Hearing on facial recognition threats pushed back as chair questions Apple, Google
On Friday, shortly after Rep. Stephen Lynch (D-MA), chairman of the House Committee on Oversight and Investigations Subcommittee on National Security, confirmed he was pushing back, probably until next year, a hearing he had scheduled for next week to examine the threats facial recognition technology poses to national security, he suddenly announced he had sent letters to the CEOs of Google and Apple, indicating he likely wants them to appear before his subcommittee.
The turn of events came on the heels of the concerns that had been raised — after the hearing had been scheduled — on the perils of foreign-designed and controlled apps like the Russian-designed FaceApp the FBI had warned congressional leaders about only weeks ago.
Although Lynch had been quoted as saying “with all this stuff going on [the House impeachment of President Donald Trump] we thought it would be good to wait until after Christmas” to convene the hearing, the two letters he announced Friday he had sent to Google CEO Sundar Pichai and Apple CEO Tim Cook indicated there was a different reason. In his letters, Lynch asked for specific information related to whether Google and Apple require mobile application developers to disclose potential overseas affiliations before making their products available to users in the U.S.
Lynch had earlier expressed his concerns that technologies developed by foreign governments present serious dangers to privacy and national security, both of which were to be the focus of the hearing before his subcommittee next week.
FaceApp, owned by St. Petersburg, Russia-based Wireless Lab, is a smartphone app that went viral this summer after it was released with a filter that allowed users to age selfies they uploaded to the company’s Amazon cloud servers. The last estimated number of individuals who had downloaded the app was 80 million.
A statement from Lynch’s office Friday stated, “(r)ecent reporting suggests that foreign companies and developers could be providing sensitive data to their host governments on US citizens via their mobile applications, such as TikTok, Grindr, and FaceApp, creating significant national security risks.”
In his letters Friday to Pichai and Cook, Lynch – who is also Chair of the Task Force on Financial Technology and serves on the House Committee on Financial Services’ National Security, International Development and Monetary Policy and Oversight and Investigations Subcommittees – aired his growing discomfort over foreign governments’ access to data stored on devices running foreign-developed and controlled apps.
“Recent press reports have shed light on allegations that certain foreign companies and developers may be providing sensitive data on US citizens via their mobile applications to their host governments, thereby creating significant national security risks,” Lynch said in his letter to Pichai. “Given these concerns, the subcommittee seeks information relating to whether Google requires mobile application developers to disclose their potential overseas affiliations prior to making their products available on Google Play.”
In his letter to Cook, Lynch asked “whether Apple requires mobile application developers to disclose their potential overseas affiliations prior to making their products available on the Application Store.”
He told both CEOs that, “US laws permit mobile applications to collect massive amounts of personal information about their users as long as the users consent to the collection of that information as a condition of service. However, many smartphone owners are not aware that by consenting to an application’s service agreement, they are authorizing the application to access significant quantities of personal, and oftentimes sensitive, information. The extent to which this information is secured, either through encryption or alternative mechanisms, as well as the degree to which user data is shared, varies across applications.”
Lynch noted that, “(w)hen using mobile devices in the United States, users may assume that the Fourth Amendment, which prohibits unreasonable government searches and seizures, protects the data that they share voluntarily with the mobile applications on their smartphones … when a mobile application is owned, operated, or developed by a foreign entity irrespective of whether that data is stored on servers in the United States or abroad, there is a greater risk that foreign governments might be able to access that information.”
And, he stated, “this could happen if the foreign government gains unauthorized access to a mobile application’s information technology systems, or if the government compels or incentivizes developers to share their user data.”
He went on to point out that American University Law Professor Jennifer Daskal, and New America Fellow Samm Sacks, had observed that “while China does not have automatic access to data stored by Chinese-owned companies, ‘the reality is that if and when Beijing makes a demand, it is hard for Chinese-based companies to say no.’”
“Russia’s intelligence services,” she cautioned, “maintain robust cyber exploitation capabilities as evidenced by, for example, Russia’s surveillance system, the System of Operative Search Measures, which allows the Russian Federal Security Service (FSB) to obtain telephonic and online communications via direct connection to internet service providers (ISP). In other words, the FSB can remotely access all communications and servers on Russian networks without making a request to ISPs.”
