One note. Project Texas was not just proposed. It has been mostly implemented, and those who dismiss it as an option do not seem to have made any effort to understand it. Which only shows clearly that the motivations are not about solving anything, just scoring political points.
Assume that Project Texas has been completed, and data and service sovereignty measures have been passed, meaning all service compute and landed data for TikTok is solely resident in US regions run by Oracle Cloud. What gives that architecture any less opportunity for a means to escrow data of interest to the CCP, or to allow the sort of domestic surveillance tooling that we see the state used with a willing PRC-based telco in the Anxun documents?
Just to show how many turtles are stacked up here:
1. Do we think all internal netflow, particularly of those VPNs that are bound for non-organizational hosts, is scrutinized by the authorities?
2. Are TikTok Inc security researchers free to publicize vulnerabilities, and do so before informing colleagues, superiors, or anyone at Bytedance?
3. Are we sure the above research happens with platforms that we can guarantee aren't subject to passive surveillance by personnel associated with colleagues, superiors, or anyone at Bytedance?
I think that Matt Stoller has a comprehensive take on the situation. His Substack Big is about what is going on with anti-trust in the USA. While I do not always agree with him, I do see his point, that this is not a move against the Chinese per se, but more part of a systematic move to protect Americans from the unlawful data gathering of all companies. He has been covering the cases against Microsoft and Google too, which are slow moving, but being lost because Lina Khan is so wonderful at her job. She is in my opinion the star of the Justice Department. So, while a perceived bias against China may not be fair, although I don't think anyone would be defending TikTok if it were a Russian company that had the control of all of our youth, it is not as simple as this.
https://www.thebignewsletter.com/p/the-tiktok-problem-is-not-what-you?utm_campaign=email-post&r=f0qfn&utm_source=substack&utm_medium=email
The details of how the secure enclave works are complex, but it has been done by cybersecurity professionals who know what they are doing, and provides for regular third-party auditing of data access, AI algorithm updates, etc. Not sure what you mean by "escrow data of interest to CCP". What would that be exactly? Teen videos? The architecture of Project Texas prevents any Chinese citizen from access to data of US citizens within the secure enclave, and data transfers out of the enclave related to user data would be monitored and audited by Oracle or other third parties. CFIUS would also have significant oversight of board and specific personnel hiring. The entire project has been architected specifically to address the data access and AI algorithm manipulation concerns, which are both questionable in terms of actual national security concerns. See the piece Milton Mueller did at the IGP at Georgia Tech.
See this, still by far the best thing written to address the specifics of concerns, and thoroughly debunk them: https://www.internetgovernance.org/2023/01/08/new-igp-research-paper-tiktok-and-us-national-security/
In general, I agree that Clover and Texas's data protection schemes are at a high standard for US and EU civil society on paper, but I think they do not really stand up well given the high risk of insider threat.
1. For Texas, third party auditing is not the same as threat modeling, adversarial hunting, and other aspects that would endeavor to find systems of covert logging. Though there are authorities involved, I would only trust a system inasmuch as they have proven their security architecture publicly, and we do not have that (nor does IGP deal with this in detail, besides the data collected, which indeed has been disclosed).
2. At least for Clover, the contract they have with the NCC Group seems a boilerplate standard MSSP contract. There are no provisions for internal threat. There's no transparency to their SOW beyond a standard MSSP contract. Again, we are talking about a threat model for egress by the highest authority; it would be using distributed service accounts designed to appear as existing services.
3. A data enclave is only as effective as its chain of trust and logging. For the former, we know that with Huawei, SGX chains of trust escrow private keys at manufacture time. So we can only be assured of a trusted compute system in as much as we can trust the core authorization system (and we don't know how their HSM works), and the abilities for leadership to override any of the features of this system (and we don't know this either). For the latter, the social mores at TikTok US are defaulting towards all comms to be off the record. It's paradoxical to be sure.
4. There's plenty of data from TikTok that can be used to help with the aggregate. We know Anxun contractors hacked into Twitter accounts of KZ-based Uyghur dissidents, and that the subversion when coupled with KZ telecom data was sufficient to target. This might have been IP address, but it was certainly IMSI address as well. The persons of interest in this case would be public-facing activism. Historically, it has been HK independence activists, the same group ByteDance has targeted when they were official owners of TT.
5. And while there's a high level of secondary access required by (4)'s methodology, TikTok hasn't established why they need to persist user connection details or any other individual device metadata. We know there's a lot that can be let go (see Signal as an example that only purportedly logs first and last connection time).
So in sum I think TikTok deserves a higher barrier to disprove insider threat, and while Clover and Texas seem to be built to address data protection issues policy-first, as a practitioner I don't find they give us any more assurances beyond a standard GDPR plan backed by an MSSP security deal.
First of all, the vast majority of TikTok data is public; you can get an account and follow anyone you want. The vast majority of the most sensitive personal data is actually in the videos that people willingly make and share. The other personal data is not all that interesting frankly from a foreign intelligence service point of view, trust me, I used to do that for a living. So the concern about "insider threats" seems pretty misplaced here. This is not a company that is holding valuable IP that needs to be protected from theft. If you have ever used the platform you would realize that it is about user generated data, mostly short videos, and most of this is content interesting to teens and people basically 12-30. It is what people in the intelligence community would call "low grade ore", i.e., requiring a lot of resources to "mine", with little of value. And no corporate secrets. Plus, TikTok/Bytedance are now under a microscope. Why would Beijing want to jeopardize the viability of a hugely successful Chinese social media company for no real significant gain? People concerned about China and data of course who have zero experience in the private sector or running a company never ask this basic question. As with Huawei, isn't it kinda too obvious to ask the company to do stuff? This is not the way the world really works; governments typically do not ask companies to do stuff for them that if known would undermine the company's business model. Again, trust me on this.....so treating TikTok as some sort of data collection or propaganda tool flies in the face of what China would or would not do, and would or would not gain from viewing the firm in this way....
