Policy

A secretive US security program has its sights on DiDi

Experts say a U.S. security assessment of DiDi unveiled by Protocol is occurring under a secretive program sweeping in Chinese tech companies and considering bans.

Didi app logo displayed on a smarphone in front of an American flag.

The headache of a review in the U.S. highlights the intense pressure DiDi is getting from both sides, as Washington and Beijing vie to neutralize any geopolitical advantage that the other might receive through its tech companies.

Photo Illustration: Budrul Chukrut/SOPA Images/LightRocket via Getty Images

The U.S. government is scrutinizing Chinese ride-hailing service DiDi to assess whether it’s a danger to national security, according to a Department of Defense letter reviewed by Protocol.

Experts say the probe appears to be one of several far-reaching and nearly invisible investigations of Chinese tech companies that the Commerce Department is leading under a rule that allows the U.S. to place a number of restrictions on the firms. The limits could go up to and include total bans on their usage resembling the prohibitions the Trump administration tried to bring down on TikTok and WeChat.

Like those bans, the reviews arose from former President Donald Trump’s declaration in 2019 that certain foreign-owned or -controlled digital services constituted “an unusual and extraordinary threat” to the U.S. The government then developed a little-noticed rule to formalize Trump’s order and apply it to technology ranging from cloud hosting to drones, and a year ago, Secretary of Commerce Gina Raimondo announced the department had “served subpoenas on multiple Chinese companies.” Few details of what could constitute extensive investigations, however, have emerged since.

DiDi’s apparent inclusion among the companies being reviewed was a natural extension of the tensions between the U.S. and China over the national security implications of each country’s tech companies, experts said, but the letter was notable because so few details about the Commerce Department program have trickled out into public so far.

The U.S. has frequently expressed security concerns over China-based companies, saying that any Chinese company must hand over data to Beijing upon request. The revelation of this particular review, however, comes as DiDi is also facing enormous regulatory pressure in China — some of it over the question of whether the app’s data could end up in U.S. hands.

Broad powers

The Department of Defense acknowledged the existence of a U.S. probe into DiDi in a January letter to Republican Rep. Anthony Gonzalez. The congressman wrote to the Pentagon and other departments last October, asking for a ban on the use of DiDi by American military and diplomatic personnel in China, as well as inclusion of the service “in the ongoing Commerce-led, inter-agency review into connected software applications that may pose threats to U.S. national security, foreign policy, and economic objectives.”

In a response reviewed by Protocol, the Department of Defense said it “actively reviews entities that pose a potential threat to national security either because they are directly or indirectly controlled by the Chinese Communist Party (CCP) or their business activities have the potential to be influenced” by Beijing.

The Pentagon was explicit that this assessment for influence includes Chinese “involvement in DiDi” — namely through a government cybersecurity investigation of the company.

The Defense Department also seemed to signal additional details, however, suggesting it was helping the Commerce Department with the review Gonzalez requested — part of the secretive and far-reaching program on the supply chain for information and communications technology and services, also known as ICTS.

The Commerce department and DiDi did not return requests for comment. Gonzalez’s office declined to comment, and the Pentagon said it wouldn’t weigh in “on private correspondence with members of Congress.”

ICTS assessments can allow the U.S. to prohibit the “acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including … software updates, repairs, or the platforming or data hosting of applications for consumer download.”

In other words, a total ban is on the table.

A ban — or nothing?

The Defense Department letter does not spell out the precise nature of the government’s investigation, much less what the outcome might be. It does, however, make clear that the Commerce Department and other agencies are using “guidelines” originating in an executive order from the Trump White House and a follow-up order from the Biden administration.

Experts say that almost certainly points to a review under the Commerce Department’s ICTS rule. That regulation formalizes definitions, procedures and mitigation measures that are only broadly outlined in the two executive orders.

“This would be that review, and if it’s not, I’m not sure what other inter-agency review there would be,” said Matthew Rabinowitz, a lawyer specializing in international trade at Pillsbury Winthrop Shaw Pittman.

Although full bans are possible after an ICTS review, the actual result of the probes may be far short of that — including nothing at all. Experts said it was hard to forecast what the U.S. would decide to do.

If Washington just wanted to prohibit, limit or put conditions on potential future efforts by DiDi to invest in, merge with or acquire American companies, the Committee on Foreign Investment in the U.S. could handle it. The multi-agency panel conducts national security reviews of transactions in which a foreign business invests in a U.S. company. Other regulations also would permit a narrower ban that would, for instance, apply to the official devices of U.S. officials in China.

“I would look at this as actually having a much broader implication,” Rabinowitz said.

The use of the ICTS rule, then, may point to an interest in doing something more dramatic, even if any action would still likely focus on specific business decisions by DiDi or its possession of location data.

Yet the earlier TikTok and WeChat bans, which grew out of the order that Trump signed, collapsed in court after judges found they overstepped the government’s authority. The administration also used the bans in a failed attempt to arrange a corporate takeover by allies at Oracle. Biden’s follow-up order and the ICTS rule were designed to eliminate constitutional deficiencies of future actions, but a court might still find problems with a total prohibition on DiDi, creating legal uncertainty and headaches.

Under the ICTS rule, certain factors are also supposed to weigh against more extreme mitigation requirements, including lack of significant U.S. market share and lack of impact on critical U.S. infrastructure. DiDi would seem to be a lower-level threat on both measures.

“That might lead them to either not take action or to reserve taking action until they see how the situation develops,” said James Lewis, director of the strategic technologies program at the Center for Strategic and International Studies think tank.

In addition, under the program, the Commerce Department has a lot of work to do. Little is known about the security reviews — although Alibaba’s cloud unit is reportedly also the subject of one — but Raimondo made clear the department was sweeping in an array of Chinese companies as it pursued ICTS investigations.

