
How China Obtains American Trade Secrets

BEIJING — The new trade deal between Washington and Beijing is intended in part to address one of the most acrimonious issues between them: China’s tactics in acquiring technology from companies based in the West.

It’s a thorny topic, and one that is unlikely to be fully solved with a trade pact.

The Trump administration blames China for stealing Western trade secrets, and it used those allegations as the legal basis for launching the trade war nearly two years ago. Trade talks between the two sides quickly became about broader issues, but the partial trade pact set to be signed on Wednesday includes pledges by China to stop some of the practices that Western businesses have long criticized. Depending on the details, that could make the deal more palatable for American businesses.

Underpinning these concerns is that China has repeatedly shown that it can acquire technology and, through heavy government subsidies, build competitive rivals to American companies. Businesses worry that it could do the same in other industries, like software and chips.

China has long denied that it forces foreign companies to give up technology. They do it willingly, Beijing asserts, to get access to China’s vast and growing market. Still, Chinese officials say they are taking steps to address the concerns.

The American authorities have long accused Chinese companies and individuals of hacking and other outright theft of American corporate secrets. And some in the Trump administration worry that Chinese companies are simply buying it through corporate deals.

American companies say Chinese companies also use more subtle tactics to get access to valuable technology.

Sometimes China requires foreign companies to form joint ventures with local firms in order to do business there, as in the case of the auto industry. It also sometimes requires that a certain percentage of a product’s value be manufactured locally, as it once did with wind turbines and solar panels.

The technology companies Apple and Amazon set up ventures with local partners to handle data in China to comply with internal security laws.

Companies are loath to accuse Chinese partners of theft for fear of getting punished. Business groups that represent them say Chinese companies use those corporate ties to pressure foreign partners into giving up secrets. They also say Chinese officials have pressured foreign companies to give them access to sensitive technology as part of a review process to make sure those products are safe for Chinese consumers.

Foreign business groups point to renewable energy as one area where China used some of these tactics to build homegrown industries.

Gamesa of Spain was the wind turbine market leader in China when Beijing mandated in 2005 that 70 percent of each wind turbine installed in China had to be manufactured inside the country. The company trained more than 500 suppliers in China to manufacture practically every part in its turbines. It set up a plant to assemble them in the city of Tianjin. Other multinational wind turbine manufacturers did the same.

The Obama administration questioned the policy as a violation of World Trade Organization rules and China withdrew it, but by then it was too late. Chinese state-controlled enterprises had begun to assemble turbines using the same suppliers. China is now the world’s biggest market for wind turbines, and they are mostly made by Chinese companies.

A somewhat similar industrial evolution occurred soon after in solar energy. China required that its first big municipal solar project only use solar panels that were at least 80 percent made in China. Companies rushed to produce in China and share technology.

The Chinese government also heavily subsidized the manufacture of solar panels, mostly for export. Chinese companies ended up producing most of the world’s solar panels.

Some in the Trump administration fear the same thing is happening in cars.

Shortly after opening China to foreign auto companies, Chinese officials held a competition among global automakers for who would be allowed to enter the market. The competition included a detailed review of each company’s offer to transfer technology to a joint venture to be formed with a Chinese state-owned partner.

General Motors beat out Ford Motor and Toyota by agreeing to build a state-of-the-art assembly plant in Shanghai with four dozen robots to make the latest Buicks. Executives at Volkswagen, the German automaker that had entered China even earlier, were furious, because competitive pressures forced them to upgrade their technology as well.

China is now the world’s largest car market. But except for a few luxury models, practically all of the cars sold in China are made there. Steep Chinese tariffs on imported cars and car parts have also played a role, as has the desire of foreign companies to avoid the costs and risks of transporting cars from distant production sites.

In the trade truce expected to be signed on Wednesday, Chinese officials have agreed not to force companies to transfer technology as a condition of doing business, and they undertook to punish firms that infringe on or steal trade secrets. China also agreed not to use Chinese companies to obtain sensitive technology through acquisitions.

Even before that, Chinese officials pledged to drop the joint venture requirement in areas like cars.

The question is whether China will stick to its pledges. Chinese officials have already issued rules echoing much of what they promised in Wednesday’s agreement. Foreign lawyers say the new rules have large loopholes. The rules give Chinese regulators broad discretion to act as they see fit in cases that involve “special circumstances,” “national state interests” and other fuzzy exceptions.

The trade pact calls for consultations within 90 days if the United States thinks Beijing is not living up to its commitments, but it is unclear whether the Trump administration could then force compliance. More broadly, the pact does not address China’s subsidies for new industries, a key factor in what happened in sectors like solar panels. China has largely rebuffed calls to rein in subsidies for homegrown competitors in industries like semiconductors, commercial aircraft, electric cars and other technologies of tomorrow.

The Trump administration is counting on tariffs to counterbalance that. The partial trade pact will leave in place broad tariffs on many of those industries to prevent Chinese competitors from flooding the American market. Leaving broad tariffs in place also gives Western companies a strong financial incentive to reconsider supply chains that are heavily reliant on China.


What’s the Price of Getting Your Data? More Data

The new year ushered in a landmark California privacy law that gives residents more control over how their digital data is used. The Golden State isn’t the only beneficiary, though, because many companies are extending the protections — the most important being the right to see and delete the personal data a company has — to all their customers in the United States.

In the fall, I took the right of access for a test drive, asking companies in the business of profiling and scoring consumers for their files on me. One of the companies, Sift, which assesses a user’s trustworthiness, sent me a 400-page file that contained years’ worth of my Airbnb messages, Yelp orders and Coinbase activity. Soon after my article was published, Sift was deluged with over 16,000 requests, forcing it to hire a vendor to deal with the crush.

That vendor, Berbix, helped verify the identity of people requesting data by asking them to upload photos of their government ID and to take a selfie. It then asked them to take a second selfie while following instructions. “Make sure you are looking happy or joyful and try again” was one such command.

Many people who read the article about my experience were alarmed by the information that Berbix asked for — and the need to smile for their secret file.

“This is a nightmare future where I can’t request my data from a creepy shadow credit bureau without putting on a smile for them, and it’s completely insane,” Jack Phelps, a software engineer in New York City, said in an email.

“It just seems wrong that we have to give up even more personal information,” wrote another reader, Barbara Clancy, a retired professor of neuroscience in Arkansas.

That’s the unpleasant reality: To get your personal data, you may have to give up more personal data. It seems awful at first. Alistair Barr of Bloomberg called it “the new privacy circle of hell.”

But there’s a good reason for this. Companies don’t want to give your data away to the wrong person, which has happened in the past. In 2018, Amazon sent 1,700 audio files of a customer talking to his Alexa to a stranger.

The right to have access to personal data is enshrined in the new California Consumer Privacy Act. The law is modeled in part on privacy regulations in Europe, known as the General Data Protection Regulation, or G.D.P.R. Soon after Europe’s law went into effect, in May 2018, a hacker gained access to the Spotify account of Jean Yang, a tech executive, and successfully filed a data request to download her home address, credit card information and a history of the music she had listened to.

Since then, two groups of researchers have demonstrated that it’s possible to fool the systems created to comply with G.D.P.R. to get someone else’s personal information.

One of the researchers, James Pavur, 24, a doctoral student at Oxford University, filed data requests on behalf of his research partner and wife, Casey Knerr, at 150 companies using information that was easily found for her online, such as her mailing address, email address and phone number. To make the requests, he created an email address that was a variation on Ms. Knerr’s name. A quarter of the companies sent him her file.

“I got her Social Security number, high school grades, a good chunk of information about her credit card,” Mr. Pavur said. “A threat intelligence company sent me all her user names and passwords that had been leaked.”

Mariano Di Martino and Pieter Robyns, computer science researchers at Hasselt University in Belgium, had the same success rate when they approached 55 financial, entertainment and news companies. They requested each other’s data, using more advanced techniques than those of Mr. Pavur, such as photoshopping each other’s government ID. In one case, Mr. Di Martino received the data file of a complete stranger whose name was similar to that of Mr. Robyns.

