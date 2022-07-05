

Good morning and happy Tuesday! I hope you had a safe, relaxing long weekend. As always, you can send me tips and comments: aaron.schaffer@washpost.com

Below: A hacker claims to offer billions of records on Chinese citizens, and a bug bounty firm admits that it had an insider threat.

Law enforcement often turns to Google for help

Google has said it will begin automatically deleting location data when users visit abortion clinics and other highly sensitive locations.

The announcement, which came last Friday, underscores a deeper issue to privacy advocates: that the search engine giant and other tech companies are still amassing troves of data on their users that could be used in prosecutions for illegal abortions. Some abortion rights advocates fear states could allow patients themselves to be prosecuted, although the state bans so far only target abortion providers.

Indeed, Google is an attractive target for law enforcement. The company received more than 40,000 U.S. search warrants and subpoenas in the first half of last year, according to data it released on its website.

Law enforcement officials have used the requests in creative ways:

In 2019, Google gave Wisconsin investigators data on people who had searched for a sexual abuse victim on its site, Forbes’s Thomas Brewster reports. Lawyers and privacy advocates are challenging the constitutionality of a similar warrant in Colorado, Brewster reports.

The FBI used “geofence” warrants to map out the phones inside the Capitol on Jan. 6, 2021.

And, prosecutors have used web searches and histories to go after women in Indiana and Mississippi over the past decade, my colleagues Cat Zakrzewski, Pranshu Verma and Claire Parker reported this weekend.

Google has “long focused on minimizing the data we use to make our products helpful and on building tools that allow people to control and delete data across our platforms,” spokesman Matt Bryant told The Post's Geoffrey A. Fowler in an email.

Yet Google’s announcement about automatically deleting abortion-related location data “does not specifically say how the company will respond to abortion-related requests,” my colleague Gerrit De Vynck writes. And Google’s settings put the onus on the user to limit the company’s data collection, and few users probably end up turning on those settings, Geoffrey argues.

Post-Roe world

Google and what it does with personal data is under heightened scrutiny as states begin restricting access to abortions now that the Supreme Court has overturned Roe v. Wade, the 1973 ruling giving women a right to an abortion.

“The way tens of millions of Americans use everyday Google products has suddenly become dangerous,” Geoffrey writes. “Following the Supreme Court decision to overturn the landmark Roe v. Wade ruling, anything Google knows about you could be acquired by police in states where abortion is now illegal. A search for ‘Plan B,’ a ping to Google Maps at an abortion clinic or even a message you send about taking a pregnancy test could all become criminal evidence.”

The danger of data collection feels different in the wake of Roe v. Wade’s overturning, said Shoshana Zuboff, an emerita Harvard Business School professor who popularized describing Google’s business as “surveillance capitalism” and supports abortion rights.

“Every device becomes our potential enemy,” she told Geoffrey.

“The harsh reality is that while we’re now worried about women who seek abortions being targeted, the same apparatus could be used to target any group or any subset of our population — or our entire population — at any moment, for any reason that it chooses,” she said. “No one is safe from this.”

Decreasing data

Geoffrey’s simple suggestion: Collect less data. That would put it more in line with what rival privacy-focused DuckDuckGo is doing, but would also be a big shift for Google, which gets ad revenue partly as a result of collecting data on users.

Google could change its settings to automatically delete user searches and other data after a week or less, give users who use its Incognito mode the ability to be anonymous online and secure chats on its platforms, Geoffrey suggests.

But any fix that’s narrowly tailored to abortion risks leaving adjacent, potentially incriminating data up for grabs. Even queries “seemingly unrelated to abortion may still be used against people seeking care or those who assist them,” Matt Cagle, senior staff attorney at the ACLU of Northern California, told Geoffrey.

The keys

Hacker claims to offer billions of Chinese police records for sale

The hacker claims that the trove has data on a billion Chinese citizens and has sensitive information like summaries of incidents over two decades, the Wall Street Journal’s Karen Hao and Rachel Liang report.

It would amount to one of the largest leaks of personal data ever if it checks out. Five people whose information was in the leak told the Wall Street Journal that the data on them was correct. Some phone numbers in the leak were no longer in use, though.

One man who reported being scammed sighed when the Journal told him that his records were exposed. “We are all running naked,” he said, using a Chinese phrase to describe not having privacy.

The hacker claims that the records came from police in Shanghai, which is China’s most populous city. They said they targeted Alibaba cloud subsidiary Aliyun, which they said hosted the database. The hacker is offering the data for 10 bitcoin (around $200,000). Some experts told the Journal that asking for such a large amount of money could hint at the possibility that the hacker is exaggerating or lying about the leak.

Alibaba said it's investigating the incident, the Wall Street Journal reports. Shanghai police and China's internet regulator didn't respond to the outlet's request for comment.

Some of TikTok’s Chinese employees can access user data, company tells GOP senators

TikTok chief executive Shou Zi Chew told nine Republican senators that TikTok parent ByteDance’s Chinese employees access data on TikTok’s U.S. users when they pass internal security controls, Bloomberg’s Alex Barinka reports. TikTok has long been scrutinized for its data security practices. TikTok’s Chinese engineers can access U.S. user data, BuzzFeed News reported last month.

“We know we're among the most scrutinized platforms from a security standpoint, and we aim to remove any doubt about the security of U.S. user data,” TikTok told BuzzFeed News at the time. “That's why we hire experts in their fields, continually work to validate our security standards, and bring in reputable, independent third parties to test our defenses.”

Last month, TikTok said it would move its U.S. user data to Oracle’s cloud infrastructure, CNN reported. FCC Commissioner Brendan Carr, a Republican, said that didn’t address his concerns and he called on Apple and Google to remove TikTok from their app stores last month. TikTok executive Michael Beckerman said on CNN this weekend that he had “reached out to Commissioner Carr and his office and offered to go in and brief him,” with the hope of being able to “set the record straight with him.”

Employee stole researcher-reported vulnerabilities, firm says

The malicious HackerOne employee got in touch with seven companies to report vulnerabilities that they saw when they were working at HackerOne, a platform that lets researchers report software vulnerabilities and get bug bounties, Bleeping Computer’s Ionut Ilascu reports. The employee received bounties from at least some of the companies they reported the stolen bugs to.

HackerOne says it fired the employee. “Subject to review with counsel, we will decide whether criminal referral of this matter is appropriate,” it said. “We continue forensic analysis on the logs produced and devices used by the former employee.”

Global cyberspace

