TikTok is like a Dickens novel. It’s the best of apps. It’s the worst of apps. There seems to be no in-between. Over the next few weeks and maybe months, we are going to dig into the controversy and find the truth that’s somewhere in the middle. We are going to find out just what’s up with TikTok.
We started our journey with an interview with Ian Thornton-Trump, CISO for the UK cybersecurity firm Cyjax, who often joins us on the Crucial Tech podcast. He was integral in developing the security policy for the nation of Canada and we wanted to get the position of somebody who has worked in government on why TikTok is or is not a big deal.
CPM — So Ian, thanks for joining today. What the hell is going on with TikTok?
Ian Thornton-Trump — It’s a massive mess right now with all sorts of kind of crazy stories going on about it. We’ve all heard that it’s basically a spying app for the Chinese government. That’s the allegation. I gotta break some news on your show, Lou. Everything is a spying application.
It can be seen in a couple of different lenses. So the first one is any of these apps that get on your phone, be it, you know, Facebook, WhatsApp, any of these are harvesting data about you about the conversations potentially that you’re having and certainly the metadata. And if you think for a moment that the FBI and the secret service aren’t prepared to go to a US judge and ask for a National Security Letter (NSL) and deliver it unto Facebook or Meta or whatever they’re calling themselves these days and say we need information about Lou, they’re going to get it … unless the company is egregiously against it and is prepared to fight it. That is a really difficult thing to do when the badges show up and the NSL letter comes out. The letters are super secret. You don’t really know that there’s one in place until the government has gotten what it wants.
The argument that has been put forth is that it’s OK for American Tech to be harvesting all of that personal data about what we do because we have the American law to protect us … allegedly … maybe… except if you’re a foreign national of another country. You’re maybe not entitled to those robust defenses under the US Constitution as you might otherwise have if you’re an American citizen. But we do know from history, the NSA has been pretty liberal about spying on all things.
The issue here that is being parsed out is twofold. The first is, American Tech is a big lobby group when it comes to the government. I think American Tech is a little bit, how do you say this, jealous of the massive success of a Chinese app that has gone completely viral. I think the concern has some legitimacy in that the data is being harvested and pushed back to servers. A recent Forbes article made it very clear that China has the capability of tracking individuals using the application and the content that they create. But that is very similar to any other similar organization, the big difference being is the relationship between big tech and the United States government, and the relationship between big tech and the Chinese government.
There is a lot more transparency and due process involved in the American relationship. The concern is if Western people of influence, including government agents and politicians, have this application on their devices, it gives the Chinese government an unquantifiable advantage in identifying who those people are and what their roles are, and how they might be subtly influenced by large bags of cash or whatever have you, right? So I feel like there are some risk factors, there are some challenges when it comes to this, and the challenge that I think that we face right now is trying not to sound like we’re not embracing the success of an application that just happens to be built and manufactured in China. I think there’s more jealousy from Western competitors than there is truly a security threat, however.
CPM — I’m kind of in the same place as you. But here’s the downside of that. So China, North Korea, Russia, some Eastern European countries, even India, kind of looks sideways at ransomware gangs and phishing gangs operating within their borders. We know that North Korea finances its nuclear weapons program by selling malware packages…
Ian Thornton-Trump — …Yeah, and crypto heists and all sorts of illicit activity…
CPM — … and as you point out, every social media group or platform is collecting massive amounts of data on us and not just social media. I recently helped edit a book called Data for All, by a well-known data scientist, John Thompson. In one chapter he described a trip that he and his wife took to Ann Arbor to go to a Notre Dame football game and visit their daughter. The chapter mostly consisted of a bulleted list of every point that some company collected about them on that trip. And it went for four pages in single-space bullets. And that was just to get from home to a gas station where they filled up. There’s a massive amount of data being collected on us by major corporations and even small to medium businesses. That’s the kind of data that phishing and ransomware gangs want to find their targets and to social engineer them.
Now, because that is essentially validated as an okay operation, maybe not a legal operation, but an okay operation by the Chinese government and the North Koreans and all that, doesn’t this make TikTok a bigger source of information for them?
Ian Thornton-Trump — Oh, I think it definitely does. And balls were missed here because it was upon us before we had a chance to really understand it. All of a sudden the ball game is, hey, China, stop pushing us on these issues because you’re completely reliant on Western capital in order to keep your economy and manufacturing up.
And we do have leverage over China. We don’t have much over North Korea in terms of economic leverage other than we can essentially continue sanctioning them until hell freezes over. I don’t think there’s ever been a time when anyone has talked about fewer sanctions for North Korea.
China’s interesting in that they continue to sort of push our buttons, if you will, of Western technology, Western research and development, and Western pharmaceutical companies. They certainly have, I think, the envy of the massive spend that Western tech puts into things like, you know, AI, like, you know, the development of some of the largest companies in the world, such as, you know, Google, Facebook, and of course, Microsoft as well.
And so it’s not surprising that we find ourselves every few years being astonished at China’s ability to create something that looks exactly like a Cisco router magically. You know, only to find out that after the wrong investigation, they found some person that walked out of, you know, Cisco’s lab with all of the intellectual property on a USB stick. And what’s interesting to see in sort of that relationship is there’s no question China is doing economic espionage against the United States. I think that argument has been settled a long time ago. But the fact is, is that they resort to any means necessary in order to gain an advantage over the West.
We see this now playing out in the geopolitical sphere of China building blue water Navy capability and continuing to threaten Taiwan. Of course, the West has to respond, but we’re still very comfortable in sending an awful lot of business to China in terms of manufacturing and then buying a lot of Chinese manufactured goods as part of the Western economic dependence.