Both sets of researchers thought the new law giving the right to data was worthwhile. But they said companies needed to improve their security practices to avoid compromising customers’ privacy further.

“Companies are rushing to solutions that lead to insecure practices,” Mr. Robyns said.

Companies employ different techniques for verifying identity. Many simply ask for a photo of a driver’s license. Retail Equation, a company that decides whether a consumer can make returns at retailers like Best Buy and Victoria’s Secret, asks only for a name and driver’s license number.

The wide array of companies now required to hand over data, from Baskin Robbins to The New York Times, have varying levels of security expertise and experience in providing data to consumers.

Companies such as Apple, Amazon and Twitter can ask users to verify their identity by logging into their platforms. All three give a heads-up via email after data is requested, which can help warn people if a hacker got access to their account. An Apple spokesman said that after a request is made, the company uses additional methods to verify the person’s identity, though the company said it couldn’t disclose those methods for security reasons.

If consumers can’t verify their identity by logging into an existing account, Mr. Di Martino and Mr. Robyns recommend that companies email them, call them or ask them for information that only they should know, such as the invoice number on a recent bill.

“Regulators need to think more about the unintended consequences of empowering individuals to access and delete their data,” said Steve Kirkham, who worked on Airbnb’s trust and safety team for five years, before founding Berbix in 2018. “We want to prevent fraudulent requests and let the good ones go through.”

It is on regulators’ minds. The California law requires businesses to “verify the identity of the consumer making the request to a reasonable degree of certainty” and to have a more stringent verification process for “sensitive or valuable personal information.”

Mr. Kirkham said Berbix requested the first selfie to test whether a person’s face matched their ID; the second selfie, with a smile or some other facial expression, ensures that someone isn’t simply holding a photo up to the camera. Mr. Kirkham said Berbix ultimately deleted the data collected within seven days to a year, depending on the retention period requested by the company that hires the firm. (Sift deletes its data after two weeks.)

“It’s a new threat vector companies should consider,” said Blake Brannon, vice president of product at OneTrust, another company that helps businesses comply with the new data privacy laws. OneTrust offers the 4,500 organizations using its service the option to create several levels of identity verification, such as sending a token to someone’s phone or verifying ownership of an email address.

“If I’m requesting something simple or lightweight, the verification is minimal, versus a deletion request,” Mr. Brannon said. “That will require more levels of verification.”

Mr. Kirkham of Berbix said the verification process discouraged some people from making the data request at all.

“A lot of people don’t want to give more information,” Mr. Kirkham said. “Their assumption is that you will do something nefarious with it.”

He added: “But that’s the irony here. We require additional information from people to protect them. We want to make sure you are who you say you are.”


A Myth That Won’t Die About a Gulf War Weapon, and Why It Matters

At the end of Operation Desert Storm in early 1991, the United States Army was extolling the performance of America’s new and technically advanced weapons. Making their combat debuts were the Patriot missile, the Bradley Fighting Vehicle, the Abrams tank and a somewhat curious looking truck that looked like a cross between a tank and a shipping container: the M270 Multiple Launch Rocket System, or M.L.R.S., with the chassis and treads of a Bradley and two packs of six rockets on its back.

Each rocket carried 644 dual-purpose improved conventional munitions, or DPICM grenades, which looked like D-cell batteries with a nylon loop streaming from the top. The trucks were designed to fire 12 of these rockets in less than one minute and spread 7,728 small explosive charges over 30 acres. The rockets could be fired deep into enemy territory — dropping millions of explosive charges onto large groups of armored vehicles — without American forces ever having to get near enemy territory.

Rumors were soon circulating that Iraqi soldiers had been so overwhelmed by the M.L.R.S.’s firepower that they had begged the Americans to stop dropping the “steel rain.” For the Army’s long-range artillery units, this phrase became a rallying cry, and a way to evoke the overwhelming victory that left America’s enemy trembling with fear — even today. The problem, however, is that the documentation behind the steel-rain narrative does not exist.

Though some Iraqi soldiers may have been scared of those rockets and their effects, there seem to be no official interrogation records confirming it. There is also evidence that the steel-rain moniker predates Desert Storm in American artillery circles. But those details got lost in the mythmaking.

Just two years after the war’s end, the Government Accountability Office reported that M.L.R.S. rockets failed at far higher rates in combat than the Army had advertised, and that dud grenades left over from rocket attacks had killed and wounded at least 16 American troops. An Army report in the early 2000s noted that even though the M.L.R.S. was deployed in Bosnia and Kosovo in the 1990s, “not one rocket was fired because of the lack of precision and potential for collateral damage as well as the high submunition dud rate.” By the 2000s, the Army seemed to be moving away from the old unguided M.L.R.S. rockets altogether, and the steel rain myth seemed to go with it.

But it’s now making a comeback. Advocates in recent years have repeatedly and enthusiastically cited the steel-rain myth as they call on the Pentagon to bring back long-range artillery rockets and missiles in the face of rising tensions with Russia and China — and military planners are listening. As the Army looks to invest in an artillery force that was deliberately gutted for much of the conflicts in Iraq and Afghanistan, it’s important to look back at the lionization of M.L.R.S. cluster weapons used during the Persian Gulf war and the misconceptions that surround them.

What is this “steel rain” myth, and where did it come from?

On May 9, 1991, the Army’s chief of staff gave a speech at a gathering of senior artillery leaders at Fort Sill, Okla. — the home of Army and Marine Corps artillery. Gen. Carl Vuono, a career artillery officer, was pumping up the troops with tales of how well the Pentagon’s howitzers and ground-fired rockets had performed in the desert sands of Kuwait and Iraq. “It was training that created the skill in artillery batteries to bring such timely and accurate fires on the Iraqis, which they described as ‘steel rain,’” Vuono said.

What’s inaccurate about this story?

Reporters in the region in February 1991 — during the Desert Storm air and artillery campaign that preceded the ground war — wrote that it was American soldiers themselves who were calling their M.L.R.S. rocket attacks “steel rain.” A now-retired Army colonel named Hampton Hite — who as a captain commanded one of the M.L.R.S. batteries firing at Iraqi targets and was briefly interviewed in a Washington Post report about the rocket system — confirmed to The Times in 2017 that his unit (A Battery, 21st Field Artillery) had used the radio call sign “Steel Rain” since the unit was established in 1986. His soldiers would have been using that name on radio networks heard by many troops in other units, and it is possible that those other soldiers conflated that name with the rockets Hite’s battery fired. “I don’t doubt that these Iraqi P.O.W.s didn’t like being on the receiving end of M.L.R.S.,” Hampton said in 2017. “But I know for a fact that ‘steel rain’ didn’t come from them.”

How did the story spread?

Vuono’s speech injected the story directly into the artillery corps’s bloodstream. He was echoed by Maj. Gen. Raphael J. Hallada, the head of Army field artillery at the time. “As recipients of your firepower and also professional admirers,” Hallada wrote in June 1991 for Field Artillery, an Army journal, “the Iraqi enemy prisoners of war spoke of the terrible, pervasive ‘Steel Rain’ of your cannons and rockets.” The name evolved a bit, with one officer calling it “iron rain” in the same journal a few months later, though he still attributed the coining of the term to Iraqi prisoners.

The Defense Department’s final report to Congress on Desert Storm, published in April 1992, transmitted the narrative to lawmakers, saying that the M.L.R.S. had “a tremendous psychological impact on Iraqi soldiers. Enemy soldiers were terrified of its destructive force, which they sometimes referred to as ‘steel rain.’ ” The myth was then chiseled into stone in the Army’s own history of the war, which was made public in 1993 and sold as a book.

That document also misattributed a mass-fratricide bomblet attack on a unit of the First Armored Division to enemy fire. It correctly states that one American cavalry troop suffered at least 23 wounded when howitzers fired cluster shells at them; however, in a 2017 interview with The Times, the squadron operations officer at the time, Mark Hertling, now a retired lieutenant general, says he believes it was friendly fire that wounded his soldiers. Hertling himself was awarded a Purple Heart for shrapnel wounds he suffered in that incident.

