Putting l’Affaire TikTok into the Proper National Security Context

Trying to tease actual policy out of the Trump administration’s theatrics can be a frustrating experience. Yet, the President’s executive orders banning TikTok and WeChat reveal the administration pursuing a coherent national security policy. The EOs call for the apps to cease operating in the US within 45 days unless they are sold by their Chinese parent companies. The coherence only emerges when the ban is viewed in context, however.

The TikTok Ban is An Element of a Broader National Security Strategy

On its own, the TikTok ban seems arbitrary and histrionic. Ban a consumer video sharing app because it threatens US security? Really? Yes, really. An overall ban TikTok gained attention because the app is popular, but it is only one of several similar government moves. The military banned its personnel from using TikTok on their personal mobile devices earlier this year. A pair of bills in Congress sets out to ban TikTok from use by all government employees.

The underlying national security issue relates to the Chinese Communist Party’s (CCP’s) access to data about Americans. It is well understood that the CCP either influences or directly controls many of China’s leading technology companies. American intelligence agencies can now assume that any data generated by a Chinese app can potentially be shared with the CCP, the Chinese military and intelligence apparatus. There have been many examples of this in recent years.

How serious is this risk? According to Tom Kelly, president and CEO of ID Experts, “A seemingly innocent app available for download on any phone can have devastating consequences for our privacy and be weaponized against our national security.” Kelly warned that TikTok gives Chinese authorities access to users’ social media contacts, location data and personal information like their ages and phone numbers.

According to Tom Kelly, president and CEO of ID Experts, “A seemingly innocent app available for download on any phone can have devastating consequences for our privacy and be weaponized against our national security.”

The weaponization of personal data and device access occurs in multiple stages and levels of attack. Theresa Payton, former White House Chief Information Officer and CEO of the cybersecurity consultancy Fortalice Solutions, noted that access to TikTok potentially gives CCP entities access to home WiFi routers and a huge amount of correlated personal data. “It’s a portal into people’s lives,” she said.

“It’s a portal into people’s lives.” – Theresa Payton, former White House Chief Information Officer 

Research at Pace University’s Digital Forensics Research Lab bears out this concern. After studying TikTok, Professor Darren Hayes determined that the app tracks the user’s locations and can potentially pull in contacts and private social media relationships or even manipulate system files. The user’s personal information, including chat logs, are available in plaintext—an apparent error in the program’s design but more likely a deliberate technique to steal private conversations.

Research at Pace University’s Digital Forensics Research Lab bears out this concern. After studying TikTok, Professor Darren Hayes determined that the app tracks the user’s locations and can potentially pull in contacts and private social media relationships or even manipulate system files.

Why should the US be so concerned that a Chinese app has access to users’ personal information? After all, personal user information is the currency of the tech world. Few Americans outside the Electronic Frontier Foundation care much about the issue, eagerly giving away their data in exchange for free entertainment. The concern becomes more compelling when viewed as part of China’s wider digital war on the US.

To the extent that such attributions are accurate, China stands credibly accused of the data breach at the federal government’s Office of Personnel Management (OPM), Equifax, Anthem Blue Cross and many other high-profile data heists. The CCP’s vacuuming up of millions of TikTok account records and related personal data is just another part of a program to amass data on Americans.

We cannot know what the CCP’s purpose is in this project, but we can assume their aims are not benign.

We cannot know what the CCP’s purpose is in this project, but we can assume their aims are not benign. Theories of CCP data gathering include enhancing their ability to impersonate American military and government personnel for espionage purposes, theft of intellectual property (like the plans for the F-35, which they stole in 2009) and comparable digital skullduggery.

Alternatively, by creating and then analyzing data about Americans, the CCP has the basis for influencing American public opinion. Theresa Payton has studied this risk in depth, recently writing the book, Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth. In her view, the people who may be influenced after having their data stolen by TikTok serve in the US military. She observed, “They can’t say, of course, but it’s pretty unusual for the DoD to involve itself in a consumer matter like this. Something serious most likely triggered them.”

The intelligence world has its interpretation of the cyber war of which TikTok is just one little piece. Samantha Hoffman of the Australian Strategic Policy Institute remarked that the CCP “engages in data collection on a massive scale as a means of generating information to enhance state security—and, crucially, the political security of the Chinese Communist Party (CCP)—across multiple domains.” They do this because, as she put it, “The party-state intends to shape, manage and control its global operating environment so that public sentiment is favourable to its own interests.” The US is part of the CCP’s “global operating environment.”

“The party-state intends to shape, manage and control its global operating environment so that public sentiment is favourable to its own interests.” – Samantha Hoffman of the Australian Strategic Policy Institute remarked

The TikTok ban meshes with other, arguably bigger and more serious national security efforts to block the CCP’s digital invasion of the US. The Huawei 5G equipment ban, also promulgated by the Trump administration, is an attempt to prevent China from designing America’s telecom network. This might seem like a fairly obvious defense priority, but the difficulties in rolling out the ban show that nothing is so easy.

Retired Air Force General Robert Spalding, who tracks the Huawei issue intensely, shared “5G and the IoT amplify the ability of Chinese tech companies, and by default the CCP, to gain more insight into people’s behavior and potentially influence it without their consent.” He added, “As 5G networks are built, the source of data that flows to the tech companies and the CCP will be the devices (such as cameras and microphones) that have been placed there by companies like Baidu.”

Not That This Will Be Easy

Selling TikTok to Microsoft or some other American firm is a reasonable remedy, but it will not be easy to realize. As Theresa Payton pointed out, it’s still not clear where TikTok’s user data actually resides—especially when processes like failover and load balancing are taken into consideration. “Where is it? Who has seen it? Is it shared? When is it disposed of? These are just a few of many questions that must be asked and answered,” she said. Payton also shared that the source code for TikTok would require a thorough, third-party analysis before a sale to Microsoft would have any impact on national security.

As Theresa Payton pointed out, it’s still not clear where TikTok’s user data actually resides—especially when processes like failover and load balancing are taken into consideration.

And, This All Begs a Much Bigger Question

Ultimately, the TikTok ban and similar, limited measures should prompt people to ask a bigger, more significant question: If these technologies, with their connections to the CCP, pose a threat to national security, then what about the thousands of other Chinese technologies we rely on to run our government, industry and news media? American digital infrastructure is riddled with Chinese-made chips, devices and, increasingly, software. If the suspicions of the US intelligence community are correct, then we will need to do more than just ban TikTok to gain a measure of security. We’ll have to rethink the entire American technology supply chain.