China

China Passes Data Protection Law (techcrunch.com) 52

China has passed a personal data protection law, state media Xinhua reports. TechCrunch: The law, called the Personal Information Protection Law (PIPL), is set to take effect on November 1. It was proposed last year -- signalling an intent by China's communist leaders to crack down on unscrupulous data collection in the commercial sphere by putting legal restrictions on user data collection. The new law requires app makers to offer users options over how their information is or isn't used, such as the ability not to be targeted for marketing purposes or to have marketing based on personal characteristics, according to Xinhua.

It also places requirements on data processors to obtain consent from individuals in order to be able to process sensitive types of data such as biometrics, medical and health data, financial information and location data. While apps that illegally process user data risk having their service suspended or terminated. Any Western companies doing business in China which involves processing citizens' personal data must grapple with the law's extraterritorial jurisdiction -- meaning foreign companies will face regulatory requirements such as the need to assign local representatives and report to supervisory agencies in China.

United States

Justice Department Says Facial Recognition Helped End an Almost 15-year Manhunt (theverge.com) 53

A fugitive who Justice Department officials say had scammed more than 20 people out of hundreds of thousands of dollars was sentenced to four years in prison on Friday, after being on the run for almost 15 years. From a report: Austrian authorities were able to identify Randy Levine, 54, of Boca Raton, Florida, due to a facial recognition system according to the DOJ, after he tried to use an alias to open a bank account, leading to his arrest in June 2020. Levine fled the US in 2005, after authorities seized his passport as part of an investigation into an alleged scam he had been running, the DOJ said in a release. According to Levine's plea agreement, which he signed in May, he would offer to set up gambling accounts for people if they sent him money. To help sell the idea that he really could help people make bets, Levine reportedly played a recording of casino sounds while he was on calls with victims (which he made using a Las Vegas phone number). Levine came under investigation by the FBI, but was able to get a replacement for the passport that law enforcement officials seized, by claiming the passport had simply been lost. He eventually ended up in Poland, where he was arrested in 2008. There was, however, a legal battle over whether he could be extradited to the US, which continued until late 2011. By the time Polish courts had decided that he could be extradited, Levine had already slipped away.

Privacy

Senators Challenge TikTok's 'Alarming' Plan To Collect Users' Voice and Face Biometrics (techcrunch.com) 39

TikTok's plans to collect biometric identifiers from its users have prompted concern among U.S. lawmakers, who are demanding the company reveal exactly what information it collects and what it plans to do with that data. From a report: In a letter sent earlier this month addressed to TikTok CEO Shou Zi Chew, Sens. Amy Klobuchar (D-MN) and John Thune (R-SD) say they are "alarmed" by the recent change to TikTok's privacy policy, which allows the company to "automatically collect biometric data, including certain physical and behavioral characteristics from video content posted by its users."

TechCrunch first reported details of the new privacy policy back in June, when TikTok said it will seek "required permissions" to collect "faceprints and voiceprints" where required by law, but failed to elaborate on whether it's considering federal law, state laws, or both (only a handful of U.S. states have biometric privacy laws, including Illinois, Washington, California, Texas and New York). Klobuchar and Thune's letter asks TikTok to explicitly explain what constitutes a "faceprint" and "voiceprint," as well as to explain how this data will be used and how long it will be retained. The senators also quizzed TikTok on whether any data is gathered for users under the age of 18; whether it makes any inferences about its users based on the biometric data it collects; and to provide a list of all third parties that have access to the data.

Privacy

Policy Groups Ask Apple To Drop Plans To Inspect iMessages, Scan for Abuse Images (reuters.com) 89

More than 90 policy and rights groups around the world published an open letter on Thursday urging Apple to abandon plans for scanning children's messages for nudity and the phones of adults for images of child sex abuse. From a report: "Though these capabilities are intended to protect children and to reduce the spread of child sexual abuse material, we are concerned that they will be used to censor protected speech, threaten the privacy and security of people around the world, and have disastrous consequences for many children," the groups wrote in the letter, which was first reported by Reuters. The largest campaign to date over an encryption issue at a single company was organized by the U.S.-based nonprofit Center for Democracy & Technology (CDT). Some overseas signatories in particular are worried about the impact of the changes in nations with different legal systems, including some already hosting heated fights over encryption and privacy.

