Forget about TikTok. There are better ways to protect the data of Chinese Americans.
For weeks, the Trump administration has hinted that it can ban TikTok, the popular Chinese social video app among Generation Z, touting concerns that the data it collects could go directly to China.

It’s a concern that, while legitimate, comes with some skepticism from cybersecurity veterans. For years, the U.S. has done little to compel companies and even government agencies to protect Americans’ personal data, which has already ended up in the hands of China’s hackers. And recent efforts by federal law enforcement officials to compel companies to abandon encryption as a security measure have only weakened the position of the US government on the issue.

“TikTok is a potential security threat, but the TikTok ban hardly faces the deep threat China poses to our national security, economy and democracy,” said Senator Richard Blumenthal, D-Conn., in an email.

“I have been appalled at the Trump administration’s eagerness to make friends in Beijing as Chinese hackers steal from American companies, compromise consumer data and launch political disinformation campaigns,” Blumenthal said.

TikTok’s emergence as the target of data privacy concerns comes after more than a decade of high-profile breaches of US companies that were traced back to China. The U.S. has little legal mandate to hold companies that keep huge sets of Americans’ Social Security numbers, addresses, and other confidential information to a high standard of security, or to regulate the sale of that information. And when companies are breached, their finances rarely take a significant hit.

Michael Daniel, the cybersecurity adviser to President Barack Obama, a position that Trump eliminated, said the United States needs a law that regulates best practices for Americans’ personally identifiable information, or PII.

“We have to agree that if you had people’s personally identifiable information, that you are going to take certain steps to protect it and that you have an obligation as a company to implement certain cybersecurity controls,” Daniel said in a telephone interview.

“For me, that’s the most important thing the government can do, is to push through a privacy law nationwide, and as part of that, set a standard of care for PII owners. If you meet those standards, then you should get liability protection,” he added.

Cybersecurity experts widely agree that a country with advanced cyber capabilities, as China has, will eventually break into a target if it wants to badly enough. But in some cases, companies holding Americans’ data have put up little resistance.

When Chinese military officials hacked Equifax in 2017, for example, they stole the Social Security numbers and other personal information of nearly 150 million Americans. Equifax’s negligence sparked widespread outrage in the cybersecurity industry, and the fallout caused turmoil among its executives. But the company never faced serious penalties for the breach, and its stock quickly recovered. The breach has become notorious in the cybersecurity community as an example of how little is done in response to data breaches.

Equifax’s breach traces back to a known flaw in a commonly used web application that had not been patched. Neglect in patching is rampant at American companies, said Tarah Wheeler, a cybersecurity fellow at the New America think tank.

“Patch management is the biggest improvement that most American companies can make in national security,” Wheeler said by text message.

Historically, the market has done little to punish organizations that lost control of Americans’ PII data to China.

After the Chinese Ministry of State Security successfully hacked health insurance company Anthem, stealing the personal records of nearly 80 million people, the company settled a class action lawsuit for a record $115 million in 2017, most of which went to credit monitoring for victims. The following year, Anthem’s revenue was $91.3 billion. In 2019, the company’s shares reached a record high.

The United States government has also had its own problem with breaches. After China spent years hacking the United States Office of Personnel Management, stealing security clearance information on more than 21 million people, some government employees tried to sue the agency for violating their privacy. A judge dismissed their case, ruling that the Privacy Act only barred the agency from voluntarily releasing user data.

Massive stores of personally identifiable information like these are particularly valuable to intelligence agencies. A former National Security Agency analyst, who spoke on condition of anonymity because she was not authorized to speak on the matter, said such large data sets of personal information were of particularly high value to Chinese intelligence. Large data sets can be combined with artificial intelligence capabilities to predict behavior, and they also give China a baseline of information on potential targets.

“One is the combination of large-scale data analysis and the ability to build data science patterns,” she said. “And two, it’s the ability to create targeted espionage, a collection targeted at Americans of interest.”

But that doesn’t mean TikTok is a particularly tempting target, Daniel said.

“The TikTok user base is young,” he said. “It’s not that it doesn’t have intelligence value, but I would definitely say that other sources, like OPM or Anthem, would have more intelligence value.”

The most important data that TikTok has available is probably metadata, particularly location data, which tracks people carrying the app on their phones.

But that type of information is already widely trafficked by third-party data brokers, who are significantly regulated in Europe and by the laws of some U.S. states, but not by US federal law.

“To be honest, there are other, more legal ways to obtain large amounts of PII that the Chinese government has access to just like corporations,” said the former NSA analyst.

Efforts to create new data privacy legislation have also failed. The Government Accountability Office, the nonpartisan federal watchdog, has been calling for consumer privacy laws since early in the Obama administration. But the Trump White House missed a golden opportunity in 2018, in the wake of the Cambridge Analytica scandal, to shepherd competing bills that had support from both parties, said Amie Stepanovich, an expert on cybersecurity and privacy law at the University of Colorado Boulder.

“The administration never formulated a data protection policy or data privacy law,” she said. “At a time when there was bipartisan support to pass the law, there was no voice in the administration to support that effort to move forward.”

While little has been done to make companies that keep sensitive data more secure, efforts to limit their use of encryption have increased.

Attorney General William Barr and FBI Director Christopher Wray have delivered recent speeches pointing to and condemning China’s history of hacking to steal US data. But both are also the strongest voices in the administration condemning end-to-end encryption, which protects data from being intercepted as it travels from one device to another.

Cybersecurity experts have long warned against mandates to weaken encryption, arguing that any “back door” created in the security of a device is a hole that malicious governments or criminals could exploit.

Stepanovich warned that any back door would also be an opening for China.

“They go after encryption and potentially other business practices that help protect data and ensure that people are protected from bad actors,” said Stepanovich.