So did Iraqis really surrender because of these artillery bomblets?

A lot of Iraqi soldiers surrendered to allied troops in 1991, but without the Pentagon’s producing the records, there are no publicly available documents that point to Iraqis’ surrendering specifically because of these DPICM grenades falling on them. Responding to a query from The Times, the Department of the Army was unable to locate any records from Desert Storm that cited Iraqi prisoners calling M.L.R.S. “steel rain,” and did not respond when asked if the service would continue to stand by its story. The only sources offering the narrative about Iraqis doing so are those written by Army artillery soldiers in the months and years following Desert Storm, citing secondhand accounts.

How did these rocket and artillery bomblets perform in combat?

In many cases, they failed to work as advertised. They were supposed to be able to destroy Soviet armored vehicles, with small armor-piercing warheads. But the attack on the First Armored Unit shows that the DPICMs not only failed to destroy Bradley Fighting Vehicles; they also failed to destroy the troop’s unarmored Chevrolet S.U.V.s — even those that took more than one direct hit.

These weapons had a much more pernicious effect, though, that was barely mentioned in the Army’s 1993 history. American howitzers fired nearly 27,450 cluster shells in the war, and batteries fired more than 17,000 submunition-loaded rockets. In all, those munitions disgorged 13.7 million DPICM grenades on Iraq and Kuwait. Pentagon documents estimate that between 10 and 20 percent or more likely failed to explode on impact, littering the battlefield with highly dangerous duds that would still explode if disturbed.

Why didn’t they work like they were supposed to?

During Desert Storm, the simplest reason is that the bomblets often landed in soft sand, when they were designed to hit the steel plates of armored vehicles. These submunitions relied on a simple fuze that needed to hit its target within a certain angle and provide enough resistance to work. Before his 2018 death, Bill Kincheloe, the inventor of that submunition’s fuze, gave multiple interviews to The Times and explained those parameters. “When that thing hits the ground, it has to hit within 45 degrees to fire,” Kincheloe said. “If it hits at 46 degrees, it won’t fire.” Kincheloe said that the sloped sides of tire tracks and footprints left in the sand could provide enough of an angle to send the submunitions tumbling upon impact, instead of detonating. The problem was even more acute because in early 1991, frequent and unusually intense rainstorms made the sand those bomblets landed in even softer. “If you dropped them on the soft sand, about 60 percent would go off,” Kincheloe said. “You’d have between 3 and 12 percent plain old duds, and the rest would be ground-impact duds.”

Some lessons of Desert Storm went unheeded when the United States went to war with Iraq in 2003. Whether because of the “steel rain” myth or not, the military still considered DPICM weapons desirable. One Army unit fired nearly 800 M.L.R.S. rockets after the invasion, and at least one Marine artillery unit shot cluster artillery shells in combat.

Their use had some unfortunate and completely foreseeable negative effects on civilians and American troops alike. A dud DPICM fired in a strike on a suspected insurgent position in late March 2003 exploded after Lance Cpl. Jesus A. Suarez del Solar accidentally stepped on it near Ad Diwaniyah, killing him. In July 2003, Cpl. Travis Bradach-Nall died near Karbala after a Marine nearby dropped a DPICM grenade he was trying to defuse, causing it to detonate.

Are these same weapons being added to the Army’s artillery arsenal today?

In the mid-1990s, when the Pentagon decided to make a precision-guided version of the M.L.R.S. rocket, the first variant was going to contain 406 DPICM grenades with more reliable fuzes that would also cause any duds to detonate after a set amount of time. Israeli Military Industries, the manufacturer of these grenades, claimed that they had a dud rate of less than 1 percent — an attractive feature for American military officials. However, despite spending millions in live-fire testing at ranges in New Mexico and Arizona, the dud rate was still around 5 percent, and the program was canceled in late 2008.

After several different Army munition-development initiatives failed to create a new kind of DPICM with a lower dud rate, the Pentagon appears to have given up on the idea. The effort to improve their reliability was driven in part by a directive from the secretary of defense in 2008 that would have prohibited the use of existing cluster munitions like M26 rockets and DPICM artillery shells after 2018 because of their high dud rates, and mandated that only cluster weapons with a reliability rate over 99 percent could be used from then on. In the interim, new weapons programs designed to meet that standard were failing in tests, and the Army began to destroy its less-reliable weapons. That changed abruptly in late 2017 when the Pentagon reversed course and decided to simply retain the massive stockpile of older munitions that performed so poorly in Desert Storm. Patrick Shanahan, the deputy secretary of defense at the time, indicated that they would be kept in service for use in a potential war with North Korea.

As for how many of them remain, the military does not typically disclose its weapons inventories in real time, but there is relatively recent data available in online briefings. According to one report, the Army still had 360,192 rockets in its inventory in 2008. And a 2012 Army briefing noted that the service still had more than 3.6 million 155-millimeter DPICM artillery shells.

The Pentagon’s interest in long-range artillery rockets and missiles continues, though it is unclear whether new models will incorporate cluster-munition warheads. The maximum range of the Pentagon’s current inventory of ground-launched missiles was limited since the 1980s by the Intermediate-Range Nuclear Forces Treaty, but following the United States’ withdrawal from that treaty last year, the Pentagon can once again field land-based missiles that can fly more than 300 miles before striking their targets — meaning for the first time in more than 30 years the Pentagon is pursuing nonnuclear weapons that can fly as far as modern technology allows. Defense contractors are already offering prototypes for the Army’s consideration, and Congress allocated $160 million for the program in 2019 and $243 million in 2020.


N.S.A. Takes Step Toward Protecting World’s Computers, Not Just Hacking Them

WASHINGTON — The National Security Agency has taken a significant step toward protecting the world’s computer systems, announcing Tuesday that it alerted Microsoft to a vulnerability in its Windows operating system rather than following the agency’s typical approach of keeping quiet and exploiting the flaw to develop cyberweapons.

The warning allowed Microsoft to develop a patch for the problem and gave the government an early start on fixing the vulnerability. In years past, the National Security Agency has collected all manner of computer vulnerabilities to gain access to digital networks to gather intelligence and generate hacking tools to use against American adversaries.

But that policy was heavily criticized in recent years when the agency lost control of some of those tools, which fell into the hands of cybercriminals and other malicious actors, including North Korean and Russian hackers.

By taking credit for spotting a critical vulnerability and leading the call to update computer systems, the National Security Agency appeared to adopt a shift in strategy and took on an unusually public role for one of the most secretive arms of the American government. The move shows the degree to which the agency was bruised by accusations that it caused hundreds of millions of dollars in preventable damage by allowing vulnerabilities to circulate.

“We wanted to take a new approach to sharing and also really work to build trust with the cybersecurity community,” Anne Neuberger, the agency’s cybersecurity director, told reporters.

The vulnerability exists in Windows 10, Microsoft’s flagship operating system, as well as some versions of its server software. It allows hackers to insert malicious code into a target computer and make it appear to be from a safe and trusted source. The vulnerability could also allow hackers to decrypt secret communications.

The vulnerability was serious, officials said. The National Security Agency warned government officials who oversee classified systems about the flaw and the coming Microsoft patch before discussing it publicly, Ms. Neuberger said.

The agency has in the past privately shared vulnerabilities it found with Microsoft and other technology companies. During the Obama administration, officials said, they shared about 90 percent of the flaws they discovered.

But the agency never allowed those firms to publicly identify the agency as the source of those discoveries, Ms. Neuberger said. The agency wanted the public acknowledgment of its role in finding the new defect to demonstrate the importance of patching the flaw, she said.

“Ensuring vulnerabilities can be mitigated is an absolute priority,” Ms. Neuberger said.

The National Security Agency’s action suggests the vulnerability for American government systems likely outweighed its usefulness as a tool for the agency to gather intelligence.

Experts and technology companies praised the agency. But some noted that even as one arm of the government was moving to protect the public’s ability to encrypt its communications, another was taking the opposite tack. A day earlier, the Justice Department called on Apple to break the encryption on its phones, and it has pushed for so-called back doors on Facebook’s encrypted message services.