Privacy

'Apple's Device Surveillance Plan Is a Threat To User Privacy -- And Press Freedom' (freedom.press) 213

The Freedom of the Press Foundation is calling Apple's plan to scan photos on user devices to detect known child sexual abuse material (CSAM) a "dangerous precedent" that "could be misused when Apple and its partners come under outside pressure from governments or other powerful actors." They join the EFF, whistleblower Edward Snowden, and many other privacy and human rights advocates in condemning the move. Advocacy Director Parker Higgins writes: Very broadly speaking, the privacy invasions come from situations where "false positives" are generated -- that is to say, an image or a device or a user is flagged even though there are no sexual abuse images present. These kinds of false positives could happen if the matching database has been tampered with or expanded to include images that do not depict child abuse, or if an adversary could trick Apple's algorithm into erroneously matching an existing image. (Apple, for its part, has said that an accidental false positive -- where an innocent image is flagged as child abuse material for no reason -- is extremely unlikely, which is probably true.) The false positive problem most directly touches on press freedom issues when considering that first category, with adversaries that can change the contents of the database that Apple devices are checking files against. An organization that could add leaked copies of its internal records, for example, could find devices that held that data -- including, potentially, whistleblowers and journalists who worked on a given story. This could also reveal the extent of a leak if it is not yet known. Governments that could include images critical of its policies or officials could find dissidents that are exchanging those files.
[...]
Journalists, in particular, have increasingly relied on the strong privacy protections that Apple has provided even when other large tech companies have not. Apple famously refused to redesign its software to open the phone of an alleged terrorist -- not because they wanted to shield the content on a criminal's phone, but because they worried about the precedent it would set for other people who rely on Apple's technology for protection. How is this situation any different? No backdoor for law enforcement will be safe enough to keep bad actors from continuing to push it open just a little bit further. The privacy risks from this system are too extreme to tolerate. Apple may have had noble intentions with this announced system, but good intentions are not enough to save a plan that is rotten at its core.

The Courts

Three Former Netflix Software Engineers Charged With Insider Trading By SEC (deadline.com) 33

An anonymous reader quotes a report from Deadline: Three former Netflix software engineers are among those who have been charged by the U.S. Securities and Exchange Commission for alleged insider trading. In a complaint (PDF) filed in federal court in Seattle, the regulatory agency says the engineers and two associates generated more than $3 million in profits from a "long-running scheme." The cornerstone of the setup, according to the complaint, was confidential information they obtained about Netflix subscriber growth. Subscriber numbers at Netflix or, more recently, Disney and other companies, have been central to Wall Street's embrace or rejection of stocks in recent years.

According to the SEC's complaint, Sung Mo "Jay" Jun was at the center of a long-running scheme to illegally trade on non-public information concerning the growth in Netflix's subscriber base. The complaint alleges that Sung Mo Jun, while employed at Netflix in 2016 and 2017, repeatedly tipped this information to his brother, Joon Mo Jun, and his close friend, Junwoo Chon, who both used it to trade in advance of multiple Netflix earnings announcements. After Sung Mo Jun left Netflix in 2017, the complaint says, he obtained confidential Netflix subscriber growth information from another Netflix insider, Ayden Lee. Sung Mo Jun allegedly traded himself and tipped Joon Jun and Chon in advance of Netflix earnings announcements from 2017 to 2019. The SEC alleges that Sung Mo Jun's former Netflix colleague Jae Hyeon Bae, another Netflix engineer, tipped Joon Jun based on Netflix's subscriber growth information in advance of Netflix's July 2019 earnings announcement.

The SEC said its market abuse unit uncovered the trading ring by using data analysis tools to identify the traders' suspicious run of success. "We allege that a Netflix employee and his close associates engaged in a long-running, multimillion dollar scheme to profit from valuable, misappropriated company information," Erin E. Schneider, director of the SEC's San Francisco office, said in a press release. "The charges announced today hold each of the participants accountable for their roles in the scheme." "The defendants allegedly tried to evade detection by using encrypted messaging applications and paying cash kickbacks," added Joseph Sansone, Chief of the SEC's market abuse unit. Sung Mo Jun, Joon Jun, Chon, and Lee have consented to the entry of judgments, the SEC said. If approved by the court, the judgments would permanently enjoin each from violating the charged provisions, with civil penalties to be decided later by the court. Sung Mo Jun also agreed to an officer and director bar. Bae consented to the entry of a final judgment, also subject to court approval, and imposing a civil penalty of $72,875.

