Piracy

Men Behind UK's Largest Pirate Service Jailed For 30+ Years (torrentfreak.com) 52

TorrentFreak: Five men behind pirate IPTV service 'Flawless' were sentenced to more than 30 years in prison today, after a private prosecution by the Premier League. A FACT test purchase in 2017 led to the involvement of four territorial police forces, three regional Trading Standards units, and the arrest of service kingpin, Mark Gould, in 2018. In less than two years, Flawless served over 50,000 UK households while generating millions in revenue.
Privacy

RaidForums User Data Leaked Online a Year After DOJ Takedown (techcrunch.com) 1

A database containing the details of almost half-a-million RaidForums users has leaked online, a year after the U.S. Department of Justice seized the notorious cybercrime forum. From a report: The leaked database was posted on Exposed, described by security researchers as an up-and-coming forum "wanting to fill the void" left by the recent BreachForums shutdown. An Exposed admin, known as "Impotent," posted the alleged RaidForums user data, which includes the details of 478,000 users, including their usernames, email addresses, hashed passwords and registration dates. "All of the users that were on raidforums may have been infected," the admin's post says. RaidForums had around 550,000 users at the time of its shutdown last year. The admin added that some users' details have been removed from the leak, though it's unclear how many or the reasoning behind this.
China

After Being Wrongfully Accused of Spying for China, Professor Wins Appeal To Sue the Government 89

Xiaoxing Xi, a Temple University professor who was falsely accused of spying for China, will be able to bring a lawsuit against the Federal Bureau of Investigation. From a report: A judge at a federal appeals court ruled in favor of Xi on Wednesday, allowing the physicist to move forward with his case against the U.S. government for wrongful prosecution and violating his family's constitutional rights by engaging in unlawful search, seizure and surveillance. The decision comes after FBI agents swarmed Xi's Philadelphia home in 2015, rounded up his family at gunpoint, and arrested him on fraud charges related to economic espionage, before abruptly dropping the charges months afterward.

"I'm very, very glad that we can finally put the government under oath to explain why they decided to do what they did, violating our constitutional rights," Xi said in an exclusive interview with NBC News. "We finally have an opportunity to hold them accountable." The case will now be kicked back to the district court, continuing a long legal battle. Xi, who's represented in part by the American Civil Liberties Union, attempted to bring a suit against the government in 2017, alleging that FBI agents "made knowingly or recklessly false statements" to support their investigation and prosecution. Xi also claimed that his arrest was discriminatory, and that he was targeted due to his ethnicity, much like other scholars of Chinese descent. A district court dismissed his case in 2021, but Xi appealed the decision last year.
Government

Automakers Ask Judge to Block Pending Enforcement of Massachusetts' Right-to-Repair Law (bostonglobe.com) 64

"Beginning next Thursday, Massachusetts Attorney General Andrea Joy Campbell plans to start enforcing the state's automotive right-to-repair law," reports the Boston Globe. "But this week, the world's top automakers asked a federal judge to stop her." The Alliance for Automotive Innovation, a car industry trade group, sued to block enforcement of the law almost from the moment it was passed by voter referendum in 2020. Ever since, the law has been tied up in the courtroom of US District Judge Douglas Woodlock. Now the alliance has asked Woodlock to grant a temporary injunction that would stop Campbell from enforcing the law until he issues a final ruling in the case.

Campbell's predecessor, now-Governor Maura Healey, repeatedly refrained from enforcing the law, pending Woodlock's decision. But Healey always reserved the right to reverse this policy if a ruling took too long. In March, Campbell said she would start enforcing the law effective June 1. "The people of Massachusetts deserve the benefit of the law they approved more than two years ago," she said in a document filed with the court.

But the carmakers say that only the federal government has the authority to enact such a law. They claim the law is so poorly drafted that they can't comply with it, and even if they could, compliance would weaken vehicle security, making it easier for cyber criminals to steal digital data about vehicles and their owners. Two carmakers, Kia and Subaru, have tried to comply with the law by switching off the telematic services in their cars. But the carmakers argue that this deprives consumers of the right to use these features, which include emergency roadside assistance that could potentially save lives.

