If a stranger randomly approached you on the street and asked for your birthdate, address, hobbies, likes, and dislikes, you’d probably walk away. Or call the cops.
Yet, we have been volunteering all that and so much more to the Facebooks and TikToks of the world. The data genie is out of the bottle; no one could deny that. Finally, people are starting to take this seriously. I’ve been sounding the alarm on all these platforms for years, so it’s nice to finally see popular culture catch up to the cybersecurity community.
We, in cybersecurity, may have to be the Debbie Downers at the party, but at least we’re trying to warn everyone else that someone spiked the digital punch bowl with arsenic and will then try and steal your wallet.
The worst offender of this, by far, is TikTok. ByteDance Beijing (now just ByteDance) took the world by storm about five to six years ago by acquiring the pointless dance video platform Musical.ly, an app best known for illegally harvesting children’s data and helping predators easily talk to kids. This platform exploded under its new name, TikTok, and the rest is history. Sadly, TikTok turned the surveillance of the world up to 11.
Many fail to realize that when a company is based in China, that corporation is beholden to the Chinese government. In 2017, a law known as the “National Intelligence Law of the People’s Republic of China” went into effect, and the harvesting of the world’s population’s data on behalf of China was formalized. This sweeping law places a duty on every Chinese citizen and entity:
“All organizations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with the law, and shall protect national intelligence work secrets they are aware of,” states Article 7 of the law.
Basically, this means that any foreign organization that uses a Chinese-made technological product has the possibility that it could be used against them to gather information. Fears at the international government level are at the point that many governments, including the United States, have started banning Chinese infrastructure providers like Huawei. Essentially, Huawei wouldn’t have a choice in the matter of turning over all data they’ve collected on their clients when the Chinese authorities come knocking. However, most people are not purchasing expensive internet routing equipment for their homes like businesses do; this is where TikTok and other Chinese-created apps come into play.
TikTok is a surveillance app first, stupid dance and challenge video second. Before his Reddit post was taken down, a cybersecurity researcher claimed to have reverse-engineered TikTok, and according to the detailed analysis he posted, what the app was doing was terrifying. He noted that the app was collecting everything it possibly could from the user’s mobile phone, turning on GPS every 30 seconds to find location (which was turned on by default), setting up a proxy on the phone that could be exploited, along with other vulnerabilities that were apparently there intentionally for the same reason, and more. If you think this was some random guy who claimed to be a cybersecurity researcher just trying to get his fifteen minutes of fame by making false claims, a formal research outfit known as Internet 2.0 confirmed all of this in 2022.
Thanks to whistleblowers providing eighty recorded meetings of TikTok employees, we already know that U.S.-based TikTok engineers have to contact someone in China to access parts of U.S. infrastructure and that TikTok replicates its U.S.-based data to Singapore, which is out of U.S. jurisdiction. Also, it has been confirmed that Chinese nationals have repeatedly accessed U.S.-based TikTok data despite the demonstrably false claims of its executives testifying in Congress that this wasn’t the case. Recently, TikTok’s CEO went in front of the U.S. Congress to testify on this mess, and, in typical fashion, Congress was clueless on what questions to actually ask (for the record, here are the questions that should have been asked but never were).
Now, U.S. lawmakers are set to act against TikTok but are attempting to overreach, potentially putting internet freedom at risk in the United States.
Senate Bill S.686, the RESTRICT Act, known as the “TikTok Bill,” is vague, but it is also like swatting flies with a rocket launcher. Section 4(c) of the bill gives the Executive Branch unprecedented powers to prohibit or mitigate the activity within any technology owned by a foreign adversary.
Section 11(a) is where U.S. citizens can get into serious trouble if this law is passed as is. It clearly states:
“IN GENERAL.—It shall be unlawful for a person to violate, attempt to violate, conspire to violate, or cause a violation of any regulation, order, direction, mitigation measure, prohibition, or other authorization or directive issued under this Act, including any of the unlawful acts described in paragraph.”
And this is the Big Brother issue. We have millions of U.S. citizens from other countries, including those on this bill’s “Foreign Adversaries” list. They have plenty of family back in their country of origin. Millions of citizens here use WeChat to talk directly to their relatives in China. WeChat is a Chinese technology, and most U.S.-based messaging apps are already banned in China. Suppose a U.S. citizen has WeChat on their phone. Could they be susceptible to penalties like “A fine of not more than $250,000 or an amount that is twice the value of the transaction that is the basis of the violation concerning which the penalty is imposed, whichever is greater” if they unknowingly run afoul of this potential law?
Or, if they know about the restriction but willfully keep using WeChat, will they now lose their property due to “Civil Forfeiture,” as stated in the bill? It may seem like an extreme case to make here; however, vague language can be interpreted in a multitude of ways, and there are no serious exceptions or carve-outs in this bill, which includes a judicial review section that is also open to interpretation.
I’m no fan of apps made in adversarial states, and TikTok will never be installed on any of my devices. Ever. With that said, while I’m for a ban on TikTok and other technologies that foreign governments can weaponize for surveillance and data gathering, no law can be absolute. We cannot start passing bills allowing the U.S. government to start surveilling its citizens over app use, which is precisely what has to happen to determine who is using an adversarial app. Overreach into citizens’ lives cannot be allowed in the name of security. So here is what I propose:
First, the respective App Stores of Apple and Google ban apps created in adversarial countries. This has the net effect of curbing the growth of these apps as users purchase new phones that cannot install them. This will also help with e-waste, as a contingent of users will hold onto their phones longer, thus also putting pressure on Apple and Google to stop aggressively enforcing “planned obsolescence” on their users.
Second, mandate in all corporate compliance laws (think PCI DSS for credit cards, HIPAA for healthcare, etc.) that companies must both geo-block adversarial countries at their firewalls, so no traffic can route to them, and block any applications originating from adversarial countries on their networks.
Finally, we need a big push for education. Apple and Google can require app makers to clearly state their country of origin and then actually check it as part of their vetting process. Studies have shown that many people (especially the younger generations) no longer care that their data is being gathered at an astonishing rate, whether by TikTok, Facebook, or another platform. They need to understand that while we have already given up an enormous amount of data to these companies, we can start reversing that trend. Also, unlike with TikTok, we have recourse under U.S. law to bring lawsuits against the Facebooks of the world for their egregious behavior because they are based here in this country, and that’s a core difference most don’t realize. So, this has to start with educating everyone.
There is no easy answer to keeping people safe and private in an increasingly interconnected world. Still, as long as we keep adding more and more people who are willing to watch the punch bowl at the party and warn others, we’ll hopefully be OK in the long run.
An expert in cybersecurity and network infrastructure, Nick Espinosa has consulted with clients ranging from small business owners up to Fortune 100 level companies for decades. Since the age of 7, he’s been on a first-name basis with technology, building computers and programming in multiple languages. Nick founded Windy City Networks, Inc., at 19, which was acquired in 2013. In 2015, Security Fanatics, a Cybersecurity/Cyberwarfare outfit dedicated to designing custom Cyberdefense strategies for medium to enterprise corporations, was launched.
Nick is a regular columnist, a member of the Forbes Technology Council, and on the Board of Advisors for both Roosevelt University’s Center for Cyber and Information Security and its College of Arts and Sciences. He’s also the Official Spokesperson of the COVID-19 Cyber Threat Coalition, Strategic Advisor to humanID, award-winning co-author of a bestselling book, TEDx Speaker, and President of The Foundation.