The Washington Post earlier reported on the agency’s warning to Microsoft, which released a patch for the vulnerability on Tuesday.

Customers who automatically update their operating systems or applied Tuesday’s patch “are already protected,” said Jeff Jones, a senior director at Microsoft.

Microsoft said no evidence had emerged that malicious actors had exploited the vulnerability and said its security software could detect malware trying to do so.

The National Security Agency’s decision to reveal the flaw to Microsoft — and then to publicly announce its move — is in sharp contrast to how it handled another flaw that it discovered but told Microsoft about too late to prevent global damage.

In early 2017, agency officials told Microsoft’s president, Brad Smith, that it had found a flaw in its operating systems but lost it to a group called the Shadow Brokers, which somehow obtained hacking tools that the United States had used to spy on other countries. The agency had known about the flaw for some time but held on to it, believing that one day it might be useful for surveillance or the development of a cyberweapon.

But when the agency’s arsenal of flaws leaked out — presumably through insiders, though the National Security Agency has never said — among it was code nicknamed “Eternal Blue.” While Microsoft had raced to get people to patch the erroneous code, many systems remained unprotected.

Soon North Korean hackers used the code to develop “WannaCry,” software that crippled the British health care system, which used an outdated version of Microsoft Windows. And Russian hackers used it in the NotPetya attacks, among the most damaging cyberattacks in history, costing hundreds of millions of dollars to companies including FedEx and Maersk, the shipping giant.

The agency dismissed the idea that it was responsible for the malicious use of the code — arguing that the responsibility lay with North Korea and Russia, which mounted the attacks. But privately, many agency officials acknowledged that the tendency to hoard such flaws in hopes of developing weapons had come at a huge price and that the United States bore some responsibility for the damage caused by Eternal Blue and other tools.

Some experts believe Eternal Blue is continuing to cause problems, allowing hackers to disrupt computer systems.

The White House often decides whether to hold on to a flaw for future use or reveal it to the manufacturer. Obama administration officials set up a system to make the decision. Trump administration officials say a similar process still exists, but they have stopped publishing information about the percentage of vulnerabilities they make public.

The National Security Council reviewed the latest decision to share information about the new flaw with Microsoft, Ms. Neuberger said.

The vulnerability involves Windows’ digital signature system, according to one of the people familiar with the issue. Microsoft, and other companies, use digital signatures to identify software and updates as authentic.

The vulnerability unearthed by the National Security Agency could potentially allow a hacker to add a fake signature that could allow malware to be inserted onto a vulnerable computer. Because the vulnerability was not yet public, no known malware has taken advantage of it.

Criminal hackers or nation states typically take weeks to exploit a new vulnerability, so businesses, governments and individuals may have a little time to install the security patch developed by Microsoft. Experts urged them to move quickly nonetheless.

It was not clear how much of a strategic shift the agency’s announcement amounted to. The agency presumably is still hunting for vulnerabilities and flaws that could allow them to infiltrate Iranian computer systems, as well as those used by Russia, China and other adversarial countries.

But if the agency continues to follow the example set Tuesday, then for future vulnerabilities that affect not just one critical computer system but instead millions of users or more across the world, its experts could help fix the problem rather than exploit it.

Apple Takes a (Cautious) Stand Against Opening a Killer’s iPhones

SAN FRANCISCO — Apple is privately preparing for a legal fight with the Justice Department to defend encryption on its iPhones while publicly trying to defuse the dispute, as the technology giant navigates an increasingly tricky line between its customers and the Trump administration.

Timothy D. Cook, Apple’s chief executive, has marshaled a handful of top advisers, while Attorney General William P. Barr has taken aim at the company and asked it to help penetrate two phones used by a gunman in a deadly shooting last month at a naval air station in Pensacola, Fla.

Executives at Apple have been surprised by the case’s quick escalation, said people familiar with the company who were not authorized to speak publicly. And there is frustration and skepticism among some on the Apple team working on the issue that the Justice Department hasn’t spent enough time trying to get into the iPhones with third-party tools, said one person with knowledge of the matter.

The situation has become a sudden crisis at Apple that pits Mr. Cook’s longstanding commitment to protecting people’s privacy against accusations from the United States government that it is putting the public at risk. The case resembles Apple’s clash with the F.B.I. in 2016 over another dead gunman’s phone, which dragged on for months.

This time, Apple is facing off against the Trump administration, which has been unpredictable. The stakes are high for Mr. Cook, who has built an unusual alliance with President Trump that has helped Apple largely avoid damaging tariffs in the trade war with China. That relationship will now be tested as Mr. Cook confronts Mr. Barr, one of the president’s closest allies.

“We are helping Apple all of the time on TRADE and so many other issues, and yet they refuse to unlock phones used by killers, drug dealers and other violent criminal elements,” Mr. Trump said Tuesday in a post on Twitter. “They will have to step up to the plate and help our great Country.”

Apple declined to comment on the issue on Tuesday. Late Monday, after Mr. Barr had complained that the company had provided no “substantive assistance” in gaining access to the phones used in the Pensacola shooting, Apple said it rejected that characterization. It added that “encryption is vital to protecting our country and our users’ data.”

But Apple also offered conciliatory language, in a sign that it did not want the showdown to intensify. The company said it was working with the F.B.I. on the Pensacola case, with its engineers recently holding a call to provide technical assistance.

“We will work tirelessly to help them investigate this tragic attack on our nation,” Apple said.

At the heart of the tussle is a debate between Apple and the government over whether security or privacy trumps the other. Apple has said it chooses not to build a “backdoor” way for governments to get into iPhones and to bypass encryption because that would create a slippery slope that could damage people’s privacy.

The government has argued it is not up to Apple to choose whether to provide help, as the Fourth Amendment allows the government to violate individual privacy in the interest of public safety. Privacy has never been an absolute right under the Constitution, Mr. Barr said in a speech in October.

Mr. Cook publicly took a stand on privacy in 2016 when Apple fought a court order from the F.B.I. to open the iPhone of a gunman involved in a San Bernardino, Calif., mass shooting. The company said it could open the phone in a month, using a team of six to 10 engineers. But in a blistering, 1,100-word letter to Apple customers at the time, Mr. Cook warned that creating a way for the authorities to gain access to someone’s iPhone “would undermine the very freedoms and liberty our government is meant to protect.”

Bruce Sewell, Apple’s former general counsel who helped lead the company’s response in the San Bernardino case, said in an interview last year that Mr. Cook had staked his reputation on the stance. Had Apple’s board not agreed with the position, Mr. Cook was prepared to resign, Mr. Sewell said.

The San Bernardino case was bitterly contested by the government and Apple until a private company came forward with a way to break into the phone. Since then, Mr. Cook has made privacy one of Apple’s core values. That has set Apple apart from tech giants like Facebook and Google, which have faced scrutiny for vacuuming up people’s data to sell ads.

“It’s brilliant marketing,” Scott Galloway, a New York University marketing professor who has written a book on the tech giants, said of Apple. “They’re so concerned with your privacy that they’re willing to wave the finger at the F.B.I.”

Mr. Cook’s small team at Apple is now aiming to steer the current situation toward an outside resolution that doesn’t involve the company breaking its own security, even as it prepares for a potential legal battle over the issue, said the people with knowledge of the thinking.

Some of the frustration within Apple over the Justice Department is rooted in how police have previously exploited software flaws to break into iPhones. The Pensacola gunman’s phones were an iPhone 5 and an iPhone 7 Plus, according to a person familiar with the investigation who declined to be named because the detail was confidential.

Those phones, released in 2012 and 2016, lack Apple’s most sophisticated encryption. The iPhone 5 is even older than the device in the San Bernardino case, which was an iPhone 5C.

Security researchers and a former senior Apple executive who spoke on the condition of anonymity said tools from at least two companies, Cellebrite and Grayshift, have long been able to bypass the encryption on those iPhone models.

Cellebrite said in an email that it helps “thousands of organizations globally to lawfully access and analyze” digital information; it declined to comment on an active investigation. Grayshift declined to comment.

