Tuesday, 18 August 2020

Huawei’s US Licenses Expire, Ending Android Phone Updates

Huawei has been coasting on fumes lately, but that was enough for it to finally edge past Samsung to become the world’s top smartphone maker. However, tightening US sanctions threaten to bring the company’s growth to a halt. A temporary license that allowed US firms to support existing Huawei products has expired, and that means an end to Android updates on many Huawei phones.

Things changed instantly for Huawei when the Commerce Department add, Huawei’s temporary license expired last week, meaning no US company can cooperate with or provide resources to the Chinese company any longer. That includes Google. When the Commerce Department went after Huawei, citing surveillance fears, Huawei offered numerous Android smartphones running Google’s services. It couldn’t make any new Googley phones, but it re-released the P30 Pro several times to provide an option for those who wanted Gmail, Maps, and so on.


Through it all, Huawei has sought to assuage fears that its phones would stop working. While the older Google-powered Android devices will continue to work, they probably won’t be getting any more updates. Even though it released a revamped P30 just a few months ago, the phone will never get Android 11 and will soon fall behind on security patches. If you’re still clinging to a non-Chinese Huawei phone, it might be time to look at a replacement. Huawei is expected to unveil the Mate 40 family of smartphones in the next few weeks. These devices will not have a Google-enabled option, so you can expect updates to continue normally. 

This is only the latest setback for Huawei. It recently announced that more aggressive US trade restrictions have blocked the purchase of the semiconductors it needs to manufacture the custom Kirin ARM chips. That will make Huawei’s phones less competitive, even in the Chinese market where Google services are not available.

Monday, 13 April 2020

NSO Group points finger at state clients in WhatsApp spying case

In court filing, Israeli spyware company says it does not operate technology it provides



An Israeli spyware company that has been accused by WhatsApp of hacking 1,400 of its users, including journalists, human rights activists, and diplomatic officials, has blamed its government clients for the alleged abuses, according to court documents.
NSO Group – whose technology is reported to have been used against dozens of targets including Pakistani intelligence officials, Indian journalists, and exiled Rwandan political activists – also claimed in legal documents that the lawsuit brought against the company by WhatsApp threatened to infringe on its clients’ “national security and foreign policy concerns”.

NSO Group has never disclosed a full list of its government clients, but research by Citizen Lab, which tracks the use of spyware, has claimed that current and former clients include Saudi Arabia, Bahrain, Kazakhstan, Morocco, Mexico and the United Arab Emirates.
WhatsApp, the popular messaging app, filed a lawsuit against NSO Group in October, alleging that the cyberweapons company was behind a series of highly sophisticated attacks that it claimed violated US law in an “unmistakeable pattern of abuse”.

Among the alleged victims of the hack, which was discovered last April and continued for two weeks until the app’s vulnerability was fixed, were 100 human rights activists, lawyers, journalists and academics who were later notified of the alleged intrusion by WhatsApp.

In its first substantive legal filing in the case, filed last week, NSO hit back at WhatsApp and its parent company, Facebook, which it said were seen by governments as “safe spaces for terrorists and other criminals” who – without NSO’s services – could operate “without fear of detection by law enforcement”.

NSO Group also argued that WhatsApp had “conflated” NSO Group’s actions with the actions of NSO’s “sovereign customers”. While NSO Group licenses its signature spying technology, Pegasus, to government law enforcement and intelligence agencies and assists with “training, setup, and installation”, it said it did not operate the technology.

“Government customers do that, making all decisions about how to use the technology,” NSO said in its legal filing. “If anyone installed Pegasus on any alleged “target devices” it was not [the] defendants [NSO Group]. It would have been an agency of a sovereign government.”
NSO Group claimed that to challenge such conduct, WhatsApp would have to declare the “sovereign acts” of those governments to be illegal.

“For that reason,” the company said in the filing, “permitting this litigation to proceed would infringe critical national security and foreign policy concerns of sovereign governments”.
The company also highlighted the role it claimed the Israeli government played in its review of NSO Group’s business. The Israeli Ministry of Defense, NSO Group said, could have access to information about NSO Group’s customers and “their intended use of Pegasus technology”.
In a statement, WhatsApp said NSO Group was attempting to “avoid responsibility” and questioned the accuracy of some of the company’s claims, including an allegation in the legal filing that Facebook had wanted to procure some of NSO Group’s technology in 2017.
In a sworn statement filed to the court, Shalev Hulio, an NSO Group co-founder, said that NSO had been approached by two Facebook representatives in October 2017 and asked about the right to “certain capabilities of Pegasus”, which the representatives had suggested could be used to help monitor users on Apple devices.

