effectively shutting them down and hindering their operations.

The alleged hackers are still believed to be in China, but the allegations serve as a “name and shame” effort employed by the Justice Department in recent years against state-backed cyber attackers.

#computer-security, #cyberattack, #department-of-justice, #federal-bureau-of-investigation, #government, #hacker, #internet-security, #justice-department, #ransomware, #security, #security-breaches, #united-states

Dirty diesel engines will cost Daimler $1.5 billion in DoJ settlement

A 1980s Mercedes-Benz diesel belches exhaust fumes in London. People expected diesel engines of this vintage to be dirty, but we had a right to expect that diesel engines sold over the past decade complied with emissions laws. Turns out, they don’t. (credit: Richard Oliver/Getty Images)

In 2020 it seems more usual to read about the US Environmental Protection Agency rolling back pollution laws or arguing that big business should be allowed to do what it wants. But apparently the agency does occasionally work as intended. Earlier this week, together with the US Department of Justice and the California Air Resources Board, it held Daimler AG—parent company to Mercedes-Benz—accountable for selling diesel vehicles fitted with emissions defeat devices.

EPA and CARB found that all was not right with Daimler’s diesel engines in the wake of the 2015 Volkswagen emissions scandal. EPA told Daimler it was going to conduct some additional tests of the company’s four- and six-cylinder diesel engines “using driving cycles and conditions that may reasonably be expected to be encountered in normal operation and use, for the purposes of investigating a potential defeat device.”

In doing so, it discovered several auxiliary emission control devices that were not described in the homologation paperwork submitted by Daimler. In total, about 160,000 Sprinter vans and about 90,000 Mercedes-Benz vehicles are affected, between model years 2009 and 2016.


#cars, #daimler, #daimlerchrysler, #defeat-device, #department-of-justice, #diesel, #environmental-protection-agency, #epa

Apple opens up — slightly — on Hong Kong’s national security law

After Beijing unilaterally imposed a new national security law on Hong Kong on July 1, many saw the move as an effort by Beijing to crack down on dissent and protests in the semi-autonomous region.

Soon after, a number of tech giants — including Microsoft, Twitter and Google — said they would stop processing requests for user data from Hong Kong authorities, fearing that the requested data could end up in the hands of Beijing.

But Apple was noticeably absent from the list. Instead, Apple said it was “assessing” the new law.

When reached by TechCrunch, Apple did not say how many requests for user data it had received from Hong Kong authorities since the new national security law went into effect. But the company reiterated that it doesn’t receive requests for user content directly from Hong Kong. Instead, it relies on a long-established so-called mutual legal assistance treaty, allowing U.S. authorities to first review requests from foreign governments.

Apple said it stores iCloud data for Hong Kong users in the United States, so any requests by Hong Kong authorities for user content have to be approved first by the Justice Department, and a warrant has to be issued by a U.S. federal judge before the data can be handed over to Hong Kong.

The company said that it received a limited number of non-content requests from Hong Kong related to fraud or stolen devices, and that the number of requests it received from Hong Kong authorities since the introduction of the national security law will be included in an upcoming transparency report.

Hong Kong authorities made 604 requests for device information, 310 requests for financial data, and 10 requests for user account data during 2019.

The report also said that Apple received 5,295 requests from U.S. authorities during the second half of last year for data related to 80,235 devices, a seven-fold increase from the previous six months.

Apple also received 4,095 requests from U.S. authorities for user data stored in iCloud on 31,780 accounts, twice the number of accounts affected during the previous six months.

Most of the requests related to ongoing return and repair fraud investigations, Apple said.

The report said it received 2,522 requests from U.S. authorities to preserve data on 6,741 user accounts, allowing law enforcement to obtain the right legal process to access the data.

Apple also said it received between 0 and 499 national security requests for non-content data on between 15,500 and 15,999 users or accounts, an increase of 40% on the previous report.

Tech companies are only allowed to report the number of national security requests in ranges, per rules set out by the Justice Department.

The company also published two FBI national security letters, or NSLs, from 2019, which the company petitioned to make public. These letters are subpoenas issued by the FBI with no judicial oversight and often with a gag order preventing the company from disclosing their existence. Since the introduction of the Freedom Act in 2015, the FBI has been required to periodically review the gag orders and lift them when they are no longer deemed necessary.

Apple also said it received 54 requests from governments to remove 258 apps from its app store. China filed the vast majority of requests.

#apple, #department-of-justice, #government, #icloud, #law-enforcement, #operating-systems, #security, #transparency-report

Decrypted: Tesla’s ransomware near miss, Palantir’s S-1 risk factors

Another busy week in cybersecurity.

In case you missed it: A widely used messaging app used by over a million protesters has several major security flaws; a little-known loophole has let the DMV sell driver’s licenses and Social Security records to private investigators; and the U.S. government is suing to reclaim over $2.5 million in cryptocurrency stolen by North Korean hackers from two major exchanges.

But this week we are focusing on how a Tesla employee foiled a ransomware attack and, ahead of Palantir’s debut on the stock market, on how much of a risk factor the company’s public image really is.