Cellebrite’s and Grayshift’s tools exploit flaws in iPhone software that let them remove limits on how many passwords can be tried before the device erases its data, the researchers said. Typically, iPhones allow 10 password attempts. The tools then use a so-called brute-force attack, or repeated automated attempts of thousands of passcodes, until one works.

“The iPhone 5 is so old, you are guaranteed that Grayshift and Cellebrite can break into those every bit as easily as Apple could,” said Nicholas Weaver, a lecturer at the University of California, Berkeley, who has taught iPhone security.

Chuck Cohen, who recently retired as head of the Indiana State Police’s efforts to break into encrypted devices, said his team used a $15,000 device from Grayshift that enabled it to regularly get into iPhones, particularly older ones, though the tool didn’t always work.

In the San Bernardino case, the Justice Department’s Office of Inspector General later found the F.B.I. had not tried all possible solutions before trying to force Apple to unlock the phone. In the current case, Mr. Barr and other Justice Department officials have said they have exhausted all options, though they declined to detail exactly why third-party tools have failed on these phones as the authorities seek to learn if the gunman acted alone or coordinated with others.

“The F.B.I.’s technical experts — as well as those consulted outside of the organization — have played an integral role in this investigation,” an F.B.I. spokeswoman said. “The consensus was reached, after all efforts to access the shooter’s phones had been unsuccessful, that the next step was to reach out to start a conversation with Apple.”

Security researchers speculated that in the Pensacola case, the F.B.I. might still be trying a brute-force attack to get into the phones. They said major physical damage may have impeded any third-party tools from opening the devices. The Pensacola gunman had shot the iPhone 7 Plus once and tried destroying the iPhone 5, according to F.B.I. photos.

The F.B.I. said it fixed the iPhones in a lab so that they would turn on, but the authorities still couldn’t bypass their encryption. Security researchers and the former Apple executive said any damage that prevented third-party tools from working would also preclude a solution from Apple.

A Justice Department spokeswoman said in an email: “Apple designed these phones and implemented their encryption. It’s a simple, ‘front-door’ request: Will Apple help us get into the shooter’s phones or not?”

While Apple has closed loopholes that police have used to break into its devices and resisted some law enforcement requests for access, it has also routinely helped police get information from phones in cases that don’t require it to break its encryption. Apple has held seminars for police departments on how to quickly get into a suspect’s phone, and it has a hotline and dedicated team to aid police in time-sensitive cases.

In the past seven years, Apple has also complied with roughly 127,000 requests from American law enforcement agencies for data stored on its computer servers. Such data is unencrypted and access is possible without a customer’s passcode.

In 2016, when the standoff between Apple and the government was at its most acrimonious, Mr. Cook said Congress should pass a law to decide the boundaries between public safety and technological security. In court filings, Apple even identified an applicable law, the Communications Assistance for Law Enforcement Act.

On Monday, Mr. Barr said the Trump administration had revived talks with Congress to come up with such a law.

Jack Nicas reported from San Francisco, and Katie Benner from Washington.

Tech Bro Uniform Meets Margaret Thatcher. Disruption Ensues.

The death knell of the Patagonia vest, at least as a symbol of utopianism co-opted by the tech and venture capital world and transformed into shorthand for a certain kind of unbridled corporate power, was much predicted last summer.

That is when the outdoor recreation company put its puffers where its principles were and said it would no longer make vests branded with its own name and the names of companies that did not share its environmental commitments.

“Woe to the bros!” cried customers and commentators alike, in both glee and horror.

The prophecies of doom turned out to be somewhat overstated. But they may soon be heard again in the land, thanks to an unexpected source: Simon Denny, a New Zealand-born artist who lives in Berlin.

Mr. Denny is the man behind a new show at the Altman Siegel gallery in San Francisco, “Security Through Obscurity,” that combines (of all things) Patagonia, Salesforce (the customer relations digital behemoth) and Margaret Thatcher. The result is a visual treatise on income inequality, global capitalism and the digital world built on shared fashion references.

Also proof positive that clothes are part of the currency of our times, no matter where you look.

After all, Patagonia and Margaret Thatcher are not two names most people would put in the same sentence. Their heydays are separated by decades; their power bases across an ocean; their philosophies of life even further apart.

Yet both Patagonia and the former British prime minister have one thing in common: They each gave the world items of dress that transcended their origins to become emblems.

In the case of Patagonia, the power vest: the fleece or puffer zip-up that is the de facto uniform of the private equity and venture capital world and the tech companies that love it.

In the case of Mrs. Thatcher, the silk scarf, which, along with the skirt suit and pussy-bow blouse, became signifiers of the Iron Lady, the woman who put on her absolutely appropriate clothes like armor in her battle to liberate the markets and bring “tough capitalism” to Britain.

Combining both, Mr. Denny, 37, found the shape, literally, of an idea.

Mr. Denny is known for work that explores the culture of technology and its effects on society. He grew up in New Zealand and moved to Germany in 2007 to attend art school.

After graduating, as he began developing his signature, he started “following” individuals he saw as paradigm changers: reading their press, their speeches and books; checking in as their careers progressed.

Peter Thiel was one. Mr. Denny’s 2019 exhibition, “The Founder’s Paradox,” held in Auckland, New Zealand, featured Mr. Thiel (for one), the billionaire tech venture capitalist who is known for buying up swaths of land in that country, as a figure called Lord Tybalt, in art inspired by fantasy board games. Dominic Cummings, the architect of Boris Johnson’s electoral victory, is another. Ditto Mrs. Thatcher.

“She was very visible in the 1980s, shaping a new kind of politics that emphasized the individual, deregulation and global neoliberalism,” Mr. Denny said, speaking on the phone from Berlin a few days before the opening.

Though Mr. Denny has previously had exhibitions at MoMA PS1 and the Serpentine in London, and represented New Zealand at the 56th Venice Biennale in 2015, this is the first time he has used fashion in his work, and it is partly because of the former prime minister.

In early 2019, a Christie’s auction catalog crossed his desk that included a group of Mrs. Thatcher’s scarves. “There were a number of things being sold,” Mr. Denny said, “but many were quite expensive.” There were suits, jewelry, silver, decorative vases. The scarves, however, were a more accessible story.

“I thought, ‘Wow, these could be quite potent material for me,’” he said. “I knew I really wanted to work with them.”

He ended up winning 17 of them from two different lots after “quite fierce competition.” The estimate for one lot was 400 to 600 pounds, and it ultimately went for £3,250 ($4,218.82); the other was £500 to £800, and the final price was £3,000 ($3,894.30). They include a Nicole Miller scarf with a Forbes print, dollar bills and slogans like “Forbes capitalist tool” and “No guts, no story”; a leopard print that made Mr. Denny think of England’s colonial past; a Chanel design; and one from Liberty of London.

“To me, they represent an era of dress — the feminine but power business look,” Mr. Denny said. “Also the Thatcher policies, which have accelerated global inequality.”

Combine that with the offer of a show in San Francisco, home of both the tech elite and a growing divide between rich and poor that is painfully visible, and Mr. Denny’s thoughts turned to another kind of dress: the vest.

He zeroed in on one example in particular, a Salesforce branded Patagonia vest, like the kind given to Dreamforce conference attendees in 2015. (Salesforce, the company co-founded by Marc Benioff in 1999 that has revenues of over $13 billion, is one of the largest employers in San Francisco.)

The result is four Nano Puff power vests made from a variety of Mrs. Thatcher’s scarves with a repurposed Patagonia label taken from an actual Patagonia garment and pasted over one breast, displayed in shallow glass vitrines like collector’s memorabilia, and two Patagonia sleeping bags, which are references to the homeless in San Francisco.

Standing up, the sleeping bags resemble nothing so much as sarcophagi, likewise made from the scarves. All of the pieces are filled with repurposed down stuffing from sleeping bags sourced in resale stores around the city.

The exhibition also includes collages made from 3-D printing Salesforce patents (the kind that Wired magazine suggested could be potential foreign tax havens). Prices range from $7,500 to $60,000.

