Unpacking TikTok, Mobile Apps and National Security Risks – Lawfare

On March 12, Sen. Josh Hawley introduced a bill into the Senate to ban the downloading and use of TikTok, the Chinese social media app, on federal government devices. Hawley's bill carves out exceptions for such activities as law enforcement investigations and intelligence collection, but holds that

no employee of the United States, officer of the United States, Member of Congress, congressional employee, or officer or employee of a government corporation may download or use TikTok or any successor application developed by ByteDance or any entity owned by ByteDance on any device issued by the United States or a government corporation.

Currently, the Transportation Security Administration and the U.S. Army have also banned the app on employee phones.

But what's Hawley's objection to an app used widely for dance challenges and lip-syncing?

The narrative goes something like this: TikTok is a company incorporated within China; the Chinese government pervasively surveils within its borders and can get access to company-held data on a whim; thus, TikTok's potential collection of information on U.S. citizens is a security risk. Yet also thrown into the discussion are other allegations: TikTok removes political content at Beijing's behest, for example. The failure to decouple these risks only muddies the waters and makes it harder for policymakers and the general public to understand the threats at play.

In reality, TikTok carries five clear risks. Two pertain directly to national security, and three perhaps relate to it, though not as clearly. All have been conflated or blurred together, at one point or another, by pundits and others commenting on TikTok's risks. Policymakers and analysts would be wise to make meaningful distinctions among these risks and provide more nuance and detail around each specific threat.

Policymakers may clearly have many different interpretations of each of these risks' likelihood and severity. There's also no clear answer on what policymakers should do about the app. And, in reality, the problems raised by TikTok are much bigger than the app itself, representative of larger questions that must be answered around U.S. data security policy.

Risk 1: TikTok Collecting Data on U.S. Government Employees

The first risk posed by TikTok is the collection of data on U.S. government employees (including those working as contractors). These are people who either have security clearances or could have clearances in the future or at the very least perform tasks that, if not classified, may still be considered sensitive in an unofficial sense. Data collection on these individuals and their activities can therefore reveal important national security information or be used in a coercive manner (that is, blackmail) to target those individuals.

There are two considerations with this type of data collection risk: the kinds of data that are being or might be collected; and Beijing's ability to access that data.

The data collected by TikTok, at least on the surface, might seem relatively benign; after all, the app is a social media platform for sharing videos. Even if a U.S. federal government employee has the app, one could argue, that doesn't mean they're sharing any videos that somehow compromise their personal or professional activities. And they can use the app without jeopardizing sensitive information.

But where the risk gets more complicated is the reality that most phone apps collect far more information than what the average user would suspect they are handing over to the app. (This might even go beyond that single firm: Charlie Warzel at the New York Times, for example, has a great explanation of how just by downloading an app, you're potentially exposing sensitive data to dozens of technology companies, ad networks, data brokers and aggregators.)

TikTok is reasonably upfront about the high volume of data it collects: its privacy policy for U.S. residents states,

We automatically collect certain information from you when you use the Platform, including internet or other network activity information such as your IP address, geolocation-related data (as described below), unique device identifiers, browsing and search history (including content you have viewed in the Platform), and Cookies (as defined below).

It notes further that "[w]e also collect information you share with us from third-party social network providers, and technical and behavioral information about your use of the Platform," such as, potentially, contact lists on other social media services. This type of data collection can especially implicate national security: geolocations or internet search histories of federal employees can reveal quite sensitive information, such as the location of secret government facilities, details about events relevant to the government about which those employees are seeking publicly available information, and personal activities that could potentially be used to build files for blackmail.

TikTok is hardly alone in this kind of collection: go read the privacy policy of most major social media platforms and you'll find similar if not more encompassing language.

But TikTok has a unique challenge: There are real questions about who beyond TikTok might have access to the collected data. This risk likely exists whether the app is downloaded on a government-owned device used by an employee, or on a personal device used by the employee.

So can the Chinese government compel the company to turn over data?

