Data Security

US can’t ban TikTok for security reasons while ignoring Temu, other apps

bytedance, china, data privacy, Data Security, national security, Policy, tiktok, TikTok ban / Rejus Almole / September 16, 2024

Andrew J. Pincus, attorney for TikTok and ByteDance, leaves the E. Barrett Prettyman US Court House with members of his legal team as the U.S. Court of Appeals hears oral arguments in the case <em>TikTok Inc. v. Merrick Garland</em> on September 16 in Washington, DC. ” src=”https://cdn.arstechnica.net/wp-content/uploads/2024/09/GettyImages-2172424134-800×620.jpg”></img><figcaption>
<p><a data-height=

The fight to keep TikTok operating unchanged in the US reached an appeals court Monday, where TikTok and US-based creators teamed up to defend one of the world’s most popular apps from a potential US ban.

TikTok lawyer Andrew Pincus kicked things off by warning a three-judge panel that a law targeting foreign adversaries that requires TikTok to divest from its allegedly China-controlled owner, ByteDance, is “unprecedented” and could have “staggering” effects on “the speech of 170 million Americans.”

Pincus argued that the US government was “for the first time in history” attempting to ban speech by a specific US speaker—namely, TikTok US, the US-based entity that allegedly curates the content that Americans see on the app.

The government justified the law by claiming that TikTok may in the future pose a national security risk because updates to the app’s source code occur in China. Essentially, the US is concerned that TikTok collecting data in the US makes it possible for the Chinese government to both spy on Americans and influence Americans by manipulating TikTok content.

But Pincus argued that there’s no evidence of that, only the FBI warning “about the potential that the Chinese Communist Party could use TikTok to threaten US homeland security, censor dissidents, and spread its malign influence on US soil.” And because the law carves out China-owned and controlled e-commerce apps like Temu and Shein—which a US commission deemed a possible danger and allegedly process even more sensitive data than TikTok—the national security justification for targeting TikTok is seemingly so under-inclusive as to be fatal to the government’s argument, Pincus argued.

Jeffrey Fisher, a lawyer for TikTok creators, agreed, warning the panel that “what the Supreme Court tells us when it comes to under-inclusive arguments is” that they “often” are “a signal that something else is at play.”

Daniel Tenny, a lawyer representing the US government, defended Congress’ motivations for passing the law, explaining that the data TikTok collects is “extremely valuable to a foreign adversary trying to compromise the security” of the US. He further argued that a foreign adversary controlling “what content is shown to Americans” is just as problematic.

Rather than targeting Americans’ expression on the app, Tenny argued that because ByteDance controls TikTok’s source code, the speech on TikTok is not American speech but “expression by Chinese engineers in China.” This is the “core point” that the US hopes the appeals court will embrace, that as long as ByteDance oversees TikTok’s source code, the US will have justified concerns about TikTok data security and content manipulation. The only solution, the US government argues, is divestment.

TikTok has long argued that divestment isn’t an option and that the law will force a ban. Pincus told the court that the “critical issue” with the US government’s case is that the US does not have any evidence that TikTok US is under Chinese control. Because the US is only concerned about some “future Chinese control,” the burden that the law places on speech must meet the highest standard of constitutional scrutiny. Any finding otherwise, Pincus warned the court, risked turning the First Amendment “on its head,” potentially allowing the government to point to foreign ownership to justify regulating US speech on any platform.

But as the panel explained, the US government had tried for two years to negotiate with ByteDance and find through Project Texas a way to maintain TikTok in the US while avoiding national security concerns. Because every attempt to find a suitable national security arrangement has seemingly failed, Congress was potentially justified in passing the law, the panel suggested, especially if the court rules that the law is really just trying to address foreign ownership—not regulate content. And even though the law currently only targets TikTok directly, the government could argue that’s seemingly because TikTok is so far the only foreign adversary-controlled company flagged as a potential national security risk, the panel suggested.