THE BIG PICTURE

Russian charged with attempted Tesla ransomware attack

$1 million. That’s how much a Tesla employee would have netted if they accepted a bribe from a Russian operative to install malware on Tesla’s Gigafactory network in Nevada. Instead, the employee told the FBI and the Russian was arrested.

The Justice Department charged the 27-year-old Russian, Egor Igorevich, weeks later as he tried to flee the United States. According to the indictment, his plan was to ask the employee to deliberately deploy ransomware on the Gigafactory’s network, grinding the network to a halt for a ransom of several million dollars. The would-be insider threat is likely the first of its kind, one ransomware expert told Wired, as financially driven hackers continue to up their game.

Tesla founder Elon Musk tweeted earlier this week confirming that Tesla was the target of the failed attack.

The attack, if carried out, could have been devastating. The indictment said that the malware was designed to extract data from the network before locking its files. This data-stealing ransomware is an increasing trend. These hacker groups not only encrypt a victim’s files but also exfiltrate the data to their servers. The hackers typically threaten to publish the victim’s files if the ransom isn’t paid.

#computer-security, #computing, #cryptography, #cybercrime, #decrypted, #department-of-justice, #driver, #encryption, #facebook, #florida, #malware, #mayfield, #nevada, #ransomware, #security, #security-breaches, #software, #startups, #tampa, #ten-eleven-ventures, #tesla, #u-s-government, #united-states

Why movie theaters are in trouble after DOJ nixes 70-year-old case

Disney logo adorns a container of movie theater popcorn.

The House of Mouse is the shadow lurking in the future of movie theaters. (credit: Aurich Lawson / Getty Images)

If you went to the movies in 2019, you probably saw a Disney movie. Seven of the top 10 highest-grossing films released in the United States last year were distributed by the House of Mouse, and hundreds of millions of people went to see them on thousands of screens. Some weeks it felt like the entire film industry was Disney: Captain Marvel and the rest of the Avengers (Endgame) competed for your attention for a while, as Aladdin, The Lion King, and Toy Story 4 kept up a steady drumbeat of animation until Elsa dropped back onto hapless households in Frozen II. In amongst that morass, though, there were still other movies shown, many of them popular with audiences and critics alike.

But the rule that prevented a studio from buying up a major theater chain is now gone—opening up the possibility that your local cinema could go whole hog and become a true Disneyplex before you know it.

On Friday, a federal judge agreed to the Department of Justice’s petition to vacate the Paramount Consent Decrees, a landmark 1948 ruling that forbade vertical integration in the film sector and ended the Hollywood studio system. In isolation, the decision could raise some concerns. In a world where theaters are decimated thanks to a pandemic and consolidation among media firms is already rampant, the future for independent theaters looks grim.


#antitrust, #biz-it, #competition, #department-of-justice, #disney, #gaming-culture, #justice-department, #paramount, #policy

Twitter says Android security bug gave access to direct messages

Twitter says a security bug may have exposed the private direct messages of its Android app users, but said that there was no evidence that the vulnerability was ever exploited.

The bug could have allowed a malicious Android app running on the same device to siphon off a user’s direct messages stored in the Twitter app by bypassing Android’s built-in data permissions. But Twitter said that the bug only worked on Android 8 (Oreo) and Android 9 (Pie), and has since been fixed.

A Twitter spokesperson told TechCrunch that the bug was reported by a security researcher “a few weeks ago” through HackerOne, which Twitter uses for its bug bounty program.

“Since then, we have been working to keep accounts secure,” said the spokesperson. “Now that the issue has been fixed, we’re letting people know.” Twitter said it waited to let its users know in order to prevent someone from learning about the issue and taking advantage of it before it was fixed.

The notice sent to affected Twitter users. (Image: TechCrunch)

Twitter said the vast majority of users had updated their Twitter for Android app and were no longer vulnerable. But the company said about 4% of users are still running an old and vulnerable version of its app, and users will be notified to update the app as soon as possible.

Many users began noticing in-app pop-ups notifying them of the issue.

News of the security issue comes just weeks after the company was hit by a hacker who gained access to an internal “admin” tool and, along with two accomplices, hijacked high-profile Twitter accounts to spread a cryptocurrency scam that promised to “double your money.” The hack and subsequent scam netted over $100,000 in scammed funds.

The Justice Department charged three people — including one minor — allegedly responsible for the incident.

#android, #computing, #department-of-justice, #google-allo, #hackerone, #kik-messenger, #operating-systems, #security, #smartphones, #software, #spokesperson, #tc, #twitter

Amazon says police demands for customer data have gone up

Amazon has said the number of demands for user data made by U.S. federal and local law enforcement increased during the first half of 2020 compared with the same period a year earlier.

The disclosure came in the company’s latest transparency report, published Thursday.

The figures show that Amazon received 23% more subpoenas and search warrants, and 29% more court orders, compared to the first half of 2019. That includes data collected from its Amazon.com retail storefront, Amazon Echo devices and its Kindle and Fire tablets.