NSO Group declined to comment to the Guardian’s questions about the alleged meeting between Facebook and NSO and said it would not reveal the identity of the individuals. WhatsApp said the description of the discussions was an “inaccurate representation”. It declined to provide further comment.

The Powerful Global Spy Alliance You Never Knew Existed

It is one of the world’s most powerful alliances. And yet most people have probably never heard of it because its existence is a closely guarded government secret.

The “SIGINT Seniors” is a spy agency coalition that meets annually to collaborate on global security issues. It has two divisions, each focusing on different parts of the world: SIGINT Seniors Europe and SIGINT Seniors Pacific. Both are led by the U.S. National Security Agency, and together they include representatives from at least 17 other countries. Members of the group are from spy agencies that eavesdrop on communications – a practice known as “signals intelligence,” or SIGINT.
Details about the meetings of the SIGINT Seniors are disclosed in a batch of classified documents from the NSA’s internal newsletter SIDToday, provided by whistleblower Edward Snowden and published today by The Intercept. The documents shine a light on the secret history of the coalition, the issues that the participating agencies have focused on in recent years, and the systems that allow allied countries to share sensitive surveillance data with each other.
The SIGINT Seniors Europe was formed in 1982, amid the Cold War. Back then, the alliance had nine members, whose primary focus was on uncovering information about the Soviet Union’s military. Following the attacks on the U.S. in September 2001, the group grew to 14 and began focusing its efforts on counterterrorism.
The core participants of the Seniors in Europe are the surveillance agencies from the so-called Five Eyes: the NSA and its counterparts from the U.K., Australia, Canada, and New Zealand. As of April 2013, the other members were intelligence agencies from Belgium, Denmark, France, Germany, Italy, the Netherlands, Norway, Spain, and Sweden.

The alliance – which the NSA sometimes refers to as the “14 Eyes” – has collaborated to monitor communications during major European events, such as the Olympics in 2004 (hosted in Greece), the Winter Olympics in 2006 (hosted in Italy), and the soccer World Cup in summer 2006 (hosted in Germany). Between 2006 and 2007, as part of a counterterrorism operation, the agencies began working on “exploitation of the Internet,” which was described by the NSA as a “huge step forward” for the group, because some members of the alliance had previously been “reluctant to acknowledge there was such a thing as the Internet.”


As of 2010, the agencies were focused on targeting suspected terrorists, sharing intelligence related to piracy in the Horn of Africa, and they were collaborating on the development of new surveillance tools and techniques. According to the documents, the Seniors Europe had its own dedicated communication network called SIGDASYS, through which each agency can share copies of intercepted communications. The group also used a system called CENTER ICE to share intelligence about the war in Afghanistan.

The documents indicate that the Seniors Europe holds an annual conference, each time in a different location. In 2013, for instance, the group gathered in Sweden; in 2011, it met in the U.K.; in 2010, in Germany; and in 2009, in Canada. In 2013, the NSA expressed an interest in creating a permanent facility that would host representatives from the Seniors Europe in a joint collaborative space. The NSA discussed the idea with its U.K. counterpart, Government Communications Headquarters, or GCHQ. The British were “all in” on the proposal, according to the NSA. However, from some unnamed members of the SIGINT Seniors, there was “persistent pushback” on the plan.
The NSA thought the facility would be best hosted in the U.K., as this would “be optimal in terms of having the most flexibility in tuning the operation to benefit the Five Eyes.” The agency also suggested the idea of France potentially hosting the unit but outlined its reservations about setting up the spy hub in continental Europe. “Some European nations may be leery about hosting a facility in their nation,” the NSA noted, partly due to “associated concerns for European human rights laws.” (Both NSA and its British counterpart, GCHQ, declined to answer questions for this story. GCHQ issued a statement asserting that it adheres to “a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate.”)
The Pacific division of the SIGINT Seniors is younger than the European branch. The NSA formed it in 2005, with the aim of “establishing a collaborative effort to fight terrorism in the Asia-Pacific region.” In March 2007, the NSA said that it was in the process of “raising ideas for expanding [SIGINT Seniors Pacific’s] intelligence focus beyond counterterrorism.”

The founder members of the Pacific alliance were the spy agencies from the Five Eyes, as well as South Korea, Singapore, and Thailand. By 2013, France and India had joined the Pacific group. The NSA was particularly keen on having India on board as part of a broader U.S. government effort to improve relations with the country, and “felt strongly that India’s participation in multilateral intelligence sharing would help mature its Indian SIGINT agencies as well as provide regional [counterterrorism] expertise.” In March 2008, then-NSA Director Gen. Keith Alexander led a delegation of officials – including representatives from Singapore and New Zealand – to New Delhi, where he asked India’s spy agencies if they would like to join forces. Three months later, the Indians accepted.