I too am a security professional, so it's not worth either of our time patronizing. I think the problem here is precisely with the "trust me bro" attitude that pervades this exchange. Data and algorithmic security are provable, and neither TT nor their contractors have taken steps to assure the public, but merely the capital class.
1. IP address and connection timings, browser and app connection signatures, are part of the bread and butter of telemetry. It's not netflow to be sure, but it is often used alongside netflow to characterize actor behavior, in exactly the pattern I mentioned. It might be relatively low value data, but as the IC notes, the CCP intelligence state is renowned for their hoarding and permissive access by default policies.
2. Likewise if subversion happens for this metadata, why not for internal data such as tags or video features? Obviously in the field one can check for payload sizes for feeds, but this itself is parameterizable.
3. Beijing would jeopardize a sale because Beijing isn't a monolith, and at least one portion of the party-state is responsive to its military and public security mechanism above profit. We know this through the fines MIIT levies when there are any cracks in discipline, as with the Log4Shell report to NVD.
4. When I say there is a party to company exchange: again this is literally how the world works, I implore you to read the Anxun logs. These imply informal conversations, largely between members of the PSB and CNITSEC certified individuals, that lead to shared data access, either through commissar accounts or formalized APIs. Obviousness does not obviate the existence of intrusion.
5. Finally: China, the CCP, and the state are not one body. Commercial interests are sufficient but not necessary to dictating motive.
Not sure what you mean by "neither TT nor their contractors have taken steps to assure the public." If Project Texas were to be completed, and it has not/not been completed, even though the security professional tech bros at CFIUS think it is a sound technical solution, then TT would be in a position to explain it to the public. Without a fully approved mitigation strategy, this cannot happen, which is not at all surprising. In the meantime, people on TV every day are citing 2 or 3 year old examples of people in China having access to data; well duh, Project Texas was not in place 2/3 years ago and would need to be completed before the controls were in place. Has any other social media company even contemplated setting up such a system? The answer of course is no, so if you really cared about insider jobs and user data, then you would be advocating for a US data security law and equal treatment of all social media companies. The Aurora intrusions, as you may or may not recall, were an insider job. On the locational data, are you seriously arguing that the CCP is interested in tracking the movements of teenagers making videos on TikTok? The IC concern about data hoarding is based on mirror imaging and in any case, the concern is way overblown, as Mueller addresses nicely in the IGP piece. US government workers probably should not be using TT or ANY social media, and that has already happened to a large degree because of rules against government workers using TT on their work phones. The idea that the CCP is going to hoard data on teenage video influencers for some future nefarious purpose is just not the way the real world works, trust me, I did that too....
1. Do we have any public comment by CFIUS on this other than they would act as overview? None of this seems practical.
2. Is there anything codified in law or practice that would make one think that the CCP would operate differently than the 2-3 year old documents? I would rather have a public record for the work that TikTok did to close these specific requisition pathways, rather than assuming a lift and shift will do that work.
3. I gave Signal as an ideal example of a communication platform. For social media, definitely would agree that substantial data protection reform would be ideal over litigating individual platforms. But where that is not available, might as well hold documented avenues of espionage to scrutiny.
4. Do you have any proof of the motivational aims of a political entity that harvested hours of global internet traffic for the purposes of mass collection, via CT's misadvertisements 2015-2017? I don't think it is necessary to demonstrate this, mass collection as an activity is self-propagating, and that seemed to be our takeaway with the US as an operator, so I don't see why this wouldn't apply elsewhere.
5. What source talks about Aurora as though it was a single insider? The MFE side of the story I always heard was that it was credential harvesting followed by pivot to a subversion instance that wasn't locked down, but you do you.
6. Is there a reason you try to characterize TikTok logging and metadata solely as influencer content? It's 16th on Alexa, around LinkedIn and Reddit. There's considerable traffic data by virtue of this alone.
1. CFIUS is very good at implementing mitigation plans, and Treasury does not enter into them unless they are enforceable. Lots of good firms around the Beltway to help. Most of the Project Texas tech leaders are former USG officials who understand the issues better than anyone in Congress or who has not actually looked at the details of the secure enclave.
2. This is Bytedance, not "CCP". Bytedance is a private sector company that has one subsidiary that includes a small shareholding by the government. This does not have anything to do with TikTokUS, which is a separate corporate entity. There should be information about the corporate structures of Bytedance and TikTokUS if you know where to look. And yes, the world is quite different than 2-3 years ago. Plus, the controls that a full-up Project Texas would provide would ensure that there were mechanisms for monitoring access, etc. It is not that hard to implement access controls. In any case, the past examples were all completely understandable, as engineers in China obviously maintained some access to data outside China; this is typical for all multinational corporations, and the examples the media gave were pretty lame, and almost certainly funded by TT US rivals. Always know your sources and their motivations as a security professional.
3. Not sure what "documented avenues of espionage" you are referring to. There have been none in the case of TikTokUS. And the way to address concerns, again, is via Project Texas, secure enclave, third party audits. No other social media company is doing this.
4. The CT diversion was never proven to be deliberate, and was much more likely the result of misconfigurations at the router level. In any case, there are lots of other ways to collect this kind of information, and other governments may also be interested, ask the USG, or Google Echelon.
5. I know all the details about Aurora, but will not talk about them in this context, very different issue, and clearly a high value target, unlike TT videos.