None of the individuals or brands involved were contacted before the show; this is not a collaboration, like the Louis Vuitton handbags done by Yayoi Kusama or Haruki Murakami, but a commentary. And its implications are hard to avoid.

“The Patagonia vest is something people here will relate to right away,” said Claudia Altman-Siegel, the owner of the gallery. “I don’t know if they will like it or find it too close to home. But I really hope Marc Benioff will come.” (According to Mr. Denny, Mr. Thiel did come to see his show in New Zealand.)

Mr. Denny is not by any means the first artist to use the visual representations of luxury and fashion as a material way to confront cultural dissonance. Tom Sachs did it in the late 1990s when he used luxury brand signifiers to explore consumerism and branding. (Remember the Tiffany Glock, Chanel Guillotine or Hermès Value Meal?)

Wang Guangyi, a Chinese artist, did it with his “Great Criticism” series of paintings, which superimposed brand logos on Mao-era Communist propaganda posters.

“More and more artists like to use fashion as a way to help deliver a message because it’s an accessible point of entry for so many people,” said Stefano Tonchi, the former editor of W and now the creative director of L’Officiel Group. “It’s a way of talking not to a niche, but to a larger audience.”

None of this has escaped fashion itself, which as a rule has attempted to embrace artists who use its products as material, thus defanging the critical potential of the work. “I don’t think he’s the kind of artist who, if Dior called and said, ‘Let’s do a bag!’ he would want to say yes,” Mr. Tonchi said of Mr. Denny.

Though Mr. Denny has many artist friends in Berlin who are close to Demna Gvasalia, the designer for Balenciaga, and though Mr. Denny himself has been featured in L’Uomo Vogue and the magazine of the Canadian retailer Ssense, he has no plans to parlay his current dalliance with clothing into a sideline.

He seemed taken aback by the suggestion that he collaborate with a brand — though he does hope the show has an effect on how we dress.

“I think it would be hard not to think about the Patagonia vests differently,” he said. “I hope it puts all the super-contradictions of how we live into a frame that is impossible to ignore.”

Or, perhaps, wear — except in the wilderness, as the company originally intended.

Oyo Scales Back as SoftBank-Funded Companies Retreat

MUMBAI, India — Oyo, once one of India’s fastest-growing tech start-ups, is now rapidly scaling back.

In recent weeks, Oyo, a budget hospitality company, has pulled out of dozens of cities, cut thousands of hotel rooms, started laying off employees and slashed other costs as it faced pressure from its biggest investor, the Japanese conglomerate SoftBank, to curb vast operating losses.

The retreat has been swift and sweeping. In India alone, Oyo has lost more than 65,000 rooms — or about a quarter of what it had offered to travelers — since October, according to internal data from current and former employees that was reviewed by The New York Times. This month, Oyo also stopped selling rooms in more than 200 small Indian cities, according to company documents and one current employee and one former employee.

The moves come on top of more than 2,000 layoffs around the world, which Oyo began rolling out last week, according to six current and former employees. Before the cutbacks, Oyo had about 20,000 employees in 80 countries.

Oyo said some of the data obtained by The Times was inaccurate but declined to be specific. In an email to employees on Monday, Ritesh Agarwal, the company’s chief executive, said Oyo was focused on sustainable growth and profitability — which meant layoffs.

“Unfortunately, some roles at Oyo will become redundant as we further drive tech-enabled synergy, enhanced efficiency, and remove duplication of effort across businesses or geographies,” he wrote in the email.

The Economic Times, an Indian publication, first reported in December that job cuts at Oyo were coming.

Oyo’s actions are part of a broader pullback by start-ups funded by SoftBank. Armed with a $100 billion fund known as the Vision Fund, SoftBank has shoveled money into start-ups across the globe in recent years. That has given many young companies fuel to expand, often with little thought for profit.

Last year, some SoftBank-funded start-ups began running into trouble — most notably WeWork, the office space company, which failed to go public when investors began questioning its losses. WeWork ultimately ousted its chief executive and slashed its valuation to less than $8 billion from $47 billion.

WeWork’s fall led to questions about other start-ups that SoftBank had financed and whether those young firms could make money. Last month, the dog-walking service Wag underwent several rounds of layoffs before SoftBank sold its shares at a loss. The construction start-up Katerra, another SoftBank-funded company, also cut its staff.

This month, layoffs have gathered momentum at start-ups that SoftBank had invested in. The South American delivery service Rappi and the San Francisco car-sharing start-up Getaround said they were laying off employees. Zume, a company that used robots to make pizzas and had been valued at $2 billion, cut more than half of its work force. It also stopped making pizzas.

Some investors and start-ups said they were now approaching SoftBank’s Vision Fund cautiously — or, in some cases, avoiding it altogether.

“We have advised almost all of our companies to steer clear,” said Josh Wolfe, an investor at the venture capital firm Lux Capital who has been critical of SoftBank’s strategy. “Everyone else was fearful to say the emperor had no clothes.”

SoftBank declined to comment on Oyo and other start-ups in which it has invested.

Mr. Agarwal founded Oyo in 2013 to organize India’s small independent hotels into a chain. The company markets rooms online and takes a cut of each stay. Mr. Agarwal, who has become a business star in India, has said he aspired to make Oyo the world’s largest hotel chain by 2023, displacing Marriott.

But as Oyo tried to expand globally, in part pushed by SoftBank, it spent heavily on incentives to attract hotel owners and customers to its site. That resulted in losses in India, where Oyo has said it will lose money through at least 2021.

Masayoshi Son, SoftBank’s chief executive, began investing in Oyo in 2015. SoftBank and its Vision Fund now own half its stock. While Mr. Son has called Oyo a jewel of his fund and urged it to grow quickly, he has since changed his stance.

As Oyo’s losses have mounted, senior leaders at the company have told employees that SoftBank had demanded that it become profitable on a basis known as EBITDA — earnings before interest, taxes, depreciation and amortization — by mid-2020, according to current and former employees.

In another sign of SoftBank’s shifting position, Yahoo Japan, which is half-owned by SoftBank, pulled the plug in November on a Japanese apartment-rental venture with Oyo. Most of the Oyo employees involved in the Japan venture have been laid off or relocated, current and former employees said.

Oyo faces other troubles in India. On Friday, the Indian income-tax authorities visited the company’s headquarters just outside New Delhi, requesting reams of documents. The tax department and Oyo said the government was examining whether the company was properly withholding and remitting income taxes on payments to vendors.

The Times reported this month that Oyo had offered thousands of unlicensed hotel rooms and sometimes offered free rooms to government officials to deter enforcement. The Times also described how some Oyo employees worked together to commit fraud against the company.

In his email on Monday, Mr. Agarwal said the behavior described by The Times would violate the company’s code of conduct. “We take all the allegations very seriously and are looking into each and every one,” he wrote.

To stem losses, Oyo has also cut back on staff and supplies such as mineral water and cleaning fluids in the hotels it runs itself, according to the current and former employees. Oyo staff members managing some of the hotels have been instructed to save more money on electricity bills by switching off lights, elevators and even boilers for hot water, they said.

Morale has plummeted among thousands of Oyo workers globally, current and former employees have said.

Prabhjeet Singh, an Oyo business development manager who left the company in September, said employees who criticized the company ran a greater risk of losing their jobs.

“It’s a culture of silence,” he said.

Oyo’s reputation has deteriorated so much in India that other employers are reluctant to hire its former workers, said Mr. Singh, who has been unable to land another job.

“They look at me as if I’ve done a crime working at Oyo,” he said.

Vindu Goel reported from Mumbai, Karan Deep Singh from New Delhi and Erin Griffith from San Francisco.

Barr Asks Apple to Unlock Pensacola Killer’s Phones, Setting Up Clash

WASHINGTON — Attorney General William P. Barr declared on Monday that a deadly shooting last month at a naval air station in Pensacola, Fla., was an act of terrorism, and he asked Apple in an unusually high-profile request to provide access to two phones used by the gunman.

Mr. Barr’s appeal was an escalation of a continuing fight between the Justice Department and Apple pitting personal privacy against public safety.