Censorship

Apple Censors Engraving Service, Report Claims (bbc.com) 49

Apple censors references to Chinese politicians, dissidents and other topics in its engraving service, a report alleges. The BBC reports: Citizen Lab said it had investigated filters set up for customers who wanted something engraved on a new iPhone, iPad or other Apple device. And Apple had a broad list of censored words, not just in mainland China but also in Hong Kong and Taiwan. Apple said its systems "ensure local laws and customs are respected." "As with everything at Apple, the process for engraving is led by our values," chief privacy officer Jane Horvath wrote in a letter (PDF) provided to CitizenLab in advance of the publication of its report. And the engraving service tried not to allow trademarked phrases, alongside those that "are vulgar or culturally insensitive, could be construed as inciting violence, or would be considered illegal according to local laws, rules, and regulations."

[CitizenLab's] new report found more than 1,100 filtered keywords, across six different regions, mainly relating to offensive content, such as racist or sexual words. But it alleges the rules are applied inconsistently and are much wider for China. "Within mainland China, we found that Apple censors political content, including broad references to Chinese leadership and China's political system, names of dissidents and independent news organizations, and general terms relating to religions, democracy, and human rights," it says. The report also alleges that censorship "bleeds" into both the Hong Kong and Taiwan markets. It found: 1,045 keywords blocked in mainland China; 542 in Hong Kong; and 397 in Taiwan. In contrast, Japan, Canada and the US had between 170 and 260 filtered words.

Privacy

Apple's NeuralHash Algorithm Has Been Reverse-Engineered (schneier.com) 86

An anonymous reader writes: Apple's NeuralHash algorithm (PDF) -- the one it's using for client-side scanning on the iPhone -- has been reverse-engineered.

Turns out it was already in iOS 14.3, and someone noticed:

Early tests show that it can tolerate image resizing and compression, but not cropping or rotations. We also have the first collision: two images that hash to the same value. The next step is to generate innocuous images that NeuralHash classifies as prohibited content.

This was a bad idea from the start, and Apple never seemed to consider the adversarial context of the system as a whole, and not just the cryptography.

Privacy

Afghans Scramble To Delete Digital History, Evade Biometrics (reuters.com) 203

Thousands of Afghans struggling to ensure the physical safety of their families after the Taliban took control of the country have an additional worry: that biometric databases and their own digital history can be used to track and target them. From a report: U.N. Secretary-General Antonio Guterres has warned of "chilling" curbs on human rights and violations against women and girls, and Amnesty International on Monday said thousands of Afghans - including academics, journalists and activists - were "at serious risk of Taliban reprisals." After years of a push to digitise databases in the country, and introduce digital identity cards and biometrics for voting, activists warn these technologies can be used to target and attack vulnerable groups. "We understand that the Taliban is now likely to have access to various biometric databases and equipment in Afghanistan," the Human Rights First group wrote on Twitter on Monday.

"This technology is likely to include access to a database with fingerprints and iris scans, and include facial recognition technology," the group added. The U.S.-based advocacy group quickly published a Farsi-language version of its guide on how to delete digital history - that it had produced last year for activists in Hong Kong - and also put together a manual on how to evade biometrics. Tips to bypass facial recognition include looking down, wearing things to obscure facial features, or applying many layers of makeup, the guide said, although fingerprint and iris scans were difficult to bypass.