Python

PyPI is Reducing Stored IP Address Data (theregister.com) 10

The PyPI registry of open source Python packages "began evaluating ways to reduce the amount of identifying information that it stores," reports the Register, "even before the U.S. Justice Department came asking for data on suspect users."

But now, "the Python community package registry wants developers to understand that it's working to minimize the user data that it stores." The goal is not to be unable to respond to lawful requests for information; rather it's to store only the minimum amount of data necessary so as not to expose users to unnecessary privacy intrusion. Coincidentally, data minimization may prevent organizations from becoming a preferred source of on-demand surveillance: having excessive amounts of information about users invites legal demands, which staff then have to handle...

Mike Fiedler, a member of the PyPI admin team, said in a statement on Friday that the organization's effort to improve user privacy and security dates back to 2020. Since the receipt of the subpoenas in March and April, that effort has been reinvigorated.

Much of the concern focuses on IP address data, which gets stored in conjunction with web log access; user events such as logins; project events including uploads; events associated with recently introduced organizations; and administrative PyPI journal entries. According to Fiedler, PyPI was able to stop storing IP data for journal entries — an append-only transaction log — because these were only exposed to administrators... To obscure IP addresses, PyPI is salting them — adding an arbitrary value — and then hashing them — running the data through a one-way scrambling function that creates a value called a hash. This provides a way to store a reference to potentially identifying data without actually storing raw data... PyPI has been using its CDN provider Fastly to pass along a salted hash of the IP address for requests via a custom header, along with broad GeoIP data (the country and city where the user is located), and is using that instead of the raw IP address. In April, the registry adopted code changes for hashing and salting IP addresses for requests that PyPI handles directly in Warehouse, the web application that implements the official Python package index.

And over the past few days, it has been replacing IP addresses in the PyPI user interface with geolocation data. PyPI still relies on IP address information to identify abuse — the creation of malicious packages, harassments, and so on — but Fiedler says even that is being looked at. "We're thinking about how to manage that without storing IP data, but we're not there yet," he said. Fiedler says the PyPI team will be weighing whether it can remove IP data from event history records after a period of time and whether the service can handle all its requests via CDN.

AI

Lawyer 'Greatly Regrets' Relying on ChatGPT After Filing Motion Citing Six Non-Existent Cases (reason.com) 200

The judge's opinion noted the plaintiff's counsel had submitted a motion to dismiss "replete with citations to non-existent cases... Six of the submitted cases appear to be bogus judicial decisions with bogus quotes and bogus internal citations... The bogus 'Varghese' decision contains internal citations and quotes, which, in turn, are non-existent."

Eugene Volokh's legal blog describes what happened next: Thursday, plaintiff's counsel filed an affidavit in response, explaining that he was relying on the work of another lawyer at his firm, and the other lawyer (who had 30 years of practice experience) also filed an affidavit, explaining that he was relying on ChatGPT... ("The citations and opinions in question were provided by Chat GPT which also provided its legal source and assured the reliability of its content...")
Their affidavit said ChatGPT had "revealed itself to be unreliable," while adding that they had "never utilized ChatGPT as a source for conducting legal research prior to this occurrence and therefore were unaware of the possibility that its content could be false." The affidavit adds that the lawyer "greatly regrets having utilized generative artificial intelligence to supplement the legal research performed herein and will never do so in the future without absolute verification of its authenticity."

To support their position, their affidavit ends with this appendix — a ChatGPT transcript:

[Q:] Is varghese a real case

[A:] Yes, Varghese v. China Southern Airlines Co Ltd, 925 F.3d 1339 (11th Cir. 2019) is a real case.

[Q:] What is your source

[A:] I apologize for the confusion earlier. Upon double-checking, I found that the case Varghese v. China Southern Airlines Co. Ltd., 925 F.3d 1339 (11th Cir. 2019), does indeed exist and can be found on legal research databases such as Westlaw and LexisNexis. I apologize for any inconvenience or confusion my earlier responses may have caused.

