Since 2019, MirrorFace has been stealing information from myriad Japanese organizations to gain leverage over Japan in the event of hostilities between the two countries, experts said.

Source: Birgit Korber via Alamy Stock Photo

The National Police Agency and the National Center of Incident Readiness and Strategy for Cybersecurity warned Japanese organizations of a sophisticated Chinese state-backed cyber-espionage effort called "MirrorFace" to steal technology and national security secrets.

Japanese authorities said the advanced persistent threat group (APT) MirrorFace has been operating since 2019.

"By publicizing the modus operandi of 'MirrorFace' cyberattacks, the purpose of this alert is to make targeted organizations, business operators, and individuals aware of the threats they face in cyberspace and to encourage them to take appropriate security measures to prevent the damage caused by cyberattacks from spreading and to prevent damage from occurring in the first place," read a statement from Japanese police.

**MirrorFace Cyberattacks Against Japan**

Japanese law enforcement identified three types of MirrorFace attacks. The earliest and most enduring tactic used by MirrorFace to steal Japanese secrets was an elaborate phishing campaign between 2019 and 2023 aimed at delivering malware to the country's think tanks, governments, and politicians, according to the warning issued by Japan's National Police Agency and translated to English.

In 2023, MirrorFace pivoted to finding vulnerabilities in network devices across healthcare, manufacturing, information and communications, education, and aerospace, the police continued. MirrorFace exploited vulnerabilities in devices that included Fortinet FortiOS and FortiProxy (CVE-2023-28461), Citrix ADC (CVE-2023-27997,) and Citrix Gateway (CVE-2023-3519).

Another phishing campaign began around June 2024 and used basic phishing tactics against the media, think tanks, and Japanese politicians, according to police. And from February 2023 to October 2023, the group was observed exploiting an SQL injection in an external public server to gain access to Japanese organizations.

The revelations about MirrorFace's activities come amid other headline-grabbing Chinese-sponsored cyberattacks against US and global telecom companies, and even the US Department of the Treasury, carried out by a fellow APT group "Salt Typhoon."

MirrorFace appears to operating as a a People's Liberation Army (PLA) cyber-warfare unit, according to Mark Bowling, former FBI special agent and current chief information security and risk officer at ExtraHop.

"Since 2019, the MirrorFace APT has consistently utilized well-crafted spear-phishing campaigns, and used weaponized code/logic such as LODEINFO and MirrorStealer to steal credentials, escalate privileges, and exfiltrate data which could be utilized to better position the PLA in the event of hostilities with Japan," Bowling says.

As geopolitical tensions continue to flare up around the world, Bowling expects to see an increasing uptick in APT activity in kind, particularly by nation-state actors targeting the US.

"The consequences of those strained relations over Ukraine, Taiwan, and the ongoing Iran hostility against Israel though its proxies are now increasingly spilling over into aggressive and relentless digital campaigns," Bowling explains. "There is no doubt threats from nation-state groups will increase in volume and sophistication this year, targeting our critical infrastructure like utilities, telecommunications, and healthcare."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Chinese APT Group Is Ransacking Japan's Secrets

In my experience as a sysadmin, I have often found network connectivity issues challenging to troubleshoot. For those situations, tcpdump is a great ally.Take the course: Getting started with Linux fundamentalsTcpdump is a command-line utility that allows you to capture and analyze network traffic going through your system. It is often used to help troubleshoot network issues, as well as a security tool.A powerful and versatile tool that includes many options and filters, tcpdump can be used in a variety of cases. Because it's a command-line tool, it is ideal to run in remote servers or device

An introduction to using tcpdump at the Linux command line

The most recent iteration of the open source infostealer skates by antivirus programs on Macs, using an encryption mechanism stolen from Apple's own antivirus product.

Source: Charles Walker Collection via Alamy Stock Photo

The macOS infostealer "Banshee" has been spotted skating by antivirus programs using a string encryption algorithm it stole from Apple.

Banshee has been spreading since July, primarily via Russian cybercrime marketplaces, where it was sold as a $1,500 "stealer-as-a-service" for Macs. It's designed to steal credentials from browsers — Google Chrome, Brave, Microsoft Edge, Vivaldi, Yandex, and Opera — and browser extensions associated with cryptocurrency wallets — Ledger, Atomic, Wasabi, Guarda, Coinomi, Electrum, and Exodus. Plus, it lifts additional information about targeted systems, including software and hardware specifications, and the password needed to unlock the system.