Piracy

Microsoft Envisions a Blockchain-Based Bounty System to Catch Pirates (torrentfreak.com) 59

A new paper (PDF) published by Microsoft's research department proposes to tackle piracy with a blockchain-based bounty system titled "Argus." The system allows volunteers to report piracy in exchange for a reward. It uses the Ethereum blockchain and is transparent, practical, and secure, while limiting abusive reports and errors. TorrentFreak reports: Argus is a transparent system built on the Ethereum blockchain that allows people to anonymously report piracy in exchange for a bounty. Pirated content is traced back to the source through a unique watermark that corresponds with a secret code. When a pirated copy is reported, the status of the source (licensee) is changed to "accused." The system provides an appeal option, but if that fails, the accused status changes to "guilty." Argus is an open system but there are various safeguards to prevent abuse. Reporting the same pirated work multiple times under different aliases is useless, for example, as that will only reduce the reward.

The system relies on several checks to ensure that the system is open, while avoiding false accusations at the same time. And according to the researchers, the costs of utilizing the blockchain are relatively low. "We effectively optimize several cryptographic operations so that the cost for a piracy reporting is reduced to an equivalent cost of sending about 14 ETH-transfer transactions to run on the public Ethereum network, which would otherwise correspond to thousands of transactions." "With the security and practicality of Argus, we hope real-world anti-piracy campaigns will be truly effective by shifting to a fully transparent incentive mechanism," the researchers add.

Whether Microsoft has any plans to test the system in the wild is unknown. It theoretically works with various media types including images, audio and software. That said, it's unclear how effective it will be. The researchers "assume" that the watermarking technology deployed is tamper-free, which isn't always the case today. The paper and the Argus system will be presented at the upcoming 40th International Symposium on Reliable Distributed Systems, which will be held virtually at the end of September.

Security

Critical Bug Impacting Millions of IoT Devices Lets Hackers Spy On You (bleepingcomputer.com) 42

An anonymous reader quotes a report from BleepingComputer: Security researchers are sounding the alarm on a critical vulnerability affecting tens of millions of devices worldwide connected via ThroughTek's Kalay IoT cloud platform. The security issue impacts products from various manufacturers providing video and surveillance solutions as well as home automation IoT systems that use the Kalay network for easy connection and communication with a corresponding app. A remote attacker could leverage the bug to gain access to the live audio and video streams, or to take control of the vulnerable device. Researchers at Mandiant's Red Team discovered the vulnerability at the end of 2020 and worked with the U.S. Cybersecurity and Infrastructure Security Agency and ThroughTek to coordinate the disclosure and create mitigation options.

Tracked as CVE-2021-28372, the issue is a device impersonation vulnerability that received a severity score of 9.6 out of 10. It affects the Kalay protocol that is implemented as a software development kit (SDK) that is built into mobile and desktop applications. Mandiant's Jake Valletta, Erik Barzdukas, and Dillon Franke looked at ThroughTek's Kalay protocol and found that registering a device on the Kalay network required only the device's unique identifier (UID). Following this lead, the researchers discovered that a Kalay client, such as a mobile app, usually receives the UID from a web API hosted by the vendor of the IoT device. An attacker with the UID of a target system could register on the Kalay network a device they control and receive all client connection attempts. This would allow them to obtain the login credentials that provide remote access to the victim device audio-video data. The researchers say that this type of access combined with vulnerabilities in device-implemented RPC (remote procedure call) interface can lead to complete device compromise. By the latest data from ThroughTek, its Kalay platform has more than 83 million active devices and manages over 1 billion connections every month.
The best way to protect yourself from this vulnerability is to keep your device software and applications updated to the latest version, as well as create complex, unique login passwords. The report also recommends you avoid connecting to IoT devices from an untrusted network.

Privacy

Stop Using Zoom, Hamburg's DPA Warns State Government (techcrunch.com) 25

Hamburg's state government has been formally warned against using Zoom over data protection concerns. From a report: The German state's data protection agency (DPA) took the step of issuing a public warning yesterday, writing in a press release that the Senate Chancellory's use of the popular videoconferencing tool violates the European Union's General Data Protection Regulation (GDPR) since user data is transferred to the US for processing. The DPA's concern follows a landmark ruling (Schrems II) by Europe's top court last summer which invalidated a flagship data transfer arrangement between the EU and the US (Privacy Shield), finding US surveillance law to be incompatible with EU privacy rights.