6. Have you ever used the app? Or know people who are using it for 5 hours a day? Social media in general turns out to be pretty weak gruel either for understanding who matters, or targeting disinformation. People tend to stay in their information bubbles, and are also sensitive to information they are not interested in. TT users are probably even more sensitive to this, given how good the algorithm is. Given the many many other sources of data that would be more interesting, if I were a security professional, I would not approve any effort to use TT for anything serious, understanding who uses the platform and for what. Pretty good idea to start there before worrying about "insiders."
I agree 100%. Thank you for a clear rendition of our current TikTok dilemma. If the program can bring down our government then Russia needs to be examined closely as well. What is Russia using? I have heard Facebook and Twitter, currently masquerading as X. Let's educate ourselves, NOT knee jerk to some asinine fear counsel.
What concerns me the most is the desire to make China a bogeyman. It's a vast, amazing, complex place. It has leadership problems, just like we do (we could be on the verge of something much worse than Xi, who has more domestic problems than American media bothers to portray).
The relationship between China and the U.S. is a perfect example of the kind of interdependence that Keohane and Nye first talked about a long time ago as a means to prevent nasty wars between major powers. Biden seems to understand the nature of this competitive but mutually beneficial relationship.
I'm hopeful that Biden's messaging on a willingness to sign a bill to ban TikTok was a ruse to get Trump to say he was against it, thereby pitting Republicans against each other again (it turns out Trump didn't need the ruse — he's in bed with a TikTok investor). That was my first reaction when I heard Biden declare his intent, and now that Trump appears to have fallen for the trap (Biden surely knew about this investor before the rest of us did), I'm even more convinced.
I think this bill dies in the Senate after Republicans display a bit more incompetence as legislators.
That said, it's ridiculous that the bill made its way out of committee unanimously. This reflects the idiocy of the always-on search for an enemy where one doesn't actually exist.
Please reconsider your argument that the entire concept of a "China" (land, people, economy, etc.) being 'bad' is not the case here. Those who do that are disingenuous. You CAN connect the CCP to TikTok, actually a few specific data harvesting centers, not the average Chinese citizen. An attack on TT is NOT an attack on "China" nor the "Chinese". That is how most locals argue, and that is just a cultural thing.
I won't reconsider my argument that politicians are using China as a bogeyman, which was my point, which I guess you missed. I don't think it matters if the people who are trying to turn China into an enemy consider the people their enemy or their government. Some will consider the people an enemy because they are racist. Some will consider the government the enemy because they are dim. Others will consider both the enemy. The reasons are not at all important. It's the foolishness of the exercise in general that matters.
US foreign policy "experts" make the same mistake with Iran. Iran is full of a huge population of young people who yearn to have closer ties to the West (not in the sense of Poland, but more in the sense of a place like Morocco — they'll always be Muslim first). When the Ayatollah dies, big changes will happen organically. The U.S doesn't need to "attack" them. But politicians like Lindsey Graham regularly talk about "strikes" against the country, which would radicalize its population against us.
The world is interdependent. Acting like it isn't is blindness. The original post was spot on and its arguments unassailable.
"The original post was spot on and its arguments unassailable."
Hardly.
It's a familiar viewpoint from certain quarters, for sure, but it's something of a straw man to talk about 'red scare' and 'bogeyman' as if Beijing has no vestige of enmity towards—or interest in undermining—the US. This is utter nonsense. The most troubling aspect of these defenders of TikTok is the downplaying of the very real risks of having the medium's content determined by an adversarial foreign power. And it's thoroughly disingenuous (not to mention ironic) to fall back on Beijing's (!!) argument that separating TikTok from the CCP is somehow an infringement of US citizens' freedoms (pass me the facepalm emoji).
If the whole TikTok imbroglio was such a nothingburger, there would not be so many serious, smart, and thoroughly objective China watchers voicing concerns. These people are neither paranoid nor 'hawks', so let's have some respect for that.
Did you even read Jay's post? He addresses your arguments. I'll add that you must also go after Shein and hundreds of other Chinese apps if you go after TikTok.
I am torn about TikTok. I don't personally use it and I can understand the apprehension about China using the data for nefarious purposes, but there are also Free Speech issues involved here, so it would be best not to overreact and suffer unintended consequences later on. The fact is that Congress is woefully far behind in regulating this industry, and trying to catch up all at once by bludgeoning one platform to death with draconian measures doesn't strike me as the best way to handle the situation. I'm not offering an alternative but surely there must be a better way!
We have unfortunately made China into “the enemy”, especially GOP politicians who wish to deflect from their own party’s fascistic tendencies and authoritarian servitude to Donald Trump by scapegoating the PRC and CCP as the existential threat to “take over the world”.
It’s paranoia, hysteria, and it has manifested in action such as this TikTok ban legislation that has seemed to be steamrolling through Congress. Groupthink has taken over in an election year, and both political parties want to be seen as more “tough on China”.
So, a TikTok ban is an expression of their toughness. But as Kaiser says in this commentary, it’s the U.S. that is creating self-harm and will become the loser if this bill becomes law. It’s antithetical to our values. And it creates a slippery slope of potential future actions against “adversaries”, including those currently known, unknown, or in the case of China, made up. Very foolish and potentially dangerous mindset.