[Q:] Are the other cases you provided fake

[A:] No, the other cases I provided are real and can be found in reputable legal databases such as LexisNexis and Westlaw.

"Judge Castel appeared to be unimpressed, and yesterday issued an order ordering the law firm and the second lawyer to show cause why they shouldn't be sanctioned."

Thanks to long-time Slashdot reader davide marney for submitting the story.
The Courts

'Mountain' of FTX Evidence Includes Emails, Chat Logs, Slack Messages and Google Accounts (yahoo.com) 24

An anonymous reader shared this report from the New York Times: Snippets of computer code. More than six million pages of emails, Slack messages and other digital records. And a small black notebook, filled with handwritten observations. For months, federal prosecutors building the criminal case against the fallen cryptocurrency executive Sam Bankman-Fried have assembled a vast and unusually varied array of evidence. The documents include crypto transaction logs and encrypted group chats from Mr. Bankman-Fried's collapsed exchange, FTX, as well as strikingly personal reflections recorded by a key witness in the case. The mountain of evidence ranks among the largest ever collected in a white-collar securities fraud case prosecuted by the federal authorities in Manhattan, according to data provided by a person with knowledge of the matter...

The diversity and growing volume of materials in the FTX case underscore the legal challenges facing Mr. Bankman-Fried, 31, who is charged with 13 criminal counts, including accusations that he misappropriated billions of dollars in customer money, defrauded investors and violated campaign finance laws. He has pleaded not guilty. With the trial set for October, prosecutors have gathered evidence ranging from phones and laptops to the contents of Mr. Bankman-Fried's Google accounts, which amounted to 2.5 million pages alone. At a hearing in March, Nicolas Roos, a federal prosecutor investigating FTX, said the government had obtained a laptop crammed with so much information that the F.B.I.'s technicians were struggling to decipher all of it. "It is a massive amount to sift through, and sometimes you can find incredibly useful information," said Moira Penza, a former federal prosecutor who's now in private practice. "It is a real challenge...."

Many of FTX's corporate records, including emails, Slack messages and transaction logs, were held by Sullivan & Cromwell, the law firm that took control of the exchange after it declared bankruptcy... In a January court filing, Sullivan & Cromwell displayed an excerpt from FTX's underlying code base, showing a feature that allowed Alameda to borrow virtually unlimited amounts of money from the exchange.

Government

50 US Senators Issued Satellite Phones (cbsnews.com) 115

Long-time Slashdot reader SonicSpike shared this report from CBS News: Amid growing concerns of security risks to members of Congress, over 50 senators have been issued satellite phones for emergency communication, people familiar with the measures told CBS News... [Senate Sergeant at Arms] Gibson said satellite communication is being deployed "to ensure a redundant and secure means of communication during a disruptive event." Gibson said the phones are a security backstop in the case of an emergency that "takes out communications" in part of America.
Patents

Sonos Wins $32.5 Million Patent Infringement Victory Over Google (theverge.com) 23

Google has been ordered to pay Sonos $32.5 million after a jury verdict found that Google's smart speakers and media players infringed on one of Sonos' patents. The Verge reports: The legal battle started in 2020 when Sonos accused Google of copying its patented multiroom audio technology after the companies partnered in 2013. Sonos went on to win its case at the US International Trade Commission, resulting in a limited import ban on some of the Google devices in question. Google has also had to pull some features from its lineup of smart speakers and smart displays.

Last August, Google sued Sonos over allegations that the audio company infringed on Google's smart speakers and voice control technology. This most recent trial started earlier this month, with Google spokesperson Jose Castaneda telling Reuters at the time that the case pertains to "some very specific features that are not commonly used" and that Sonos "mischaracterized our partnership and technology." Neither Google nor Sonos immediately responded to The Verge's request for comment.

Sonos didn't come out of the case completely victorious, however, as the jury decided that Google's Home app didn't infringe on a separate patent filed by Sonos. The judge also told jurors to "disregard a $90 million damages estimate from a Sonos expert witness, saying he had decided that some of the evidence provided was inadmissible," Law360 reports.