“This situation perfectly illustrates why it is critical that the public be able to get access to digital evidence,” Mr. Barr said. He called on technology companies to find a solution and complained that Apple had provided no “substantive assistance,” a charge that the company strongly denied on Monday night, saying it had been working with the F.B.I. since the day of the shooting.

Detailing the results of the investigation into the Dec. 6 shooting that killed three sailors and wounded eight others, Mr. Barr said the gunman, Second Lt. Mohammed Saeed Alshamrani — a Saudi Air Force cadet training with the American military — had displayed extremist leanings.

Mr. Alshamrani warned on last year’s anniversary of the Sept. 11, 2001, attacks that “the countdown has begun” and posted other anti-American, anti-Israeli and jihadist social media messages, some within hours of attacking the base, Mr. Barr said. “The evidence shows that the shooter was motivated by jihadist ideology,” the attorney general said.

The government has also removed from the country some 21 Saudi students who trained with the American military, Mr. Barr said. He stressed that investigators found no connection to the shooting among the cadets, but said that some had links to extremist movements or possessed child pornography. Mr. Barr said the cases were too weak to prosecute but that Saudi Arabia kicked the trainees out of the program.

The battle between the government and technology companies over advanced encryption and other digital security measures has simmered for years. Apple, which stopped routinely helping the government unlock phones in late 2014 as it adopted a more combative stance and unveiled a more secure operating system, has argued that data privacy is a human rights issue. If Apple developed a way to allow the American government into its phones, its executives argued, hackers or foreign governments like China would exploit the tool.

But frustrated law enforcement officials accuse Apple of providing a haven for criminals. They have long pushed for a legislative solution to the problem of “going dark,” their term for how increasingly secure phones have made it harder to solve crimes, and the Pensacola investigation gives them a prominent chance to make their case.

In a statement Monday night, Apple said the substantive aid it had provided law enforcement agencies included giving investigators access to the gunman’s iCloud account and transaction data for multiple accounts.

The company’s statement did not say whether Apple engineers would help the government get into the phones themselves. It said that “Americans do not have to choose between weakening encryption and solving investigations” because there are now so many ways for the government to obtain data from Apple’s devices — many of which Apple routinely helps the government execute.

It will not back down from its unequivocal support of encryption that is impossible to crack, people close to the company said.

Justice Department officials said that they needed access to Mr. Alshamrani’s phones to see data and messages from encrypted apps like Signal or WhatsApp to determine whether he had discussed his plans with others at the base and whether he was acting alone or with help.

“We don’t want to get into a world where we have to spend months and even years exhausting efforts when lives are in the balance,” Mr. Barr said. “We should be able to get in when we have a warrant that establishes that criminal activity is underway.”

The confrontation echoed the legal standoff over an iPhone used by a gunman who killed 14 people in a terrorist attack in San Bernardino, Calif., in late 2015. Apple defied a court order to assist the F.B.I. in its efforts to search his device, setting off a fight over whether privacy enabled by impossible-to-crack encryption harmed public safety.

The San Bernardino dispute was resolved when the F.B.I. found a private company to bypass the iPhone’s encryption. Tensions between the two sides, however, remained, and Apple worked to ensure that neither the government nor private contractors could open its phones.

Mr. Barr said that Trump administration officials have again begun discussing a legislative fix.

But the F.B.I. has been bruised by Mr. Trump’s unsubstantiated complaints that former officials plotted to undercut his presidency and by a major inspector general’s report last month that revealed serious errors with aspects of the Russia investigation. A broad bipartisan consensus among lawmakers allowing the bureau to broaden its surveillance authorities is most likely elusive, though some lawmakers singled out Apple for its refusal to change its stance.

“Companies shouldn’t be allowed to shield criminals and terrorists from lawful efforts to solve crimes and protect our citizens,” Senator Tom Cotton, Republican of Arkansas, said in a statement. “Apple has a notorious history of siding with terrorists over law enforcement. I hope in this case they’ll change course and actually work with the F.B.I.”

Apple typically complies with court orders to turn over information on its servers. But it said that it would turn over only the data it had, implying that it would not work to unlock the phones.

Investigators secured a court order within a day of the shooting, allowing them to search the phones, Mr. Barr said. He turned up the pressure on Apple a week after the F.B.I.’s top lawyer, Dana Boente, asked the company for help searching Mr. Alshamrani’s iPhones.

Officials said that the F.B.I. was still trying to gain access to the phones on its own and approached Apple only after asking other government agencies, foreign governments and third-party technology vendors for help, to no avail.

The devices were older models: an iPhone 7 with a fingerprint reader and an iPhone 5, according to a person familiar with the investigation.

Justice Department officials said that investigators have yet to make a final determination about whether Mr. Alshamrani conspired with others. They said that the Saudi government was offering “unprecedented” cooperation but that “we need to get into those phones.”

Mr. Barr and other law enforcement officials described a 15-minute shootout before security officers shot and killed Mr. Alshamrani. During the firefight, Mr. Alshamrani paused at one point to shoot one of his phones once, Mr. Barr said, adding that his other phone was also damaged but that the F.B.I. was able to repair them well enough to be searched.

Mr. Alshamrani also shot at photographs of President Trump and one of his predecessors, said David Bowdich, the deputy director of the F.B.I. A person familiar with the investigation identified the unnamed president as George W. Bush.

Mr. Alshamrani’s weapon was lawfully purchased in Florida under an exemption that allows nonimmigrant visa holders to buy firearms if they have a valid hunting license or permit, officials said.

Law enforcement officials have continued to discuss Mr. Alshamrani’s phones with Apple, they said.

“We’re not trying to weaken encryption, to be clear,” Mr. Bowdich said at a news conference, noting that the issue has come up with thousands of devices that investigators want to see in other cases.

“We talk about this on a daily basis,” he said. Mr. Bowdich was the bureau’s top agent overseeing the San Bernardino investigation and was part of the effort to push Apple to crack into the phone in that case.

But much has also changed for Apple in the years since Tim Cook, its chief executive, excoriated the Obama administration publicly and privately in 2014 for attacking strong encryption. Obama officials who were upset by Apple’s stance on privacy, along with its decision to shelter billions of dollars in offshore accounts and make its products almost exclusively in China, aired those grievances quietly.

Now Apple is fighting the Trump administration, and Mr. Trump has shown far more willingness to publicly criticize companies and public figures. When he recently claimed falsely that Apple had opened a manufacturing plant in Texas at his behest, the company remained silent rather than correct him.

At the same time, Apple has financially benefited more under Mr. Trump than under President Barack Obama. It reaped a windfall from the Trump administration’s tax cuts, and Mr. Trump said he might shield Apple from the country’s tariff war with China.

He had said last month that finding a way for law enforcement to gain access to encrypted technology was one of the Justice Department’s “highest priorities.”

Mr. Alshamrani, who was killed at the scene of the attack, came to the United States in 2017 and soon started strike-fighter training in Florida. Investigators believe he may have been influenced by extremists as early as 2015.

Mr. Barr rejected reports that other Saudi trainees had known of and recorded video of the shooting. Mr. Alshamrani arrived at the scene by himself, and others in the area began recording the commotion only after he had opened fire, Mr. Barr said. They and other Saudi cadets cooperated with the inquiry, he added.

Jack Nicas contributed reporting from San Francisco.

Welcome to India, Mr. Bezos. Here’s an Antitrust Complaint.

MUMBAI, India — Amazon’s founder and chief executive, Jeff Bezos, is visiting India this week for the first time in over five years.

Instead of garlands, India’s government is welcoming him with a new antitrust case.

The Competition Commission of India, the country’s antitrust regulator, opened a formal investigation on Monday into the practices of Amazon and Flipkart, the Indian e-commerce giant mostly owned by Walmart.

The inquiry was prompted by complaints from an association of small traders, after several rounds of regulations failed to curb the market power of the two e-commerce platforms, particularly in the online sales of mobile phones. Indian merchants have lobbied Prime Minister Narendra Modi to take tougher action against the companies.

