It’s been widely assumed that once China’s Huawei builds a nation’s wireless telecommunications sytem and creates a “smart city” with hundreds of cameras monitoring many types of activity, the Chinese company has access to all that data. Now comes this suit by an American company regarding a smart city project in Pakistan. The story is from the Wall Street Journal and is behind a pay wall. In hopes this information will reach a broader audience, I have pasted it in below:
Huawei Accused in Suit of Installing Data ‘Back Door’ in Pakistan Project
Small U.S. software maker alleges Chinese telecom giant sought live access to data in Pakistan; Huawei denies claim
The contractor, Buena Park, Calif.-based Business Efficiency Solutions LLC, or BES, says in a lawsuit filed Wednesday in California district court that Huawei required it to set up a system in China that gives Huawei access to sensitive information about citizens and government officials from a safe-cities surveillance project in Pakistan’s second-largest city of Lahore.
Muhammad Kamran Khan, chief operating officer of the Punjab Safe Cities Authority, which oversees the Lahore project, said the authority has begun looking into BES’s allegations.
“Our team is examining the accusations and sought an explanation from Huawei,” Mr. Khan said in an interview. “We have also put a data security check on Huawei after this issue.”
“So far, there has been no evidence of any data stealing by Huawei,” he said.
A Huawei spokeswoman said the company doesn’t comment on ongoing legal cases. But she added, “Huawei respects the intellectual property of others, and there is no evidence Huawei ever implanted any back door in our products.”
In comments to The Wall Street Journal last September, Huawei acknowledged setting up a separate version of the Lahore system in China, but said it was only a test version that was “physically isolated from the customer’s live network.” This made it “impossible for Huawei to extract data from the customer’s live network.”
Pakistan’s foreign ministry didn’t respond to requests for comment.
U.S. officials have long alleged Huawei gear could enable Chinese espionage in the countries that install it. Huawei has repeatedly said its gear is safe and that it would never spy on behalf of any government.
The allegations in the suit stem from a long-running legal dispute between the companies. Huawei hired BES to provide software and other services to help it win the rights to build Lahore’s safe-city project in 2016. It eventually beat out Western competitors including Motorola Solutions and Nokia Corp. with its bid of $150 million, according to the suit, in which BES is represented by lawyers from Akin Gump Strauss Hauer & Feld LLP.
The relationship soured, and Huawei sued BES in Pakistan, where BES also sued Huawei. Those proceedings are ongoing. BES is no longer operational and has no revenue.
Huawei is a leader in safe-cities projects—citywide surveillance systems marketed to governments as crime-fighting tools that often make use of facial-recognition cameras and other high-tech capabilities. The projects have drawn scrutiny from some governments and rights groups, who say they are used to export China’s surveillance practices. Huawei says its projects improve public safety and says it has built safe-cities systems in hundreds of cities around the world.
Pakistan has signed more agreements for Huawei safe-city projects than any other country, according to research by the Center for Strategic and International Studies.
BES’s lawsuit says that Huawei’s alleged back door was located in a database that consolidated sensitive information—including national ID card records, foreigner registrations, tax records and criminal records—for law enforcement. The system is called the Data Exchange System, or DES, according to the lawsuit.
BES says in the suit that after it installed the DES in Lahore, Huawei demanded in 2017 that it install a duplicate DES in the eastern Chinese city of Suzhou that would give Huawei direct access to the data being gathered in Pakistan.
Before building the Suzhou system, BES says in the suit it asked Huawei to obtain approval from Pakistani authorities.
“We want to insure that PPIC3 has no objection in transfer of this technology outside of PPIC3 for security reasons,” Mr. Nawaz wrote in an email to Huawei officials attached to the lawsuit. “Please get an approval from PPIC3, in writing, prior to us performing this function.”
PPIC3 is the acronym for the Pakistani command center that oversees the Lahore project.
According to the lawsuit, Huawei initially said it wasn’t necessary to get approval for what it called a test and threatened to withhold payments and terminate its agreements with BES if the contractor didn’t build the system.
Later, the lawsuit says, Huawei told BES it had indeed received Pakistani approval, and BES went ahead with the installation in Suzhou.
Mr. Nawaz said in an interview that Huawei refused to show evidence of Pakistani approval and that BES installed the alleged back door under duress. The lawsuit alleges that “Huawei-China uses the proprietary DES system as a back door from China into Lahore to gain access, manipulate, and extract sensitive data important to Pakistan’s national security.”
Adrian Nish, the London-based head of threat intelligence at BAE Systems Applied Intelligence, a unit of BAE Systems PLC, said it isn’t uncommon for a vendor to build a duplicate version of a system in-house for testing while it is under development, but such duplicates shouldn’t be connected to the actual system.
“Those two systems should not talk to each other,” he said.