The Courts

US Judge Rejects Challenges To Apple's $50 Million Keyboard Settlement (reuters.com) 17

A U.S. judge has approved Apple's $50 million class-action settlement resolving consumer claims over certain defective MacBook keyboards, in a ruling that spurned challenges to the deal. From a report: U.S. District Judge Edward Davila in San Jose, California, federal court in his ruling called the settlement "fair, adequate and reasonable." Eleven consumers from New York, Florida, California, Michigan and several other states were the lead plaintiffs in the national class action alleging consumer protection and warranty claims. The lawsuit accused Apple of failing to provide sufficient repairs or troubleshooting help for certain MacBook "butterfly" keyboards made between 2015 and 2019.
Facebook

Meta Offers To Limit Use of Ad Data To Address UK Competition Concerns (reuters.com) 11

Britain's competition watchdog on Friday said social media giant Meta had offered to limit its use of other businesses' advertising data for its Facebook Marketplace service to address the regulator's competition concerns. From a report: The Competition and Markets Authority (CMA) said it was minded to accept the commitments, which include advertisers being able to opt out of allowing their data to be used to improve the Facebook Marketplace classified ads platform. CMA executive director of enforcement Michael Grenfell said: "Reducing the risk of Meta unfairly exploiting the data of businesses who advertise on its platform for its own competitive advantage could help many UK businesses who advertise there. We are now consulting on these commitments which we believe, at this stage, will address our concerns."
Security

A Popular Password Hashing Algorithm Starts Its Long Goodbye (wired.com) 17

An anonymous reader quotes a report from Wired: Bcrypt turns 25 this year, and Niels Provos, one of its coinventors, says that looking back, the algorithm has always had good energy, thanks to its open source availability and the technical characteristics that have fueled its longevity. Provos spoke to WIRED about a retrospective on the algorithm that he published this week in Usenix ;login:. Like so many digital workhorses, though, there are now more robust and secure alternatives to bcrypt, including the hashing algorithms known as scrypt and Argon2. Provos himself says that the quarter-century milestone is plenty for bcrypt and that he hopes it will lose popularity before celebrating another major birthday.

A version of bcrypt first shipped with the open source operating system OpenBSD 2.1 in June 1997. At the time, the United States still imposed stringent export limits on cryptography. But Provos, who grew up in Germany, worked on its development while he was still living and studying there. "One thing I found so surprising was how popular it became," he says. "I think in part it's probably because it was actually solving a problem that was real, but also because it was open source and not encumbered by any export restrictions. And then everybody ended up doing their own implementations in all these other languages. So these days, if you are faced with wanting to do password hashing, bcrypt is going to be available in every language that you could possibly operate in. But the other thing that I find interesting is that it's even still relevant 25 years later. That is just crazy."

Provos developed bcrypt with David Mazieres, a systems security professor at Stanford University who was studying at the Massachusetts Institute of Technology when he and Provos collaborated on bcrypt. The two met through the open source community and were working on OpenBSD. [...] Password security is always lagging, though, and both Provos and Mazieres expressed disbelief and disappointment that the state of passwords broadly has not evolved in decades. Even new schemes like passkeys are only just beginning to emerge. "Bcrypt should have been superseded already," Provos says. "It's surprising how much reliance we still have on passwords. If you had asked me 25 years ago, I would not have guessed that."

United States

Supreme Court Limits EPA's Authority Under the Clean Water Act (npr.org) 246

An anonymous reader quotes a report from NPR: The U.S. Supreme Court on Thursday significantly curtailed the power of the Environmental Protection Agency to regulate the nation's wetlands and waterways. It was the court's second decision in a year limiting the ability of the agency to enact anti-pollution regulations and combat climate change. The challenge to the regulations was brought by Michael and Chantell Sackett, who bought property to build their dream house about 500 feet away from Idaho's Scenic Priest Lake, a 19-mile stretch of clear water that is fed by mountain streams and bordered by state and national parkland. Three days after the Sacketts started excavating their property, the EPA stopped work on the project because the couple had failed to get a permit for disturbing the wetlands on their land. Now a conservative Supreme Court majority has used the Sacketts' case to roll back longstanding rules adopted to carry out the 51-year-old Clean Water Act. While the nine justices agreed that the Sacketts should prevail, they divided 5-to-4 as to how far to go in limiting the EPA's authority.

