Debating the business of private information
Summary: From Facebook to Huawei, allegations abound of surveillance capitalism and the subversion of private information and intellectual property for profit. Kurt Marko offers a personal analysis.
An early debate among hackers, back in the days when the word had a positive connotation, concerned the inherent tension between the free flow of information and limitations on that flow to maximize its value. The issue was summed up in the well-known axiom, “Information Wants To Be Free. Information also wants to be expensive.”
Although corporate giants like Disney and IBM have successfully used patent and copyright law to defend their creative and intellectual property, those legal protections are being subverted and eroded in the age of surveillance capitalism and state-sponsored IP theft.
Indeed, some of today’s largest tech companies, notably Facebook, Huawei and Alibaba, have profited in part by exploiting the work and private information of others. It seems that the “information should be free” crowd has seized the day, laws, ethics and regulations be damned. Unfortunately, in the era of social networks, data brokers, rogue governments and global supply chains, restoring the sanctity of private personal information and intellectual property appears as futile as trying to put toothpaste back in the tube.
Although it’s appropriate to focus blame on the perpetrators of information theft, we victims are partially responsible through our acquiescence to ever more intrusive demands for information, justified as a minor inconvenience for ‘free’ services.
Likewise, the corporate victims of IP theft are somewhat culpable by accepting relatively modest legal settlements and onerous ‘partnership’ conditions in return for doing business in some rapidly growing countries, notably China. Regardless of such prior carelessness and compliance, technology users and innovators appear to be reaching a breaking point as the incidents of data theft and misuse pile up. A recap of some egregious examples helps illustrate the severity of the problems of information and IP abuse and why the perpetrators’ attempts at damage control are proving inadequate.
The normalization of IP theft
Huawei has made headlines recently for all the wrong reasons. As I detailed in a previous article, the company is under attack by US legal and trade authorities for allegedly countenancing IP and data theft and violating Iranian trade restrictions. The company vigorously denies the most serious charges and as I said:
So far, the evidence that Huawei, which is the primary target, is deploying equipment that can surreptitiously exfiltrate data to its PRC masters is somewhere between non-existent and circumstantial, and its founder and CEO vehemently denies the charges.
Indeed, Huawei is reportedly preparing a countersuit against the U.S. government “for barring federal agencies from using the company’s products.” The suit isn’t expected to defend Huawei on the merits of the ban, but on the Constitutional question of whether the ban amounts to an illegal bill of attainder, namely a bill or executive action that punishes a particular individual or group without due process.
Huawei is simultaneously waging a PR charm offensive through newspaper ads, executive media appearances and journalist outreach designed to undermine the charges and improve its image. According to multiple reports, the company is:
inviting a select group of journalists to visit their campus in Shenzhen the week of March 18 to see labs that have only recently been opened to media… Huawei will cover the cost of your flights, hotel, food, etc.
Huawei also dispatched CSO Andy Purdy to do media appearances before MWC to defend the company’s security record. In an interview with Maria Bartiromo, in which she repeatedly pressed Purdy on Huawei’s past IP theft and the current threat to information privacy posed by its core network and 5G products, Purdy deflected charges against the company, saying, “the pressure on Huawei is part of the geopolitical dynamic between the US and China.” When Bartiromo recounted a litany of previous incidents of IP theft from Cisco, Motorola, T-Mobile and others, Purdy dodged the issue by shifting to a defense against the current accusations of possible data exfiltration to the Chinese government through backdoors in its equipment, stating:
There have been no major cyber security incidents in the world involving Huawei in that industry, and the fact that we've had some lawsuits in the past has characterized the industry for the last 20 years. We have resolved those issues [e.g. Cisco, Motorola] and we're moving forward; the remaining issues we hope to resolve in the next year or so.
When again pressed on the IP theft, Purdy attempted to portray the infractions as par for the course in the networking industry, and reiterated:
I'm also saying there have been no major cyber security incidents in the world in the hundred and seventy countries in which we do business. Our customers trust us around the world and we believe there are additional mechanisms that can be done so we can provide assurance and transparency so that we can help make the America benefit from us being allowed to compete.
