Welcome to Codebook, Axios' cybersecurity newsletter and trust fall liability.
If you've got tips or story ideas, I'd love to see. Just reply to this email.
A Huawei store in Shenyang, Liaoning Province of China. Photo: VCG/VCG via Getty Images
The arrest and pending extradition of Huawei chief financial officer Meng Wanzhou for violating Iran sanctions may have quick, dramatic impacts in international politics and global technology sales.
Why it matters: The beleaguered Chinese electronics and telecommunications equipment firm is now facing geopolitical crises on two fronts: British telecom giant BT just barred use of Huawei products in its 5G network. The arrest of Meng, the CFO and daughter of the company's founder, is a blow to the company on top of an already bad situation.
We may have cornered a wounded corporation. "Huawei is one of the Chinese government's pet companies," said James Lewis, director of technology policy at the CSIS think tank and a former Commerce Department official who worked on Chinese high tech policy. "They will retaliate and China will take hostages.
"If I was an American tech executive, I wouldn't travel to China this week," Lewis added.
Background: Meng was arrested in Canada and will be extradited to the United States. China has demanded her release.
The intrigue: The South China Morning Post reported Meng sent a memo to employees saying there were some situations — "yellow lines" as opposed to "red" ones — in which it would be OK to violate sanctions laws, she said.
The charges echo similar charges against ZTE. Both Chinese companies manufacture tech equipment. ZTE has twice admitted to sending equipment to Iran and North Korea, ultimately settling for a $1 billion fine and organizational changes.
Huawei, like ZTE, is often accused by U.S. lawmakers of sabotaging its products to allow Chinese surveillance. Those allegations have led many nations, including the U.S., to bar the firms' equipment from use in telecommunications projects.
Sen. Marco Rubio (R-Fla.) celebrated the arrest in an email to Axios and encouraged Canada to reverse course on permitting Huawei wares. "[Huawei] has long posed a serious risk to U.S. national security, and I continue to strongly urge Canada to reconsider Huawei’s inclusion in any aspect of its 5G development, introduction, and maintenance," he wrote.
Key takeaways (abridged) from a British Parliament member's release of internal Facebok emails and documents from Axios' Sara Fischer.
Naivete about data leaking: An email shows a former Facebook VP of product management saying he was generally skeptical there was as much strategic risk in data leaks between developers (like what happened with Cambridge Analytica).
Whitelists: The documents show that Facebook gave some companies like Netflix and Lyft access to data that Facebook stopped giving broad access to beginning in 2014-2015 after it changed its data policies.
Call and text history on Android: Facebook executives emailed about the PR and legal risks of accessing a record of Android call and message history. Emails make it seem like the company wanted to collect the data as discretely as possible to avoid such risks.
After the NRCC acknowledged an email breach occurred before the election, many people's thoughts turned to election tampering — as in the 2016 election. But even if the NRCC was hacked by a foreign nation, which we do not yet know, it still might not be tampering.
Why it matters: All nations spy. And while no one wants to be the victim of spying, spying without breaking anything is well within what nations expect each other to do.
It's counterintuitive to most people, but the world works under a gentleman's agreement that espionage — gathering intelligence purely to inform policy or military decisions — is the international equivalent of a misdemeanor. Using the information to meddle with other countries' affairs is the felony.
"The key differentiators are the intent behind the intrusion, what the intruder does on the network and how any stolen information is used," said Michael Daniel, ex-White House cybersecurity czar and current president and CEO of the Cyber Threat Alliance.
We don't know if the NRCC hackers intended any damage to the infrastructure or psyche of America. They could easily have been looking for information to guide policies if a party won an election — as American officials admit the U.S. has done.
That doesn't mean we're definitely out of the woods.
Photo: Maciej Toporowicz, NYC
Hackers are targeting academics, particularly those with biomedical engineering backgrounds, in an espionage-like campaign to steal data. Arbor Networks ASERT team, who discovered the group, have dubbed the actors "Stolen Pencil."
Why it matters: Universities are gold mines of intellectual property. But ASERT notes that there is no evidence of data theft, leaving the purpose of the attacks a little unclear.
Details: Victims were sent links to a malicious browser extension that would open a secret connection to the victims' system. The hackers then uploaded a bevy of tools to harvest passwords from those machines.
Maybe it was North Korea: There is some evidence that the attack may have come from North Korea, although not enough to say with any certainty.
The Australian government passed a modified version of its encryption bill Thursday, after the attorney general and his opposition shadow came to an agreement.
Why it matters: The bill gives law enforcement the ability to compel tech firms to circumvent encryption in their products to aid law enforcement. Australia is a member of the Five Eyes alliance along with the U.S., U.K., Canada and New Zealand, and the bill is seen by many as a stepping stone toward new encryption laws in other nations.
What they're saying: "We are very concerned," said Sharon Bradford Franklin, director of surveillance and cybersecurity policy at New America’s Open Technology Institute. "The U.K. Investigatory Powers Act may have been the first domino towards global encryption policy, but Australia's rule is far more dangerous."
The original bill was marketed as one that gives law enforcement access without the creation of back doors or mass surveillance, and indeed it specifically bans "systemic surveillance."
The compromise will permit the government to command tech firms to implant surveillance technology or software into products to investigate crimes that carry at least a three-year prison sentence.
"This is a backdoor to a backdoor," said Bradford Franklin, who noted that if Australia ordered a surveillance implant in an Apple phone, the U.S. or anyone else could order Apple to provide access to that information feed.
Codebook will return on Tuesday.