Trump Bans TicToc For Violating Your Privacy Rights While Giving US-Based Firm Go Ahead (#GotBitcoin?)
U.S. Government Contractor Embedded Software In Apps To Track Phones
Anomaly Six has ties to military, intelligence agencies and draws location data from more than 500 apps with hundreds of millions of users.
A small U.S. company with ties to the U.S. defense and intelligence communities has embedded its software in numerous mobile apps, allowing it to track the movements of hundreds of millions of mobile phones world-wide, according to interviews and documents reviewed by The Wall Street Journal.
Anomaly Six LLC, a Virginia-based company founded by two U.S. military veterans with a background in intelligence, said in marketing material it is able to draw location data from more than 500 mobile applications, in part through its own software development kit, or SDK, that is embedded directly in some of the apps.
An SDK allows the company to obtain the phone’s location if consumers have allowed the app containing the software to access the phone’s GPS coordinates.
App publishers often allow third-party companies, for a fee, to insert SDKs into their apps. The SDK maker then sells the consumer data harvested from the app, and the app publisher gets a chunk of revenue.
But consumers have no way to know whether SDKs are embedded in apps; most privacy policies don’t disclose that information. Anomaly Six says it embeds its own SDK in some apps, and in other cases gets location data from other partners.
Anomaly Six is a federal contractor that provides global-location-data products to branches of the U.S. government and private-sector clients. The company told The Wall Street Journal it restricts the sale of U.S. mobile phone movement data only to nongovernmental, private-sector clients.
Numerous agencies of the U.S. government have concluded that mobile data acquired by federal agencies from advertising is lawful. Several law-enforcement agencies are using such data for criminal-law enforcement, the Journal has reported, while numerous U.S. military and intelligence agencies also acquire this kind of data.
Many private-sector companies in the advertising and marketing world buy and sell geolocation data, sometimes reselling it to government agencies or contractors. But the direct collection of such data by a business closely linked to U.S. national security agencies is unusual.
Anomaly Six was founded by defense-contracting veterans who worked closely with government agencies for most of their careers and built a company to cater in part to national-security agencies, according to court records and interviews.
The firm’s capabilities were described in documents prepared for military officials that were reviewed by the Journal. The company also explained its business practices in a recent briefing to the office of Sen. Ron Wyden, whose staff then described it to the Journal. The Oregon Democrat has been conducting a probe into the sale of Americans’ location data.
“Anomaly Six is a veteran-owned small business that processes and visualizes location data sourced from mobile devices for analytics and insights,” the company said in response to questions for this article.
“We leverage detailed location data from numerous first-party sources to provide insights into groups, behaviors, and patterns.” The company said it acknowledged the “intense scrutiny” around the government use of such data, but said all the data it works with is commercially available and compliant with all laws.
Anomaly Six said it would support regulation to require more disclosure by apps of how data is collected and used. The exact apps the company partners with couldn’t be determined and the company declined to comment, citing confidentiality agreements. The partnerships between data brokers and app makers are typically closely held trade secrets within the world of commercial-data sales.
Asif Khan, a marketing expert and founder of the Location Based Marketing Association, a trade group representing advertising and marketing companies who deal in location data, said the government acquisition of consumer location data has been a longstanding issue for the industry. He said app-makers should be more transparent with consumers about how the data may be used once it is collected.
“You could argue that the government has the right, just like any commercial entity, to buy the data, if the data is available from a commercial supplier,” said Mr. Khan. “But you also need to be able to clearly say ‘this data could be used by government.’”
“I think the average consumer doesn’t have a clue,” he said.
In the data drawn from apps, each cellphone is typically represented by an alphanumeric identifier that isn’t linked to the name of the cellphone’s owner.
But the movement patterns of a phone over time can allow analysts to deduce its ownership—for example, where the phone is located during the evenings and overnight is likely where the phone-owner lives.
The company says it doesn’t meet the definition of a data broker under California law and isn’t required to register. The California attorney general’s office didn’t respond to a request for comment.
According to interviews with numerous people in the industry, there is little regulation in the U.S. about the buying and selling of location data, leading to what one industry veteran called “the Wild West.” Consumers have come to expect free apps, and app makers have turned to selling user data to pay for the costs of developing and running the software, according to people familiar with the industry.
Anomaly Six’s offerings are similar to those of a company called Babel Street, which provides social-media monitoring services to the intelligence community and law-enforcement agencies. A lawsuit filed by Babel Street two years ago against Anomaly Six and its founders offers a window into the competitive and largely secretive market of providing consumer location products to the U.S. government.
The two founders of Anomaly Six formerly worked for Babel Street and left in 2018, according to the lawsuit.
Brandan Huff, a former Army counterintelligence officer, had managed Babel Street’s relationship with the Defense Department and had also worked for numerous other defense contractors. The other, Jeffrey Heinz, was also previously in the U.S. Army and had managed Babel Street’s relationships with the Justice Department, U.S. Cyber Command, civilian federal agencies and the intelligence community, court records show.
One of Babel Street’s products, called “Locate X,” includes the location records of millions of cellphones, drawn from consumer apps. The two former employees set out to build a product to compete with it, according to Babel’s lawsuit. Anomaly Six declined to comment on the lawsuit, which was settled out of court last year.
Babel Street doesn’t publicly advertise Locate X and binds clients and users to secrecy about even its existence, according to contracts and user agreements reviewed by the Journal. Developed with input from U.S. government officials, according to court records, Locate X is widely used by military intelligence units who work on gathering “open source” intelligence, or information taken from publicly available sources.
Babel Street also has contracts with the Department of Homeland Security, the Justice Department, and many other civilian agencies, federal contracting data shows. Babel Street didn’t respond to a request for comment.
Both Babel Street’s and Anomaly Six’s products can be used to combine intelligence gathered in more traditional ways, from clandestine human sources to secret intercepts, with social media data, satellite imagery, and consumer data from the private sector, according to interviews with people familiar with the process and documents reviewed by the Journal.
The information, gathered into what’s known as a “pattern of life” analysis, can provide a richer understanding of the habits and behaviors of potential intelligence targets, and possibly predict their future behavior.
The U.S. isn’t alone in attempting to use mobile-location data for strategic advantage. The National Security Agency this month warned military and intelligence community personnel to sharply limit the location-tracking features on their mobile devices, out of concern that the data could be used by adversaries to reveal sensitive national security information about U.S. operations.
A group of academic researchers using Babel Street’s software were able to monitor the movement of devices at Russian military facilities as part of a project for the U.S. Army, the Journal also reported last month.
Such revelations showcase the power of even commercial data to reveal sensitive information about some of the most secure facilities in the world—and raise privacy concerns about the blurring of the lines between corporate marketing and government surveillance.
“It’s really alarming to learn about companies like this that claim to have years’ worth of location data from all over the world. Revelations like this just keep coming,” said Laura Moy, a law professor at Georgetown University and director of the school’s Communications & Technology Law Clinic.
“Users have no idea that when they install a weather app, a game, or any other innocuous-seeming app that their private location data is going to be harvested and sold. Apparently that’s what’s happening here, and we have no transparency into the practice,” said Ms. Moy.
Anomaly Six isn’t listed in any public spending contracts, and many of Babel Street’s sales to government entities aren’t reflected in public documents either. Anomaly Six said its contracts with the U.S. government were unclassified but confidential, and that it couldn’t reveal which agencies it was working with without permission from those agencies.
TikTok Tracked User Data Using Tactic Banned by Google
The tactic, which experts in mobile-phone security said was concealed through an unusual added layer of encryption, appears to have violated Google policies.
TikTok skirted a privacy safeguard in Google’s Android operating system to collect unique identifiers from millions of mobile devices, data that allows the app to track users online without allowing them to opt out, a Wall Street Journal analysis has found.
The tactic, which experts in mobile-phone security said was concealed through an unusual added layer of encryption, appears to have violated Google policies limiting how apps track people and wasn’t disclosed to TikTok users. TikTok ended the practice in November, the Journal’s testing showed.
The findings come at a time when TikTok’s Beijing-based parent company, ByteDance Ltd., is under pressure from the White House over concerns that data collected by the app could be used to help the Chinese government track U.S. government employees or contractors. TikTok has said it doesn’t share data with the Chinese government and wouldn’t do so if asked.
The identifiers collected by TikTok, called MAC addresses, are most commonly used for advertising purposes. The White House has said it is worried that users’ data could be obtained by the Chinese government and used to build detailed dossiers on individuals for blackmail or espionage.
TikTok, which said earlier this year that its app collects less personal data than U.S. companies such as Facebook Inc. and Alphabet Inc.’s Google, didn’t respond to detailed questions.
In a statement, a spokesperson said the company is “committed to protecting the privacy and safety of the TikTok community. Like our peers, we constantly update our app to keep up with evolving security challenges.”
The company said “the current version of TikTok does not collect MAC addresses.”
Most major mobile apps collect a range of data on users, practices that privacy advocates have long found alarming but that tech companies defend as providing highly customized experiences and targeted advertising. Data collection varies by company.
About 1% of Android apps collect MAC addresses, according to a 2018 study by AppCensus, a mobile-app analysis firm that consults with companies on their privacy practices.
A Google spokesperson said the company was investigating the Journal’s findings and declined to comment on the loophole allowing some apps to collect MAC addresses.
The Trump administration’s national-security concerns prompted ByteDance to explore a sale of TikTok’s U.S. operations with several suitors, including Microsoft Corp. When asked if the company was aware of this data-collection issue, a Microsoft spokesman declined to comment.
The issue involves a 12-digit “media access control,” or MAC, address, which is a unique number found in all internet-ready electronics, including mobile devices.
The MAC address is useful to advertising-driven apps because it can’t be reset or altered, allowing app makers and third-party analytics firms to build profiles of consumer behavior that persist through any privacy measure short of the owner getting a new phone. The Federal Trade Commission has said MAC addresses are considered personally identifiable information under the Children’s Online Privacy Protection Act.
“It’s a way of enabling long-term tracking of users without any ability to opt-out,” said Joel Reardon, an assistant professor at the University of Calgary and co-founder of AppCensus, Inc. “I don’t see another reason to collect it.”
Apple Inc. locked down iPhone MAC addresses in 2013, preventing third-party apps from reading the identifier. Google did the same two years later in Android. TikTok bypassed that restriction on Android by using a workaround that allows apps to get MAC addresses through a more circuitous route, the Journal’s testing showed.
The security hole is widely known, if seldom used, Mr. Reardon said. He filed a formal bug report about the issue with Google last June after discovering the latest version of Android still didn’t close the loophole. “I was shocked that it was still exploitable,” he said.
Mr. Reardon’s report was about the loophole in general, not specific to TikTok. He said that when he filed his bug report, the company told him it already had a similar report on file. Google declined to comment.
TikTok collected MAC addresses for at least 15 months, ending with an update released Nov. 18 of last year, as ByteDance was falling under intense scrutiny in Washington, the Journal’s testing showed.
TikTok bundled the MAC address with other device data and sent it to ByteDance when the app was first installed and opened on a new device. That bundle also included the device’s advertising ID, a 32-digit number intended to allow advertisers to track consumer behavior while giving the user some measure of anonymity and control over their information.
Privacy-conscious users can reset the advertising ID from the settings menu of the device, an action roughly equivalent to clearing cookies in a browser.
Google’s Play Store policies warn developers that the “advertising identifier must not be connected to personally-identifiable information or associated with any persistent device identifier,” including the MAC address, “without explicit consent of the user.”
Storing the unchangeable MAC address would allow ByteDance to connect the old advertising ID to the new one—a tactic known as “ID bridging”—that is prohibited on Google’s Play Store. “If you uninstall TikTok, reset the ad ID, reinstall TikTok and create a new account, that MAC address will be the same,” said Mr. Reardon. “Your ability to start with a clean slate is lost.”
Despite the prohibition, ID bridging is fairly widespread, according to AppCensus, particularly among free gaming apps. But it seldom involves the MAC address, the most persistent identifier accessible in the current version of Android.
In a random study by AppCensus of 25,152 popular internet-enabled Android apps in 2018, only 347, or 1.4%, were seen using the Android loophole to send the MAC address. Of those, only 90 were also transmitting the built-in Android ID, which changes if the device is reset.
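As an added illustration (not code from the Journal, AppCensus or any app discussed here), this is how a privacy auditor could check decoded outbound app traffic for the two problems described above: an advertising ID sent alongside a MAC address, and one MAC address linking the advertising IDs from before and after a reset. The hosts, field names and identifier values are constructed, and the payloads are assumed to be already decoded.

```python
"""Added example: audit decoded app telemetry for ad-ID / MAC co-transmission."""
import re
from collections import defaultdict

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.IGNORECASE)
# Advertising IDs are UUID-formatted: 32 hex digits in 8-4-4-4-12 groups.
AD_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
    re.IGNORECASE)
# Constant that Android's official Wi-Fi API returns to apps since Android 6.
# It identifies nobody, so it is not counted as a persistent identifier.
PLACEHOLDER_MAC = "02:00:00:00:00:00"


def walk_values(obj):
    """Yield every string leaf of a nested dict/list payload."""
    if isinstance(obj, dict):
        for value in obj.values():
            yield from walk_values(value)
    elif isinstance(obj, (list, tuple)):
        for value in obj:
            yield from walk_values(value)
    elif isinstance(obj, str):
        yield obj


def classify(payload):
    """Find identifiers by value shape, since field names vary per app."""
    ad_ids, macs = set(), set()
    for value in walk_values(payload):
        value = value.strip()
        if AD_ID_RE.match(value):
            ad_ids.add(value.lower())
        elif MAC_RE.match(value):
            mac = value.lower().replace("-", ":")
            if mac != PLACEHOLDER_MAC:
                macs.add(mac)
    return ad_ids, macs


def audit(requests):
    """Return (co_sent, bridges) for an ordered list of decoded requests.

    co_sent: (index, host, ad_id, mac) for every request that carries a
             resettable ad ID together with a MAC address.
    bridges: {(host, mac): [ad_id, ...]} where one MAC was seen with more
             than one ad ID, i.e. the recipient can undo an ad-ID reset.
    """
    co_sent = []
    seen = defaultdict(list)
    for index, request in enumerate(requests):
        ad_ids, macs = classify(request["payload"])
        for mac in sorted(macs):
            for ad_id in sorted(ad_ids):
                co_sent.append((index, request["host"], ad_id, mac))
                if ad_id not in seen[(request["host"], mac)]:
                    seen[(request["host"], mac)].append(ad_id)
    bridges = {key: ids for key, ids in seen.items() if len(ids) > 1}
    return co_sent, bridges


# Constructed sample: hosts, keys and identifier values are all made up.
AD_ID_BEFORE = "3f2b8c1e-9d4a-4e6b-8a71-0c5d2e9f1a23"
AD_ID_AFTER = "b71e04c9-2a6f-4d38-9c15-7e8a3f0d6b42"   # after the user's reset
DEVICE_MAC = "a4:5e:60:12:34:56"
SAMPLE_REQUESTS = [
    {"host": "collector.example",
     "payload": {"event": "first_open",
                 "device": {"adid": AD_ID_BEFORE,
                            "hw": {"wifi": "A4-5E-60-12-34-56"}}}},
    {"host": "ads.example",       # placeholder MAC only: not a finding
     "payload": {"adid": AD_ID_BEFORE, "wifi_mac": "02:00:00:00:00:00"}},
    {"host": "collector.example",  # reinstall after ad-ID reset
     "payload": {"event": "first_open", "ids": [AD_ID_AFTER, DEVICE_MAC]}},
    {"host": "cdn.example",       # ad ID on its own: not a finding
     "payload": {"adid": AD_ID_AFTER}},
]

if __name__ == "__main__":
    findings, bridged = audit(SAMPLE_REQUESTS)
    for finding in findings:
        print("ad ID sent with MAC:", finding)
    for (host, mac), ids in bridged.items():
        print(f"{host} can link {len(ids)} ad IDs through {mac}: {ids}")
```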
The Journal’s analysis confirmed some of the behavior detailed in a widely-discussed anonymous Reddit post in April charging that TikTok transmitted a range of personal data to ByteDance servers, including the MAC address. Google said it’s investigating the claims in that post.
The Journal examined nine versions of TikTok released on the Play Store between April 2018 and January 2020. The Journal’s analysis was limited to examining what TikTok collects when freshly installed on a user’s device, before the user creates an account and accepts the app’s terms of service.
Less typical are the measures ByteDance takes to conceal the data it captures. TikTok wraps most of the user data it transmits in an extra layer of custom encryption.
As with virtually all modern apps, TikTok’s Internet traffic is protected by the web’s standard encryption protocols, making it unlikely that an eavesdropper can steal information in transit.
That makes the additional, custom encryption code TikTok applies to user data seemingly extraneous—unless it was added to prevent the device owner from seeing what TikTok was up to, said Nathan Good, a researcher at the International Digital Accountability Council, a watchdog group that analyzes app behavior.
“It doesn’t provide any extra level of Internet security,” agreed Mr. Reardon. “But it does mean that we have no transparency into what’s being sent out.”
It is common for mobile apps to hide parts of their software to prevent them from being copied by competitors, but TikTok’s encryption doesn’t appear to be hiding a proprietary secret, said Marc Rogers, vice president of cybersecurity strategy at Okta, Inc., which provides services that help users securely log in online.
“My guess is that the reason they do that is to bypass detection by Apple or Google because if Apple or Google saw them passing those identifiers back they would almost certainly reject the app,” Mr. Rogers said.
Google should remove TikTok from its platform, said Sen. Josh Hawley (R., Mo.), in a statement to the Journal, when apprised of the findings. Sen. Hawley has been critical of TikTok and a hawk toward China generally.
“Google needs to mind its store, and TikTok shouldn’t be on it,” he said. “If Google is telling users they won’t be tracked without their consent and knowingly allows apps like TikTok to break its rules by collecting persistent identifiers, potentially in violation of our children’s privacy laws, they’ve got some explaining to do.”
Secretive High-Speed Trading Firm Hits Jackpot With TikTok
Susquehanna International Group is sitting on stake in app’s owner estimated at more than $15 billion.
No matter the outcome of the struggle between China and the U.S. over video-sharing app TikTok, an unlikely winner will be a secretive trading firm based outside of Philadelphia.
Susquehanna International Group LLP, an options-trading giant, has largely avoided publicity during its three-decade history.
Susquehanna’s core business is using quantitative models and computers to execute rapid-fire trades in various markets. Such firms tend to rake in profits by making thousands of small trades a day, often holding securities for fractions of a second.
But in the case of TikTok, the firm bet big and held on to its investment for years.
Susquehanna owns around 15% of TikTok owner ByteDance Ltd., according to people familiar with the matter. This makes Susquehanna the largest outside investor in the Beijing-based social-media company. Based on private trades of ByteDance shares earlier this year, Susquehanna is sitting on a stake that could be worth more than $15 billion on paper, according to data firm PitchBook.
The firm’s founding partners are poised to personally profit from the investment more than traditional venture capitalists would, because the firm invests only the partners’ money, according to Susquehanna’s China website. Typically, venture-capital firms raise funds from outside investors and must share profits with them. Susquehanna declined requests to interview its founders.
Susquehanna got into ByteDance early, joining a $5 million investing round in 2012, the year the Chinese company was founded, according to PitchBook. The company’s TikTok app now has hundreds of millions of users globally, about 100 million of whom are in the U.S., many of them teenagers. Susquehanna also invested in Musical.ly, a video app that was bought by ByteDance in 2017 and later folded into TikTok.
The future of the investment is still undecided, with Susquehanna caught in a geopolitical standoff between Washington and Beijing. ByteDance is currently seeking approval from both governments for a deal that would include Oracle Corp. and Walmart Inc. taking a stake in a newly created U.S.-based company and running some of its operations. Regardless of how it plays out, Susquehanna is likely standing on a significant return.
People close to ByteDance say the driving force behind the investment was a pair of local executives at Susquehanna’s China venture-capital unit, SIG Asia Investments: Tim Gong, who has led the unit, and Joan Wang, who was a big early supporter of ByteDance founder Zhang Yiming.
Susquehanna invested in two startups that Mr. Zhang was involved with before founding ByteDance—travel site KuXun and real-estate portal 99Fang—and the firm invested in ByteDance even after the failure of 99Fang. Ms. Wang met Mr. Zhang frequently to advise him on strategy as he cycled through ideas for a business model in ByteDance’s early days.
During the Chinese New Year holidays in 2012, Mr. Zhang met Ms. Wang at a cafe in Beijing and the two discussed artificial intelligence. The meeting planted the seeds for an AI-powered news-aggregation service called Toutiao, which would become ByteDance’s first big hit before TikTok.
At first skeptics doubted Toutiao’s ability to compete with larger rivals Sina Corp. and Sohu Inc. Ms. Wang, an early ByteDance board member, connected potential investors to Mr. Zhang, says Hong Chen, chief executive of Hina Group, a Chinese investment bank and investing firm.
“She was a great helper for ByteDance,” said Mr. Chen, who is friends with Ms. Wang. “She is a very hands-on investor.”
The bridge between ByteDance, Ms. Wang and Susquehanna’s headquarters in Bala Cynwyd, Pa., is Arthur Dantchik, who co-founded the firm with a group of college friends in 1987.
Mr. Dantchik is on the ByteDance board, having taken over the seat initially occupied by Ms. Wang. He would also be a board member of TikTok Global, the proposed U.S.-based spinout that the company is working to create to avoid the app being banned from the U.S. by the Trump administration.
People close to Susquehanna say Mr. Dantchik is an affable, well-liked figure within the firm who was more globally oriented than some of the other founding partners. He helped start SIG Asia Investments in 2004. He has traveled regularly to China and other places where Susquehanna has investments, such as Israel, these people said.
The firm’s roots date back to the State University of New York at Binghamton, where six of its co-founders were students in the 1970s. Most of them shared a love of poker. They initially set up shop in the building of the Philadelphia Stock Exchange. Israel Englander, the billionaire chief executive of hedge-fund firm Millennium Management, helped the crew get its start by sponsoring Susquehanna co-founder Jeffrey Yass for a seat at the exchange. Mr. Yass’s father Gerald also helped set up the firm.
Poker remains a big part of Susquehanna’s culture. The game is part of the training curriculum for new employees, and the firm holds an annual employee poker tournament, detailed in a blog on Susquehanna’s website. Another co-founder, Eric Brooks, won first place in a seven-card stud event at the 2008 World Series of Poker. He gave his winnings of $415,856 to an educational charity.
Susquehanna now has more than 1,900 employees in offices world-wide. The firm accounts for more than one-fifth of U.S. options-trading volume, and it was sitting on more than $80 billion worth of stocks, options and other securities and derivatives at the end of 2019, according to an analysis of the firm’s regulatory filings by Alphacution, a research firm specializing in proprietary trading firms. Options are contracts that give investors the right to buy or sell a stock at a particular price.
Secrecy is another hallmark of Susquehanna, which doesn’t publicly disclose its financial metrics. The firm, like many high-speed trading firms, requires employees to sign noncompete agreements to keep trading secrets from being shared with rivals.
“Susquehanna is like a black hole,” said Paul Rowady, director of research at Alphacution. “There’s no light that escapes.”
As ByteDance negotiates the fate of TikTok with U.S. and Chinese authorities, Mr. Dantchik hasn’t played a big role in talks with officials, allowing other ByteDance investors such as Sequoia Capital and General Atlantic to take the lead, people familiar with the discussions said.
More than 30 years after its formation, Susquehanna is still closely held by its remaining co-founders, and it has never brought in outside investors, the people close to the firm said.
That explains in part how it ended up in China. The trading business generated such hefty profits that it spurred the Susquehanna co-founders to look for other places to reinvest their money, these people said.
The firm branched out into traditional investing in the 1990s, initially focusing on private investments in public equity, or PIPEs, a type of deal in which private investors buy equity stakes directly from a publicly traded company. Later, Susquehanna set up units for venture capital and private-equity investments. As the Internet boom spread to China and more Chinese startups were listed in the U.S. in the 2000s, it launched SIG Asia Investments in Shanghai.
In its early days in China, Susquehanna appeared alongside Sequoia in several investments, such as Bona Film Group, producer of the 2019 World War II epic “Midway,” and fast-food chain Country Style Cooking Restaurant Chain Co. Overall in China, Susquehanna has invested in more than 260 companies since 2005 in such sectors as media, internet, consumer and health-care, totaling more than $2 billion, according to its website. It co-invested with Sequoia 36 times, according to Chinese venture capital research firm Zero2IPO.
In the coterie of entertainment financiers in China, Mr. Gong is known for co-hosting an exclusive party with Bona Film during the Shanghai Film Festival each year at a bungalow near the city’s famed waterfront promenade The Bund, according to people familiar with the matter. Attendees are often the power brokers in China’s film industry, such as producers and directors. Mr. Gong, a proud wine aficionado, handpicks the wines served at the parties.