Writing for the court majority (PDF), Justice Samuel Alito said that the navigable waters of the United States regulated by the EPA under the statute do not include many previously regulated wetlands. Rather, he said, the CWA extends to only streams, oceans, rivers and lakes, and those wetlands with a "continuous surface connection to those bodies." Justice Brett Kavanaugh, joined by the court's three liberal members, disputed Alito's reading of the statute, noting that since 1977 when the CWA was amended to include adjacent wetlands, eight consecutive presidential administrations, Republican and Democratic, have interpreted the law to cover wetlands that the court has now excluded. Kavanaugh said that by narrowing the act to cover only adjoining wetlands, the court's new test will have quote "significant repercussions for water quality and flood control throughout the United States." In addition to joining Kavanaugh's opinion, the court's liberals signed on to a separate opinion by Justice Elena Kagan. Pointing to the air and water pollution cases, she accused the majority of appointing itself instead of Congress as the national policymaker on the environment.
President Biden, in a statement, called the decision "disappointing." It "upends the legal framework that has protected America's waters for decades," he said. "It also defies the science that confirms the critical role of wetlands in safeguarding our nation's streams, rivers, and lakes from chemicals and pollutants that harm the health and wellbeing of children, families, and communities."

"I don't think it's an overstatement to say it's catastrophic for the Clean Water Act," said Jim Murphy of the National Wildlife Federation. Wetlands play an "enormous role in protecting the nation's water," he said. "They're really the kidneys of water systems and they're also the sponges. They absorb a lot of water on the landscape. So they're very important water features and they're very important to the quality of the water that we drink, swim, fish, boat and recreate in."
Privacy

NSO Spyware Used in Armenia-Azerbaijan Conflict, Report Finds (nbcnews.com) 10

Invasive spyware capable of reading a smartphone's messages and listening to calls was found on the phones of at least 12 Armenian journalists, politicians and civil society members, according to a report published Thursday by a group of nonprofit organizations. From a report: The spyware, called Pegasus and made by the Israeli company NSO, had previously been found on the phones of thousands of people around the world, leading to U.S. sanctions in 2021 and a lawsuit from Apple. But researchers said their most recent findings are unique -- they believe it is the first time that the technology has been weaponized in an armed conflict between countries.

Armenia has intermittently battled its neighbor Azerbaijan for decades. In 2020, a cease-fire was broken in the disputed region of Nagorno-Karabakh, leaving thousands dead. Since then, the two countries have been mired in a sporadic shooting war which has killed dozens more. The report, a collaboration among the international internet rights group Access Now, Amnesty International and the University of Toronto's Citizen Lab, calls for "an immediate moratorium" on the sale and transfer of spyware technology. NSO is the most notorious mercenary spyware developer in the world. It creates powerful programs like Pegasus, which can hack smartphones to reveal information such as contacts, calls and location.

Government

Right-To-Repair Rules Are Now the Law In Minnesota (theverge.com) 31

Minnesota Governor Tim Walz has signed a groundbreaking right-to-repair law, which will come into effect on July 1, 2024. The Verge reports: The rules, part of an omnibus appropriations bill, require electronics manufacturers to let independent repair shops and consumers buy the parts and tools necessary to repair their own equipment. But the rules don't apply to some notable categories, including farm equipment, game consoles, medical devices, and motor vehicles.

