A secretive US security program has its sights on DiDi

Experts say a U.S. security assessment of DiDi unveiled by Protocol is occurring under a secretive program sweeping in Chinese tech companies and considering bans.

DiDi app logo displayed on a smartphone in front of an American flag.

Photo Illustration: Budrul Chukrut/SOPA Images/LightRocket via Getty Images

The U.S. government is scrutinizing Chinese ride-hailing service DiDi to assess whether it’s a danger to national security, according to a Department of Defense letter reviewed by Protocol.

Experts say the probe appears to be one of several far-reaching and nearly invisible investigations of Chinese tech companies that the Commerce Department is leading under a rule that allows the U.S. to place a number of restrictions on the firms. The limits could go up to and include total bans on their usage resembling the prohibitions the Trump administration tried to bring down on TikTok and WeChat.

Like those bans, the reviews arose from former President Donald Trump’s declaration in 2019 that certain foreign-owned or -controlled digital services constituted “an unusual and extraordinary threat” to the U.S. The government then developed a little-noticed rule to formalize Trump’s order and apply it to technology ranging from cloud hosting to drones, and a year ago, Secretary of Commerce Gina Raimondo announced the department had “served subpoenas on multiple Chinese companies.” Few details of what could constitute extensive investigations, however, have emerged since.

DiDi’s apparent inclusion among the companies being reviewed was a natural extension of the tensions between the U.S. and China over the national security implications of each country’s tech companies, experts said, but the letter was notable because so few details about the Commerce Department program have trickled out into public so far.

The U.S. has frequently expressed security concerns over China-based companies, saying that any Chinese company must hand over data to Beijing upon request. The revelation of this particular review, however, comes as DiDi is also facing enormous regulatory pressure in China — some of it over the question of whether the app’s data could end up in U.S. hands.

Broad powers

The Department of Defense acknowledged the existence of a U.S. probe into DiDi in a January letter to Republican Rep. Anthony Gonzalez. The congressman wrote to the Pentagon and other departments last October, asking for a ban on the use of DiDi by American military and diplomatic personnel in China, as well as inclusion of the service “in the ongoing Commerce-led, inter-agency review into connected software applications that may pose threats to U.S. national security, foreign policy, and economic objectives.”

In a response reviewed by Protocol, the Department of Defense said it “actively reviews entities that pose a potential threat to national security either because they are directly or indirectly controlled by the Chinese Communist Party (CCP) or their business activities have the potential to be influenced” by Beijing.

The Pentagon was explicit that this assessment for influence includes Chinese “involvement in DiDi” — namely through a government cybersecurity investigation of the company.

The Defense Department also seemed to signal additional details, however, suggesting it was helping the Commerce Department with the review Gonzalez requested — part of the secretive and far-reaching program on the supply chain for information and communications technology and services, also known as ICTS.

The Commerce Department and DiDi did not return requests for comment. Gonzalez’s office declined to comment, and the Pentagon said it wouldn’t weigh in “on private correspondence with members of Congress.”

ICTS assessments can allow the U.S. to prohibit the “acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including … software updates, repairs, or the platforming or data hosting of applications for consumer download.”

In other words, a total ban is on the table.

A ban — or nothing?

The Defense Department letter does not spell out the precise nature of the government’s investigation, much less what the outcome might be. It does, however, make clear that the Commerce Department and other agencies are using “guidelines” originating in an executive order from the Trump White House and a follow-up order from the Biden administration.

Experts say that almost certainly points to a review under the Commerce Department’s ICTS rule. That regulation formalizes definitions, procedures and mitigation measures that are only broadly outlined in the two executive orders.

“This would be that review, and if it’s not, I’m not sure what other inter-agency review there would be,” said Matthew Rabinowitz, a lawyer specializing in international trade at Pillsbury Winthrop Shaw Pittman.

Although full bans are possible after an ICTS review, the actual result of the probes may be far short of that — including nothing at all. Experts said it was hard to forecast what the U.S. would decide to do.

If Washington just wanted to prohibit, limit or put conditions on potential future efforts by DiDi to invest in, merge with or acquire American companies, the Committee on Foreign Investment in the U.S. could handle it. The multi-agency panel conducts national security reviews of transactions in which a foreign business invests in a U.S. company. Other regulations also would permit a narrower ban that would, for instance, apply to the official devices of U.S. officials in China.

“I would look at this as actually having a much broader implication,” Rabinowitz said.

The use of the ICTS rule, then, may point to an interest in doing something more dramatic, even if any action would still likely focus on specific business decisions by DiDi or its possession of location data.

Yet the earlier TikTok and WeChat bans, which grew out of the order that Trump signed, collapsed in court after judges found they overstepped the government’s authority. The administration also used the bans in a failed attempt to arrange a corporate takeover by allies at Oracle. Biden’s follow-up order and the ICTS rule were designed to eliminate constitutional deficiencies of future actions, but a court might still find problems with a total prohibition on DiDi, creating legal uncertainty and headaches.

Under the ICTS rule, certain factors are also supposed to weigh against more extreme mitigation requirements, including lack of significant U.S. market share and lack of impact on critical U.S. infrastructure. DiDi would seem to be a lower-level threat on both measures.

“That might lead them to either not take action or to reserve taking action until they see how the situation develops,” said James Lewis, director of the strategic technologies program at the Center for Strategic and International Studies think tank.

In addition, under the program, the Commerce Department has a lot of work to do. Little is known about the security reviews — although Alibaba’s cloud unit is reportedly also the subject of one — but Raimondo made clear the department was sweeping in an array of Chinese companies as it pursued ICTS investigations.

In addition to apps with more than a million U.S. users, the ICTS rule says that the reviews can examine networking equipment, satellite tech, webcams, sensors and cloud hosting — as well as tech and services related to artificial intelligence, quantum computing or drones. The rule also goes beyond China, taking in technology that’s been “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction” of the government in Russia, Iran, North Korea and more.

Trouble at home

The headache of a review in the U.S. also highlights the intense pressure DiDi is getting from both sides, as Washington and Beijing vie to neutralize any geopolitical advantage that the other might receive through its tech companies.

The Cyberspace Administration of China, for instance, has a long-running probe into cybersecurity and DiDi’s data infrastructure. The investigation may have been one reason DiDi decided late last year to delist from U.S. stock exchanges, and has reportedly delayed its plans to go public in Hong Kong as well.

As if that weren’t enough, Chinese nationalists have targeted the company, and last month it reportedly began layoffs that could affect one-fifth of all staff.

“DiDi’s under a lot of pressure from Beijing,” Lewis said. “The problem is, that doesn’t address any of the U.S. concern, which is: that DiDi can come under a lot of pressure from Beijing. So they’re in a tight place.”
