“We at Apple believe that privacy is a fundamental human right,” he said. “But we also recognize that not everyone sees things as we do. In a way, the desire to put profits over privacy is nothing new.”
As recent data scandals at Facebook and Google exposed the companies’ lax security and privacy practices, Cook is cashing in on a long-term bet that privacy could differentiate his company from competitors. For years, Apple has sought to position itself as a fierce advocate for privacy, reminding customers its products are its ubiquitous phones, laptops and software services — not their data.
Yet Apple’s strategy has sometimes hurt the company in Washington. During the fallout of the Snowden revelations, the company began encrypting its devices end-to-end so only customers — not Apple — had access to their personal data. This move earned the company kudos among privacy advocates, but strained its relationship with law enforcement because it could no longer turn over some of the personal data requested for investigations.
But as public scrutiny has shifted from concerns about the government’s surveillance practices to worries about the private sector’s overreach, Apple’s fortunes may be reversing. Its tough privacy stance could improve the company’s standing among lawmakers who are increasingly concerned about the tech industry’s ability to police itself -- and its open embrace of regulation could help ensure they don't impose a law the company would oppose.
Apple seems poised to support privacy regulations that probably would hamper other technology companies whose business models rely on customers freely and frequently sharing personal information. From the well of the the European Union Parliament, Cook praised the EU’s Global Data Protection Regulation, which other companies have criticized as cumbersome and posing a risk to innovation.
“It is time for the rest of the world — including my home country — to follow your lead,” he told the lawmakers in Brussels.
He also called for privacy laws rooted in the principle that companies should remove personally identifiable elements from customer data — or not collect it in the first place — to minimize the amount of personal data collected. He said data belongs to users, who should be able to correct and delete it.
Cook’s remarks underscore how challenging it will be for the industry to reach a consensus on federal privacy legislation, and seemed to draw battle lines with other companies. While Apple does not rely on data collection from its customers to survive, those companies' business models depend on consumers sharing data they can use to sell ads or to develop new technologies such as artificial intelligence. Facebook’s recent Cambridge Analytica scandal exposed the company’s broad data collection practices, and pushed it to tighten up its data security policies.
Cook suggested that other companies are not truly serious about making privacy a priority. As the looming possibility of a patchwork of state privacy laws pushes the tech industry into talks about privacy legislation, he criticized companies that support privacy reform in public but “resist and undermine it behind closed doors.”
“They may say to you, ‘our companies will never achieve technology’s true potential if they are constrained with privacy regulation,’" Cook said. “But this notion isn’t just wrong, it is destructive.”
My colleague Tony Romm contacted Google and Facebook for a response to Cook’s remarks. They did not immediately respond. Facebook chief executive Mark Zuckerberg and Google chief Sundar Pichai are set to deliver their own addresses, by video, to the conference later Wednesday.
Cook's speech earned praise from other companies and privacy advocates.
Microsoft, which has adopted GDPR as its global privacy standard, supported his speech. Julie Brill, Microsoft vice president for global and regulatory affairs, weighed in:
Cam Kerry, former general counsel for the U.S. Department of Commerce, said the speech marked a significant shift:
Yet the road to consensus is a long one. As technology industry trade groups scramble to develop privacy frameworks, they’re struggling to balance the divergent views of their members. One of the largest industry trade groups, Technet, is tasked with representing a wide range of technology companies in Washington, including Apple, Google and Facebook. Spokesman Alex Burgos said the group is currently navigating its members’ diverse perspectives.
“It’s a balancing act in any trade association,” he said.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: “Cybersecurity researchers have linked a Russian government lab to a potentially deadly cyberattack last year at a Saudi petrochemical plant, part of a global operation to target computers that operate critical industrial systems,” The Washington Post's Ellen Nakashima and Aaron Gregg reported. “In a blog post published Tuesday, the firm FireEye said it has ‘high confidence’ that a government-owned research facility in Moscow built some of the malware used in the attack, which temporarily halted operations at the plant. During the attack, the malware triggered a safety system that shut down operations. Had that not happened, the attackers could have set off a potentially deadly chain of events, FireEye researchers said.”
The attack used a kind of malware that FireEye calls Triton. “FireEye said it linked the attack to the Central Scientific Research Institute of Chemistry and Mechanics through clues such as IP addresses and malware that revealed the online nickname of a hacker who worked for the lab,” Ellen and Aaron wrote. “The researchers also found computer code written in Cyrillic and noted that the attackers kept Moscow working hours — all potential signs the hackers were Russian.” However, as my colleagues reported, FireEye said in a blog post that it does “not have specific evidence to prove” that the Russian institute developed Triton.
FireEye also assessed with “high confidence” that it found a “malware testing environment” that was used to “refine” some of the hacking group's tools. “Triton comprises both malware that infects targets, and a framework for manipulating industrial control systems to gain deeper and deeper control in an environment,” Wired's Lily Hay Newman reported. “Triton attacks seem to set the stage for a final phase in which attackers send remote commands that deliver an end payload. The goal is to destabilize or disable an industrial control system's safety monitors and protection mechanisms so attackers can wreak havoc unchecked.”