It was far from a perfect tool, widely detected by antivirus programs, thanks in part to its being packaged entirely in plaintext. But on Sept. 26, researchers from Check Point observed a more potent variant. This more successful variant remained otherwise undetected for months, primarily because it was encrypted with the same algorithm used by Apple's Xprotect antivirus tool for macOS.

**Banshee Malware Steals From XProtect**

XProtect is Apple's decade-and-a-half-old anti-malware engine for macOS. To detect and block malware, it uses "Remediator" binaries, which combine various methods and tools for antivirus-ing, including YARA rules, which contain patterns and signatures associated with known threats.

Check Point found that the same encryption algorithm that protects XProtect's YARA rules also concealed the September variant of Banshee.

It's not clear how the malware author — nom de guerre "0xe1" or "kolosain" — gained access to that algorithm.

"It could be that they performed a reverse engineering of the XProtect binaries, or even read relevant publications, but we can't confirm it," Antonis Terefos, reverse engineer at Check Point Research, speculates. "Once the string encryption of macOS XProtect becomes known — meaning the way the antivirus is storing the YARA rules is reverse-engineered — threat actors can easily 'reimplement' the string encryption for malicious purposes," he says.

Either way, the effect was significant. "The majority of the antivirus solutions in VirusTotal detected the initial Banshee samples using plaintext, but once the developer introduced this novel string encryption algorithm, none of the approximately 65 antivirus engines in VirusTotal detected it," he says.

That remained the case for around two months. Then, on Nov. 23, Banshee's source code was leaked on the Russian language cybercrime forum "XSS." 0xe1 shuttered his malware-as-a-service (MaaS) operation, and antivirus vendors incorporated associated YARA rules in due course. But even after that point, Terefos reports, the encrypted Banshee remained undetected by most engines on VirusTotal.

**How Banshee Stealer Is Spreading in Cyberattacks**

Since late September, Check Point has identified more than 26 campaigns spreading Banshee. Broadly speaking, they can be grouped into two clusters.

In three waves of campaigns lasting from mid-October to early November, threat actors spread the infostealer via GitHub repositories. The repositories promised users cracked versions of popular software, like Adobe programs and various image and video editing tools. The malware was concealed behind generic file names such as "Setup," "Installer," and "Update." This same cluster of activity also targeted Windows users with the popular Lumma Stealer.

The remaining campaigns spread Banshee via phishing sites, of one form or another. In these cases, the attackers disguised the malware as various popular software programs, including Google Chrome, TradingView, Zegent, Parallels, Solara, CryptoNews, MediaKIT, and Telegram. If a visitor was using macOS, they'd get a download link.

More, varying campaigns could be on the way, now that Banshee has been leaked. Thus, Terefos says, "Despite macOS traditionally being regarded as more secure, Banshee’s success demonstrates the importance for macOS users to remain vigilant and aware of the threats."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Banshee 2.0 Malware Steals Apple's Encryption to Hide on Macs

An HTML injection vulnerability in Vaultwarden prior to v1.32.5 allows attackers to execute arbitrary code via injecting a crafted payload into the username field of an e-mail message.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-g5x8-v2ch-gj2g: Vaultwarden HTML injection vulnerability

An issue in the component src/api/identity.rs of Vaultwarden prior to v1.32.5 allows attackers to impersonate users, including Administrators, via a crafted authorization request.

GHSA-x7m9-mv49-fv73: Vaultwarden vulnerable to user impersonation

Vaultwarden v1.32.5 was discovered to contain an authenticated reflected cross-site scripting (XSS) vulnerability via the component /api/core/mod.rs.

GHSA-vprm-27pv-jp3w: Vaultwarden authenticated reflected cross-site scripting (XSS) vulnerability

The attack used a stolen remote support SaaS API key to exfiltrate data from workstations in the Treasury Department's Office of Foreign Assets Control.

Source: World History Archive via Alamy Stock Photo

NEWS BRIEF

The Chinese threat actor group known as "Silk Typhoon" has been linked to the December 2024 hack on an agency that's part of the US Department of the Treasury.

In the breach, the threat actors were able to use a stolen Remote Support SaaS API key through third-party cybersecurity vendor BeyondTrust to steal data from workstations in the Office of Foreign Assets Control (OFAC).

Silk Typhoon, also known as Hafnium, is well known for hitting targets in education, healthcare, defense, and non-governmental organizations. 

