Chinese and Russian Companies Exploit Flaws in US Cybersecurity

Are Google and Apple violating US sanctions against Russia?

Hands on a keyboard in front of a displayed cyber code on Oct. 4, 2018. (Reuters/Dado Ruvic/Illustration/File Photo)
Hands on a keyboard in front of a displayed cyber code on Oct. 4, 2018. (Reuters/Dado Ruvic/Illustration/File Photo)

By Rex M. Lee


Commentary

As I’ve previously discussed, Google and Apple distribute Chinese surveillance and data-mining technology. They also distribute similar technology developed by Russian companies, which could be in violation of existing U.S. sanctions against Russia and China.

In 2017, Google and Apple pulled apps developed by Iranian app developers from Google Play and the Apple App Store in regards to U.S. sanctions against Iran that date back to the late 1970s or early 1980s.

Google and Apple may violate existing U.S. sanctions against Russia by distributing Russian apps via Google Play and the Apple App Store.

In addition to a potential violation of U.S. sanctions, apps developed by Russian companies pose huge civil liberty, privacy, cybersecurity, and safety threats to U.S. citizens and our national security. The apps seem harmless at first, but when you consider that they are nothing more than malware that enables the app developer to monitor, track, and data-mine the user for financial gain, the privacy and cybersecurity threats these apps pose to the user become noticeable.

Active Russian app-development firms include Prisma Labs, Magora, e-Legion, Mercury Development, Shakuro, Touch Instinct, and many others.

Potential Violations of US Sanctions Against Russia

Doing business with these app developers may violate existing U.S. sanctions against Russia, according to information posted on the Centers for Strategic and International Studies’ website, which lists more than 60 rounds of sanctions.

Below are examples of several U.S. sanctions against Russia that may be relevant to U.S. companies that conduct business with Russian technology development firms:

·       Executive Orders 13661, 13662, and 13694 in conjunction with Countering America’s Adversaries Through Sanctions Act PL 115-44, effective Dec. 19, 2018: human rights violations and corruption, interference in U.S. elections, cyber-enabled activities, and use of biological weapons affecting individuals and companies.

·       Executive Order 13694, effective April 1, 2015: cyber-enabled activities affecting individuals and companies.

·       Countering America’s Adversaries Through Sanctions Act PL 115-44, effective Aug. 2, 2017: human rights violations and corruption, annexation of Crimea and violation of Ukraine’s territorial integrity and democratic institutions, interference in U.S. elections, supporting the Assad government and its activities, and cyber-enabled activities affecting individuals, companies, government officials, and government agencies.

I’ve identified more than 10 technology- and cyber-related U.S. sanctions against Russia, yet companies such as Apple and Google distribute intrusive apps developed by Russian companies.

Additionally, many U.S. companies that contract numerous Russian app development firms to develop apps that support smartphones, tablet PCs, connected products, and PCs in general may also be in violation of existing U.S. sanctions against Russia.

In light of Russia’s alleged meddling in our elections and Chinese companies stealing intellectual property (IP) from U.S. companies, why is any U.S. company voluntarily doing business (directly or indirectly) with Russian or Chinese app development firms when apps are malware that enable the app developer to surveil and data-mine the app user?

Furthermore, why have Google and Apple pulled apps developed by Iranian companies from their app stores due to existing U.S. sanctions against Iran but haven’t pulled apps developed by Russian and Chinese companies?

Due to the serious privacy and cybersecurity threats that intrusive Android, Apple, and Microsoft apps pose to smartphone, tablet PC, and PC users, the U.S. government should impose new sanctions against doing any business with nation-state technology companies from adversarial countries such as China and Russia.

Why Apps Are a Threat

As I’ve discussed before, companies such as Google, Apple, and Microsoft don’t sell your identifiable personal information to third-parties, they do much worse—they auction off their operating system (OS) product users to data-driven technology providers such as Facebook, Amazon, Baidu, and Tencent for profits.

This means that when you purchase a product such as a smartphone supported by the Android OS or Apple iOS, you become a commodity for sale by Google and Apple, regardless of whether these companies expose you to nation-state companies from adversarial countries such as China and Russia.

Is there a better way than using an intrusive app that is legal to steal IP from a smartphone or PC user versus using illegal methods to hack the same smartphone or PC user? Apple, Google, and Microsoft enable this to happen.

Companies may claim they use app users’ personal and professional information to improve the users’ experience or use the information for advertising purposes. However, the fact remains that companies from China and Russia may have also found a flaw in U.S. cybersecurity policy that they can exploit in order to surveil and data-mine U.S. telecommunication subscribers (individuals or businesses) and authorized device users (spouse, children, employees, etc.) by way of protected telecom products such as smartphones.

Many of these companies work closely with their nation’s governments, if they’re not directly state-owned, or must comply with repressive cybersecurity laws that require them to store customer data on local servers—accessible to the state on demand.

Existing U.S. telecom laws require any state actor (foreign or domestic) to acquire a warrant from a domestic judge or a Foreign Intelligence Surveillance Court (FISA) in order to lawfully surveil and data-mine a U.S. telecom product user.

A nation-state company from an adversarial country cannot legally acquire a warrant from a domestic judge or a FISA court in order to surveil and data-mine a U.S. citizen.

Threat Remains Unaddressed

Why are nation-state companies from China and Russia enabled to surveil and data mine U.S. citizens through their smartphones?

Who in our government or what government agency provides oversight when it comes to these types of privacy and cybersecurity threats associated with telecom-related products and PCs that are supported by protected telecom infrastructure?

In 2016, I conducted research on smartphone security as part of a Department of Homeland Security (DHS) study. In my report to the DHS, I included the fact that bad actors from adversarial countries such as China, Russia, Iran, and North Korea could easily distribute intrusive apps through partnerships with companies such as Google or through sources such as Google Play, the Apple App Store, and the Microsoft App Store.

“For example, what security measures have Google, Apple, and Microsoft put into place to keep state actors (foreign, domestic, hostile, friendly) from starting software companies to develop predatory and surveillance apps such as games that are pre-installed, installed-by-update, and/or are distributed in the apps stores?” I asked in my report.

“These are predatory and surveillance apps that can be embedded in app-driven telephones and computers used by citizens, children, private industry, and/or government entities.

“What oversight has agencies such as a state attorney general’s office, the Federal Communications Commission, Federal Trade Commission, and DHS put into place to protect citizens, children, private industry, and government entities from predatory entities who use connected products as a vehicle to hack personal and professional information?”

To date, the DHS has still yet to address these types of threats.

This flaw regarding our national security needs to be addressed immediately due to the level of surveillance conducted on the app user, and the amount of highly confidential information that these nation-state companies can data-mine from a smartphone, tablet PC, or PC.

Rex M. Lee is a privacy and data security consultant and Blackops Partners senior analyst and researcher. Visit him at MySmartPrivacy.com.

Views expressed in this article are the opinions of the author and do not necessarily reflect the views of The Epoch Times.

Subscribe For Latest Updates

Sign up to receive important news avoided by other media.
Invalid email address
We promise not to spam you. You can unsubscribe at any time.

Be the first to comment

Leave a Reply