PATCHED: “Amazon.com pitched its facial-recognition system in the summer to Immigration and Customs Enforcement officials as a way for the agency to target or identify immigrants, a move that could shove the tech giant further into a growing debate over the industry’s work with the government,” The Post's Drew Harwell reported Tuesday. “The June meeting in Silicon Valley was revealed in emails as part of a Freedom of Information Act request by the advocacy group Project on Government Oversight; the emails were published first in the Daily Beast. They show that officials from ICE and Amazon Web Services talked about implementing the company’s Rekognition face-scanning platform to assist with homeland security investigations.” As Drew noted, Amazon has several contracts with the government but none with ICE at the moment. (Amazon founder and chief executive Jeffrey P. Bezos owns The Washington Post.)
“An Amazon Web Services official who specializes in federal sales contracts, and whose name was redacted in the emails, wrote that the conversation involved ‘predictive analytics’ and ‘Rekognition Video tagging/analysis’ that could possibly allow ICE to identify people’s faces from afar — a type of technology immigration officials have voiced interest in for its potential enforcement use on the southern border,” my colleague wrote.
PWNED: BuzzFeed News's Craig Silverman published an in-depth article Tuesday describing “a massive, sophisticated digital advertising fraud scheme involving more than 125 Android apps and websites connected to a network of front and shell companies in Cyprus, Malta, British Virgin Islands, Croatia, Bulgaria, and elsewhere.” Here is how the scheme operates: “One way the fraudsters find apps for their scheme is to acquire legitimate apps through We Purchase Apps and transfer them to shell companies,” Silverman wrote. “They then capture the behavior of the app’s human users and program a vast network of bots to mimic it, according to analysis from Protected Media, a cybersecurity and fraud detection firm that analyzed the apps and websites at BuzzFeed News' request.”
Moreover, as Silverman reported, “a person involved in the scheme estimates it has stolen hundreds of millions of dollars from brands whose ads were shown to bots instead of actual humans.” This scheme also shines a light on the threats that Android users can face, according to BuzzFeed News. “Experts say a scheme like this targets Android in part because of its huge user base, and because the Google Play store has a less rigorous app review process than Apple’s App Store,” Silverman reported. “Android apps are bought and sold, injected with malicious code, repurposed without users’ or Google’s knowledge, or, as in this case, turned into engines of fraud.”
— Speaking in Moscow on Tuesday, national security adviser John Bolton said the U.S. government is “monitoring the potential for foreign interference in our elections across the board very closely.” Bolton also said that Russia's efforts to interfere in the 2016 U.S. presidential election did not change the outcome but deteriorated the relationship between the two countries. “What the meddling did create was distrust and animosity within the United States, and particularly made it almost impossible for two years for the United States and Russia to make progress diplomatically,” Bolton said. “So that's a huge loss to both countries, but particularly to Russia. So it's a lesson, I think: Don't mess with American elections.”
— The effectiveness of U.S. Cyber Command’s operation to deter Russian operatives from interfering in the upcoming U.S. midterms by telling them that the United States is tracking their efforts is unclear, my colleague Ellen Nakashima reported yesterday. “It is not clear how effective a deterrent such warnings will be against Russian operatives such as those who brazenly assaulted U.S. political campaigns and ran disinformation operations to sow discord in the 2016 election season and sought to tip it in favor of Donald Trump,” Ellen wrote. “Such messages could indicate to the Russians that if they continue malicious activities, they might become the target of U.S. sanctions or indictments, experts said.”
Thomas Rid, a professor of strategic studies at Johns Hopkins University, told my colleague that an operation of “semi-covert messaging is likely to inject friction, if not fear, into the ranks of Russian covert operators.” Michael Carpenter, a former deputy assistant U.S. secretary of defense whose responsibilities included Russia policy, had a different opinion. “I’m skeptical that mere warnings to Russian operatives will serve as an effective deterrent,” he said, as quoted by Ellen.
— Three Democrats who sit on the Senate Intelligence Committee already wanted Director of National Intelligence Daniel Coats to weigh in on President Trump's comments about Chinese interference in U.S. politics, and now they have one more request. “On October 4, 2018, we wrote to inquire whether the President’s statement that China was attempting to interfere in the upcoming 2018 election was consistent with the assessments of the Intelligence Community (IC),” Sens. Ron Wyden (Ore.), Martin Heinrich (N.M.) and Kamala D. Harris (Calif.) said in a letter to Coats on Tuesday. “In addition to providing a public response to that inquiry, we ask that you address whether the President’s statement on 60 Minutes that China ‘meddled’ in the 2016 U.S. election is consistent with IC assessments.” The senators asked that Coats reply by Friday.
— More cybersecurity news from the public sector:
— “Yahoo has agreed to pay $50 million in damages and provide two years of free credit-monitoring services to 200 million people whose email addresses and other personal information were stolen as part of the biggest security breach in history,” the Associated Press's Michael Liedtke reported Tuesday. “The restitution hinges on federal court approval of a settlement filed late Monday in a 2-year-old lawsuit seeking to hold Yahoo accountable for digital burglaries that occurred in 2013 and 2014, but weren’t disclosed until 2016.”
— More cybersecurity news from the private sector:
- CyberCon 2018 organized by Fifth Domain on Nov. 1 in Arlington, Va.