As Samm Sacks recently wrote, Nothing is black and white, particularly when it comes to government access to data. Ultimately the Chinese government can compel companies to turn over their data, but this does not always happen. In some cases, companies can and do push back against government requests, as they have their own commercial interests to protect. There are real risks of government access to data, and this does happen, but it's not as clear-cut in practice as many might assume.

There are also real fears among some U.S. policymakers that data from a company like TikTok could be added into an enormous dataset Beijing continues to compile from incidents such as the Equifax breach and the hack of the Office of Personnel Management. The product of such data-hoarding, in this view, is a massive dossier on U.S. persons that the Chinese government can use for intelligence and security purposes, consisting of everything from communications to credit scores to travel histories.

It is clear that there are national security risks with TikTok's collection of data on U.S. federal government employees. The question for policymakers comes down to one's perceived likelihood of the risk, the severity of the risk and what to do about it.

Risk 2: TikTok Collecting Data on U.S. Persons Not Employed by the Government

Second is the risk that TikTok collects data on U.S. persons not working for the federal government in ways that still potentially impact national security. The considerations here mirror those of TikTok's data collection on federal employees.

Yes, the link between data collection on federal personnel and national security threats (that is, counterintelligence operations) is clearer. One could imagine how a clearance-holding federal employee with an embarrassing internet search history could be blackmailed, or how the GPS movements of a clearance-holding federal employee would likewise be valuable to a foreign intelligence service.

Here, one danger is merely the potential for U.S. persons not currently employed by the government to have clearances or perform other sensitive government tasks in the future. There could also be the potential for collection to target individuals in the private sector working on proprietary and national security-related technologies.

The collection of this data could therefore have potential impacts on U.S. national security in ways that may give policymakers reason to consider wider action against TikTok. Policymakers' decisions to take wider action would depend on where and how they interpret specific risk cases. For instance, one could perceive a risk of higher severity for an engineer working on tightly held and cutting-edge satellite imaging technology than for your average person.

It is also possible, in a Cambridge Analytica-style fashion, that such information could be used to develop profiles on Americans in ways that lend themselves to enhanced microtargeting on social media and other platforms.

In terms of the kinds of data being collected, TikTok, like most social media companies, very likely just collects the same types of information on all of its users. So collection on federal employees is likely the same as for non-federal employees.

The same goes for the legal authorities governing Beijing's access to TikTok data: The risk remains largely similar to the risk for federal employees. Maybe Beijing has greater incentive to request access to certain kinds of information when data is on U.S. government employees than when it's not. That said, this may also not be the case. TikTok might collect information from private citizens that exposes security-sensitive corporate activities. And what about the microtargeting: could Beijing have an incentive to access the data if it lent itself to, say, pushing advertisements for Chinese Communist Party (CCP)-preferred candidates in a U.S. election?

Risk 3: TikTok Censoring Information in China at Beijing's Behest

The third risk pertains to Beijing ordering, forcing, coercing or otherwise leading TikTok to remove information on the platform in China. (This could include TikTok preemptively self-censoring content out of concern over possible retribution from the Chinese government.) This is not directly a U.S. national security issue, but it merits attention because of the way it has been roped into conversations about TikTok's risks.

The Washington Post reported last fall, for example, on the ways in which certain content that the CCP dislikes, such as information on the Hong Kong pro-democracy protests, was strangely absent from TikTok.

Subsequently, amid this and other reports in the media about alleged TikTok censorship, Sens. Chuck Schumer and Tom Cotton sent a letter to the acting director of national intelligence, stating that

TikTok reportedly censors materials deemed politically sensitive to the Chinese Communist Party, including content related to the recent Hong Kong protests, as well as references to Tiananmen Square, Tibetan and Taiwanese independence, and the treatment of Uighurs. The platform is also a potential target of foreign influence campaigns like those carried out during the 2016 election on U.S.-based social media platforms.

In addition to raising concerns about the aforementioned risks of data collection on U.S. persons, the senators requested the intelligence community to investigate allegations that TikTok engages in political censorship at the direction of the Chinese government.