Using tools such as the China Chopper Web shell, the group's cyber-espionage campaigns focus mainly on data theft.

The group also targeted the Treasury Department's Office of Financial Research; this latest breach is still being investigated and assessed.

The Cybersecurity and Infrastructure Security Agency (CISA) has since confirmed that these exploits are limited to just the agency, and there is no indication that any other federal agencies have been impacted by the incident.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Hacking Group 'Silk Typhoon' Linked to US Treasury Breach

A hack of location data company Gravy Analytics has revealed which apps are—knowingly or not—being used to collect your information behind the scenes.

Some of the world’s most popular apps are likely being co-opted by rogue members of the advertising industry to harvest sensitive location data on a massive scale, with that data ending up with a location data company whose subsidiary has previously sold global location data to US law enforcement.

The thousands of apps, included in hacked files from location data company Gravy Analytics, include everything from games like _Candy Crush_ and dating apps like Tinder to pregnancy tracking and religious prayer apps across both Android and iOS. Because much of the collection is occurring through the advertising ecosystem—not code developed by the app creators themselves—this data collection is likely happening without users’ or even app developers’ knowledge.

“For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising ‘bid stream,’” rather than code embedded into the apps themselves, Zach Edwards, senior threat analyst at cybersecurity firm Silent Push and who has followed the location data industry closely, tells 404 Media after reviewing some of the data.

The data provides a rare glimpse inside the world of real-time bidding (RTB). Historically, location data firms paid app developers to include bundles of code that collected the location data of their users. Many companies have turned instead to sourcing location information through the advertising ecosystem, where companies bid to place ads inside apps. But a side effect is that data brokers can listen in on that process and harvest the location of peoples’ mobile phones.

“This is a nightmare scenario for privacy, because not only does this data breach contain data scraped from the RTB systems, but there's some company out there acting like a global honey badger, doing whatever it pleases with every piece of data that comes its way,” Edwards says.

Included in the hacked Gravy data are tens of millions of mobile phone coordinates of devices inside the US, Russia, and Europe. Some of those files also reference an app next to each piece of location data. 404 Media extracted the app names and built a list of mentioned apps.

The list includes dating sites Tinder and Grindr; massive games such as _Candy Crush_, _Temple Run_, _Subway Surfers_, and _Harry Potter: Puzzles & Spells_; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with more than 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo’s email client; Microsoft’s 365 office app; and flight tracker Flightradar24. The list also mentions multiple religious-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps, which some users may download, ironically, in an attempt to protect their privacy.

The full list can be found here. Multiple security researchers have published other lists of apps included in the data, of varying sizes. Our version is relatively larger because it includes both Android and iOS apps, and we decided to keep duplicate instances of the same app that had slight name variations to make it easier for readers to search for apps they have installed.

Although this dataset came from an apparent hack of Gravy, it is not clear whether Gravy collected this location data itself or sourced it from another company, or which location company ultimately owns it or is licensed to use it.

Much of the location data attached to these app names does not have a time stamp. But there are indications it dates from 2024. One of the apps listed is _Call of Duty: Mobile_, and specifically its Season 5 iteration, which launched in May 2024.

Gravy is a company that powers much of the rest of the location data industry. It collates mobile phone location data from various sources, then sells that to commercial companies or, through its subsidiary Venntel, to US government agencies. Norwegian outlet NRK and I previously revealed the flow of location data from a handful of ordinary apps to Gravy and then to Venntel. Venntel’s clients have included Immigration and Customs Enforcement, Customs and Border Protection, the IRS, the FBI, and the Drug Enforcement Administration.

Venntel has also provided the underlying data for another government-bought surveillance tool called Locate X. 404 Media and a group of other outlets showed last year how that tool, made by a company called Babel Street, could be used to monitor visitors to out-of-state abortion clinics.

But the newly hacked data shows for the first time just how many apps could be part of a location data supply chain, even if their developers are not aware of it. Most app developers and companies included in the list did not respond to a request for comment. Flightradar24 said in an email that it had never heard of Gravy, but that it does display ads, which “help keep Flightradar24 free.”

Tinder said in an email that “Tinder takes safety and security very seriously. We have no relationship with Gravy Analytics and have no evidence that this data was obtained from the Tinder app” but did not answer questions about ads inside the app.