The Pacific group used a system called CRUSHED ICE to share information. According to an NSA document dated from November 2007, CRUSHED ICE is a secure network that enables sharing of secret intelligence, collected from intercepted communications, about counterterrorism. “The system allows for collaboration by way of voice, binary-file/email exchanges, analysis, and reporting, graphics and mapping, communities of interest, collection management, and other applications as needed,” the November 2007 document stated.
For the countries invited to participate in the SIGINT Seniors, there are obvious benefits. They can learn new surveillance techniques from the world’s most powerful spy agencies and at the same time, obtain information about their own countries or regions that they otherwise may have been unable to access. But not all nations who have been invited to join the alliance have jumped on board. According to an NSA document from March 2007, Japan refused to sign up to the Pacific group, expressing concerns that “unintended disclosure of its participation would be too high a risk.”
A downside of SIGINT Seniors is the risk that a partner will mishandle sensitive information. This happened on at least one occasion with India. By the time terrorists had struck Mumbai in a series of attacks in November 2008, the country had been admitted to the Pacific group. The NSA was passing the Indians selected top-secret material, such as interrogation reports and recordings of intercepted phone calls. In the weeks following the Mumbai incident, India began leaking some of the intelligence — “at times it seemed a daily occurrence,” the NSA’s country desk officer complained. The NSA limited the provisioning of top-secret information to India after repeated warnings and meetings left it dissatisfied. Still, the NSA, which had deployed analysts to India, remained hopeful Indian intelligence agencies would “mature … into the partners NSA needs in South Asia.”
The SIGINT Seniors likely remains active today and has probably grown its capabilities in recent years. According to the 2013 “black budget” – a portion of the U.S. federal budget dedicated to secret intelligence-gathering work – the NSA was that year working to bolster both the European and Pacific branches of the SIGINT Seniors, and planned to “expand the level of cooperation on [counterterrorism] and explore other potential areas of collaboration.”

Indian government proposes an encryption plan that would mandate backdoors.



The global debate over encryption reached India this weekend as the country’s government became the latest to publicly wrestle with the growing popularity of strong cryptography and its implications for law-enforcement operations.

The government of India, the world’s most populous democracy, released a draft National Encryption Policy over the weekend that would require all individuals and businesses using encryption to store decrypted versions of data for 90 days, available for law enforcement to demand pursuant to the country’s laws. The law would apply to everyone using services in India, even if they are not Indian citizens.
The policy also says that “encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time,” introducing the strong possibility of a legally mandated backdoor allowing the government to access encrypted data.
The policy would not apply to “sensitive departments/agencies of the government” but would apply to Central and State Government Departments, an exception deemed hypocritical by civil-liberties advocates.
The document is the work of an unspecified “expert group” inside India’s Department of Electronics and Information Technology (DeitY).
Other than releasing the draft, which is open to public comment until Oct. 16, Indian officials have not addressed its subject matter or responded to the intense criticisms it has generated.
India’s new draft policy comes in the midst of an ongoing global encryption debate that has pitted privacy activists and law enforcement officials in multiple countries against each other. As strong encryption becomes more prevalent, its implications for law-enforcement and national-security investigations become more worrisome to government officials.
In the U.S., the years-long public debate on the issue has seen the director of the FBI accusing companies like Apple of aiding terrorists by locking out government investigators. But the White House hasn’t taken a position in the debate, and reports suggest that the Obama administration is preparing to publicly support widespread strong encryption against the wishes of some intelligence officials.
Obama, who is being presented with multiple options by the National Security Council, seems likely to back off of a plan similar to India’s draft proposal.
In Europe, however, the debate is shifting in the opposite direction. A bill dubbed the “snoopers’ charter,” which is expected to become law in the newly empowered Conservative government, would ban apps from operating in the U.K. unless they contained a backdoor allowing government access to encrypted data.

Security experts across the world have slammed backdoors as unfeasible and insecure technical solutions.

“The path to hell starts at the backdoor,” Brad Smith, general counsel and executive vice president of legal and corporate affairs at Microsoft, said at the World Economic Forum. “You should not ask for backdoors. That compromises protection for everyone against everything.”

Privacy advocates in India immediately slammed the government’s draft policy. Pranesh Prakash, policy director at the Bengaluru-based Center for Internet and Society, told the Times of India that the policy was a “bad idea conceived by people who do not understand encryption,” because it exposed businesses and individuals to hackers like those who infiltrated Ashley Madison and those who have repeatedly broken into U.S. government systems.
Update 9:12am, Sept. 22: The Indian government has withdrawn the draft of its encryption proposal, arguing that it was misunderstood and did not reflect the government’s full views of encryption priorities.