The fallout from Schrems II has been slow to manifest -- beyond an instant blanket of legal uncertainty. However a number of European DPAs are now investigating the use of US-based digital services because of the data transfer issue, and in some instances publicly warning against the use of mainstream US tools like Facebook and Zoom because user data cannot be adequately safeguarded when it's taken over the pond. German agencies are among the most proactive in this respect. But the EU's data protection supervisor is also investigating the bloc's use of cloud services from US giants Amazon and Microsoft over the same data transfer concern.

Music

Sonos Gets Early Patent Victory Against Google Smart Speakers (arstechnica.com) 60

An anonymous reader quotes a report from Ars Technica: Sonos scored an early victory in its case against Google Friday, when the US International Trade Commission ruled that Google infringed five of Sonos' smart speaker patents. The ruling is preliminary and subject to a full ITC review, but it could lead to a ban on Google smart speakers. In January 2020, Sonos brought a patent infringement case against Google targeting Google's smart speakers, the Google Home, and later the Nest Audio line. Sonos is the originator of Internet-connected speakers that easily hook up to streaming services, while Google speakers combine a similar feature set with voice-activated Google Assistant commands. To hear Sonos tell the story, Google got a behind-the-scenes look at Sonos' hardware in 2013, when Google agreed to build Google Play Music support for Sonos speakers. Sonos claims Google used that access to "blatantly and knowingly" copy Sonos' audio features for the Google Home speaker, which launched in 2016.

TechCrunch got statements from both sides of the fight. First up, Sonos Chief Legal Officer Eddie Lazarus told the site, "Today the ALJ has found all five of Sonos' asserted patents to be valid and that Google infringes on all five patents. We are pleased the ITC has confirmed Google's blatant infringement of Sonos' patented inventions. This decision re-affirms the strength and breadth of our portfolio, marking a promising milestone in our long-term pursuit to defend our innovation against misappropriation by Big Tech monopolies." Meanwhile, Google said, "We do not use Sonos' technology, and we compete on the quality of our products and the merits of our ideas. We disagree with this preliminary ruling and will continue to make our case in the upcoming review process." A final ruling should happen on December 13, and it's not just speakers that could be banned if the two companies don't make nice. The products that connect to those speakers, like Pixels and Chromecasts, could also be banned.

Cellphones

A Simple Software Fix Could Limit Location Data Sharing (arstechnica.com) 55

Slashdot reader nickwinlund77 quotes Wired: Location data sharing from wireless carriers has been a major privacy issue in recent years... Carriers remain perennially hungry to know as much about you as they can. Now, researchers are proposing a simple plan to limit how much bulk location data they can get from cell towers.

Much of the third-party location data industry is fueled by apps that gain permission to access your GPS information, but the location data that carriers can collect from cell towers has often provided an alternative pipeline. For years it's seemed like little could be done about this leakage, because cutting off access to this data would likely require the sort of systemic upgrades that carriers are loath to make.

At the Usenix security conference on Thursday, though, network security researchers Paul Schmitt of Princeton University and Barath Raghavan of the University of Southern California are presenting a scheme called Pretty Good Phone Privacy that can mask wireless users' locations from carriers with a simple software upgrade that any carrier can adopt—no tectonic infrastructure shifts required... The researchers propose installing portals on every device — using an app or operating system function — that run regular checks with a billing server to confirm that a user is in good standing. The system would hand out digital tokens that don't identify the specific device but simply indicate whether the attached wireless account is paid up.

Government

Russian Intelligence Services are Working with Ransomware Gangs, Report Says (cbsnews.com) 80

CBS News reports: Russian intelligence services worked with prominent ransomware gangs to compromise U.S. government and government-affiliated organizations, according to new research from cybersecurity firm Analyst1.

Two Russian intelligence bureaus — the Federal Security Service, or FSB, and Foreign Intelligence Service, or SVR — collaborated with individuals in "multiple cybercriminal organizations," security analysts with the firm say in the report. The research indicates these cybercriminals helped Russian intelligence develop and deploy custom malware targeting American companies that serve U.S. military clients... The code was launched sometime between June 2019 and January 2020 and hid in the background of Windows machines, silently harvesting keystrokes and sensitive documents...

Analyst1 does not attribute the rise in organized criminal ransomware directly to Russian President Vladimir Putin or the Kremlin. But DiMaggio does "strongly believe" the Russian government colluded with cybercriminal gangs to spy on American defense targets.