During Covid I spent some time attending workshops at the University of Chicago and Northwestern where people presented their research on various topics. One series that I attended was on communications. I would say it was communications tied to democracy. It made me very concerned about all of the social media, not less concerned. I feel that the USA is not doing enough to protect us from their data gathering for nefarious purposes. We should all be looking for ways to decrease their power. Facebook is for older people, TikTok is for younger people. My daughter has cycled on and off of it, knowing that we don't want her on it. Still, there are so many ways for young adults to give up their information, and too many bad actors, it is concerning. So, given that the USA has Taiwan as an ally, not China, I can see how the desire to limit the influence of China on our population would be a goal before there is a conflict over China invading Taiwan, or do you not think that will happen? I understand that TikTok is seen in light of this. I would also look at Twitter, given that Elon Musk is a big old fascist and has been supporting Russia (our enemy) against Ukraine (our ally) in ways that are concerning. I am living back and forth between the US and EU, so I would like to see both doing more to protect democracy, but that is not necessarily synonymous with allowing social media businesses to just do whatever they want. I am concerned, because I assume that these actions against TikTok are in anticipation of being at war against China, and how that will affect us to have them having a platform where they can reach into homes and influence our children with propaganda. Right now I have been more concerned about Russia, but that might be naive. If Russia had a popular social media platform, which was used by almost every young person, given the current situation with Russia and Ukraine, I would absolutely want the USA to block access to that social media.
I appreciate the counterpoint here Kaiser. One part of the pro-ban argument which I think is unfairly glossed over is the part about influence.
I would put this two ways. First, I think TikTok's algorithm is sufficiently better than what exists already to exacerbate existing ideological problems. For example, in my field of Islamist counterextremism we see far more extreme content going far more viral on TikTok than any other social media. This isn't a unique problem to TikTok but is a much more acute version of a chronic issue we have socially since TikTok's algorithm is really good at surfacing viral content from people without big followings already.
Second, I think TikTok is sufficiently more addictive than other social media to cause a problem. Kids today demonstrably spend more time on social media, predominantly TikTok, at the expense of doing anything else. This results in less in-person socialisation, fewer romantic relationships, fewer friends, fewer extracurriculars, etc. This has also clearly been a huge problem.
If security is the back door to toss a type of social media which is demonstrably tearing our social fabric apart, why not? The government regularly restricts freedoms in exchange for public welfare. I am fairly sure that the problems I've sketched are bad enough sans concerns about the CCP to justify tossing TikTok by any means possible.
Finally, I'm not certain that the argument about data privacy functions as intended. I suppose an omnibus privacy bill would be nice, but given the legislative impossibility of passing such a bill at a meaningful timescale (took us years and years over here in the UK with basically an electoral dictatorship), why not slice the salami a bit if you're really worried about privacy?
1. Please refrain from the reflexive use of “christsakes” which was in your essay and which is a default cuss word. It is inappropriate and puerile (that means childish).
2. You are simply wrong on the Tik-Tok issue. The CCP access to metadata is very “not good.” And, I really would like you to listen more carefully to Mike Gallagher. Don’t be so reflexively anti-
A FINAL POINT: on your pod-casts, please try a little harder not to always interrupt and talk over your dialogue partner. Don’t bloviate (that means talk interesting non-sense). Your pal, Jo Tho
Three comments to make two (actually three) points, three times. Find better uses for your time. Constructive comments are welcome, as are good faith arguments. Not pedantry or trolling.
1—please refrain from your reflexive use of “christsakes”….that is off-putting and puerile (that means childish).
2—you are WRONG on the Tik-Tok topic. Just wrong. Sorry, it is dangerous to have CCP access to meta-data. And I say this as a listener and someone who appreciates your engagement with various global cultures, which is a good thing.
Well, and 3…….just as a helpful reminder: don’t always cut off your pod-cast guests….KK, you do NOT always have to have the last word. You do NOT need to try and prove you are the keeper of the minutest minutiae…..sometimes just let it go. Dial back a little on the “bloviation” meter….Bloviation means, roughly, diarrhea of the mouth. Party on, Garth. JT
Kaiser: 2 quick things….May I please suggest you stop (reflexively) saying ‘christsakes’….it is puerile….that means childish.
Second thing: putting a stop to TikTok collecting metadata is on-balance a good thing…You are wrong on this issue…..and I say this as a listener of your podcast….who appreciates your interest in various global cultures.
Third: don’t always interrupt your guests….It is mildly grating. You DO NOT always need the last word. JT
What I find most amusing are reports about how Bytedance's local Chinese version, Douyin, provides curated educational content to China's youth and with time limits, but that the evil international version of TikTok optimizes for frivolity and narcissism.
Polls show that China's youth all want to be astronauts while American youth all want to be influencers. Let's blame that on China.
But are YouTube, FB or any other short video platform really any different?
We don't need the nefarious, invisible hand of algorithms written by coders in China for our youth to race to the bottom when it comes to user generated content generation and viewing. TikTok gets banned then that vacuum will eagerly and quickly be filled with similar sewage.
I disagree with the idea of app data "openness". I expect apps to protect my data. TikTok clearly does not (the breaches are real). With a foreign owned company we have little to no recourse for recouping the losses we might incur from "data openness", and the misuse of our data. China is not our friend, and they play a long game. Now, with AI rapidly deploying, with little to no regulation anywhere, any "open (as in unprotected) data" is a sitting duck for misappropriation and misuse by AI, and TikTok's data is no exception. The national security issues are indeed very real - and not with just TikTok either.
Thank you. Very incisive comments. I deleted TikTok from my phone as I found it difficult to use. I agree with you. I’m sure China already has access to just about anything they think they can get. Our information is & has been readily available for a long time.
Instead of banning TikTok to prevent China from being able to spread propaganda, how about we teach the electorate how to discern truth from lies in social media? This would benefit all of society. It is a precious skill not being addressed by the public. It's way way too easy to mislead people with lies and propaganda.
China’s influence operations would work, and China sees value in keeping them. Russia’s media operations (with US media complicity) were sufficient to change the 2016 election. We are vulnerable, especially if we don’t recognize that we are.
One note. Project Texas was not just proposed. It has been mostly implemented, and those who dismiss it as an option do not seem to have made any effort to understand it. Which only shows clearly that the motivations are not about solving anything, just scoring political points.