“If the FBI assesses that elected officials, candidates, political campaigns, or political parties are targets of foreign influence operations involving FaceApp, the FBI would coordinate notifications, investigate, and engage the Foreign Influence Task Force, as appropriate,” she explained.
Tyson’s letter to Schumer was in response to the Senator having asked the FBI and Federal Trade Commission back in July about FaceApp, saying, “it would be deeply troubling if the sensitive personal information of US citizens was provided to a hostile foreign power actively engaging in cyber hostilities against the United States.”
Upon receiving Tyson’s letter on November 25, Schumer tweeted, “(t)his year when millions were downloading #FaceApp, I asked the FBI if the app was safe … Well, the FBI just responded. And they told me any app or product developed in Russia like FaceApp is a potential counterintelligence threat.”
Without fanfare, Biometric Update has learned, the Department of Defense (DOD) also expressed its own concerns about soldiers and civilian employees’ use of the app on their personal mobile phones, which a DOD official said could contain “an extraordinary amount of useful information for counterintelligence purposes.” He declined to comment further, or to acknowledge that a rumored advisory to that effect had been issued.
At about the same time, Democratic National Committee Chief Security Officer Bob Lord – who served as Yahoo’s Chief Information Security Officer, Chief Information Security Officer in Residence at Rapid7, and chief of Twitter’s information security – warned the party’s presidential campaigns’ members to stop using the app.
“This novelty is not without risk: FaceApp was developed by Russians. It’s not clear at this point what the privacy risks are, but what is clear is that the benefits of avoiding the app outweigh the risks,” he pressed, adding, “(i)f you or any of your staff have already used the app, we recommend that they delete the app immediately.”
Dmitry Sergeyevich Peskov, Press Secretary for Vladimir Putin, defended FaceApp, saying that despite FBI and U.S. intelligence services’ concerns, it’s a free market.
“Given the pervasiveness of smartphone technology in the United States, as well as the vast amounts of information stored on those devices, foreign adversaries may be able to collect sensitive information about US citizens, which presents serious and immediate risks for US national security,” Lynch said in his letter, taking note that, “(f)or example, by collecting personal information on US government personnel who have access to classified information, foreign adversaries may attempt to expose them to blackmail, tailor intelligence spotting or recruitment activities to specific targets, or exert undue foreign influence in US policymaking.”
“In addition,” he added, “artificial intelligence could enable foreign adversaries to manipulate user-provided data to create profiles on average US citizens that could be leveraged in future military conflicts or diplomatic disputes.”
In his letter to Google CEO Sundar Pichai, Lynch asked for “answers to the following questions” no later than January 10:
• How does Google determine whether an application should be made available to the public on Google Play?
• What information does Google require application developers to submit with their proposals?
• Does Google require developers to provide the country (or countries) in which their mobile applications will house user data? If so, does Google determine whether to list certain applications on Google Play based on where user data will be housed? If not, are there any statutory or regulatory limitations that prohibit Google from requesting this information?
• Does Google require developers to disclose when a non-U.S. corporation or entity owns a greater than 50 percent equity stake in an application? If so, does Google determine whether to list certain applications on Google Play based on foreign corporate ownership? If not, are there any statutory limitations that prohibit Google from requesting this information?
• Has Google established baseline data protection standards that mobile application proposals must comply with?
• How does Google determine whether mobile applications pending approval operate in accordance with their user consent agreements or privacy policies?
• Does Google have a mechanism for periodically reviewing and enforcing these agreements and policies?
• Does Google track an application’s total number of downloads in the United States?
• Does Google track an application’s potential number of users in the United States?
Lynch asked Apple the same questions, including: “According to Apple’s App Store Review Guidelines, ‘Apps that share user data without user consent or otherwise complying with data privacy laws may be removed from sale and may result in … removal from the Apple Developer Program.’” So, “(h)ow does Apple determine whether mobile applications pending approval operate in accordance with their user consent agreements or privacy policies?”
Lynch concluded by informing the two CEOs that “the Committee on Oversight and Reform is the principal oversight committee of the House of Representatives and has broad authority to investigate ‘any matter’ at ‘any time’ under House Rule X,” which covers committees and their legislative jurisdictions.
“Congress has a responsibility to protect the privacy of American citizens and the national security of the United States while foreign entities and governments invest in economic and technological advancement,” Lynch said, declaring, “(d)eliberate, thorough, and transparent oversight of foreign operated mobile applications promotes these goals.”