Security experts weigh in on the real scenarios in which China or other nations could exploit data collected by online platforms and how to mitigate the risk.
Short-form video platform TikTok has come under fire in recent months. US lawmakers and citizens have questioned its data collection practices and potential ties to the Chinese state. Concerns were heightened after Buzzfeed published an article indicating that the data of some American users had been accessed repeatedly from China. TikTok’s parent company, Beijing-based ByteDance, denied sharing information with the Chinese government and said it had migrated traffic from its US users to servers operated by Oracle. But that wasn’t enough to clear up the situation, and security and privacy experts continue to worry. “In China, politics and business are inseparable,” said Joseph Williams, partner, cybersecurity, at Infosys Consulting. He argues that “the Chinese government could focus on specific users, specific keywords, or specific video footage to identify anything it might find interesting.”
In theory, TikTok could collect all kinds of data, including text, images, videos, location, metadata, message drafts, fingerprints, or browsing history. The social network, which has grown rapidly in recent years, exceeds one billion monthly active users worldwide, of which 100 million were based in the United States. According to a survey by the Pew Research Center, 67% of American teenagers have installed this application more than Instagram, Snapchat, Facebook or Twitter. The issue of companies handing over information to governments goes far beyond TikTok or the country. “China isn’t the only nation-state with an insatiable appetite for data,” said Matt Chiodi, chief trust officer at Cerby. “Consider that the United States has been the biggest requester of data for many of the most popular social media platforms.” Once governments have access to data held by companies, they could exploit it in three ways.
1. Learn about citizens and foreigners
The most concerning thing governments could do is combine data from multiple sources to “better understand and target individuals, as well as understand the relationships between people,” says Dakota Cary, a consultant at the Krebs Stamos Group. There are many possibilities for cross-referencing data. “Don’t think of TikTok data in isolation, but what a state might do with it in conjunction with data from public sources and the dark web,” says Matt Chiodi. In China, in particular, the government is already experimenting with its social credit system, and indeed access to TikTok data could help it take it to the next level and create accurate profiles of users in China and elsewhere.
“All data collected on foreign nationals by China ends up in this type of system and will probably only be used when it determines that a person is of interest,” adds Dakota Cary. This would, for example, allow the country to monitor Western businessmen traveling to China or Western students enrolled in its universities. Besides, it could also help the government get more valuable information about Chinese nationals working or studying abroad.
2. Theft of intellectual property
China has long been accused of stealing intellectual property from Western companies. The economic costs of this type of theft are difficult to quantify, but FBI Director Christopher Wray said in 2020 that China’s economic espionage was the “greatest long-term threat” to the US economy. Over the years, security companies have caught several groups of Chinese hackers engaged in cyber espionage operations. In May 2022, Cybereason researchers published a report on Operation CuckooBees, stating that the Winnti/APT41 group was targeting industries in East Asia, Western Europe and North America, with the aim of stealing the intellectual property.
Suppose the Chinese government is allowed to access TikTok data. In this case, he could develop “targeted campaigns to identify people with access to sensitive intellectual property and execute spear-phishing campaigns to gain access,” says Matt Chiodi. “For example, if you work in defense or a telecommunications company, you could be a prime target.”
3. Highly targeted influencer campaigns
After the 2016 US presidential election, where Russia was accused of boosting Donald Trump’s candidacy, the idea of a nation using social media platforms to influence what people think has gained traction. It is possible to use apps like TikTok to “influence the opinion of a group by promoting a certain point of view advantageous for the geopolitical successes of a state and its allies”, explains Mr. Chiodi. One way to do this is through algorithms that recommend specific videos to users. China could, for example, promote content that “supports ‘core socialist values’,” adds Dakota Cary. “The willingness to guide recommendation algorithms and adhere to China’s ideology could be exported as part of the TikTok platform, once policymakers are confident in their ability to influence the app,” adds she.
For now, the technical details of “guiding” a recommendation algorithm seem hard to pin down. That’s why Cary thinks China may soon focus on things like content moderation, which are easier to implement, rather than developing a well-crafted influence operation. Matt Chiodi is a little more pessimistic. Even without these algorithms, China could create a long-term campaign “to uniquely identify the people it predicts will have the most future influence in industry or society,” he says. “Predictions can be based on varying degrees of separation, among other factors.” These individuals could, in theory, be influenced over many years and could eventually be approached for espionage purposes, he adds.
How should companies react?
Experts who manage risk must understand the dynamic geopolitical environment. “The problem with TikTok is a systemic problem with software of all kinds coming from China,” says Dakota Cary. “Any company based there can be forced to collect and share data with the government, including TikTok.” One tip is to try to understand the rules that apply to Chinese companies. Another is to have an up-to-date register of company assets, knowing where the data is and how it is processed. “A complete accounting of company operations in China, the nature and storage of data, and the types of access available to China-based employees on company networks is essential for companies. that focus on high value-added goods and services,” says Cary.
Individuals should also limit their public persona as much as possible, knowing that anything they put on the internet may be accessible for national security purposes if not properly encrypted. This includes services that operate on US soil. “We are now at a point in the history of technology where sharing and making sense of massive amounts of data is possible,” said Matt Chiodi. “The consumerization of IT has meant that even nation states with limited resources can use the commercial services of cloud providers to conduct data scraping and analysis campaigns once reserved for the G7.”
Change of perspective on technology platforms
A list of recommendations can be helpful to experts managing risk, but what might be needed is a change of perspective. The Internet has changed profoundly in recent years, and no country controls all technological platforms. Today, more than half of Internet users come from Asia, and of the 20 most visited web addresses in the world, 12 are already Chinese. “The United States has grown accustomed to its unparalleled position in the online world, which makes it difficult to adapt to no longer controlling all technology platforms,” says Mikko Hyppönen, director of research at WithSecure (formerly F -Secure).
Europe, on the other hand, has lived in this reality for many years. “Our technological platforms and applications come from afar, and their authors have little interest in our wishes, our culture or our rules,” explains Mikko Hyppönen. “Going forward, this will be increasingly true for the United States.” The European Union has developed several rules to minimize this risk. For example, it requires companies to store European customer data on European soil, and it funds programs to combat misinformation and misinformation.
China, a rising online power
“Countries must require their consumer data to be stored locally, and service providers must obtain independent certification that out-of-country data transfers are not occurring or possible – both technically and from a people and process perspective,” says Chiodi.
According to Mikko Hyppönen, the concerns over TikTok are just a taste of what is about to happen. “China is a rising power online, and it’s just the beginning,” he says. “China’s gross domestic product is growing at a staggering rate. It will overtake the United States within a few years and overtake Europe soon after. This country is becoming the king of Texas (King oh the Hill)”.