Assume that Project Texas has completed, and data and service sovereignty measures have been passed, meaning all service compute and landed data for TikTok is solely resident to US regions run by Oracle Cloud. What gives that architecture any less opportunity for a means to escrow data of interest to the CCP, or to allow the sort of domestic surveillance tooling that we see that the state used with willing PRC-based telco with the Anxun documents?
Just to show how many turtles are stacked up here:
1. Do we think all internal netflow, particularly of those VPNs that are bound for non-organizational hosts, are scrutinized by the authorities?
2. Are TikTok Inc security researchers free to publicize vulnerabilities, and do so before informing colleagues, superiors, or anyone at Bytedance?
3. Are we sure the above research happens with platforms that we can guarantee aren't subject to passive surveillance by personnel associated with colleagues, superiors, or anyone at Bytedance?
I think that Matt Stoller has a comprehensive take on the situation. His Subtack Big is about what is going on with anti-trust in the USA. While I do not always agree with him, I do see his point, that this is not a move against the Chinese per say, but more of part of a systematic move to protect Americans from the unlawful data gathering of all companies. He has been covering the cases against Microsoft and Google too, which are slow moving, but being lost because Lena Khan is so wonderful at her job. She is in my opinion the star of the Justice Department. So, while a perceived bias against China may not be fair, although I don't think anyone would be defending TikTok if it were a Russian company that had the control of all of our youth, it is not as simple as this.
https://www.thebignewsletter.com/p/the-tiktok-problem-is-not-what-you?utm_campaign=email-post&r=f0qfn&utm_source=substack&utm_medium=email
The details of how the secure enclave works are complex, but it has been done by cybersecurity professionals who know what they are doing, and provides for a regular third-party auditing of data access, AI algorithm updates, etc. Not sure what you mean by "escrow data of interest to CCP". What would that be exactly? Teen videos? The architecture of Project Texas prevents any Chinese citizen from access to data of US citizens within the secure enclave, and data transfers out of the conclave related to user data would be monitoring and audited by Oracle or other third parties. CFIUS would also have significant over sight of board and specific personnel hiring. The entire project has been architected specifically to address the data access and AI algorithm manipulation concerns, which are both questionable in terms of actual national security concerns. See piece Milton Mueller did at the IGP at Georgia Tech.
See this, still by far the best thing written to address the specifics of concerns, and thoroughly debunk them: https://www.internetgovernance.org/2023/01/08/new-igp-research-paper-tiktok-and-us-national-security/
In general, I agree that Clover and Texas's data protection schemes are at a high standard for US and EU civil society on paper; I think they do not really stand up well given the high risk of insider threat.
1. For Texas, third party auditing is not the same as threat modeling, adversarial hunting, and other aspects that would endeavor to find systems of covert logging. Though there are authorities involved, I would only trust a system inasmuch as they have proven their security architecture publicly, and we do not have that (nor does IGP deal with this in detail, besides the data collected, which indeed has been disclosed).
2. At least for Clover, the contract they have with the NCC Group seems a boilerplate standard MSSP contract. There are no provisions for internal threat. There's no transparency to their SOW beyond a standard MSSP contract. Again, we are talking about a threat model for egress by the highest authority; it would be using distributed service accounts designed to appear as existing services.
3. A data enclave is only as effective as its chain of trust and logging. For the former, we know that with Huawei, SGX chains of trust escrow private keys at manufacture time. So we can only be assured of a trusted compute system inasmuch as we can trust the core authorization system (and we don't know how their HSM works), and the ability of leadership to override any of the features of this system (and we don't know this either). For the latter, the social mores at TikTok US are defaulting towards all comms to be off the record. It's paradoxical to be sure.
4. There's plenty of data from TikTok that can be used to help with the aggregate. We know Anxun contractors hacked into Twitter accounts of KZ based Uyghur dissidents, and that the subversion when coupled with KZ telecom data was sufficient to target. This might have been IP address, but it was certainly IMSI address as well. The persons of interest in this case would be public facing activism. Historically, it has been HK independence activists, the same group ByteDance has targeted when they were official owners of TT.
5. And while there's a high level of secondary access required by (4)'s methodology, TikTok hasn't established why they need to persist user connection details or any other individual device metadata. We know there's a lot that can be let go (see Signal as an example that only purportedly logs first and last connection time).
So in sum I think TikTok deserves a higher barrier to disprove insider threat, and while Clover and Texas seem to be built to address data protection issues policy-first, as a practitioner I don't find they give us any more assurances beyond a standard GDPR plan backed by an MSSP security deal.
First of all, the vast majority of TikTok data is public; you can get an account and follow anyone you want. The vast majority of the most sensitive personal data is actually in the videos that people willingly make and share. The other personal data is not all that interesting frankly from a foreign intelligence service point of view, trust me, I used to do that for a living. So the concern about "insider threats" seems pretty misplaced here. This is not a company that is holding valuable IP that needs to be protected from theft. If you have ever used the platform you would realize that it is about user generated data, mostly short videos, and most of this is content interesting to teens and people basically 12-30. It is what people in the intelligence community would call "low grade ore", i.e., requiring a lot of resources to "mine", with little of value. And no corporate secrets. Plus, TikTok/Bytedance are now under a microscope. Why would Beijing want to jeopardize the viability of a hugely successful Chinese social media company for no real significant gain? People concerned about China and data of course who have zero experience in the private sector or running a company never ask this basic question. As with Huawei, isn't it kinda too obvious to ask the company to do stuff? This is not the way the world really works; governments typically do not ask companies to do stuff for them that if known would undermine the company's business model. Again, trust me on this.....so treating TikTok as some sort of data collection or propaganda tool flies in the face of what China would or would not do, and would or would not gain from viewing the firm in this way....
