Hillicon Valley — Presented by AT&T — Facebook bug exposed photos of up to 6.8M users | Canada warns Trump not to intervene in Huawei case | Tech giant accused of providing cybersecurity to terror groups

Welcome to Hillicon Valley, The Hill's newsletter detailing all you need to know about the tech and cyber news from Capitol Hill to Silicon Valley.

Welcome! Follow the cyber team, Olivia Beavers (@olivia_beavers) and Jacqueline Thomsen (@jacq_thomsen), and the tech team, Harper Neidig (@hneidig). And CLICK HERE to subscribe to our newsletter.



YEAH WE'VE LOST COUNT TOO: Facebook said on Friday that up 6.8 million people may have been affected by a software bug exposing their photos to third-party app developers who did not have permission to view them.

Tomer Bar, Facebook's engineering director, said in a blog post that the bug had been active for 12 days in September and has since been fixed.

"We're sorry this happened," Bar wrote. "Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users."

He added that the company would begin notifying affected users via alerts.

The latest vulnerability adds to the growing list of incidents threatening public trust in technology companies and prompting scrutiny from regulators around the world.

The bug revealed on Friday only involved users who had granted permission to certain apps to access their photos. Bar estimated that it affects 876 developers and about 1,500 of their apps.

When users grant access to their photos to third parties, it typically only applies to those posted on their timelines. The bug gave developers who had obtained that permission to access photos outside of that scope, including those posted on users' stories.


And in some cases, Barr wrote, app developers may have been able to access photos that weren't even posted but merely saved to Facebook in offline mode.

A Facebook spokesperson told The Hill the bug was discovered and fixed on Sept. 25. The company later notified Irish data protection authorities of the vulnerability on Nov. 22 after it had determined disclosure was necessary under the European General Data Protection Regulation (GDPR), the spokesperson said. 

Read more here.



OUR LOOK AT THE YEAR AHEAD: Tech and cybersecurity are poised to be at the forefront of Congress's agenda in 2019.

Lawmakers have increasingly set their sights on Silicon Valley, demanding a crackdown on tech giants like Facebook and Twitter. At the same time, cybersecurity efforts are increasingly focusing on the threat from abroad, particularly from Russia and China.

Congress has a hard lift ahead with many determined to pass a federal privacy standard as well as election security legislation to safeguard the 2020 vote. 

Check out our 2019 preview here.


A WARNING FROM CANADA: Canadian Foreign Minister Chrystia Freeland cautioned the Trump administration Friday against seeking to leverage the pending extradition of Chinese technology executive Meng Wanzhou.

"Canada understands the rule of law and extradition ought not ever to be politicized or used as tools to resolve other issues," she told reporters after meeting with Secretary of State Mike PompeoMichael (Mike) Richard PompeoOvernight Defense: Air Force general officially becomes first African American service chief | Senators introduce bill to block Trump armed drone sale measure | State Department's special envoy for Iran is departing the Trump administration State Department offers M reward for foreign election interference information State Department's special envoy for Iran is departing the Trump administration MORE and Secretary of Defense James MattisJames Norman MattisTrump advisers were wary of talking military options over fears he'd accidentally start war: report Trump prizes loyalty over competence — we are seeing the results Lawmakers torch Trump plan to pull 11,900 troops from Germany MORE.

Her comments referred to President TrumpDonald John TrumpBiden says his faith is 'bedrock foundation of my life' after Trump claim Coronavirus talks on life support as parties dig in, pass blame Ohio governor tests negative in second coronavirus test MORE's suggestion this week he may get involved in Meng's case if it would improve negotiations with China over Washington and Beijing's trade war.

More on the controversy here.



CLOUDFLARE PROVIDING SERVICE TO TERROR GROUPS: American tech giant Cloudflare is providing cybersecurity to at least seven terrorist organizations and militant groups, HuffPost reported Friday.

Cloudflare has more server traffic than Twitter, Amazon, Apple, Instagram, Bing and Wikipedia combined, and makes refusing to regulate access to its services a central feature of their business.

As a result, several groups on the State Department's list of terrorist organizations, including the Taliban, al-Shabaab, the Popular Front for the Liberation of Palestine, al-Quds Brigades, the Kurdistan Workers' Party, al-Aqsa Martyrs Brigade and Hamas, are reportedly Cloudfare customers.

These groups run websites protected by the company, four national security and counter-extremism experts concluded to HuffPost. 

Read more here.



A SHAMOON MONSOON: Cybersecurity firm Symantec on Friday published new details about the resurgence of the destructive malware known as "Shamoon."

The Italian oil company Sapien said earlier this week that it had been hit with the malware in a cyberattack against its servers in the Middle East. And Symantec said today that it has uncovered evidence of attacks using the malware against two other companies in the oil and gas industry this week.

One of the firms was located in Saudi Arabia, and the other in the United Arab Emirates.

The research firm said in this round of attacks, the malware includes a second component, which will delete and overwrite files on an infected device. The main malware Shamoon will "erase the master boot record of the computer, rendering it unusable," according to Symantec.

"Why Shamoon has suddenly been deployed again remains unknown," the report reads. "However, the fact that the malware seems to be taken out of retirement every few years means that organizations need to remain vigilant and ensure that all data is properly backed up and a robust security strategy is in place."


T-MOBILE, SPRINT COMPROMISE ON HUAWEI: T-Mobile and Sprint are close to getting a national security panel to sign off on their $26 billion merger after their parent companies agreed to consider cutting back on buying telecommunications equipment from Huawei, Reuters reported Friday.


According to the report, the Committee on Foreign Investment in the U.S. (CFIUS) could sign off on the deal as early next week, though the merger still needs approval from the Federal Communications Commission and the Department of Justice.

Neither Sprint nor T-Mobile use Huawei equipment, but they're foreign parent companies do. 

Read more here.


A LIGHTER CLICK: Rule No. 1: Don't tick off the judge.



Facebook's New York privacy pop-up was small, weird, and filled with sugar. (The Verge)

Chinese hackers breach U.S. Navy contractors. (The Wall Street Journal)

Inside Huawei's secret HQ, China is shaping the future. (Bloomberg)

FBI secretly collected data on Aaron Swartz earlier than we thought--in a case involving Al Qaeda. (Gizmodo)
New Zealand rebukes Google for airing name of backpacker's accused killer. (The New York Times)