India requires foreign-owned e-commerce firms to be neutral marketplaces, much like eBay, to protect local retailers and distributors from deep-pocketed competition. In the United States, Amazon both operates a marketplace and sells many products — including diapers, batteries and books — like a traditional retailer, buying them wholesale and then reselling them to consumers. Under Indian law, the site is supposed to rely on independent sellers who post their products on Amazon.

But both Amazon and Flipkart give preference to some sellers, the Indian regulator said, by using affiliated companies, discounts and their global relationships with manufacturers to influence who sells what and at what price.

For example, Amazon sells its own brands, like AmazonBasics luggage and Solimo paper products, on its Indian site through companies in which it holds an equity stake. And Flipkart features a small group of preferred, high-volume sellers on its service.

The commission will investigate whether those arrangements violate India’s antitrust law.

India is one of Amazon’s fastest-growing markets as well as an important location for its customer service and research operations. But Mr. Bezos has made just three trips to the country.

On Wednesday, he is expected to discuss opportunities for small businesses on Amazon at a conference in New Delhi. He is also expected to meet Mr. Modi and plans to travel to Mumbai, home to India’s Bollywood film industry, to rub elbows with Bollywood stars like the actor Shah Rukh Khan and the director Zoya Akhtar.

In a statement, Amazon said, “We welcome the opportunity to address allegations made about Amazon; we are confident in our compliance, and will cooperate fully with C.C.I.”

Flipkart said it was complying with all laws in India governing e-commerce and noted the large number of sellers on its platform. “We take pride in democratizing e-commerce in India,” the company said in a statement.

Amazon, the world’s biggest online retailer, faces other antitrust inquiries around the world. The scrutiny in Europe and the United States has also focused on its relationship to its third-party sellers, which account for about 60 percent of sales.

The Federal Trade Commission and the House Judiciary Committee are examining whether Amazon unfairly treats sellers that do not use some of Amazon’s services, such as its fulfillment network. The European Union’s antitrust commission has opened an investigation into whether Amazon misuses information from its marketplace sellers to decide what products it sells directly to customers, including its own private-label offerings.

Amazon has maintained that it faces strong competitors, such as Walmart, and is a small player in the overall retail market, which is still dominated by physical stores.

Karen Weise contributed reporting from Seattle.

Away C.E.O. Is Back, Just Weeks After Stepping Down

She apologized for her management style and stepped down as chief executive. Now, she says it was a mistake to fall on her sword and is taking her job back.

Former employees of Away luggage, one of the fastest-growing retail start-ups in recent years, accused the company’s chief executive, Steph Korey, of creating a toxic culture within the company in an article published by the technology website The Verge that went viral last month.

The article included text messages that a Verge editor described on Twitter as showing Ms. Korey using the workplace messaging application Slack “as a tool to stalk and bully junior and minority employees.”

In the article, former employees — who were identified by pseudonyms — contended that Ms. Korey pushed them too hard. In one message quoted in the article, which was sent at 3 a.m., she told employees on the customer service team that they could not work from home or submit vacation requests until customer service problems she had identified were resolved. In others, she came across as passive-aggressive.

Within hours of its publication, the article had created a social media firestorm around the company, which is worth more than $1 billion in the private market with plans to go public. For a company focused on a millennial audience and a brand that seeks to evoke a sense of community, the story was viewed internally as existential.

Within 24 hours, Ms. Korey had issued a lengthy apology. “I am sincerely sorry for what I said and how I said it. It was wrong, plain and simple,” she said. “I can imagine how people felt reading those messages from the past, because I was appalled to read them myself,” she wrote. Days later, the company said that it was hiring a new chief executive and that Ms. Korey would become executive chairwoman.

The episode, the latest example of a fast-growing company run by young founders that has found itself in a crisis, was viewed within the insular world of start-ups as a swift fall for Ms. Korey, Away’s 31-year-old co-founder.

The new chief executive, Stuart Haselden, plans to start his job on Monday, having been recruited from Lululemon Athletica, the company famous for its leggings.

But there is one new, significant wrinkle: His title won’t be chief executive — he will be co-chief executive with Ms. Korey. She isn’t going anywhere. The company plans to announce the move on Monday morning.

“Frankly, we let some inaccurate reporting influence the timeline of a transition plan that we had,” Ms. Korey said in an interview last week. With some time and perspective, she said, the company’s board members decided to reverse themselves. “All of us said, ‘It’s not right.’”

The members of Away’s board say they feel as if they fell victim to management by Twitter mob.

The company now says it disputes The Verge’s reporting and has hired Elizabeth M. Locke, the lawyer who successfully brought a defamation case against Rolling Stone magazine for a story about a supposed gang rape at the University of Virginia. It is unclear whether Away plans to bring a lawsuit.

In a statement, The Verge said, “Steph Korey responding to our reporting by saying her behavior and comments were ‘wrong, plain and simple’ and then choosing to step down as C.E.O. speaks for itself.”

Sitting in a windowless conference room at the company’s SoHo headquarters, Ms. Korey, at one point nearly breaking down in tears, said that the month since the article was published had been a tough lesson about management — and herself. She was bombarded by criticism on Twitter and other social media platforms that she thought would put the company’s future in jeopardy.

“It’s very upsetting if suddenly total strangers tell you that you should get an abortion,” said Ms. Korey, who is pregnant. One user on Twitter wrote: “Imagine how she’ll treat that baby.”

In the moment, she said, she chose to take herself out of the chief executive role and make herself executive chairwoman. “I said, ‘I don’t know if the company needs a C.E.O. under fire right now,’” she said. “‘Why don’t we just accelerate our transition plan?’”

In a separate interview, Ludwig Ensthaler, a partner at the venture capital firm Global Founders Capital and the only independent director on Away’s four-member board, confirmed that it had been Ms. Korey’s decision to step down and that there was no pressure from outside investors. He added that he should not have accepted the restructuring plan she proposed in the first place.

Ms. Korey had already recruited Mr. Haselden to the company to become its president, with the promise that, after a transition period, he would be elevated to chief executive to help take the company public. When the plan changed after the Verge article was published, she said she would become executive chairwoman and Mr. Haselden the chief executive. But behind the scenes, she said, she expected both of them to operate pretty much in their original roles, just with different titles. Ms. Korey’s co-founder, Jen Rubio, will remain president and chief brand officer.

“I honestly thought that people didn’t care that much about the inner workings of Away,” she said. “Who is C.E.O. and who is executive chairman — that wasn’t something that, at a private company that’s less than four years old that sells travel products, I just didn’t think would be news and people would care.”

But, she said, it quickly became clear that her plan to remain at Away — effectively in the same role but with a new title — was not understood inside or outside the company.

“The way it became perceived it was like I stepped down and like I left the company,” she said. “I have a very external-facing role working with new vendors, working with new partners, recruiting new candidates. And without a change, it looks like they have a board director reaching out to them who doesn’t work at the company.”

Mr. Haselden said in a telephone interview that the article didn’t paint Ms. Korey as the person he knew and said her original decision to step aside “was very selfless in trying to defuse the firestorm of social media.”

“But it just created a misconception that she was exiting the business, which was never the intent,” he added. Making them both co-chief executive, he said, “will clarify how we intended to operate from the beginning.” Ms. Korey said she still planned to eventually step aside after a transition period and Mr. Haselden will become the sole chief executive.

Whether the article reflected an accurate picture of the company — The Verge has since published several updates, clarifications and corrections — it is hard to judge if Ms. Korey herself has changed.

The company provided a trove of emails from employees that suggested they loved working for her. Yet even after the Verge article appeared, employees continued to leak screenshots of Away’s Slack channels to the site, suggesting that whatever changes had been made, some people inside the company remained unhappy.

Ms. Korey said she has done a lot of soul-searching since the article was published. While she maintained that it misrepresented her behavior, she said she recognized that she had made mistakes and could improve.

“When I think back on ways I’ve phrased feedback, there have been times where the word choice isn’t as thoughtful as it should have been, or the way it was framed actually wasn’t as constructive as it could have been,” she said. “Those are not, in the eyes of our leadership and the eyes of our board, terminal, unsolvable problems.”