The report said two different Russian cybercriminal groups attacked the same target, infiltrated their targeted systems, "then distributed malware using a PowerShell Windows application..."

The report's author, a lead researcher at Analyst1, tells CBS that the ransomware variation "crawls documents for specific keywords, like 'weapon' and 'top secret,' then quietly sends the info back to the attacker."

Microsoft

Fight Piracy With a Blockchain-Based Bounty System, Suggest Microsoft Researchers (torrentfreak.com) 53

TorrentFreak reports: A new paper published by Microsoft's research department proposes to tackle piracy with a blockchain-based bounty system titled "Argus." The system allows volunteers to report piracy in exchange for a reward. It uses the Ethereum blockchain and is transparent, practical, and secure, while limiting abusive reports and errors...

Pirated content is traced back to the source through a unique watermark that corresponds with a secret code. When a pirated copy is reported, the status of the source (licensee) is changed to "accused." The system provides an appeal option, but if that fails, the accused status changes to "guilty...." Whether Microsoft has any plans to test the system in the wild is unknown. It theoretically works with various media types including images, audio and software...

This idea isn't completely new, however, as the South African company Custos came up with a similar idea years ago. Microsoft's research notes that Argus is superior to Custos' solution as it can assess the severity of piracy and the strength of accusations.

TorrentFreak points out that the paper also received input from researchers at Alibaba and Carnegie Mellon University.

I like how the paper referenced the appropriately-named functions for parts of the process, including Report(), Appeal(), and SetGuilty().

Crime

A CyberSecurity CEO Used Apple's AirTags to Locate His Stolen Scooter (cnet.com) 92

Dan Guido's cybersecurity consulting firm Trail of Bits claims its clients range from Facebook to DARPA. CNET tells the story of what happened after someone stole Guido's electric scooter: The cybersecurity CEO, located in Brooklyn, New York, had hidden two Apple AirTags inside the black scooter, concealed with black duct tape. He set out the next day to locate the vehicle with help from the little Bluetooth trackers. Spoiler alert: He succeeded.

Guido works at the New York City-based Trail of Bits, a cybersecurity research and consulting firm that serves clients in the defense, tech, finance and blockchain industries. He chronicled his hunt for the scooter in a series of tweets Monday, sharing both the challenges and successes of his wild journey... After some convincing, two police officers eventually agreed to accompany him to the scooter's location. Then, they spotted something promising: an e-bike store.

After venturing inside, Guido received a ping, alerting him the elusive scooter was nearby...

Guido's tweets document the rest of the big confrontation. "As I further inspect the scooter, the cops start asking questions: Do you sell used e-bikes? Do you collect info from the seller? Do you ask they prove ownership? What is the contact info for the person who dropped this scooter off? No, No, No, and we don't know...

"An employee inside realizes we're investigating further. He immediately becomes agitated: I should be happy I got my scooter back and leave. It's my fault for getting it stolen. I'm screwing up his day. This isn't how we do things in Brooklyn. More joined in..."

Among Guido's final tweets of advice: "Limit your in-person interactions and always involve the police. Don't try to retrieve your stolen goods until you have backup."

Apple Insider adds that "This isn't the first time that Apple's AirTags have been used to locate missing or stolen items. Back in July, a tech enthusiast said he used the tracking accessories to find his missing wallet hours after losing it on the New York City subway."

Businesses

Would You Let Amazon Scan Your Palm For $10? (geekwire.com) 72

"New Amazon CEO Andy Jassy is facing questions about how the company plans to use the data it gathers from its newly installed palm-reading scanners in some of the company's retail outlets," reports GeekWire: A group of three U.S. senators — Amy Klobuchar (D-Minn.), Bill Cassidy (R-La.), and Jon Ossoff (D-Ga.) — sent a letter to Jassy asking a series of questions about its new Amazon One program which encourages people to make contactless payments via hand scans in its brick-and-mortar stores, such as Whole Foods. Specifically, the senators expressed concerns about Amazon's own history with its user data...