I too am a security professional, so it's not worth either of our time patronizing. I think the problem here is precisely with the "trust me bro" attitude that pervades this exchange. Data and algorithmic security are provable, and neither TT nor their contractors have taken steps to assure the public, but merely the capital class.
1. IP address and connection timings, browser and app connection signatures, are part of the bread and butter of telemetry. It's not netflow to be sure, but it is often used alongside netflow to characterize actor behavior, in exactly the pattern I mentioned. It might be relatively low value data, but as the IC notes, the CCP intelligence state is renowned for their hoarding and permissive access by default policies.
2. Likewise if subversion happens for this metadata, why not for internal data such as tags or video features? Obviously in the field one can check for payload sizes for feeds, but this itself is parameterizable.
3. Beijing would jeopardize a sale because Beijing isn't a monolith, and at least one portion of the party-state is responsive to its military and public security mechanism above profit. We know this through the fines MIIT levies when there are any cracks in discipline, as with the Log4Shell report to NVD.
4. When I say there is a party to company exchange: again this is literally how the world works, I implore you to read the Anxun logs. These imply informal conversations, largely between members of the PSB and CNITSEC certified individuals, that lead to shared data access, either through commissar accounts or formalized APIs. Obviousness does not obviate the existence of intrusion.
5. Finally: China, the CCP, and the state are not one body. Commercial interests are sufficient but not necessary to dictate motive.
Not sure what you mean by "neither TT nor their contractors have taken steps to assure the public." If Project Texas were to be completed, and it has not/not been completed, even though the security professional tech bros at CFIUS think it is a sound technical solution, then TT would be in a position to explain it to the public. Without a full approved mitigation strategy, this cannot happen, which is not at all surprising. In the meantime, people on TV every day are citing 2 or 3 year old examples of people in China having access to data, well duh, Project Texas was not in place 2/3 years ago and would need to be completed before the controls were in place. Has any other social media company even contemplated setting up such a system? The answer of course is no, so if you really cared about insider jobs and user data, then you would be advocating for a US data security law and equal treatment of all social media companies. The Aurora intrusions, as you may or may not recall, were an insider job. On the locational data, are you seriously arguing that the CCP is interested in tracking the movements of teenagers making videos on TikTok? The IC concern about data hoarding is based on mirror imaging and in any case, the concern is way overblown, as Mueller addresses nicely in the IGP piece. US government workers probably should not be using TT or ANY social media, and that has already happened to a large degree because of rules against government workers using TT on their work phones. The idea that the CCP is going to hoard data on teenage video influencers for some future nefarious purpose is just not the way the real world works, trust me, I did that too....
1. Do we have any public comment by CFIUS on this other than they would act as overview? None of this seems practical.
2. Is there anything codified in law or practice that would make one think that the CCP would operate differently than the 2-3 year old documents? I would rather have a public record for the work that TikTok did to close these specific requisition pathways, rather than assuming a lift and shift will do that work.
3. I gave Signal as an ideal example of a communication platform. For social media, definitely would agree that substantial data protection reform would be ideal over litigating individual platforms. But where that is not available, might as well hold documented avenues of espionage to scrutiny.
4. Do you have any proof of the motivational aims of a political entity that harvested hours of global internet traffic for the purposes of mass collection, via CT's misadvertisements 2015-2017? I don't think it is necessary to demonstrate this, mass collection as an activity is self-propagating, and that seemed to be our takeaway with the US as an operator, so I don't see why this wouldn't apply elsewhere.
5. What source talks about Aurora as though it was a single insider? The MFE side of the story I always heard was that it was credential harvesting followed by pivot to a subversion instance that wasn't locked down, but you do you.
6. Is there a reason you try to characterize TikTok logging and metadata solely as influencer content? It's 16th on Alexa, around LinkedIn and Reddit. There's considerable traffic data by virtue of this alone.
1. CFIUS is very good at implementing mitigation plans, and Treasury does not enter into them unless they are enforceable. Lots of good firms around the Beltway to help. Most of the Project Texas tech leaders are former USG officials who understand the issues better than anyone in Congress or who has not actually looked at the details of the secure enclave.
2. This is Bytedance, not "CCP". Bytedance is a private sector company that has one subsidiary that includes a small shareholding by the government. This does not have anything to do with TikTokUS, which is a separate corporate entity. There should be information about the corporate structures of Bytedance and TikTokUS if you know where to look. And yes, the world is quite different than 2-3 years ago. Plus, the controls that a full up Project Texas would provide would ensure that there were mechanisms for monitoring access, etc. It is not that hard to implement access controls. In any case, the past examples were all completely understandable, as engineers in China obviously maintained some access to data outside China; this is typical for all multinational corporations, and the examples the media gave were pretty lame, and almost certainly funded by TT US rivals. Always know your sources and their motivations as a security professional.
3. Not sure what "documented avenues of espionage" you are referring to. There have been none in the case of TikTokUS. And the way to address concerns again is via Project Texas, secure enclave, third party audits. No other social media company is doing this.
4. The CT diversion was never proven to be deliberate, and was much more likely the result of misconfigurations at the router level. In any case, there are lots of other ways to collect this kind of information, and other governments may also be interested, ask the USG, or Google Echelon.
5. I know all the details about Aurora, but will not talk about them in this context, very different issue, and clearly a high value target, unlike TT videos.
6. Have you ever used the app? Or know people who are using it for 5 hours a day? Social media in general turns out to be pretty weak gruel either for understanding who matters, or targeting disinformation. People tend to stay in their information bubbles, and are also sensitive to information they are not interested in. TT users are probably even more sensitive to this, given how good the algorithm is. Given the many many other sources of data that would be more interesting, if I were a security professional, I would not approve any effort to use TT for anything serious, understanding who uses the platform and for what. Pretty good idea to start there before worrying about "insiders."
