Should TikTok be banned in the US?
Clearly, TikTok’s executives would have you believe that there is no risk when using TikTok. Is there a national security risk, though? Yes. Let’s explore.
Bytedance
TikTok is presently owned by Bytedance. Bytedance’s company headquarters are located at Room 10A Building 2 No. 48 Zhichun Road, Haidian District, Beijing China. We also need to understand that businesses operating in Beijing China operate under Chinese law (such that it is). What that means for TikTok is that in order for this company to operate within China, it must always abide by China’s rules and regulations including spurious Chinese government requirements and mandates both existing and instantaneously required by the government.
For example, if Xi Jinping decides that Bytedance must turn over all information it has acquired to the Chinese government, Bytedance must comply or face the possibility of China pulling its licenses to operate its business in mainland China.
On the one hand, you have the TikTok CEO Shou Chew claiming that TikTok’s user data is safe. On the other hand, you have China’s government which can instantly require (i.e., force) Bytedance (or any Chinese based company) to hand over its data or face the loss of operating a business in China. Because China is a communist government, whatever China wants, China gets. Meaning, TikTok can absolutely make no assurances that user data is truly safe while Bytedance remains under China’s overreaching communist government authority. The rule of law only applies in China when the Chinese government WANTS it to apply, a key takeaway here. Internationally, China’s government does whatever it wants under the guise of appearing to support the rule of law.
Oracle Cloud
TikTok’s CEO has assured congress that it could move its data to within the Oracle cloud environment. While moving TikTok’s data storage to a United States owned business might sound great on paper, in reality it means nothing. Data stored in the US can STILL be easily exported, backed up, copied and recovered to computer equipment which resides in China. In fact, it would be entirely surprising if TikTok didn’t keep live backup copies of all user data somewhere on Chinese servers.
In other words, the CEO’s statements about using data storage on US shores as a “protection scheme” ring hollow. It’s far too easy to create copies of data and put it anywhere you want. It’s also guaranteed that if the Chinese government were to mandate that Bytedance turn over all relevant data to the Chinese government, TikTok would be forced to comply with those orders or face China’s government retaliation. In this case, not only can Bytedance not protect user data, they would have to appear completely willing to hand it over to the government instantly. Why? Because of Bytedance’s allegiance to China and not the United States… and because if TikTok doesn’t, China will close them down.
Allegiance
This word denotes a whole lot of things all at once. However, the most important thing this word signifies is what happens if China requests something from Bytedance and they refuse? A US based company protects all data of its users under the laws of the United States. If there were a subpoena by law enforcement issued for that data, a US based company would either have to comply with the subpoena or file an objection to quash the subpoena under specific grounds. In China, such avenues of refusal don’t necessarily work.
Because the United States is, at least thus far, based on the rule of law, the government would be required to allow an objection to funnel through the court processes before requiring the company to turn over whatever data is required by that subpoena. Even then, it would only be required if the court upheld the subpoena instead of siding with the appeal.
On the flip side, because China is a communist operated government, businesses operate under the whims of the Chinese government, which is not always based on the rule of law. While China does put up appearances suggesting that rule of law exists, the realities within China don’t always match that “rule of law” narrative. Meaning, China’s rule of law facade is just that, a facade.
For this reason, Bytedance’s allegiance must remain with China and never with the United States. The only reason Bytedance can operate within the US borders is because the United States, at present, allows it. But, that may be changing…
Is My Data Safe with TikTok?
The short answer is, no. Why? Because Bytedance’s allegiance remains solely with China because that’s where its business is incorporated. Regardless of what the executives of Bytedance may claim, that Chinese allegiance means that if Xi Jinping requires Bytedance to turn over all user data to China’s government about TikTok users, Bytedance must comply… and with no questions asked.
It doesn’t work like this if Bytedance were a company owned and operated within the United States. Rule of law actually matters in the United States where in China it only appears to matter, but doesn’t actually matter when the Chinese government wants what it wants.
What’s Wrong with China Knowing About Me?
If you don’t live in China or plan to visit, it might not matter that much. However, if you were ever to visit China, what you post on TikTok might be considered a legal offense in China and could see you legally apprehended, detained and/or jailed.
In other words, if you intend to post on TikTok and you have said or done anything that China takes offense to, you could become wanted in China. That’s a fairly extreme outcome, but China takes offense easily to many things and it takes those offenses seriously… so why poke that bull if you don’t have to?
Worse, because China is all about the money, having critical data from your phone device could allow would-be Chinese hackers to infiltrate your device, steal your identity and steal your money.
Should I use TikTok? — Should I allow my kids to use TikTok?
If you value your family’s privacy, no. YouTube and Facebook both offer similar enough video sharing features to more than make up for TikTok’s functionality. Both YouTube and Facebook are US based companies not under the Chinese government’s thumb. Why risk potentially losing your (or your child’s) personal data to China needlessly when you don’t have to?
This author definitely recommends avoiding the use of TikTok entirely. There’s really no reason to risk losing your family’s personal data to China over the use of a silly video sharing platform… a platform that already exists on YouTube and via other US operated companies.
Creators
The argument on not banning TikTok seems to stem mainly from both the TikTok executives (naturally) and from TikTok’s creators. Ignoring TikTok’s weak executive arguments for the moment, let’s focus on TikTok creators. While I agree that many creators may not have understood the ramifications of investing their creative efforts and skills into a platform of questionable origin, unfortunately they have. What that means is that a ban on TikTok in the US means that these creators must lose the audiences they have worked to gain. I get it, but that’s not reason enough.
For creators, this is a problem. However, it’s relatively simple for creators to ask their audience to move with them to a new platform. If a creator’s audience is truly committed to that creator’s content, most (if not all) of that audience should be willing to move to any other platform that the creator may choose to use. A simple video which requests fans to sign up for and move to a new platform shouldn’t be a big deal.
If you’re a TikTok creator considering that you may lose your ability to create on the TikTok platform, you should definitely consider a movement plan to another platform. Whether that be YouTube, Instagram, Snapchat or any other short video sharing platform, moving away from TikTok is the key. You shouldn’t remain complacent and simply assume a ban won’t happen. You should take action now and, yes, complain if you like, but you should also prepare to move your fans and content to another platform. Don’t wait, take action now!
Creator arguments about engagement or loss of revenue or any other such arguments are simply not strong enough arguments to sway regulators away from the above China data sharing problem. There are too many other platforms owned and operated by US companies for such creator arguments to hold any weight at all. Simply, they don’t. This is why creators need to be proactive and take steps to plan to move both your fanbase and content to another platform now. Don’t sit on your hands and think it won’t happen. Plan ahead.
TikTok Audience versus TikTok CEO
While creators make up a relatively small portion of TikTok users, they are the ones responsible for bringing in the viewers. Still, having an audience is not an argument to keep TikTok from being banned. It’s not whether TikTok offers a valuable video sharing service, it’s that a Chinese based company manages TikTok’s data and always remains at the whims of China.
The CEO has stated that TikTok is beholden to no country, but that’s simply not a true statement. That statement cannot possibly be true. Every company must go into business under some country. Every country has laws and requirements for businesses to remain in business within that country. Bytedance incorporated its business within China. That means that Bytedance is beholden to China’s laws and regulations, no matter how, when or why they might appear. Because China’s government only appears to abide by its written laws and regulations, it only does so when it is convenient to the Chinese government. When it’s not convenient, new laws instantly come into being to cover whatever “thing” China is trying to make happen.
Instant laws don’t occur in the United States. It takes time, effort and lots of congressional or state legislator bickering and months of wrangling before a new law can come to exist. Most new laws require ballot measures to be voted on by the population, something that China doesn’t offer to its citizens.
What this all means is that TikTok’s CEO can say whatever he wants, but the realities of the way China operates remain. If Mr. Chew is so willing to lie about Bytedance’s allegiance to China, what else is Mr. Chew lying about? Lying to congressional members really doesn’t say great things about Bytedance or TikTok.
Should TikTok be banned in the United States?
We’ve come full circle from the beginning of this article. After all the above arguments are considered, I’d say that it is most definitely worth banning TikTok (and any other Chinese based apps) from the app stores. This situation shouldn’t be limited to TikTok. TikTok is simply so visible because it’s now used by more people than, in some cases, YouTube. The sheer audience sizes alone for some TikTok creators means ever more and more people are signing up to use the service. Many of these new users are children (aged 17 and younger).
Children are unable to comprehend what sharing of personal data to China really means. They just see silly videos, but have no idea what information TikTok may be collecting while these children use TikTok.
Additionally, because Bytedance is a Chinese operated company, it doesn’t have to abide by federal regulations like COPPA. TikTok might choose to voluntarily comply (or simply put up a facade of doing so) as a measure of apparent goodwill. However internally, it may not at all comply with COPPA because it doesn’t have to. Because the TikTok company exists and operates outside of the US’s borders, United States federal laws don’t apply and cannot be enforced upon TikTok. This aspect right here is the single biggest elephant in the room and the single biggest reason why TikTok should be banned.
Without the federal regulations to help protect US citizens from nefarious or malicious use of data collected, Bytedance can literally do almost anything to non-Chinese citizens without any legal ramifications by the United States. Even if the United States were to try and bring suit, China wouldn’t allow it. This situation alone is why TikTok (and other Chinese operated services) should not be allowed to operate within the United States. TikTok is literally one Chinese company among many taking advantage of its Chinese locale to avoid being held accountable to United States laws.
The United States has every right to protect its citizens from unlawful interference by other countries. TikTok is one among many companies where this reality now exists, not just companies located in China. The United States legislators need to take a step back and really think long and hard about (the lack of) legislation around companies operating in countries which are mostly unfriendly to the United States.
China only tolerates the United States at this point because of the buying power the United States offers. Other than buying power, that’s where China’s civility with the US ends. China (and a Chinese operated company) doesn’t care how many people in the United States die, get maimed or get injured as a result of products made in China. The same can be said of services like TikTok. Anyone who legitimately believes that the TikTok CEO legitimately cares about United States citizens, other than for their wallets and the almighty dollar, is clearly deluded.
Yes, TikTok should be banned, along with every other app-based service operated out of unfriendly territories around the globe.
First Amendment?
Some have claimed that the First Amendment will be violated by banning TikTok. Let’s definitively state here and now that there is no First Amendment problem at play. Because TikTok is a Chinese company wholly operating out of China, Constitutional laws don’t apply to TikTok. The executives who operate TikTok aren’t United States citizens.
Even though there are United States users using the service as creators and viewers, the service itself is not bound by the United States Constitution. In effect, by you as a user choosing to invest your time and effort into putting your videos onto a wholly owned Chinese entity, you’ve effectively forfeited your right to First Amendment protections.
While some First Amendment advocates might disagree with the above stance, one thing is certain, the United States Constitution does not apply to non-US citizens… which would include any and all executives and staff who were hired and operate out of Beijing China. While it is possible that Bytedance has hired some United States citizens to help operate its service globally, that doesn’t wholly, suddenly or automatically then make Bytedance as a company bound by the United States Constitution.
Rant Time: Bloomberg and Hacked Servers
Bloomberg has just released a story claiming SuperMicro motherboards destined for large corporations may have been hacked with a tiny “spy” chip. Let’s explore.
Bloomberg’s Claims
Supposedly the reporters for Bloomberg have been working on this story for months. Here’s a situation where Bloomberg’s reporters have just enough information in hand to be dangerous. Let’s understand how this tiny chip might or might not be able to do what Bloomberg’s alarmist view claims. Thanks Bloomberg for killing the stock market today with your alarmist reporting.
Data Compromise
If all of these alleged servers have been compromised by a Chinese hardware hack, someone would have noticed data streaming out of their server to Chinese IP addresses, or at least some consistent address. Security scans of network equipment require looking through inbound and outbound data logs for data patterns. If these motherboards had been compromised, the only way for the Chinese to have gotten that data back is through the network. This means data passing through network cards, switches and routers before ever hitting the Internet.
Even if such a tiny chip were embedded in the system, many internal only servers have no direct Internet access. This means that if these servers are used solely for internal purposes, they couldn’t have transmitted their data back to China. The firewalls would prevent that.
For servers that may have had direct access to the Internet, these servers could have sent payloads, but eventually these patterns would have been detected by systems administrators, network administrators and security administrators in performing standard security checks. It might take a while to find the hacks, but they would be found just strictly because of odd outbound data being sent to locations that don’t make sense.
Bloomberg’s Fantasy
While it is definitely not out of the realm of possibility that China could tamper with and deliver compromised PCB goods to the US, it’s doubtful that this took place in the numbers that Bloomberg has reported.
Worse, Bloomberg makes the claim that this so-called hacked hardware was earmarked for specific large companies. I don’t even see how that’s possible. How would a Chinese factory know the end destination of any specific SuperMicro motherboard? As far as I know, most cloud providers like AWS and Google buy fully assembled equipment, not loose motherboards. How could SuperMicro board builders possibly know it’s going to end up in a server at AWS or Google or Apple? If SuperMicro’s motherboard products have been hacked, they would be hacked randomly and everywhere, not just at AWS or Google or whatever fantasy Bloomberg dreams up.
The Dangers of Outsourcing
As China’s technical design skills grow, so will the plausibility of receiving hacked goods from that region. Everyone takes a risk ordering any electronics from China. China has no scruples about any other country than China. China protects China, but couldn’t give a crap about any other country outside of China. This is a dangerous situation for China. Building electronics for the world requires a level of trust that must exist or China won’t get the business.
Assuming this alleged “spy chip” is genuinely found on SuperMicro motherboards, then that throws a huge damper on buying motherboards and other PCBs made in China. China’s trust level is gone. If Chinese companies are truly willing to compromise equipment at that level, they’re willing to compromise any hardware built in China including cell phones, laptops and tablets.
This means that any company considering manufacturing their main logic boards in China might want to think twice. The consequences here are as serious as it can get for China. China has seen a huge resurgence of inbound money flow into China. If Bloomberg’s notion is true, this situation severely undermines China’s ability to continue at this prosperity level.
What this means ultimately is that these tiny chips could easily be attached to the main board of an iPhone or Android phone or any mobile device. These mobile devices can easily phone home with data from mobile devices. While the SuperMicro motherboard problem might or might not be real, adding such a circuit to a phone is much more undetectable and likely to provide a wealth more data than placing it onto servers behind corporate firewalls.
Rebuttal to Bloomberg
Statements like the one from this next reporter are why no one should take these media outlets seriously. Let’s listen. Bloomberg’s Jordan Robertson states, “Hardware hacking is the most effective type of hacking an organization can engineer… There are no security systems that can detect that kind of manipulation.” Wrong. There are several security systems that look for unusual data patterns including most intrusion detection systems. Let’s step back for a moment.
If the point in the hardware hacking is to corrupt data, then yes, it would be hard to detect that. You’d just assume the hardware is defective and replace it. However, if the point to the hardware hack is to phone data home, then that is easily detected via various security systems and is easily blocked by firewalls.
The assumption that Jordan is making is that we’re still in the 90s with minimal security. We are no longer in the 90s. Most large organizations today have very tight security around servers. Depending on the role of the server, it might or might not have direct trusted access to secured data. That server might have to ask an internal trusted server to get the data it needs.
For detection purposes, if the server is to be used as a web server, then the majority of the data should have a 1:1 relationship. Basically, one request inbound, some amount of data sent outbound from that request. Data originating from the server without an inbound request would be suspect and could be detected. For legitimate requests, you can see these 1:1 relationships in the logs and when watching the server traffic on an intrusion detection system. For one-sided transactions sending data outbound from the server, the IDS would easily see it and could block it. If you think that most large organizations don’t have an IDS even simply in watch mode, you are mistaken.
If packets of data originate from the server without any prompting, that would eventually be noticed by a dedicated security team performing regular log monitoring and regular server security scans. The security team might not be able to pinpoint the reason (i.e. a hardware hack) for unprompted outbound data, but they will be able to see it.
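The 1:1 check described above can be run over flow logs. The following is an added example, not code from the original post: the server address, listening port, egress policy and flow records are all constructed for illustration, and the even-spacing test is an extra heuristic beyond what the text describes.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed flow records, not real traffic. Columns:
# start_ts, initiator_ip, initiator_port, responder_ip, responder_port, initiator_bytes
SAMPLE_FLOWS = """\
1700000000,198.51.100.14,51544,10.0.5.20,443,812
1700000003,192.0.2.9,40212,10.0.5.20,443,1033
1700000010,10.0.5.20,38812,10.0.0.53,53,74
1700000060,10.0.5.20,45120,203.0.113.77,443,20480
1700000360,10.0.5.20,45122,203.0.113.77,443,20480
1700000400,198.51.100.14,51560,10.0.5.20,443,790
1700000660,10.0.5.20,45130,203.0.113.77,443,20480
"""

SERVER = ipaddress.ip_address("10.0.5.20")              # hypothetical web server
LISTEN_PORTS = {443}                                    # services it is meant to offer
ALLOWED_EGRESS = [ipaddress.ip_network("10.0.0.0/16")]  # assumed egress policy


def parse_flows(text):
    """Turn CSV flow lines into dicts with typed fields."""
    flows = []
    for ts, src, _sport, dst, dport, nbytes in csv.reader(io.StringIO(text)):
        flows.append({
            "ts": int(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def classify(flow):
    """Label a flow by who opened it and whether policy expects it."""
    if flow["dst"] == SERVER and flow["dport"] in LISTEN_PORTS:
        return "inbound-request"      # a client prompted the server
    if flow["src"] == SERVER:
        if any(flow["dst"] in net for net in ALLOWED_EGRESS):
            return "expected-egress"  # e.g. DNS or internal services
        return "unprompted-egress"    # server opened it and nobody asked
    return "other"


def is_periodic(timestamps, tolerance=5):
    """True when at least three events are evenly spaced (beacon-like)."""
    if len(timestamps) < 3:
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return max(gaps) - min(gaps) <= tolerance


def egress_report(flows):
    """Summarise unprompted server-initiated flows per destination."""
    per_dst = defaultdict(list)
    for f in flows:
        if classify(f) == "unprompted-egress":
            per_dst[str(f["dst"])].append(f)
    report = {}
    for dst, hits in per_dst.items():
        stamps = sorted(h["ts"] for h in hits)
        report[dst] = {
            "flows": len(hits),
            "bytes": sum(h["bytes"] for h in hits),
            "periodic": is_periodic(stamps),
        }
    return report


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(Counter(classify(f) for f in flows))
    for dst, row in egress_report(flows).items():
        print(dst, row)
```

The report shows that such traffic exists and where it goes; as the text says, it does not identify the cause.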
I have no idea how smart such a tiny chip could actually be. Such a tiny chip likely would not have enough memory to store any gathered payload data. Instead, it would have to store that payload either on the operating system’s disks or in RAM. If the server was cut off from the Internet as most internal servers are, that disk or RAM would eventually fill its data stores up without transfer of that data to wherever it needed to go. Again, systems administrators would notice the spike in usage of /tmp or RAM due to the chip’s inability to send its payload.
If the hacking chip simply gives remote control access to the server without delivering data at all, then that would also be detected by an IDS. Anyone attempting to access a port that is not open will be blocked. If the chip makes an outbound connection to a server in China and leaves it open, that would eventually be detected. Again, a dedicated security team would see the unusual data traffic from/to the server and investigate.
If the hacking chip wants to run code, it would need to compile it first. That implies having a compiler in that tiny chip. Doubtful. If the system builder installs a compiler, the spy chip might be able to leverage it, assuming it has any level of knowledge about the current operating system installed. That means that chip would have to know about many different versions of Linux, BSD, MacOS X, Windows and so on, then have code ready to deploy for each of these systems. Unlikely.
Standards and Protocols
Bloomberg seems to think there’s some mystery box here that allows China to have access to these servers without bounds. The point to having multi-layer security is to prevent such access. Even if the motherboards were compromised, most of these servers would end up behind multiple firewalls in combination with continuous monitoring for security. Even more than this, many companies segregate servers by type. Servers performing services that need a high degree of security have very limited ability to do anything but their one task. Even getting into these servers can be a challenge even for administrators.
For web servers in a DMZ which are open to the world, capturing data here might be easier. However, even if the hacker at SuperMicro did know which company placed an order for motherboards, they wouldn’t know how those servers would ultimately be deployed and used. This means that these chips could be placed into server roles behind enough security to render their ability to spy as worthless.
It’s clear, these reporters are journalists through and through. They really have no skill at being a systems administrator, network engineer or security administrator. Perhaps it’s now time to hire technical consultants at Bloomberg who can help you guide your articles when they involve technical matters? It’s clear, there was no guidance by any technical person who could steer Jordan away from some of the ludicrous statements he’s made.
Bloomberg, hire a technical consultant the next time you chase one of these “security” stories or give it up. At this point, I’m considering Bloomberg to be nothing more than a troll looking for views.