"Our concerns about user privacy are heightened by evidence that Amazon shared voice data with third-party contractors and allegations that Amazon has violated biometric privacy laws... In contrast with biometric systems like Apple's Face ID and Touch ID or Samsung Pass, which store biometric information on a user's device, Amazon One reportedly uploads biometric information to the cloud, raising unique security risks," they wrote in the letter.

Currently, Amazon is offering $10 in promotional credits to those who enroll their bank accounts in the program and link them to their Amazon accounts.

Hot Hardware calls it a "slightly creepy promo," asking "What is the lowest amount you would sell your personal palm print for to a third-party?"

ISS

Deflecting Criticism, Russia Tries Insinuating 2018 Hole on Space Station Was US Sabotage (space.com) 83

Remember that small leak on the International Space Station discovered in 2018 that was traced to a Russian module and apparently made by a drill bit? (Implicating the technicians that built the module on earth, Ars Technica wrote "There is evidence that a technician saw the drilling mistake and covered the hole with glue, which prevented the problem from being detected...")

It's being revisited in the aftermath of a more recent incident involving Russia's Nauka science module to the International Space Station. (A software glitch after launch had required two course corrections for its rocket, and then while docking in space the module mistakenly fired its thrusters, causing the space station to briefly lose control, as well as communication with earth for 11 minutes.) Russia "is furious at what it says is unfair criticism of its space program," notes Futurism.com.

In response, Russia's state-owned news agency TASS has presented an anonymous interview with someone said to be a "high ranking" official at their space agency suggesting that the 2018 drill hole could've been caused by an emotionally unstable NASA flight engineer onboard the space station. The state-owned agency's story claims this flight engineer had discovered a blood clot in their jugular vein, and could've decided their return to earth for medical treatment might be expedited by sabotaging Russia's module. The problem with this story? Space.com reports: NASA officials knew the precise locations of the U.S. astronauts before the leak occurred and at the moment it began, thanks to space station surveillance. The video footage indicated that none of the U.S. astronauts on the station were near the Russian segment where the Soyuz vehicle was docked.
So Russia's state-owned news agency TASS now suggests that NASA could've tampered with that video to cover up sabotage by NASA's astronauts — and points out that they weren't allowed to administer lie-detecting polygraph tests to those astronauts.

Asked to comment on the "unstable astronaut" theory, NASA's human spaceflight chief said they "did not find this accusation credible."

Ars Technica calls Russia's claims "extraordinarily defamatory."
Businesses

Samsung's Leader Is Out of Jail, Allowing US Factory Plans To Move Forward (arstechnica.com) 14

An anonymous reader quotes a report from Ars Technica: Samsung Group's leader, Jay Y. Lee, is out of jail on parole today. Lee was serving a 30-month sentence for his role in "Choi-gate," a major 2016 South Korean political scandal that brought down South Korean then-President Park Geun-hye. In 2017, Lee was originally sentenced to five years in jail after being found guilty of bribery, embezzlement, capital flight, and perjury. An appeal and retrial cut Lee's five-year prison sentence down to 30 months after suspending the charges for bribery and embezzlement. Lee served 18 months of that sentence, and now he's out on parole.

Upon his release, Lee told reporters, "I've caused much concern for the people. I deeply apologize. I am listening to the concerns, criticisms, worries, and high expectations for me. I will work hard." Lee's release from prison is controversial. The pro-business side of South Korean politics wants to see Lee back on the streets because Samsung is a massive part of South Korea's economy, and jailing the leader has delayed major strategic decisions at the company. Civic groups say South Korea's business elite get a different set of rules from everyone else and that Lee's parole is the latest sign of that reality.

Samsung makes up anywhere from 10-20 percent of South Korea's GDP, depending on how the latest quarter is going. As the top dog at Samsung, Lee has the final say on major investments and acquisitions, and one of the big decisions he needs to make is where to build a $17 billion chip factory in the US. The plant could be operational as soon as October 2022, and with the world currently in the middle of a global chip shortage, there's pressure to get everything started. US businesses have even been lobbying South Korea to pardon Lee in the hopes that the deal would go through. Lee reportedly left prison to head to Samsung headquarters, but he still has more legal issues to deal with. In October, he will face another trial relating to the Samsung C&T merger, this time for accounting fraud and stock price manipulation.
