A secretive US security program has its sights on DiDi

Experts say a U.S. security assessment of DiDi unveiled by Protocol is occurring under a secretive program sweeping in Chinese tech companies and considering bans.

DiDi app logo displayed on a smartphone in front of an American flag.

The headache of a review in the U.S. highlights the intense pressure DiDi is getting from both sides, as Washington and Beijing vie to neutralize any geopolitical advantage that the other might receive through its tech companies.

Photo Illustration: Budrul Chukrut/SOPA Images/LightRocket via Getty Images

The U.S. government is scrutinizing Chinese ride-hailing service DiDi to assess whether it’s a danger to national security, according to a Department of Defense letter reviewed by Protocol.

Experts say the probe appears to be one of several far-reaching and nearly invisible investigations of Chinese tech companies that the Commerce Department is leading under a rule that allows the U.S. to place a number of restrictions on the firms. The limits could go up to and include total bans on their usage resembling the prohibitions the Trump administration tried to bring down on TikTok and WeChat.

Like those bans, the reviews arose from former President Donald Trump’s declaration in 2019 that certain foreign-owned or -controlled digital services constituted “an unusual and extraordinary threat” to the U.S. The government then developed a little-noticed rule to formalize Trump’s order and apply it to technology ranging from cloud hosting to drones, and a year ago, Secretary of Commerce Gina Raimondo announced the department had “served subpoenas on multiple Chinese companies.” Few details of what could constitute extensive investigations, however, have emerged since.

DiDi’s apparent inclusion among the companies being reviewed was a natural extension of the tensions between the U.S. and China over the national security implications of each country’s tech companies, experts said, but the letter was notable because so few details about the Commerce Department program have trickled out into public so far.

The U.S. has frequently expressed security concerns over China-based companies, saying that any Chinese company must hand over data to Beijing upon request. The revelation of this particular review, however, comes as DiDi is also facing enormous regulatory pressure in China — some of it over the question of whether the app’s data could end up in U.S. hands.

Broad powers

The Department of Defense acknowledged the existence of a U.S. probe into DiDi in a January letter to Republican Rep. Anthony Gonzalez. The congressman wrote to the Pentagon and other departments last October, asking for a ban on the use of DiDi by American military and diplomatic personnel in China, as well as inclusion of the service “in the ongoing Commerce-led, inter-agency review into connected software applications that may pose threats to U.S. national security, foreign policy, and economic objectives.”

In a response reviewed by Protocol, the Department of Defense said it “actively reviews entities that pose a potential threat to national security either because they are directly or indirectly controlled by the Chinese Communist Party (CCP) or their business activities have the potential to be influenced” by Beijing.

The Pentagon was explicit that this assessment for influence includes Chinese “involvement in DiDi” — namely through a government cybersecurity investigation of the company.

The Defense Department also seemed to signal additional details, however, suggesting it was helping the Commerce Department with the review Gonzalez requested — part of the secretive and far-reaching program on the supply chain for information and communications technology and services, also known as ICTS.

The Commerce Department and DiDi did not return requests for comment. Gonzalez’s office declined to comment, and the Pentagon said it wouldn’t weigh in “on private correspondence with members of Congress.”

ICTS assessments can allow the U.S. to prohibit the “acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including … software updates, repairs, or the platforming or data hosting of applications for consumer download.”

In other words, a total ban is on the table.

A ban — or nothing?

The Defense Department letter does not spell out the precise nature of the government’s investigation, much less what the outcome might be. It does, however, make clear that the Commerce Department and other agencies are using “guidelines” originating in an executive order from the Trump White House and a follow-up order from the Biden administration.

Experts say that almost certainly points to a review under the Commerce Department’s ICTS rule. That regulation formalizes definitions, procedures and mitigation measures that are only broadly outlined in the two executive orders.

“This would be that review, and if it’s not, I’m not sure what other inter-agency review there would be,” said Matthew Rabinowitz, a lawyer specializing in international trade at Pillsbury Winthrop Shaw Pittman.

Although full bans are possible after an ICTS review, the actual result of the probes may be far short of that — including nothing at all. Experts said it was hard to forecast what the U.S. would decide to do.

If Washington just wanted to prohibit, limit or put conditions on potential future efforts by DiDi to invest in, merge with or acquire American companies, the Committee on Foreign Investment in the U.S. could handle it. The multi-agency panel conducts national security reviews of transactions in which a foreign business invests in a U.S. company. Other regulations also would permit a narrower ban that would, for instance, apply to the official devices of U.S. officials in China.

“I would look at this as actually having a much broader implication,” Rabinowitz said.

The use of the ICTS rule, then, may point to an interest in doing something more dramatic, even if any action would still likely focus on specific business decisions by DiDi or its possession of location data.

Yet the earlier TikTok and WeChat bans, which grew out of the order that Trump signed, collapsed in court after judges found they overstepped the government’s authority. The administration also used the bans in a failed attempt to arrange a corporate takeover by allies at Oracle. Biden’s follow-up order and the ICTS rule were designed to eliminate constitutional deficiencies of future actions, but a court might still find problems with a total prohibition on DiDi, creating legal uncertainty and headaches.

Under the ICTS rule, certain factors are also supposed to weigh against more extreme mitigation requirements, including lack of significant U.S. market share and lack of impact on critical U.S. infrastructure. DiDi would seem to be a lower-level threat on both measures.

“That might lead them to either not take action or to reserve taking action until they see how the situation develops,” said James Lewis, director of the strategic technologies program at the Center for Strategic and International Studies think tank.

In addition, under the program, the Commerce Department has a lot of work to do. Little is known about the security reviews — although Alibaba’s cloud unit is reportedly also the subject of one — but Raimondo made clear the department was sweeping in an array of Chinese companies as it pursued ICTS investigations.

In addition to apps with more than a million U.S. users, the ICTS rule says that the reviews can examine networking equipment, satellite tech, webcams, sensors and cloud hosting — as well as tech and services related to artificial intelligence, quantum computing or drones. The rule also goes beyond China, taking in technology that’s been “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction” of the government in Russia, Iran, North Korea and more.

Trouble at home

The headache of a review in the U.S. also highlights the intense pressure DiDi is getting from both sides, as Washington and Beijing vie to neutralize any geopolitical advantage that the other might receive through its tech companies.

The Cyberspace Administration of China, for instance, has a long-running probe into cybersecurity and DiDi’s data infrastructure. The investigation may have been one reason DiDi decided late last year to delist from U.S. stock exchanges, and has reportedly delayed its plans to go public in Hong Kong as well.

As if that weren’t enough, Chinese nationalists have targeted the company, and last month it reportedly began layoffs that could affect one-fifth of all staff.

“DiDi’s under a lot of pressure from Beijing,” Lewis said. “The problem is, that doesn’t address any of the U.S. concern, which is: that DiDi can come under a lot of pressure from Beijing. So they’re in a tight place.”