The new Minnesota rules take effect July 1st, 2024, and they cover products sold on or after July 1st, 2021. If manufacturers sell a product in the state, they must offer residents the equipment to repair it on "fair and reasonable" terms within 60 days, and they must offer documentation for performing repairs and service free of charge. Failure to do so will violate Minnesota's Deceptive Trade Practices statute, opening manufacturers up to penalties from the attorney general.
"This is the biggest right to repair win to date," said Nathan Proctor, who leads the right to repair initiative at public interest group PIRG, in a statement. PIRG notes that Minnesota is the first state to offer right-to-repair protections for home appliances and commercial and educational computing systems, which were carved out of New York's law. In a blog post, repair site iFixit focused on the free documentation element. "With online documentation, people everywhere in the world -- not just in Minnesota -- will benefit from this," said iFixit CEO Kyle Wiens.
Nintendo

Nintendo Sued For 'Immoral' Mario Kart Loot Boxes (axios.com) 57

Nintendo is facing a potential class-action lawsuit filed by a young gamer and backed by his father, alleging that the microtransactions in the mobile game Mario Kart Tour are "immoral." Axios reports: The suit calls for refunds for all minors in the U.S. who paid to use Mario Kart Tour's "Spotlight Pipes," which delivered players in-game rewards using undisclosed odds. Until last year, Mario Kart Tour players could spend real money to repeatedly activate the pipes, in the hope they'd randomly produce useful upgrades. The suit alleges that Nintendo intentionally made the game difficult to proceed in without paying, using "dark patterns," an industry term for tricking consumers, to steer players toward spending more.

The suit was filed in March but emerged on the federal docket last week after it was moved out of state court. Its plaintiff, identified as N.A., spent more than $170 on Mario Kart Tour microtransactions, via his father's credit card, which was linked to their Nintendo user account. "Defendant's lootbox mechanism capitalized on and encouraged addictive behaviors akin to gambling," according to N.A.'s suit. It states that minors are particularly susceptible to systems that involve surprise rewards.
Axios notes that Nintendo "discontinued use of spotlight pipes in Mario Kart Tour last September, switching to a system that lets players directly purchase items offered in its in-game shop."
Privacy

'iRecorder Screen Recorder' App Turns Malicious, Sends Mic Recordings Every 15 Minutes (arstechnica.com) 31

An anonymous reader quotes a report from Ars Technica: An app that had more than 50,000 downloads from Google Play surreptitiously recorded nearby audio every 15 minutes and sent it to the app developer, a researcher from security firm ESET said. The app, titled iRecorder Screen Recorder, started life on Google Play in September 2021 as a benign app that allowed users to record the screens of their Android devices, ESET researcher Lukas Stefanko said in a post published on Tuesday. Eleven months later, the legitimate app was updated to add entirely new functionality. It included the ability to remotely turn on the device mic and record sound, connect to an attacker-controlled server, and upload the audio and other sensitive files that were stored on the device.

The secret espionage functions were implemented using code from AhMyth, an open source RAT (remote access Trojan) that has been incorporated into several other Android apps in recent years. Once the RAT was added to iRecorder, all users of the previously benign app received updates that allowed their phones to record nearby audio and send it to a developer-designated server through an encrypted channel. As time went on, code taken from AhMyth was heavily modified, an indication that the developer became more adept with the open source RAT. ESET named the newly modified RAT in iRecorder AhRat.

Stefanko installed the app repeatedly on devices in his lab, and each time, the result was the same: The app received an instruction to record one minute of audio and send it to the attacker's command-and-control server, also known colloquially in security circles as a C&C or C2. Going forward, the app would receive the same instruction every 15 minutes indefinitely. [...] Stefanko said it's possible that iRecord is part of an active espionage campaign, but so far, he has been unable to determine if that's the case. "Unfortunately, we don't have any evidence that the app was pushed to a particular group of people, and from the app description and further research (possible app distribution vector), it isn't clear if a specific group of people was targeted or not," he wrote. "It seems very unusual, but we don't have evidence to say otherwise."