Muslim Pro, one of the Muslim prayer apps included in the list, said in an email that it was not aware of Gravy. “Yes, we display ads through several ad networks to support the free version of the app. However, as mentioned above, we do not authorize these networks to collect location data of our users,” the email said. That does not necessarily mean that a member of the advertising ecosystem can’t extract such data, though. (In 2020 I revealed Muslim Pro was selling its users’ location data to a company called X-Mode, whose clients included US military contractors; Muslim Pro stopped the practice after my reporting.)

A Grindr spokesperson told 404 Media in an email that “Grindr has never worked with or provided data to Gravy Analytics. We do not share data with data aggregators or brokers and have not shared geolocation with ad partners for many years. Transparency is at the core of our privacy program, therefore the third parties and service providers we work with are listed here on our website.” Grindr was previously found to have allowed data brokers to obtain its users’ location data.

It’s important that the data appears to be sourced through real-time bidding, because that dictates who is responsible (rogue members of the advertising industry and the tech giants that facilitate that industry), how users can protect themselves (attempting to block ads), and the fact that massive app publishers may not even be aware their users’ data is being harvested and therefore might not know how to stop it. An app developer will know if it implemented location-data-gathering code itself. It might not know that some company, somewhere, is silently listening in on the advertising process and siphoning data from their app.

Surveillance firms can obtain RTB data by acquiring ad tech companies and posing as prospective advertisers. The spy-run location data company doesn’t need to successfully place an ad; instead, it is able to gather data on devices by simply being plugged into that industry. Location data in this case can also include a users’ IP address, which is then geolocated to give their coarse location.

Last January, 404 Media reported on an Israeli surveillance company called Patternz, which was sourcing masses of location data through the RTB process.

In an exposed training video, Patternz showed some of the popular apps it got location data from: 9GAG, Kik, sports app FUTBIN, caller ID apps such as CallApp and Truecaller; and various word, sudoku, and solitaire puzzle games. Every one of these apps are also in the Gravy data. This suggests that Gravy, or wherever Gravy got that data from, also sourced it from interacting with the advertising system rather than location-tracking code baked into the apps.

404 Media shared some of the location data with another security researcher with knowledge of the advertising and location data industries. “It appears that at least some of this data would likely have been sourced from advertising related, real-time bidding,” Krzysztof Franaszek, founder of Adalytics, a digital forensics firm, told 404 Media after reviewing the data. He pointed out some of the user-agents in the file, which show how a user’s device connected to a service, referenced “afma-sdk.” That is a string used by Google’s Mobile Ads SDK (software development kit). In other words, in some cases, it is Google’s advertising platform that is delivering the ads that are eventually leading to this tracking by outside companies and potentially government contractors.

Google did not respond to multiple requests for comment for this article. Neither did Apple.

Franaszek also says that “a significant amount of this geolocation dataset appears to be inferred by IP address to geolocation lookups, meaning the vendor or their source is deriving the user's geolocation by checking their IP address rather than by using GNSS \[Global Navigation Satellite System\]/GPS data. That would suggest that the data is not being sourced entirely from a location data SDK.”

“What we’re seeing here in this data appears to me to be a huge diversity of apps,” Edwards says. “That’s not what you see from an SDK ingestion; that’s what you see from bulk RTB ingestions.”

In December the Federal Trade Commission banned another location data company called Mobilewalla from collecting consumer data “from online advertising auctions for purposes other than participating in those auctions.” In other words, the agency banned Mobilewalla from participating in the RTB process for building datasets on peoples’ devices. The FTC also said Venntel and Gravy collected data without obtaining user consent, ordered the company to delete historical location data, and banned it from selling data related to sensitive areas like health clinics and places of worship, except in “limited circumstances” involving national security or law enforcement.

404 Media has verified the hacked Gravy data in various ways. Some files include credentials for Gravy’s Snowflake instances, a data warehousing tool. 404 Media checked that the URLs in the hacked files do correspond to real Snowflake instances. One file called “users” contains a long list of companies. Some of these firms denied having any relationship with Gravy; Cuebiq, another location data firm mentioned in the file, told 404 Media it “routinely evaluates available data in the market to determine if they are an appropriate fit for our business. Most do not make it past the evaluation stage to production, as was the case here. Cuebiq tested a limited data sample, which was never made available to our customers, and the data was deleted at the end of the limited trial.”

404 Media also sent a section of the data to another data broker called Datonics. “We investigated the matter described in your email, and the segment IDs in those files are those of Gravy, not Datonics,” the company said in an email.