Tesla stock closes above $420, 16 months after Musk tweeted price as goal

Shares of electric-car maker Tesla closed above $420 on Tuesday — more than a year after tweeting about that mythical, magical number got CEO Elon Musk in trouble with securities regulators.
Tesla closed at $425.25 a share at 1 p.m. Eastern Time, after breaching the $420 mark in intraday trading on Monday. The new high brings the company's total stock market value to $76.6 billion.
In a tweet Monday, Musk crowed about the brief intraday breach: "Whoa ... the stock is so high lol," the chief executive wrote, with a wink to "420," a classic reference to marijuana. 


The symbolism of the $420-a-share figure for Tesla goes back 16 months. In August 2018, Musk tweeted, "Am considering taking Tesla private at $420. Funding secured," sending the company's stock soaring. It turned out, though, that he did not have funding secured, and that he chose the $420 figure in a back-of-the-envelope calculation, and also because he "thought his girlfriend 'would find it funny.'"



Sunday, 12 April 2020

Privacy Protection: INDIA SEEMS TO BE GOING THE NSA-PRISM WAY, WHEN IT COMES TO SURVEILLANCE









By Anita Gurumurthy and Amrita Vasudevan


It is a well-known fact that privacy laws in India are not taken that seriously. We all register on social media websites and use their apps. But barely any of us bother to read through the terms and conditions. And social media sites could end up taking advantage of the fact. Most times knowingly (we know that the free service comes at the cost of our data and attention), and at times unknowingly (when data is shared with authorities). Recently, it was learned that social media sites such as Facebook, Instagram and Twitter were sharing data with third-party apps such as Geofeedia. This is a location-based analytics platform that was used by American law enforcement agencies as a surveillance tool to track and monitor protest activity.
Contract-driven interactions
In the Indian context, there is little protection against such an activity by a third-party site. India does not have a data protection regime (apart from the limited Sensitive Personal Data Rule, 2011, but this is limited to only certain kinds of data that are listed and does not cover photos, messages, contact lists, etc., available on social media sites). In the absence of such a regime, which most countries in the North have, our interactions with social media apps are only contract-driven, that is, bound by the dense and often overlooked Terms of Service, which we just 'accept' with a click.
These agreements are boilerplate, and there is no room for negotiation. Take, for instance, Uber's user agreement, where the user gives up total control over data through royalty-free licenses that Uber grants itself through its terms and conditions. Please note that this is a “worldwide, perpetual, irrevocable, transferable, royalty-free license with the right to sublicense, to use, copy, modify, create derivative works of, distribute, publicly display, publicly perform, and otherwise exploit in any manner” user data. This actually means that what Uber then does with the data for commercial gain is something we write off just by downloading the app and beginning to use Uber.
In the National Privacy Principles developed by the Group of Experts on Privacy led by Justice Shah, Principle 6: Disclosure of Information Principle states that: A data controller shall not disclose personal information to third parties, except after providing notice and seeking informed consent from the individual for such disclosure.
This reiterates the fact that if we had data protection legislation, it would give us some standing with respect to the use/misuse of our data.
Who's responsible?
But coming back to the case of Geofeedia sharing data available via Facebook and Twitter's APIs with law enforcement authorities, who could misuse it to fulfill their purposes, who would the ultimate onus lie with? Is it Geofeedia who is to be held accountable, or is it the original social network that is sharing its APIs with third parties which are then using it for their own purposes?
There are different situations here: one is social media companies providing data to law enforcement agencies, and the other is the sharing of data for commercial purposes.
With respect to the first kind, in India we seem to be going the NSA-PRISM way with respect to surveillance by setting up the Central Monitoring System (CMS). Unlike earlier surveillance regimes, CMS will not require the intervention of any communication/internet service provider (ISP), and can directly monitor communications in real time. There are no legal safeguards against the misuse of communication information or frameworks of accountability of law enforcement agencies. At this point we do not know what the data retention guidelines (that are expected to be issued) will look like, but the consequences of a CMS can be chilling.
I don't think we can say what effect the guidelines will have on the CMS, but if the government has direct access to communications and need not go through the intermediary at all, then these retention guidelines seem futile. Especially since the CMS requires no trigger for surveillance. Communication service providers are subject to licensing conditions that require direct access to communications without a warrant.
On the other hand, Section 67C (under which the retention guidelines are to be issued) is very wide, and does not provide circumstances under which data may be retained. The guidelines that are imminent could provide some clarity, and also limit the duration for which social networks can retain user data.
On commercial sharing of data: as stated earlier, in India we are at the mercy of the copious T&C that we sign on to, to be able to access the benefits of the platform. The advertising model for revenue generation that most internet companies rely on requires the collection of user data to target their advertisements. Essentially, services that are given to us ‘free’, like Facebook, Gmail, Twitter or Uber, are being subsidized by our data.
Privacy policies are fluid
Sometimes, privacy policies are altered after the user clicks ‘accept’, in ways that compromise the users’ privacy (again, you just don't have any other option except to opt out), and often, when such alterations happen, terms of use deem the continued use of the application as acceptance of revised privacy policies.
After its acquisition by Facebook, WhatsApp suddenly announced changes to its privacy policy which would allow it to share user data with Facebook. Two students challenged WhatsApp’s revision to its privacy policy before the Delhi High Court. The Court dismissed the petition, insisting that users could opt out by deleting their accounts.
When a similar challenge was mounted before the authorities in the UK, Facebook had to put a pause on its data sharing, and this was because of the UK's strong data protection policy. Under the UK data protection law, the company has to inform the authority established under the Act of any changes in the use of user data. In the case of WhatsApp, the UK authority objected to such sharing.
When Windows 10 was launched, users were allocated an advertising ID for targeted advertising and data collection by Microsoft's personal assistant, Cortana. What we see is that a decision on whether or not to trade my privacy for a service is not left to the user. Privacy experts and human rights activists have been arguing that a better approach to managing targeting would be to allow consumers to opt into services. But this is something that commercial interests have really opposed. For instance, in the US, when Senator Ellen Corbett from California introduced a bill to give consumers greater control over their private data by making the default setting on social networking sites privacy-compliant, Facebook, Google, Skype, and Twitter banded together to oppose it.
We need a data protection law that contains the national privacy principles that the Justice Shah committee had listed, and we do require a regulatory authority to be set up that can implement the law. Till that happens, we are at the mercy of the terms and conditions of apps and services that we accept.
Anita Gurumurthy and Amrita Vasudevan are with IT for Change, an NGO in Bengaluru that works at the intersection of digital technologies, development, and social justice.