I agree 100%. Thank you for a clear rendition of our current TikTok dilemma. If the program can bring down our government then Russia needs to be examined closely as well. What is Russia using? I have heard Facebook and Twitter currently masquerading as X. Let’s educate ourselves, NOT knee jerk to some asinine fear counsel.
Great observations, thanks.
What concerns me the most is the desire to make China a bogeyman. It's a vast, amazing, complex place. It has leadership problems, just like we do (we could be on the verge of something much worse than Xi, who has more domestic problems than American media bothers to portray).
The relationship between China and the U.S. is a perfect example of the kind of interdependence that Keohane and Nye first talked about a long time ago as a means to prevent nasty wars between major powers. Biden seems to understand the nature of this competitive but mutually beneficial relationship.
I'm hopeful that Biden's messaging on a willingness to sign a bill to ban TikTok was a ruse to get Trump to say he was against it, thereby pitting Republicans against each other again (it turns out Trump didn't need the ruse — he's in bed with a TikTok investor). That was my first reaction when I heard Biden declare his intent, and now that Trump appears to have fallen for the trap (Biden surely knew about this investor before the rest of us did), I'm even more convinced.
I think this bill dies in the Senate after Republicans display a bit more incompetence as legislators.
That said, it's ridiculous that the bill made its way out of committee unanimously. This reflects the idiocy of the always-on search for an enemy where one doesn't actually exist.
Please reconsider your argument that the entire concept of a "China" (land, people, economy, etc.) being 'bad' is not the case here. Those who do that are disingenuous. You CAN connect the CCP to TikTok, actually a few specific data harvesting centers, not the average Chinese citizen. An attack on TT is NOT an attack on "China" nor the "Chinese". That is how most locals argue, and that is just a cultural thing.
I won't reconsider my argument that politicians are using China as a bogeyman, which was my point, which I guess you missed. I don't think it matters if the people who are trying to turn China into an enemy consider the people their enemy or their government. Some will consider the people an enemy because they are racist. Some will consider the government the enemy because they are dim. Others will consider both the enemy. The reasons are not at all important. It's the foolishness of the exercise in general that matters.
US foreign policy "experts" make the same mistake with Iran. Iran is full of a huge population of young people who yearn to have closer ties to the West (not in the sense of Poland, but more in the sense of a place like Morocco — they'll always be Muslim first). When the Ayatollah dies, big changes will happen organically. The U.S doesn't need to "attack" them. But politicians like Lindsey Graham regularly talk about "strikes" against the country, which would radicalize its population against us.
The world is interdependent. Acting like it isn't is blindness. The original post was spot on and its arguments unassailable.
"The original post was spot on and its arguments unassailable."
Hardly.
It's a familiar viewpoint from certain quarters, for sure, but it's something of a straw man to talk about 'red scare' and 'bogeyman' as if Beijing has no vestige of enmity towards—or interest in undermining—the US. This is utter nonsense. The most troubling aspect of these defenders of TikTok is the downplaying of the very real risks of having the medium's content determined by an adversarial foreign power. And it's thoroughly disingenuous (not to mention ironic) to fall back on Beijing's (!!) argument that separating TikTok from the CCP is somehow an infringement of US citizens' freedoms (pass me the facepalm emoji).
If the whole TikTok imbroglio was such a nothingburger, there would not be so many serious, smart, and thoroughly objective China watchers voicing concerns. These people are neither paranoid nor 'hawks', so let's have some respect for that.
Did you even read Jay's post? He addresses your arguments. I'll add that you must also go after Shein and hundreds of other Chinese apps if you go after TikTok.
Jay?
Your reply indicates that you're more focused on data than content. I'd say the latter is the bigger issue.
Content is the issue? You want to regulate TikTok *content*??????
Beijing *is* regulating TikTok content. That's the issue.
I am torn about TikTok. I don't personally use it and I can understand the apprehension about China using the data for nefarious purposes, but there are also Free Speech issues involved here, so it would be best not to overreact and suffer unintended consequences later on. The fact is that Congress is woefully far behind in regulating this industry, and trying to catch up all at once by bludgeoning one platform to death with draconian measures doesn't strike me as the best way to handle the situation. I'm not offering an alternative but surely there must be a better way!
We have unfortunately made China into “the enemy”, especially GOP politicians who wish to deflect from their own party’s fascistic tendencies and authoritarian servitude to Donald Trump by scapegoating the PRC and CCP as the existential threat to “take over the world”.
It’s paranoia, hysteria, and it has manifested in action such as this TikTok ban legislation that has seemed to be steamrolling though Congress. Groupthink has taken over in an election year, and both political parties want to be seen as more “tough on China”.
So, a TikTok ban is an expression of their toughness. But as Kaiser says in this commentary, it’s the U.S. that is creating self-harm and will become the loser if this bill becomes law. It’s antithetical to our values. And it creates a slippery slope of potential future actions against “adversaries”, including those currently known, unknown, or in the case of China, made up. Very foolish and potentially dangerous mindset.
