TikTok and the Great Firewall of America

shutterstock_566768119
6 August 2020

Emily Parker is CoinDesk’s Global Macro Editor.

On Wednesday, the Trump administration announced The Clean Network program, which is supposed to protect Americans’ private information from “malign actors,” namely China. The basic idea is that barring Chinese apps and companies will make America safe again. “Building a Clean fortress around our citizens’ data will ensure all of our nations’ security,” the State Department statement said. 

This is similar to the language lawmakers are using against TikTok. “A U.S. company should buy TikTok so everyone can keep using it and your data is safe,” U.S. Senate Minority Leader Chuck Schumer (D-N.Y.) recently tweeted. “This is about privacy.”  

The argument is that the Chinese-owned app TikTok, which has access to the personal data of millions of Americans, could pose a threat to national security. Taken at face value, that position is not unreasonable. The problem is the assumption that U.S. companies can be trusted to keep personal data private and safe. This is not necessarily true. 

See also: Money Reimagined: China’s ‘Cold War’ Blockchain Strategy

No, this isn’t “whataboutism,” or “America does bad things, too.” It’s simply to say we don’t even know for sure TikTok is mishandling personal data or surveilling ordinary citizens. We do know American companies are. So why aren’t more people talking about this national security threat?

Last week, President Trump threatened to ban TikTok in the U.S., raising the bizarre specter of a world in which teenagers jump over the Great Firewall of America to use a Chinese app. Trump walked this back a bit, saying the U.S. would shut down TikTok on Sept. 15 unless Microsoft or another “very American” company bought it. He also said that the U.S. government should get a cut of the sale. 

Just for argument’s sake, let’s give the White House the benefit of the doubt and assume this isn’t election year China-bashing or old-fashioned protectionism. The idea of a foreign-owned company holding a honeypot of personal data on millions of Americans – data subject to a third-party hack or pressure from a government – is not a great scenario. 

The problem is the assumption that U.S. companies can be trusted to keep personal data private and safe.

But American companies are also vulnerable to these threats. Last year the New York Times published a deep dive into how mostly unregulated companies use mobile phones to trace the movements of tens of millions of people – and also store that information. 

“Within America’s own representative democracy, citizens would surely rise up in outrage if the government attempted to mandate that every person above the age of 12 carry a tracking device that revealed their location 24 hours a day,” the article noted. “Yet, in the decade since Apple’s App Store was created, Americans have, app by app, consented to just such a system run by private companies.”

The Times was also able to use that same data set to track, within minutes, the location of President Trump. If that’s not a national security issue, then what is? If journalists can use this kind of data to find a U.S. president, foreign spies could probably do the same. 

“Here we are freaking out about TikTok, when people’s cell phone carriers are doing things that are frankly compromising our security in much graver ways,” said Rebecca MacKinnon, founding director of Ranking Digital Rights, a research program at the think tank New America.

Nor is excessive data collection limited to cell phone companies. Google’s data hoarding is well known. It was not long ago that Facebook allowed the data firm Cambridge Analytica access to the private data of 50 million users.

In a widely viewed TED Talk from 2017, the academic Zeynep Tufekci reminded the world how Facebook tracks every status update, Messenger conversation and log-in location, not to mention all the information it purchases from data brokers. Her talk concluded with the plea: “We need a digital economy where our data and our attention is not for sale to the highest-bidding authoritarian or demagogue.” 

In the case of TikTok, the fear is Beijing could demand data on American users, and TikTok owner ByteDance would have no choice but to hand it over. Especially at a moment of heightened U.S.-China tensions, many Americans would be uncomfortable with this, and understandably so.

But some of those same Americans probably wouldn’t want their own government keeping tabs on them either. Yet, the data stored by U.S. companies has facilitated precisely that situation. As the cryptologist Bruce Schneier wrote in his book, “Data and Goliath”:  

The [National Security Agency] didn’t build a massive internet eavesdropping system from scratch. It noticed that the corporate world was already building one, and tapped into it ... [S]ometimes those corporations work with the NSA willingly. Sometimes they’re forced by the courts to hand over data, largely in secret.

Governments, of course, are only part of the problem. Non-state hackers can also wreak considerable havoc, as evidenced by the 17-year-old in Florida who allegedly broke into some of the most prominent Twitter accounts in the world. Stories of massive data breaches are becoming all too familiar. Researchers found 2019 to be the worst year on record, with almost 8 billion records exposed. 

Data honeypots are dangerous, regardless of their nationality. Campaigners have proposed solutions, including breaking up the tech giants. Ranking Digital Rights recommends a federal privacy law that would include strong data-minimization and purpose-limitation provisions.  

Ideally, “collection, retention and data sharing could only happen with very explicit consent and opt-in by the user,” MacKinnon said. “But that is not the case. We have very lax legal protections for users about what is happening to our data.”

See also: Lex Sokolin – China’s Open Source Development Has Lessons for the US

“Congress’ failure to pass a strong federal privacy law is a national security failure,” MacKinnon added. 

Another solution would be the popularization of decentralized social media platforms in which users control their own information. The idea is to store personal data on a distributed ledger rather than in a centralized entity like Facebook. This would, in theory, help address the honeypot problem. While this idea is often talked about in the blockchain and crypto community, we’re still some ways off from seeing a platform like this unseat the incumbent tech giants.

Now that data security is back in the headlines, it’s a good time to refocus on this issue. We can start with U.S. lawmakers acknowledging this problem is much bigger than TikTok and won’t be solved by simply putting more data in the hands of U.S. companies.

Read more

Privacy Opinion TikTok