TikTok insisted that divestment is not the answer and that Congress has made no effort to find a better solution. Pincus argued that the US did not consider less restrictive means for achieving the law’s objectives without burdening speech on TikTok, such as a disclosure mechanism that could prevent covert influence on the app by a foreign adversary.

But US circuit judge Neomi Rao pushed back on this, suggesting that disclosure maybe isn’t “always” the only appropriate mechanism to block propaganda in the US—especially when the US government has no way to quickly assess constantly updated TikTok source code developed in China. Pincus had confirmed that any covert content manipulation uncovered on the app would only be discovered after users were exposed.

“They say it would take three years to just review the existing code,” Rao said. “How are you supposed to have disclosure in that circumstance?”

“I think disclosure has been the historic answer for covert content manipulation,” Pincus told the court, branding the current law as “unusual” for targeting TikTok and asking the court to overturn the alleged ban.

The government has given ByteDance until mid-January to sell TikTok, or else the app risks being banned in the US. The appeals court is expected to rule by early December.

US can’t ban TikTok for security reasons while ignoring Temu, other apps Read More »

Let’s attempt to decode Google’s confusing new location data settings

Data Security, Google, google cloud, google maps, Location Data, Tech / Rejus Almole / December 13, 2023

Oh, good, my lawyer wanted a new porsche —

The new Google Maps Timeline plays a game of three-card monte with your location data.

Ron Amadeo – Dec 13, 2023 7: 51 pm UTC

Google announced big changes to its most legally fraught set of user settings: your location data. Google’s misleading Location History descriptions in Google Maps have earned it several lawsuits in the US and worldwide. A quick count involves individual lawsuits in California, Arizona, Washington, a joint lawsuit in Texas, Indiana, and the District of Columbia, and another joint lawsuit across 40 additional US states. Internationally, Google has also been sued in Australia over its location settings. The point is that any change to Google’s location settings must have some motive behind it, so bear with us while we try to decode everything.

Google’s big new location data change is a new, duplicate data store that will live exclusively on your device. Google’s new blog post says data for the long-running Google Maps Timeline feature will now “be saved right on your device—giving you even more control over your data.” That’s right, one of the world’s biggest Internet data companies advocates for local storage of your location data.

The company continues, “If you’re getting a new phone or are worried about losing your existing one, you can always choose to back up your data to the cloud so it doesn’t get lost. We’ll automatically encrypt your backed-up data so no one can read it, including Google.” Users will apparently have lots of control over this new locally stored data, with Google saying, “Soon, you’ll be able to see all your recent activity on Maps… in one central place, and easily delete your searches, directions, visits, and shares with just a few taps. The ability to delete place-related activity from Maps starts rolling out on Android and iOS in the coming weeks.”

Enlarge / The new Google Maps Timeline pop-up.

Google

Some companies pitch the “on-device storage” of data as a security feature. The idea is that on-device data isn’t in the cloud, and instead is encrypted on your device, and therefore is more secure since you must have physical access to the device to get the data. This is usually how biometrics are stored, for instance. That’s not happening here, though. Google’s post says, “The Timeline feature in Maps helps you remember places you’ve been and is powered by a setting called Location History.” Location History is all the location data collected by Google, and the Google Maps Timeline is only a subset of that data. So, with on-device storage, Google Maps Timeline will now be a second copy of a subset of your location data. Cloud-based Location History will still exist and still be collected. Instead of the additional security of encrypted on-device storage, this is less secure since your data will now be in two places, or maybe multiple places, if you have multiple devices.

Google was sued in nearly every US state because of its misleading communication about where your location data is stored and what the controls do. Before all the lawsuits, Google had a checkbox for “Location History” that you could turn on and off, but at the time, “Location History” didn’t mean “all the stored location history across your Google account.” Back then, “Location History” was the name of a specific page in Google Maps, and turning off the Location History checkbox just hid the Location History interface—it didn’t reduce Google’s location data collection and storage. Today, that has changed, and in the wake of all those lawsuits, Google says Location History actually controls the storage and collection of location data across your entire account.