In addition to apps with more than a million U.S. users, the ICTS rule says that the reviews can examine networking equipment, satellite tech, webcams, sensors and cloud hosting — as well as tech and services related to artificial intelligence, quantum computing or drones. The rule also goes beyond China, taking in technology that’s been “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction” of the government in Russia, Iran, North Korea and more.

Trouble at home

The headache of a review in the U.S. also highlights the intense pressure DiDi is getting from both sides, as Washington and Beijing vie to neutralize any geopolitical advantage that the other might receive through its tech companies.

The Cyberspace Administration of China, for instance, has a long-running probe into cybersecurity and DiDi’s data infrastructure. The investigation may have been one reason DiDi decided late last year to delist from U.S. stock exchanges, and has reportedly delayed its plans to go public in Hong Kong as well.

As if that weren’t enough, Chinese nationalists have targeted the company, and last month it reportedly began layoffs that could affect one-fifth of all staff.

“DiDi’s under a lot of pressure from Beijing,” Lewis said. “The problem is, that doesn’t address any of the U.S. concern, which is: that DiDi can come under a lot of pressure from Beijing. So they’re in a tight place.”

Fintech

Judge Zia Faruqui is trying to teach you crypto, one ‘SNL’ reference at a time

His decisions on major cryptocurrency cases have quoted "The Big Lebowski," "SNL," and "Dr. Strangelove." That’s because he wants you — yes, you — to read them.

The ways Zia Faruqui (right) has weighed on cases that have come before him can give lawyers clues as to what legal frameworks will pass muster.

Photo: Carolyn Van Houten/The Washington Post via Getty Images

“Cryptocurrency and related software analytics tools are ‘The wave of the future, Dude. One hundred percent electronic.’”

That’s not a quote from "The Big Lebowski" — at least, not directly. It’s a quote from a Washington, D.C., district court memorandum opinion on the role cryptocurrency analytics tools can play in government investigations. The author is Magistrate Judge Zia Faruqui.

Keep ReadingShow less
Veronica Irwin

Veronica Irwin (@vronirwin) is a San Francisco-based reporter at Protocol covering fintech. Previously she was at the San Francisco Examiner, covering tech from a hyper-local angle. Before that, her byline was featured in SF Weekly, The Nation, Techworker, Ms. Magazine and The Frisc.

The financial technology transformation is driving competition, creating consumer choice, and shaping the future of finance. Hear from seven fintech leaders who are reshaping the future of finance, and join the inaugural Financial Technology Association Fintech Summit to learn more.

Keep ReadingShow less
FTA
The Financial Technology Association (FTA) represents industry leaders shaping the future of finance. We champion the power of technology-centered financial services and advocate for the modernization of financial regulation to support inclusion and responsible innovation.
Enterprise

AWS CEO: The cloud isn’t just about technology

As AWS preps for its annual re:Invent conference, Adam Selipsky talks product strategy, support for hybrid environments, and the value of the cloud in uncertain economic times.

Photo: Noah Berger/Getty Images for Amazon Web Services

AWS is gearing up for re:Invent, its annual cloud computing conference where announcements this year are expected to focus on its end-to-end data strategy and delivering new industry-specific services.

It will be the second re:Invent with CEO Adam Selipsky as leader of the industry’s largest cloud provider after his return last year to AWS from data visualization company Tableau Software.

Keep ReadingShow less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.

Image: Protocol

We launched Protocol in February 2020 to cover the evolving power center of tech. It is with deep sadness that just under three years later, we are winding down the publication.

As of today, we will not publish any more stories. All of our newsletters, apart from our flagship, Source Code, will no longer be sent. Source Code will be published and sent for the next few weeks, but it will also close down in December.

Keep ReadingShow less
Bennett Richardson

Bennett Richardson ( @bennettrich) is the president of Protocol. Prior to joining Protocol in 2019, Bennett was executive director of global strategic partnerships at POLITICO, where he led strategic growth efforts including POLITICO's European expansion in Brussels and POLITICO's creative agency POLITICO Focus during his six years with the company. Prior to POLITICO, Bennett was co-founder and CMO of Hinge, the mobile dating company recently acquired by Match Group. Bennett began his career in digital and social brand marketing working with major brands across tech, energy, and health care at leading marketing and communications agencies including Edelman and GMMB. Bennett is originally from Portland, Maine, and received his bachelor's degree from Colgate University.

Enterprise

Why large enterprises struggle to find suitable platforms for MLops

As companies expand their use of AI beyond running just a few machine learning models, and as larger enterprises go from deploying hundreds of models to thousands and even millions of models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

As companies expand their use of AI beyond running just a few machine learning models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

Photo: artpartner-images via Getty Images

On any given day, Lily AI runs hundreds of machine learning models using computer vision and natural language processing that are customized for its retail and ecommerce clients to make website product recommendations, forecast demand, and plan merchandising. But this spring when the company was in the market for a machine learning operations platform to manage its expanding model roster, it wasn’t easy to find a suitable off-the-shelf system that could handle such a large number of models in deployment while also meeting other criteria.

Some MLops platforms are not well-suited for maintaining even more than 10 machine learning models when it comes to keeping track of data, navigating their user interfaces, or reporting capabilities, Matthew Nokleby, machine learning manager for Lily AI’s product intelligence team, told Protocol earlier this year. “The duct tape starts to show,” he said.

Keep ReadingShow less
Kate Kaye

Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of RedTailMedia.org and is the author of "Campaign '08: A Turning Point for Digital Media," a book about how the 2008 presidential campaigns used digital media and data.

Latest Stories
Bulletins