Not surprising then to see China saying, hey, this texting that you got going on, really interesting. And as my friend and colleague, Philip Ingram mentioned, this comes in a long line of potentially Chinese viral applications like the Pokémon Go, for instance, that became a phenomenon and could be, in some cases, demonstratively, was used for espionage to take pictures of sensitive areas, as you quote, captured your Pokémon, which happened to be at super secret bases.
CPM — So, yeah, maybe that’s why those Chinese students got arrested outside of Andrews Air Force Base.
Ian Thornton-Trump — Yeah, they’re poking on in that base, especially by that new stuff in the crowd.
CPM — So let’s talk about solutions to this. The first one that’s come up, yeah, other than an outright ban, which I guess India has already banned TikTok…
Ian Thornton-Trump — …and the UK government has basically advised the government that it shall be removed, even though in the UK we have government by WhatsApp. So, you know, it’s that slippery slope argument. But you know what the bottom line here is…
CPM — I want to talk specifically about one of the solutions that were presented at the Congressional Hearings from the CEO: Project Texas. We’re going to have the data on American soil in an American company run by American engineers. Is that going to work?
Ian Thornton-Trump — I think it’s going to work better than what we have now…
CPM — Yeah, you’re going to have a lot of Americans working in this data center, but there are also going to be Chinese nationals working in there. And by Chinese national law, they are required to pass along information overtly or covertly. Yeah.
Ian Thornton-Trump — Whenever the government asks them to. That’s right.
CPM — Yeah. So I mean, that’s kind of like saying, okay, we’re not going to have it spread out all over the country or controlled offshore. We’re going to put it all in one place. So, spies, everybody come here because it’s all here.
Ian Thornton-Trump — This goes back to a major problem that we have with the internet, which is now devolving into islands of data sovereignty. If you look at the Germans in terms of how robust their interpretation has been of the transfer of German citizen data outside of Germany. American tech companies are very frustrated when the Germans go bananas when they discover that the Microsoft Authenticator pings a GPS in order to locate where you are and authenticate whether you’re allowed to make a connection. This is a major problem that we have in terms of like how do we govern the ungovernable. How do we even apply all rules here?
In the case of the Chinese espionage act, does it have relevance in standing in the United States? There’s a whole legislative piece that needs oversight and due diligence, right? And I think what we’re seeing right now is an amazing commercial success. But we lack understanding about once we collect it, how do we control it? This is an area where I think we’re really struggling.
When you see the underpinnings, we’re going to start arguing about the fact that you could only use German DNS servers to find anything in Germany because it’s sensitive data. If Lou was in Germany and Lou was a German citizen and he was looking at things, we don’t want that information going outside Germany. It’s like peeling this onion that every layer leads to the next layer and there is no governance. We have no clue about how we’re going to regulate it or even control it.
Profit is all
CPM — And we’ve got a lot of companies that have been used to this complete hands-off experience fighting tooth and nail to keep it that way.
Ian Thornton-Trump — The venture capital world finds great ideas, and gives them gobs of money to execute, but washes their hands when it comes to any sort of ethical regulatory framework. Then these big tech companies that have massive success start saying to the government, “You should regulate us because even we know we are completely out of control. We’re doing things that maybe we shouldn’t do but we have all this money and we gotta spend it on something.”
There is hope through all of this, right? You know, it’s sort of like the metaphor being that when the rainforest burns down, if no one turns it into a coffee plantation, new growth happens and new things flow out of that. And you know, there is issues around TikTok in terms of, you know, that they weren’t compliant with any of the regulations in terms of parental consent and things like that. So kids started using it. There is no, I think, practical way that they can even monitor the content. And then, of course, you had all the viral challenges that came out.
CPM — We have some family friends whose 12-year-old son was participating in the blackout challenge. And drowned in the bathtub. And the fact that… And that’s really the kind of thing that pisses me off. Because I know, I mean, I’m gonna be doing another interview with a TikTok user who stated to me, this is what made me want to interview him. TikTok’s algorithm is scary good. Yeah, Facebook is crap. I mean, Facebook’s algorithm says I’m a 50-year-old gay Chinese national. Twitter is completely falling apart. LinkedIn isn’t too bad. They keep themselves pretty focused. But TikTok really knows what to send you to get you to do something that you would not normally do.
Ian Thornton-Trump — And just to think, Lou, I feel your outrage at tech. But my outrage is the American justice system through lawsuits, especially wrongful death lawsuits, why there isn’t more activity and holding these tech companies to account when horrendous things happen, such as suicide occur. And this is the responsibility of those platforms.
CPM — And they can do something about it. They absolutely could, but it would cut into their profits.
Ian Thornton-Trump — 100%. And you know, that’s where we’re left with, Lou. I think is that when we realize and when regulatory action and legal action, especially wrongful death suits start happening. Again, these tech products that we make need to have some sort of governance and responsibility wrapped around them.
CPM — And it’s just not there. So in the end, to answer the question about what we can do about this, outright bans probably won’t work.
Ian Thornton-Trump — I agree.
CPM — Possibly banning certain, I mean, there’s no reason in God’s green earth that a congressman should be using TikTok or even an administrator in the Department of Transportation. We can ban it for use within the government. You can’t … you can keep people from bringing devices in that are using it. You can’t necessarily ban it from use by private citizens. But you can pass laws that will make it very expensive for companies to not take responsibility for their products.
Ian Thornton-Trump — I agree. To put profit over safety. Yeah.
CPM — And that is what we need, that in the bottom line is what we need to do.
Ian Thornton-Trump — I couldn’t agree with you more, Lou.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.