On Nov. 16, Reuters reported that push notification company Pushwoosh is Russian in origin despite presenting itself as a US-based company. Pushwoosh code was present in apps used by the Centers for Disease Control (CDC) and the US Army.
Reuters determined that Pushwoosh is registered with the Russian government and pays taxes there, but this information is not included in US regulatory filings. Pushwoosh published a statement in response to the Reuters report denying that it is based in Russia.
"Pushwoosh Inc. is the sole proprietor of all IP rights assigned to Pushwoosh Service and a primary legal entity of the Pushwoosh brand. Pushwoosh Inc. is a privately held C-Corp company incorporated under the state laws of Delaware, USA. Pushwoosh Inc. was never owned by any company registered in the Russian Federation," according to the statement.
The company did not respond to Reuters' request for evidence supporting its statement.
Importance of Origins
Why would a company obscure its origins? "This could be for any number of reasons such as trying to avoid sanctions imposed by the US government, trying to appear to be from the US in order to seem more trustworthy, trying to avoid any anti-Russian bias, and trying not to appear to be a Russian government entity," Nigel Houghton, director of marketplace and ecosystem development at threat intelligence company ThreatQuotient, explains.
Regardless of the motivation, the question of Pushwoosh's origins is a question of risk. "There is a certain amount of risk involved in using any application like this, but one that is actively trying to hide the fact that it is a Russian-owned and operated business should raise red flags," Houghton contends.
With Pushwoosh code in thousands of apps, all different kinds of organizations are likely using it for customer engagement. The level of concern could depend on the user.