Books

European Commission Calls for Pirate Site Blocking Around the Globe (torrentfreak.com) 29

The European Commission has published its biannual list of foreign countries with problematic copyright policies. One of the highlighted issues is a lack of pirate site blocking, which is seen as an effective enforcement measure, writes TorrentFreak, a news website that tracks piracy news. Interestingly, the EU doesn't mention the United States, which is arguably the most significant country yet to implement an effective site-blocking regime.
The Courts

Supreme Court Declines To Hear Challenge To Warrantless Pole Camera Surveillance (aclu.org) 120

An anonymous reader shares a press release from the American Civil Liberties Union (ACLU): The U.S. Supreme Court [Monday] declined to hear Moore v. United States, leaving in place a patchwork of lower court decisions on an important and recurring question about privacy rights in the face of advancing surveillance technology. In this case, police secretly attached a small camera to a utility pole, using it to surveil a Massachusetts home 24/7 for eight months -- all without a warrant. Law enforcement could watch the camera's feed in real time, and remotely pan, tilt, and zoom close enough to read license plates and see faces. They could also review a searchable, digitized record of this footage at their convenience. The camera captured every coming and going of the home's residents and their guests over eight months. As a result, the government targeted the home of a community pillar -- a lawyer, respected judicial clerk, devoted church member, and a grandmother raising her grandkids -- to cherry-pick images from months of unceasing surveillance in an effort to support unwarranted criminal charges against an innocent person.

Federal courts of appeals and state supreme courts have divided on the question of whether such sweeping surveillance is a Fourth Amendment search requiring a warrant. The highest courts of Massachusetts, Colorado, and South Dakota have held that long-term pole camera surveillance of someone's home requires a warrant. In Moore v. United States, the members of the full en banc U.S. Court of Appeals for the First Circuit split evenly on the question, with three judges explaining that a warrant is required, and three judges expressing the belief that the Fourth Amendment imposes no limit on this invasive surveillance. This issue will continue to arise in the lower courts; the ACLU filed an amicus brief on the question in the U.S. Court of Appeals for the Tenth Circuit earlier this month.
"The Supreme Court's decision not to hear this case means that people across the country remain vulnerable to law enforcement's claim of unfettered authority to surveil any of us at our homes, for as long as they wish, with no judicial oversight," said Nathan Freed Wessler, deputy director of the ACLU's Speech, Privacy, and Technology Project. "As the cost of surveillance technology falls and its use by law enforcement expands, the need to resolve whether the Fourth Amendment poses any constraint has become all the more urgent. We will continue fighting for essential privacy protections."
Privacy

Driver's Licenses, Addresses, Photos: Inside How TikTok Shares User Data (nytimes.com) 11

Employees of the Chinese-owned video app TikTok have regularly posted user information on a messaging and collaboration tool called Lark, according to internal documents. The New York Times: In August 2021, TikTok received a complaint from a British user, who flagged that a man had been "exposing himself and playing with himself" on a livestream she hosted on the video app. She also described past abuse she had experienced. To address the complaint, TikTok employees shared the incident on an internal messaging and collaboration tool called Lark, according to company documents obtained by The New York Times. The British woman's personal data -- including her photo, country of residence, internet protocol address, device and user IDs -- were also posted on the platform, which is similar to Slack and Microsoft Teams. Her information was just one piece of TikTok user data shared on Lark, which is used every day by thousands of employees of the app's Chinese owner, ByteDance, including by those in China.

According to the documents obtained by The Times, the driver's licenses of American users were also accessible on the platform, as were some users' potentially illegal content, such as child sexual abuse materials. In many cases, the information was available in Lark "groups" -- essentially chat rooms of employees -- with thousands of members. The profusion of user data on Lark alarmed some TikTok employees, especially since ByteDance workers in China and elsewhere could easily see the material, according to internal reports and four current and former employees. Since at least July 2021, several security employees have warned ByteDance and TikTok executives about risks tied to the platform, according to the documents and the current and former workers. "Should Beijing-based employees be owners of groups that contain secret" data of users, one TikTok employee asked in an internal report last July. The user materials on Lark raise questions about TikTok's data and privacy practices and show how intertwined it is with ByteDance, just as the video app faces mounting scrutiny over its potential security risks and ties to China.