Unacast, which merged with Gravy in 2023, did not respond to multiple requests for comment, both on the hack and whether it or any of its suppliers have derived location data from the real-time bidding process.

Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hijacked to Spy on Your Location

Texas has become a leading enforcer of internet rules. Its latest probe includes some platforms that privacy experts describe as unusual suspects.

Over the past decade, Texas attorney general Ken Paxton has wielded his office’s significant resources to investigate well-known tech giants including Google and Meta over how they moderate content and treat rivals. He helped win settlements against Apple for allegedly misleading users and is suing TikTok for allegedly endangering children's privacy. Now, Paxton’s latest tech investigation includes an expansive number of targets, WIRED has learned.

Rumble, Quora, and WeChat are among the 15 companies from which Texas has demanded answers by next week about their collection and use of data of people under 18 years old. Paxton announced the investigation in a press release last month but named only four of the companies being probed—Character.AI, Red­dit, Insta­gram, and Dis­cord. WIRED obtained the names of additional targeted companies through a public records request. They also include Kick, Kik, Pinterest, Telegram, Twitch, Tumblr, WhatsApp, and Whisper.

Paxton’s office did not respond to requests for comment, including about how it chose which businesses to investigate. But the variety of companies questioned highlights the sprawling reach of a new Texas law aimed at increasing oversight of minors’ use of social media and chat services.

Three experts in youth privacy regulations who have been following Paxton’s enforcement efforts say the new investigation should be treated credibly, and they believe it could result in companies agreeing to improve their practices. The alternative could be up to hundreds of millions of dollars in penalties per company. “When you bring all the statutes together, Texas has a pretty significant hammer,” says Paul Singer, a partner and section chair at the law firm Kelley Drye & Warren.

Spokespeople for Character.AI and Tumblr say they take safety issues seriously. Meta and WeChat declined to comment. Other companies under investigation did not respond to requests for comment.

Paxton launched his probe three days after the families of an 11-year-old girl and 17-year-old boy in Texas sued chatbot startup Character.AI, claiming the company designed its product in an unsafe way that exposed the kids to sexualized and violent responses. In October, a similar case was filed in Florida by the family of a 14-year-old who shot himself to death allegedly following conversations with a Character.AI chatbot. Character.AI later introduced an experience aimed at kids and plans to roll out parental controls.

Other services under investigation including Kik, Instagram, and Discord have faced public scrutiny over their use by children. But less so WeChat, a messaging app popular among Chinese Americans, and Quora, a forum for crowdsourcing information that’s recently expanded into AI chatbots.

Paxton’s interest in Rumble, a YouTube-like website popular among US conservative political commentators, is also perhaps unexpected given his track record of partisan views about social media companies. Rumble has touted itself as a haven for free expression, unlike platforms that engage in allegedly heavier content moderation. Paxton is a Republican and has criticized platforms that unfairly silence Texans.

The privacy experts who spoke with WIRED described Rumble, Quora, and WeChat as unusual suspects but declined to speculate on the rationale behind their inclusion in the investigation. Josh Golin, executive director of the nonprofit Fairplay, which advocates for digital safety for kids, says concerns aren’t always obvious. Few advocacy groups worried about Pinterest, for example, until the case of a British teen who died from self-harm following exposure to sensitive content on the platform, he says.

Paxton’s press release last month called his new investigation “a critical step toward ensuring that social media and AI companies comply with our laws designed to protect children from exploitation and harm.”

The United States Congress has never passed a comprehensive privacy law, and it hasn’t significantly updated child online safety rules in a quarter century. That has left state lawmakers and regulators to play a big role.

Paxton’s investigation centers on compliance with Texas’ Securing Children Online through Parental Empowerment Act, or SCOPE, which went into effect in September. It applies to any website or app with social media or chat functions and that registers users under the age of 18, making it more expansive than the federal law, which covers only services catering to under-13 users.

SCOPE requires services to ask for users’ age and provide parents or guardians power over kids’ account settings and user data. Companies also are barred from selling information gathered about minors without parental permission. In October, Paxton sued TikTok for allegedly violating the law by providing inadequate parental controls and disclosing data without consent. TikTok has denied the allegations.

The investigation announced last month also referenced the Texas Data Privacy and Security Act, or TDPSA, which became effective in July and requires parental consent before processing data about users younger than 13. Paxton’s office has asked the companies being investigated to detail their compliance with both the SCOPE Act and the TDPSA, according to legal demands obtained through the public records request.