Breaking those figures down, Amazon said it received:

  • 2,416 subpoenas, turning over all or partial user data in 70% of cases;
  • 543 search warrants, turning over all or partial user data in 79% of cases;
  • 146 court orders, turning over all or partial user data in 74% of cases.

The number of requests to the company’s cloud services, Amazon Web Services, also went up compared to a year earlier.

But it’s not clear what caused the rise in U.S. government demands for user data. A spokesperson for Amazon did not respond to a request for comment.

But the company saw the number of overseas requests drop by about one-third compared to the same period a year earlier. Amazon rejected 92% of the 177 overseas requests it received, turning over partial user data in 10 cases and all requested data in four cases.

Amazon also said it received between 0 and 249 national security requests, flat from previous reports. Justice Department rules on disclosing classified requests only allow companies to respond in numerical ranges.

Amazon was one of the last major tech companies to issue a transparency report, despite mounting pressure from privacy advocates. But its report remains far lighter on details compared to its Silicon Valley rivals.

The company’s Ring smart camera division, despite facing criticism for its poor security practices and its close relationships with law enforcement, has yet to release any data related to police requests for user data.

#amazon-alexa, #amazon-echo, #articles, #assistant, #business, #cloud-services, #department-of-justice, #hardware, #kindle, #law-enforcement, #publishing, #security, #transparency-report, #u-s-government, #united-states, #web-services

Garmin global outage caused by ransomware attack, sources say

An ongoing global outage at sport and fitness tech giant Garmin was caused by a ransomware attack, according to two sources with direct knowledge of the incident.

The incident began late Wednesday and continued through the weekend, causing disruption to the company’s online services for millions of users, including Garmin Connect, which syncs user activity and data to the cloud and other devices. The attack also took down flyGarmin, its aviation navigation and route-planning service.

Portions of Garmin’s website were also offline at the time of writing.

Garmin has said little about the incident so far. A banner on its website reads: “We are currently experiencing an outage that affects Garmin.com and Garmin Connect. This outage also affects our call centers, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologize for this inconvenience.”

The two sources, who spoke on the condition of anonymity as they are not authorized to speak to the press, told TechCrunch that Garmin was trying to bring its network back online after the ransomware attack. One of the sources confirmed that the WastedLocker ransomware was to blame for the outage.

One other news outlet appeared to confirm that the outage was caused by WastedLocker.

Garmin’s online services have been down for days. The cause is believed to be ransomware, according to two sources with direct knowledge of the incident. (Screenshot: TechCrunch)

WastedLocker is a new kind of ransomware, first discovered by security researchers at Malwarebytes in May, operated by a hacker group known as Evil Corp. Like other file-encrypting malware, WastedLocker infects computers and locks the user’s files in exchange for a ransom, typically demanded in cryptocurrency.

Malwarebytes said that WastedLocker does not steal or exfiltrate data before encrypting the victim’s files, unlike other, newer ransomware strains. That means companies with backups may be able to escape paying the ransom. But companies without backups have faced ransom demands as much as $10 million.

The FBI has also long discouraged victims from paying ransoms related to malware attacks.

Evil Corp has a long history of malware and ransomware attacks. The group, allegedly led by Russian national Maksim Yakubets, is known to have used Dridex, a powerful password-stealing malware that was used to steal more than $100 million from hundreds of banks over the past decade. Later, Dridex was also used as a way to deliver ransomware.

Yakubets, who remains at large, was indicted by the Justice Department last year for his alleged part in the group’s “unimaginable” amount of cybercrime during the past decade, according to U.S. prosecutors.

The Treasury also imposed sanctions on Evil Corp, including Yakubets and two other alleged members, for their involvement in the decade-long hacking campaign.

Because of those sanctions, it’s near-impossible for U.S.-based companies to pay the ransom — even if they wanted to — as U.S. nationals are “generally prohibited from engaging in transactions with them,” per a Treasury statement.

Brett Callow, a threat analyst and ransomware expert at security firm Emsisoft, said those sanctions make it “especially complicated” for U.S.-based companies dealing with WastedLocker infections.

“WastedLocker has been attributed by some security companies to Evil Corp, and the known members of Evil Corp — which purportedly has loose connections to the Russian government — have been sanctioned by the U.S. Treasury,” said Callow. “As a result of those sanctions, U.S. persons are generally prohibited from transacting with those known members. This would seem to create a legal minefield for any company which may be considering paying a WastedLocker ransom,” he said.

Efforts to contact the alleged hackers were unsuccessful. The group uses different email addresses in each ransom note. We sent an email to two known email addresses associated with a previous WastedLocker incident, but did not hear back.

A Garmin spokesperson could not be reached for comment by phone or email on Saturday. (Garmin’s email servers have been down since the start of the incident.) Messages sent over Twitter were also not returned. We’ll update if we hear back.

#apps, #crime, #crimes, #cybercrime, #department-of-justice, #gadgets, #garmin, #hacker, #hardware, #health, #malware, #ransomware, #security, #security-breaches, #spokesperson, #united-states