Huawei employee arrested in Poland on spying allegations

Huawei’s sales director in Poland, who previously served in the Chinese diplomatic corps, has been arrested by the Polish authorities on spying allegations. Huawei immediately terminated his employment.

More details have been disclosed related to the arrest of Wang Weijing, who also goes by the name Stanislaw Wang. After serving as attaché at the Chinese general consulate in Gdansk, Wang joined Huawei’s Poland office in 2011, first as its PR director then as its sales director responsible for selling to the Polish public sector. Wang was detained on 8 January, on allegations of spying, as was first reported by the Polish public broadcaster TVP.

According to TVP, an Orange employee arrested on the same allegations, identified as Piotr D., had previously worked at Poland’s Internal Security Agency (ISA, or Agencja Bezpieczeństwa Wewnętrznego, ABW, in Polish), the agency that carried out the arrests. While at the ISA, one of his responsibilities was issuing security certificates for equipment used by Poland’s public-sector offices. He had left the agency after being accused of corruption, but was never formally charged.

The offices of both Huawei and Orange were searched following the arrests, though a spokesperson for the ISA told Reuters that the allegations against Wang related to his individual actions and were not directly linked to Huawei. This is also the line Huawei adopted when it promptly severed its employment relationship with Wang, stating that “in accordance with the terms and conditions of Huawei’s labour contract, we have made this decision because the incident has brought Huawei into disrepute.”

Orange said it did not know whether the investigation into Piotr D. was linked to his professional work, but that it would continue to cooperate with the authorities.

Despite the troubles it has run into in markets like the US, New Zealand, Japan, and the UK, Huawei’s business in Eastern Europe has been largely unperturbed. However, the latest twist in Poland and the earlier arrest of Meng Wanzhou, Huawei’s CFO, in Canada might put this position under pressure. On Saturday 12 January, Joachim Brudzinski, Poland’s interior minister, speaking on a Polish commercial radio station, called for a joint EU-NATO position on banning Huawei from these markets. “There are concerns about Huawei within NATO as well. It would make most sense to have a joint stance, among EU member states and NATO members,” said Brudzinski.

Then on Sunday 13 January, Karol Okonski, a government official responsible for cyber security, told Reuters that Poland could consider forbidding the public sector from using Huawei products while probing the legal measures to limit Huawei’s access to the private sector. “We do not have the legal means to force private companies or citizens to stop using any IT company’s products. It cannot be ruled out that we will consider legislative changes that would allow such a move,” Okonski said.

Huawei has always denied that it poses a security threat or that it spies on behalf of the Chinese government. In a statement sent to media after its CFO’s arrest, and sent again after the arrests in Poland, Huawei stressed that it “complies with all applicable laws and regulations in the countries where it operates, and we require every employee to abide by the laws and regulations in the countries where they are based.”

Incidentally, the South China Morning Post reported earlier that, shortly before her arrest in Canada, Meng Wanzhou and Ren Zhengfei, the founder of Huawei and Meng’s father, hosted a town hall meeting for Huawei employees. According to a transcript distributed to Huawei staff and seen by SCMP, both executives discussed compliance extensively. Cases were divided into “red” and “yellow” lines. By red line, Meng meant the rules where there is “no bargaining and must be strictly complied with”, while by yellow line she referred to cases where strict compliance is not operationally feasible, and the company can build in the costs of flouting the rules as “sunk costs.” She cited labour risks as an example.

“Of course, beyond the yellow and red lines, there may still be another scenario, and that is where the external rules are clear-cut and there’s no contention, but the company is totally unable to comply with in actual operations. In such cases, after a reasonable decision-making process, one may accept the risk of temporary non-compliance,” she said, as quoted by SCMP.

Ren also urged his staff to consider both cost and benefit in compliance cases, especially related to laws of the US and EU. SCMP quoted him challenging those present when answering a question: “We must not bind ourselves up just because the US is attacking us. If our hands and feet are bound, then we will not be able to continue producing, then what’s the point of compliance?”

Privacy International points GDPR finger at Facebook

An investigation from privacy advocacy group Privacy International on the flow of personal information has questioned whether Facebook and its advertisers are violating Europe’s GDPR.

To date there have not been any major enforcement cases brought under the new data privacy regulation. There have of course been numerous violations of user privacy, but because those incidents occurred before GDPR came into force, the old version of the rules and penalties applied. This investigation from Privacy International could prove to be a landmark.

The investigation itself questions whether Facebook and the app developers who use its platform for data collection and user identification are acting responsibly and legally. Apps built with the Facebook Software Development Kit (SDK) automatically send data back to the social media giant, regardless of whether consent has been collected, or even whether the user has a Facebook account.

“Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools,” Privacy International states on its website.

“App developers share data with Facebook through the Facebook Software Development Kit (SDK), a set of software development tools that help developers build apps for a specific operating system. Using the free and open source software tool called ‘mitmproxy’, an interactive HTTPS proxy, Privacy International has analysed the data that a number of Android apps transmit to Facebook through the Facebook SDK.”

After testing dozens of different apps, Privacy International claims 61% automatically transfer data to Facebook the moment a user opens the app, while others routinely send Facebook data that is incredibly detailed. Some of these users may be logged out of the platform or might not even have a Facebook account in the first place. Apps tested include the travel comparison app Kayak, the job search service Indeed and the crowd-sourced review service Yelp.

Looking at the Kayak example, information was transferred to Facebook not only when the app was opened and closed, but also at each stage of the search process. In the example Privacy International gives, the user searched for a flight from London Gatwick to Tokyo between December 2 and 5, selected Narita Airport, and then ran a second search for hotels for two adults in the city. All of this information was sent to Facebook without any prompt, despite Kayak telling the user at sign-in, ‘don’t worry, we’ll never share anything without your permission’.
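The kind of triage Privacy International performed on its mitmproxy captures can be scripted. The following is an added example, not Privacy International’s tooling and not Facebook’s code: it takes a small constructed set of request records (the sort of thing a mitmproxy addon would log per POST) and reports, per app, which events reached Facebook, whether they carried a persistent identifier, whether they went out at launch, and whether any were sent before the tester had accepted a consent dialog. The endpoint path and field names (advertiser_id, anon_id, custom_events, _eventName) are loosely modelled on the SDK’s event-logging request format and should be treated as assumptions; the captured flows themselves are hand-written for illustration.

```python
"""Triage of Facebook SDK traffic captured with mitmproxy.

Added example, not code from the article or from Privacy International.
Assumptions: the flows below are constructed by hand and only loosely
modelled on the SDK's Graph API '/activities' event-logging request;
field names such as 'advertiser_id', 'anon_id', 'custom_events' and
'_eventName' are illustrative, not a specification.
"""
import json
from urllib.parse import parse_qs, urlencode

FACEBOOK_HOSTS = ("graph.facebook.com",)
ID_FIELDS = ("advertiser_id", "anon_id")  # values that make records linkable across apps

# Constructed capture. t = seconds since the app process started;
# consent_given = whether the tester had accepted any consent dialog by then.
SAMPLE_FLOWS = [
    {"app": "com.example.travel", "t": 0.4, "consent_given": False,
     "host": "graph.facebook.com", "path": "/v3.2/123456789/activities",
     "body": urlencode({
         "event": "MOBILE_APP_INSTALL",
         "advertiser_id": "aaaaaaaa-1111-2222-3333-444444444444",
         "anon_id": "XZ0123",
         "application_tracking_enabled": "1",
         "advertiser_tracking_enabled": "1"})},
    {"app": "com.example.travel", "t": 12.0, "consent_given": False,
     "host": "graph.facebook.com", "path": "/v3.2/123456789/activities",
     "body": urlencode({
         "event": "CUSTOM_APP_EVENTS",
         "advertiser_id": "aaaaaaaa-1111-2222-3333-444444444444",
         "anon_id": "XZ0123",
         "custom_events": json.dumps([
             {"_eventName": "fb_mobile_search",
              "fb_search_string": "LGW-NRT 2018-12-02 2018-12-05"}])})},
    {"app": "com.example.travel", "t": 15.0, "consent_given": False,
     "host": "api.example.travel", "path": "/search",        # first-party traffic, ignored
     "body": urlencode({"from": "LGW", "to": "NRT"})},
    {"app": "com.example.notes", "t": 30.0, "consent_given": True,
     "host": "graph.facebook.com", "path": "/v3.2/987654321/activities",
     "body": urlencode({"event": "CUSTOM_APP_EVENTS",
                        "custom_events": json.dumps([{"_eventName": "note_saved"}])})},
]


def parse_event_body(body):
    """Return (event type, [custom event names], {identifier field: value})
    for one form-encoded SDK request body."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    custom = []
    if "custom_events" in form:
        custom = [e.get("_eventName", "?") for e in json.loads(form["custom_events"])]
    ids = {k: form[k] for k in ID_FIELDS if k in form}
    return form.get("event"), custom, ids


def analyse_flows(flows, launch_window=2.0):
    """Summarise, per app, everything that reached a Facebook host.

    launch_window: a request within this many seconds of process start is
    counted as 'sent at launch', i.e. before the user did anything."""
    report = {}
    for f in flows:
        if f["host"] not in FACEBOOK_HOSTS:
            continue
        event, custom, ids = parse_event_body(f["body"])
        r = report.setdefault(f["app"], {
            "events": [], "identifiers": set(),
            "sent_at_launch": False, "sent_before_consent": False})
        r["events"].append(event)
        r["events"].extend(custom)
        r["identifiers"].update(ids)
        r["sent_at_launch"] |= f["t"] <= launch_window
        r["sent_before_consent"] |= not f["consent_given"]
    return report


def summarise(report):
    """One human-readable line per app, with the findings that matter for consent."""
    lines = []
    for app, r in sorted(report.items()):
        flags = []
        if r["sent_at_launch"]:
            flags.append("at launch")
        if r["sent_before_consent"]:
            flags.append("before consent")
        if r["identifiers"]:
            flags.append("with " + ", ".join(sorted(r["identifiers"])))
        lines.append(f"{app}: {', '.join(r['events'])} ({'; '.join(flags) or 'nothing flagged'})")
    return lines


if __name__ == "__main__":
    for line in summarise(analyse_flows(SAMPLE_FLOWS)):
        print(line)
```

On the constructed capture, the travel app is flagged on all three counts (an event at 0.4 s, before any consent, carrying both the advertising ID and the SDK’s anonymous ID), while the notes app, which only logged an event after consent and without identifiers, is not flagged. In a real run the records would come from a mitmproxy addon writing each POST to the Facebook host, and the consent marker would be set by the tester as they step through the app.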

Alone this information is useful, but not incredibly so. However, when you consider the huge number of apps which will be sending information back to Facebook, an incredibly detailed picture of the user can be built. Using the other apps tested in this investigation, Facebook could also learn or make assumptions about the user’s religion (Muslim Pro), music interests (Shazam), salary and disposable income (Indeed Job Search) and interest in physical activities (MyFitnessPal). All of this information could be used to feed incredibly personalised advertisements to the user.

The big question which remains is whether this could be perceived as a violation of GDPR. Facebook has stated that it released an update to the SDK which allows developers to delay or suspend the automatic data transfers, though this is only available in version 4.34 and later, and the default remains on: unless the developer changes that setting, the SDK still sends the Google advertising ID. With the opt-out turned off by default, some might suggest the user is being led rather than asked.

Another factor which could work against Facebook is the collection of data on people who do not have Facebook accounts; this is much more suspect. Under GDPR, a company must have a lawful basis for collecting personal data and a specific, justified purpose for doing so. It does appear Facebook is collecting information on non-users without any such purpose or valid reason.

With fines for violating GDPR of up to 4% of annual global turnover (or €20 million, whichever is higher), the stakes are very high. This could prove to be one of the first tests of the rules, designed to protect the privacy of the general public, and few will be surprised that Facebook is a central character in the story. With the social media giant seemingly antagonising many governments around the world, we suspect there will be a queue forming to have a swing with the sharp GDPR stick.

Facebook and Google accused of GDPR ‘forced consent’

It turns out that imposing extra layers of bureaucracy on companies can bring about unintended consequences, who knew?

Among the inevitable deluge of emails sent by companies desperate to be seen to be doing the bare minimum in compliance with the General Data Protection Regulation (GDPR), which came into effect in Europe today (25 May 2018), have been those requesting blanket opt-ins. They usually feature handy one-click buttons that most people presumably use just to be able to put this trying week behind them. The underlying threat is that users either agree to everything or get kicked off the service.

Campaigning group noyb.eu (none of your business), headed by prominent data privacy complainer Max Schrems, is not happy with how Facebook and Google have gone about interacting with their users on this matter. So it has filed complaints against the two and also Facebook subsidiaries Instagram and WhatsApp, in four different countries to make sure it’s nice and pan-European.

“The GDPR prohibits such forced consent and any form of bundling a service with the requirement to consent (see Article 7(4) GDPR),” says the complaint. “Consequently access to services can no longer depend on whether a user gives consent to the use of data. On this issue a very clear guideline of the European data protection authorities has already been published in November 2017.”

Using language apparently taken from the pages of 50 Shades of Grey, companies seem to be imposing forced consent on their users in order to achieve basic compliance with the GDPR regulations. But if this complaint has merit, which it seems to, then these tech giants might end up getting a thorough spanking from Europe’s data protection authorities.