In total, companies must answer eight questions by next week, including the number of Texas minors they count as users and have barred for registering an inaccurate birthdate. Lists of whom minors’ data is sold or shared with have to be turned over. Whether any companies have already responded to the demand couldn’t be learned.

Tech company lobbying groups are challenging the constitutionality of SCOPE Act in court. In August, they secured an initial and partial victory when a federal judge in Austin, Texas, ruled that a provision requiring companies to take steps to prevent minors from seeing self-harm and abusive content was too vague.

But even a complete win might not be a salve for tech companies. States including Maryland and New York are expected to enforce similar laws starting later this year, says Ariel Fox Johnson, an attorney and principal of the consultancy Digital Smarts Law & Policy. And state attorneys general could resort to pursuing narrower cases under their tried-and-true laws barring deceptive business practices. “What we see is often information gets shared or sold or disclosed in ways families didn’t expect or understand,” Johnson says. “As more laws are enacted that create firm requirements, it seems to be becoming more clear that not everybody is in compliance.”

Rumble Among 15 Targets of Texas Attorney General’s Child Privacy Probe

The fate of TikTok now rests in the hands of the US Supreme Court. If a law banning the social video app this month is upheld, it won’t disappear from your phone—but it will get messy fast.

The law says it will be “unlawful” for entities to “distribute, maintain or update” the app including its source code, or by “providing services” that allow it to keep running as it is now. This distribution, maintenance, or updates could be, the law says, by means of mobile app stores that can be accessed in the US or by “providing internet hosting services.”

“The law really deliberately avoided saying that it was illegal to have the app on your phone,” says Milton Mueller, a professor and cofounder of the Internet Governance Project at the Georgia Institute of Technology, who filed an amicus brief to the Supreme Court in opposition of the ban. “Their attempt is to say nobody new can download it from the Apple or Google stores, and nobody who has it can update it through those stores,” Mueller says. “There’s nothing in the law that says ‘TikTok you must block US users,’ which is again interesting.”

If TikTok is removed from Apple’s App Store and Google’s Play Store in the US, it will not be possible to directly install new updates that will add new features, fix bugs within the code, or quash security flaws. Over time, that means TikTok will stop functioning properly. Apple didn’t respond to WIRED’s request for comment, while Google declined to comment on what it will do if the law comes into effect.

The law’s other focus is on stopping “hosting” companies from providing services to TikTok—and the definition is pretty wide. Hosting companies “may include file hosting, domain name server hosting, cloud hosting, and virtual private server hosting,” the law says. Since the summer of 2022, as TikTok faced pressure about its Chinese ownership, the company has hosted US user data within Oracle’s cloud services. Oracle also did not respond to WIRED’s request for comment.

Even so, other systems such as content delivery networks, advertising networks, payment providers, and more are used as part of TikTok’s infrastructure. The law does not specifically mention these services, but differing legal readings could make them question whether they help to “maintain” or “distribute” TikTok’s fully functioning service.

Hall says a recent test of TikTok’s website showed 185 embedded domains on the page. “They pull in code, content from that array of third-party providers and their own domains too,” he says. “The apps will start to decay and rot as either services stop working, things like content distribution networks or services who feel like they can't take the risks of the ambiguous nature of the language or the potential enforcement by the incoming administration.”

There’s one internet infrastructure player that the ban does not specifically put pressure on: internet service providers. Countries such as Russia and China have developed censorship measures that allow them to block entire websites from being accessed through web bowsers. Mueller believes this omission by US lawmakers was likely deliberate, as it avoids setting up a Chinese-style internet firewall. “They knew that a system of ISP-based blocking and filtering would obviously be a form of First Amendment restriction,” he says.

**Avoiding a TikTok Ban**

While TikTok’s service in the US would likely degrade over time, there remain some potential ways around any ban—both for individuals and potentially also the company itself. How effective these measures would be likely depends on how motivated people are to keep using TikTok and what the company decides to do.

“TikTok has 170 million users,” says Alan Rozenshtein, an associate professor of law at the University of Minnesota, who is in favor of the law but says it is the “best of a bunch of bad options” relating to TikTok. “This law will not prevent every one of them from accessing TikTok. I don’t think that was ever the goal of the law. The law is to make it meaningfully harder to access TikTok.”

Latest News