Promoting controls for the “Google Maps Timeline” feels like Google is pulling the same old “Location History” trick. Data controls for the Maps Timeline don’t control the data for your entire account, but instead only control data for this specific interface in Google Maps. Google says you’ll get “the ability to delete place-related activity from Maps,” but that’s from Maps only. Let’s not fall for Google’s app-specific settings trick again: You don’t want the ability to delete location data “from Maps”; you want the ability to delete location data from “your entire account.”

Google's new delete button doesn't seem like it delete's much. — Google’s new delete button doesn’t seem like it delete’s much.

Google

My interpretation of the strategy is that Google’s going to make two different copies of your location data, a cloud-based one that it has access to (Location History) and a locally stored one that it does not have access to (Google Maps Timeline), and it’s going to dangle a bunch of controls in front of users that control the local data store only. A pop-up (shown above) briefly shown in one of the blog post videos seems to confirm this, with the “Delete Maps Activity?” pop-up saying it won’t delete data from Location History or Web & App Activity. I guess the hope is that interested users will be distracted by the upfront controls for the unimportant, private, local data store and then forget about the more hidden controls for the cloud-based one that Google has access to.

Any justification for why the company is creating more complicated and confusing location controls is absent from Google’s blog post. What is the benefit of having an extra copy of locally stored location data? Why would you want two different copies of location data to manage? The only new feature you’re getting is the ability to delete data from the new local data store, but you wouldn’t need those controls if the data store didn’t exist in the first place. Why would users want to delete data from their local location history but not the cloud? A local copy of location data only makes sense if Google stops collecting and storing location data in the cloud; I can promise you that it’s not doing that.

Let’s attempt to decode Google’s confusing new location data settings Read More »

LastPass Suffers Second Major Data Breach in Four Months

Data Security, Highlights / Rejus Almole / December 3, 2022

internal/modules/cjs/loader.js: 905 throw err; ^ Error: Cannot find module ‘puppeteer’ Require stack: – /home/760439.cloudwaysapps.com/jxzdkzvxkw/public_html/wp-content/plugins/rss-feed-post-generator-echo/res/puppeteer/puppeteer.js at Function.Module._resolveFilename (internal/modules/cjs/loader.js: 902: 15) at Function.Module._load (internal/modules/cjs/loader.js: 746: 27) at Module.require (internal/modules/cjs/loader.js: 974: 19) at require (internal/modules/cjs/helpers.js: 101: 18) at Object. (/home/760439.cloudwaysapps.com/jxzdkzvxkw/public_html/wp-content/plugins/rss-feed-post-generator-echo/res/puppeteer/puppeteer.js:2: 19) at Module._compile (internal/modules/cjs/loader.js: 1085: 14) at Object.Module._extensions..js (internal/modules/cjs/loader.js: 1114: 10) at Module.load (internal/modules/cjs/loader.js: 950: 32) at Function.Module._load (internal/modules/cjs/loader.js: 790: 12) at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js: 75: 12) code: ‘MODULE_NOT_FOUND’, requireStack: [ ‘/home/760439.cloudwaysapps.com/jxzdkzvxkw/public_html/wp-content/plugins/rss-feed-post-generator-echo/res/puppeteer/puppeteer.js’ ]

LastPass Suffers Second Major Data Breach in Four Months Read More »

WhatsApp Leak: 360M Phone Numbers Freely Available on the Dark Web

Data Security, Highlights / Rejus Almole / December 2, 2022

WhatsApp Leak: 360M Phone Numbers Freely Available on the Dark Web Read More »

How to Use VeraCrypt’s Advanced Features to Secure Important Files

Data Security, Encryption, Highlights, Security, VeraCrypt / Rejus Almole / December 1, 2022

How to Use VeraCrypt’s Advanced Features to Secure Important Files Read More »