Purdy also sought to disassociate Huawei from the actions of the Chinese government by correctly noting that Chinese spies didn’t need to rely on Huawei equipment to steal extremely sensitive data from the U.S. Office of Personnel Management and from other targets, as in a recent incident involving the U.S. Navy, JPL and more than 45 companies. In sum, Purdy’s defense has three elements:
- Huawei equipment is not any more of a security risk than other networking gear, and there have been no reported incidents of the Chinese government using privileged, backdoor access to Huawei equipment to steal data. [ Part 2 is correct, but part 1 is not since, as my earlier column detailed, the quality of Huawei software is inferior to that of most of its competitors, a deficiency that potentially opens many unknown security holes ]
- Huawei acknowledges stealing IP from other network equipment vendors and carriers in the past, but those days are over and, after all, everyone knows it was a routine business practice in the networking industry for companies to ‘borrow’ ideas, code and APIs from competitors. [ Again, part 1 is correct, but part 2 is a rationalization ]
- Operators in hundreds of countries trust Huawei equipment and the company believes it can add transparency measures, presumably like those I discussed previously done with the UK NCSC, to assuage even the harshest critics in the U.S. [ Such co-engineering efforts to understand the security internals of Huawei equipment are an open issue whose efficacy remains to be seen ]
The monetization of private data
Facebook’s cavalier attitude towards the privacy of its users is well documented, including here at diginomica. Indeed, Jerry Bowles summed up the core of Facebook’s ethical rot when he wrote:
The probability that Mark Zuckerberg is a sneaky slimeball will surprise few people.
A new threshold was recently crossed when security researchers confirmed what at least one journalist has long suspected, that Facebook sells private, “shadow” contact information, including phone numbers solely used for receiving two-factor authentication codes, to advertisers. As Gizmodo sums up the research (emphasis added):
They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user’s account, that phone number became targetable by an advertiser within a couple of weeks. So users who want their accounts to be more secure are forced to make a privacy trade-off and allow advertisers to more easily find them on the social network.
Facebook defends the practice as “offering a more personalized experience”; however, I’m sure that most users sharing a private wireless number just to get a secure login code would beg to differ. Once Facebook discovered that security experts were on to its scheme of using private data for ad targeting, it created another 2FA method that doesn’t require a phone number, but that doesn’t help the millions of users whose numbers have already been harvested. Indeed, this Twitter thread illustrates the bubbling outrage at using security as a Trojan horse to gather valuable data.
My take
Facebook and Huawei are merely two of the more visible and egregious examples of alleged data theft and privacy violation as a business practice; they are hardly alone. While it’s difficult to quantify, the Commission on the Theft of American Intellectual Property, a project of a think tank doing Asian economic research, estimates the annual loss from IP theft at between $225 and $600 billion, although it can’t quantify how much results from Chinese activity.
However, a survey of the American Chamber of Commerce in China found that more than half of its members said that IP “leakage” was a bigger concern in China than other regions. Indeed, a CNBC CFO survey found that one in five North American-based firms say that Chinese companies have stolen their IP within the past year, with just over 30% reporting theft over the past decade.
While detestable, the overriding question is whether such data theft, whether of IP resulting from R&D investments or of personal data incidentally or innocently shared as a condition for accessing an online service, has become the price of living and doing business in a fully digitized world of omni-connectivity, global supply chains, online social interactions and commerce.
Fortunately, the backlash from businesses and individuals has become sufficient to produce regulatory efforts like GDPR and escalate the issues as central to global trade agreements, offering some hope that we’ve seen the peak of such abuse. Nevertheless, I fear the devious creativity of companies seeking to exploit weaknesses in any system of IP and data privacy protection will always find loopholes and backdoors to exploit. Thus, the fight against surveillance capitalism and flagrant data expropriation is likely to be a cat-and-mouse game of action and response for years to come.