Tuesday, 28 March 2017

Telcos ask DoT for mechanism to control mobile handset quality

NEW DELHI: The COAI has flagged the issue of mobile device quality impacting data throughput and call drops, and asked the government to work out a "proper mechanism" to control the quality of handsets in the country.

The cellular operators' body has claimed that there has been a "massive influx of untested and uncertified smartphones (more than 10,000 models in India) due to design variations introduced by the device manufacturers".

The Cellular Operators Association of India (COAI) contended that the onus of call drops and service quality has been attributed squarely to operators in the recent past, but "the role of devices in issue of service quality and call drops has not been considered adequately".

It has sought an "urgent policy intervention", drawing attention of the Telecom Department to degradation in data in case of dual SIM LTE mobile devices.

"...it is of paramount importance that a proper mechanism to address and control the quality of mobile devices in India is devised. In absence of such a regime, the impact on network quality could blow out of proportion, especially with the influx of more affordable devices in the market and the creation of new device ecosystem with Internet of Things," the association said.

COAI has shot off a letter to Telecom Commission Chairman claiming that tests conducted on some dual SIM 4G handsets revealed that placing a SIM, which has only 4G-LTE capability, in the second slot (meant for 2G only) significantly deteriorated the throughput of any other operator's 4G SIM present in the main slot, by up to 40 per cent.


"The analysis so far points to a chipset specific implementation by MediaTek. All the device models that have the MediaTek chipsets are likely to have this issue. It is estimated that MediaTek chipsets are present in more than 35 per cent of the smartphones in the country," COAI alleged.


Responding to the charges, a MediaTek India representative said that the company "recently became aware of these reports and it is of the utmost priority to address".


"While MediaTek's solutions are globally compliant and fully adhere to all global standard bodies-defined guidelines, we are already working closely with all the telecom operators to ensure any reported issues are resolved...The Indian mobile market is a key focus and of great importance for MediaTek," the company representative said in a statement.


The letter by COAI Director General Rajan S Mathews has further urged the Telecom Department to mandate that original equipment manufacturers (OEMs) of mobile devices should fix the issue using an 'over the air' upgrade in the next four weeks, and in the case of non-compliance, such devices should be taken off the market.


"The sale of any mobile device that has been found to be adversely impacting the data throughput should be banned," COAI suggested, adding that policy norms should be issued for enforcing the device and network standards such as minimum processor and memory requirements.