During Covid I spent some time attending workshops at the University of Chicago and Northwestern where people presented their research on various topics. One series that I attended was on communications. I would say it was communications tied to democracy. It made me very concerned about all of the social media, not less concerned. I feel that the USA is not doing enough to protect us from their data gathering for nefarious purposes. We should all be looking for ways to decrease their power. Facebook is for older people, Tiktok is for younger people. My daughter has cycled on and off of it, knowing that we don't want her on it. Still, there are so many ways for young adults to give up their information, and too many bad actors, it is concerning. So, given that the USA has Taiwan as an ally, not China, I can see how the desire to limit the influence of China on our population would be a goal before there is a conflict over China invading Taiwan, or do you not think that will happen? I understand that TikTok is seen in light of this. I would also look at Twitter, given that Elon Musk is a big old fascist and has been supporting Russia (our enemy) against Ukraine (our ally) in ways that are concerning. I am living back and forth between the US and EU, so I would like to see both doing more to protect democracy, but that is not necessarily synonymous with allowing social media businesses to just do whatever they want. I am concerned, because I assume that these actions against TikTok are in anticipation of being at war against China, and how that will affect us to have them having a platform where they can reach into homes and influence our children with propaganda. Right now I have been more concerned about Russia, but that might be naive. If Russia had a popular social media platform, which was used by almost every young person, given the current situation with Russia and Ukraine, I would absolutely want the USA to block access to that social media.
I appreciate the counterpoint here Kaiser. One part of the pro-ban argument which I think is unfairly glossed over is the part about influence.
I would put this two ways. First, I think TikTok's algorithm is sufficiently better than what exists already to exacerbate existing ideological problems. For example, in my field of Islamist counterextremism we see far more extreme content going far more viral on TikTok than any other social media. This isn't a unique problem to TikTok but is a much more acute version of a chronic issue we have socially since TikTok's algorithm is really good at surfacing viral content from people without big followings already.
Second, I think TikTok is sufficiently more addictive than other social media to cause a problem. Kids today demonstrably spend more time on social media, predominantly TikTok, at the expense of doing anything else. This results in less in-person socialisation, fewer romantic relationships, fewer friends, fewer extracurriculars, etc. This has also clearly been a huge problem.
If security is the back door to toss a type of social media which is demonstrably tearing our social fabric apart, why not? The government regularly restricts freedoms in exchange for public welfare. I am fairly sure that the problems I've sketched are bad enough sans concerns about the CCP to justify tossing TikTok by any means possible.
Finally, I'm not certain that the argument about data privacy functions as intended. I suppose an omnibus privacy bill would be nice, but given the legislative impossibility of passing such a bill at a meaningful timescale (took us years and years over here in the UK with basically an electoral dictatorship), why not slice the salami a bit if you're really worried about privacy?
Kaiser: 2 quick points:
1. Please refrain from the reflexive use of “christsakes” which was in your essay and which is a default cuss word. It is inappropriate and puerile (that means childish).
2. You are simply wrong on the Tik-Tok issue. The CCP access to metadata is very “not good.” And, I really would like you to listen more carefully to Mike Gallagher. Don’t be so reflexively anti-
A FINAL POINT: on your pod-casts, please try a little harder not to always interrupt and talk over your dialogue partner. Don’t bloviate (that means talk interesting nonsense). Your pal, Jo Tho
Three comments to make two (actually three) points, three times. Find better uses for your time. Constructive comments are welcome, as are good faith arguments. Not pedantry or trolling.
// Kaiser 2 quick things:
1—please refrain from your reflexive use of “christsakes”….that is offputting and puerile (that means childish).
2—you are WRONG on the Tik-Tok topic. Just wrong. Sorry, it is dangerous to have CCP access to meta-data. And I say this as a listener and someone who appreciates your engagement with various global cultures, which is a good thing.
Well, and 3…….just as a helpful reminder: don’t always cut off your pod-cast guests….KK, you do NOT always have to have the last word. You do NOT need to try and prove you are the keeper of the minutest minutiae…..sometimes just let it go. Dial back a little on the “bloviation” meter….Bloviation means, roughly, diarrhea of the mouth. Party on, Garth. JT
Kaiser: 2 quick things….May I please suggest you stop (reflexively) saying ‘christsakes’….it is puerile….that means childish.
Second thing: putting a stop to TikTok collecting metadata is on-balance a good thing…You are wrong on this issue…..and I say this as a listener of your podcast….who appreciates your interest in various global cultures.
Third: don’t always interrupt your guests….It is mildly grating. You DO NOT always need the last word. JT
What I find most amusing are reports about how Bytedance's local Chinese version, Douyin, provides curated educational content to China's youth and with time limits, but that the evil international version of TikTok optimizes for frivolity and narcissism.
Polls show that China's youth all want to be astronauts while American youth all want to be influencers. Let's blame that on China.
But are YouTube, FB or any other short video platform really any different?
We don't need the nefarious, invisible hand of algorithms written by coders in China for our youth to race to the bottom when it comes to user generated content generation and viewing. TikTok gets banned then that vacuum will eagerly and quickly be filled with similar sewage.
I disagree with the idea of app data "openness". I expect apps to protect my data. TikTok clearly does not (the breaches are real). With a foreign owned company we have little to no recourse for recouping the losses we might incur from "data openness", and the misuse of our data. China is not our friend, and they play a long game. Now, with AI rapidly deploying, with little to no regulation anywhere, any "open (as in unprotected) data" is a sitting duck for misappropriation and misuse by AI, and TikTok's data is no exception. The national security issues are indeed very real - and not with just TikTok either.
Thank you. Very incisive comments. I deleted TikTok from my phone as I found it difficult to use. I agree with you. I’m sure China already has access to just about anything they think they can get. Our information is & has been readily available for a long time.
Instead of banning tiktok to prevent China from being able to spread propaganda, how about we teach the electorate how to discern truth from lies in social media. This would benefit all of society. It is a precious skill not being addressed by the public. It's way way too easy to mislead people with lies and propaganda.
The best analysis I've seen on this situation! Well written Kaiser, thanks for breaking this down and sharing your thoughts.
China’s influence operations would work, and China sees value in keeping them. Russia’s media operations (with US media complicity) were sufficient to change the 2016 election. We are vulnerable, especially if we don’t recognize that we are.