But many of the conversations about this political censorship do not distinguish between TikTok removing content within China's borders and TikTok removing that same content globally. This might seem like a trivial distinction, but it's not. In the former case, content would be removed (or perhaps algorithmically downplayed) for those accessing the mobile application from within China's geographic borders. Thus, this geoblocking would affect those physically located within China. If TikTok was censoring content globally, by contrast, once flagged, the offending content would be deleted from anyone's and everyone's TikTok feed.

The former issue of geoblocked content within China (that is, this third risk) is mostly a domestic issue in China. It is an issue of free speech and human rights, certainly, but it doesn't directly impact U.S. national security in the ways that it potentially would if content was removed globally at one government's behest.

Risk 4: TikTok Censoring Information Beyond China at Beijing's Behest

So what is the national security risk if TikTok did not limit its content takedowns to within China?

There is no clear evidence that Beijing has directly told TikTok to remove content around the world. TikTok's parent company responded to the Post investigation from last September by asserting that the platform's content moderation policies in the U.S. are handled by an American team and are not influenced by the Chinese government. But policymakers have expressed worries, in light of such observations as the aforementioned lack of Hong Kong protest videos on the platform, that TikTok is in fact (at Beijing's direct behest or not) removing those kinds of content globally. This risk centers on whether and how TikTok could remove, for anyone using the app, a video critical of the CCP or that talks about concentration camps in Xinjiang, for example. In this case, nobody in the world would be able to access the content on TikTok once removed; the takedowns would be global.

Again, the national security risks here are not as direct as with data collection. Yet there are genuine concerns about the Chinese government exporting its censorship through platforms like TikTok. The worry is that Beijing compels high-demand Chinese-incorporated internet platforms to remove content worldwide. Beijing's internet censorship practices, otherwise confined within Chinese borders, could hypothetically spread through this tactic.

This certainly presents risks to democracy and free speech. More teenagers in the United States are using TikTok to share political content. Political censorship is therefore not an insignificant issue. The takedown of certain critical videos could, for one thing, subtly influence platform users' views of Beijing. And there are real concerns, especially in light of such investigations as the Washington Post's report last November that "former U.S. [TikTok] employees said moderators based in Beijing had the final call on whether flagged videos were approved."

Risk 5: Disinformation on TikTok

Fifth and finally, there is concern among U.S. policymakers about potential disinformation on TikTok. Tons of U.S. teenagers use TikTok and consume political content through the application, so there is a concern that the users could amplify disinformation on the platform. This incursion of disinformation into U.S. public discourse is no doubt corrosive to the democratic process. Yet this is not a national security risk that is necessarily specific to TikTok.

Virtually every internet platform deals with disinformation; thus, that TikTok is Chinese incorporated in and of itself has nothing to do with it. But U.S. officials have expressed concern about the potential for disinformation on the platform. (These concerns aren't unfounded: See the false information that circulated on TikTok about the coronavirus.) One could certainly make the argument that the platform responses to disinformation, in light of political censorship concerns, might impact U.S. interests in undesirable ways. But the presence of disinformation on the platform is in many ways a distinct risk from the preceding four.

Looking Beyond TikTok

These questions, and the policy responses to them, have implications well beyond TikTok. And they have become increasingly urgent, as these questions about mobile apps, data collection and national security grow more frequent and as more bills like Sen. Hawley's are introduced into Congress.

The issues here are complex. If the view is that any data collected by a Chinese internet company is a national security risk, because of Beijing's purportedly easy access to that data, and the ways it could be potentially combined with other datasets (for example, from the Office of Personnel Management hack), then many applications fall into the bucket of risk. The widely used application WeChat, for example, could certainly be banned under that view.

But the problem is even more complicated. After all, China isn't the only country about which policymakers are or might be concerned.

Last fall, for example, Sen. Schumer sent a letter to the FBI requesting they investigate the security risks of Russian mobile apps. The letter cited the legal mechanisms available to the Government of Russia that permit access to data as reason for concern.

If Russian-made apps are also considered an unacceptable data collection risk for U.S. government employees, then how should the U.S. approach and maintain a list of countries that fit into that category?

The United States isn't alone in confronting these questions. And these aren't entirely novel problems. India's military, for example, has prohibited personnel from installing Chinese social platform WeChat due to security concerns. The Australian armed forces have also banned WeChat. The Pentagon banned the military's use of geolocating fitness trackers in August 2018 after live GPS data was found on the public internet: Researchers were able to track the location of troops on military bases and spies in safe houses.

This all raises challenging questions about where to draw the line: Is an app that, hypothetically, makes custom emojis and collects only a user's phone number more of a security risk than one that provides the weather based on current geographic location?

Meanwhile, it's worth remembering that apps are only one potential way for a government to get access to information on individuals: The highly unregulated data brokerage industry, which sells incredibly intimate information on all kinds of people to whomever is buying, could easily be exploited by foreign governments. Governments could buy information from brokerage firms and ascertain sensitive activities of, say, a U.S. federal employee with a security clearance or a non-government employee who happens to be running for Congress in the next election.

Policymakers might consider crafting legislation based on the people on whom data is being collected, that is, focusing on data collection of government employees, which presents immediate national security concerns, rather than about data collection on all Americans. Targeted bans on app downloads on government phones could be a solution, as Sen. Hawley proposed in his bill.

More broadly, one could imagine developing a framework of criteria to answer these questions that will arise again and again. This framework would function in the same way as would objective criteria by which to routinely evaluate other elements of digital supply chain security, another much-needed national security tool. For instance, the Committee on Foreign Investment in the United States could explicitly make data privacy and security a more central component of its investment screening process. Agencies like the Cybersecurity and Infrastructure Security Agency could lead an interagency process to determine government recommendations for baseline corporate cybersecurity standards writ large that, like with encryption, could be used subsequently by policymakers to evaluate protections implemented by firms like TikTok. Federal departments such as the Department of Defense could develop clear and at least semipublic frameworks by which they decide to prohibit employee use of mobile apps.

Again, though, even this route leads to more questions. What about American- or European-incorporated companies that collect disturbing amounts of sensitive personal information on U.S. government employees? Do they not fit these categories too? Policymakers need to consider these questions.

Policymakers also must consider whether these mobile app and data security decisions should depend less on the kinds of data collected and on whom, and more on the legal structures in the countries in which these companies are incorporated. Beijing, for instance, engages in unchecked surveillance. While the actual practice of Beijing getting data from private companies isn't as straightforward as some might imagine, it's certainly far easier than the U.S. government getting access to American company data. For some policymakers, that difference might be the end-all-be-all to allowing Chinese apps on U.S. government employee phones: forget about details like the kinds of data in question.

And this is all without even getting into the risks of content censorship in China, content censorship globally and disinformation, which pertain more to content management on an app like TikTok than they do directly to national security. This isn't to say (as clarified above) that no national security linkages exist or could exist to, say, TikTok removing political content worldwide at Beijing's behest. But, rather, I suggest that the links to a U.S. national security threat from censorship and disinformation are generally not as pronounced as those from the collection of geolocation data on a U.S. federal employee with an active security clearance, for example.

This isn't just a laundry list of academic questions.

Some observers might find a TikTok ban to be a relatively narrowly targeted and sensible policy response to a perceived threat of Chinese state access to data. But the reality is that decisions in this sphere of data security and U.S. data protection are not made in a vacuum. They have broader implications: first-order, second-order, and even third- or fourth-order effects. Many countries develop mobile apps, and many of them could be perceived as posing security risks in various ways. They, too, must be considered as part of the picture. A cohesive and repeatable strategy for making these decisions is far superior, from economic, national security and rights-protection perspectives, than a whack-a-mole-style approach that might yield a sensible policy but not with a sensible process.

All the while, it is important not to blur and conflate these risks. The national security risks of mobile apps made and managed by foreign-incorporated companies may take different forms and may differ in likelihood, severity and desired response. Blurring the lines makes it hard to develop targeted policies that address actual risks in ways that fully consider costs and benefits.

Many countries worldwide are grappling with these same questions. Many governments, like Washington, are also considering if, where and how they want to decouple elements of their technology systems from other countries. Here, Washington should tread very carefully because these broader and global implications demand much more thought.
