Technological Ignorance - Weaponizing Xenophobia
Tortured Political Theatrics and Montana’s TikTok Ban
Visit the Evidence Files Facebook and YouTube pages; Like, Follow, Subscribe or Share!
Montana became the first US state to ban downloads of the TikTok app and in-state operation of the company on May 17 of this year (effective January 1, 2024). Republican governor Greg Gianforte applauded his signing of the law stating in a press release, “The Chinese Communist Party using TikTok to spy on Americans, violate their privacy, and collect their personal, private, and sensitive information is well-documented.”
Montana Attorney General Austin Knudsen called the law “a critical step to ensuring we are protecting Montanans’ privacy.” Kaitlin Price, the press secretary for Gianforte, emailed, “While the Chinese Communist Party may try to hide their nefarious spying and collection of individuals' personal, private, sensitive information under the banner of our First Amendment, the governor has an obligation to protect Montanans and their individual privacy right, as guaranteed by the Montana Constitution, from the Chinese Communist Party's serious, grave threats." Joel Thayer, president of the Digital Progress Institute and a Washington-based telecom, attorney, and contributor to the Federalist Society, testified in support of the bill and later wrote, “Banning the app is… an absolute necessity if we want to prohibit the Chinese government from spying on us.” Senator Shelley Vance, a co-sponsor of the bill, claimed, “We know that beyond a doubt that TikTok's parent company ByteDance is operating as a surveillance arm of the Chinese Communist Party and gathers information about Americans against their will.”
It all sounds good if you’re concerned about Chinese spying.
The Montana legislature is not the only government body to show concern about TikTok. Of primary issue is that the parent company of TikTok, Bytedance, sits in China and could presumably share all kinds of private data of TikTok users with the government there. During a congressional hearing in March, US officials grilled TikTok CEO Shou Zi Chew—who was born and raised in Singapore and is not a citizen of China—about TikTok’s data collection practices. (A video of the whole hearing is available here). The hearing hinted more at performance for the cameras, and less to find actual answers to intelligent questions. Representatives hardly allowed Chew to respond, and often asked complicated questions while demanding yes or no answers. None asked questions based on any any concrete evidence, and some asked questions that indicated complete ignorance. Others simply engaged in rhetorical nonsense that was unhelpful by any standard.
Republican Representative Cathy McMorris Rodgers of Washington started out the hearing by saying, “[we] do not trust that TikTok will ever embrace American values.” Having sat in many suspect interviews, I can tell you it is rarely productive to start by intimating to the interviewee that you will not believe whatever they say. Moreover, if Chew and his company really are in cahoots with a geopolitical opponent, accusing them of failing to “embrace American values” may not resonate the way this representative hoped it would given the US government’s very public history of spying on its own citizens and allies, let alone adversaries. Moreover, a report was just released by the Office of the Director of National Intelligence indicating the US government “persistently” tracks “millions of Americans” phones without a warrant, and buys massive of amounts of other data on American citizens in contravention of constitutional rights.
Republican Representative Kat Cammack played a video indicating an apparent threat of violence against the committee, claiming “You damn well know that you cannot protect the data and security of this committee or the 150 million users of your app because it is an extension of the CCP.” This rings hollow given Cammack’s attempt to characterize requests to remove threats of violence from other social media sites as government overreach or intimidation during the so-called “Select Subcommittee on the Weaponization of the Federal Government” hearings, an equally farcical use of taxpayer dollars. Moreover, calling TikTok an “extension of the CCP” smacks of cheap rhetoric without providing evidence, which she did not.
Democratic Representative Frank Pallone stated that the CCP can compel TikTok through legal process to share data with the government. It seems the Chinese could fairly make the same argument of the US government.
Democratic Representative Anna Eshoo stated, “I’m one that doesn’t believe that there really is a private sector in China.” She also pointed to laws compelling businesses in China to turn over data on demand of the government. Again, the Chinese could make this same argument about demands for information by US government entities. Her statement about China’s private sector is particularly stunning given the vast number of other Chinese companies doing business in the US who, themselves, surely have troves of data about Americans, not to mention the many American companies doing business in China. She did not complain about them.
Republican Bob Latta focused on whether TikTok was committed to moderating harmful content, which was largely irrelevant to the stated purpose of the hearing. He claimed that TikTok was a primary reason Congress should consider reducing or eliminating protections under Section 230—which is the law that holds internet platforms harmless for 3rd party content posted on their sites. This same representative found Section 230 protections “concerning” when social media companies removed Donald Trump’s accounts for his routine violations of moderation rules and what was deemed misinformation, hate, and pro-violence speech. So here, Latta wants to eliminate protections for social media with dangerous content. When it is politically expedient, however, he objects to companies who remove such content.
Possibly the most ridiculous question was asked by Richard Hudson, a Republican out of North Carolina, who queried if TikTok can access the user’s home WiFi network. When Chew replied, yes (of course—it’s a mobile application), Hudson sputtered off the topic and onto something else. He was apparently trying to imply that TikTok (or by “extension” the CCP) could somehow hijack American home WiFi networks, but it seems probable he had no idea how this would work, did not prepare in advance to offer even vague suggestions about it, and thus ignominiously transitioned to another point.
Notwithstanding the grandstanding and intellectually bankrupt questioning at the TikTok Congressional hearing, the event remains pointless, just as the Montana law does. They are both examples of political theatrics driven by ideological concerns and made to convince their constituents that they are doing real legislative work on digital issues. (They are not). The hearing and the Montana law blatantly fail to apprehend the digital world that exists now. Lawmakers’ self-exposed ignorance showed that they have little interest in understanding real problems or learning how to solve them.
First, there is the question of data-vacuuming ending up in the hands of the Chinese Communist Party (CCP). Long before these hearings, it was publicly reported that China has been collecting data on foreign journalists and academics since at least 2020 from Facebook and Twitter. Twitter spokesperson Katie Rosborough told the Washington Post in December of 2021, that Twitter “prohibit[s] use of our API for surveillance purposes, as per our developer policy and terms.” If the implication is that foreign spy services will not violate a social media company’s terms of service, it is hardly a compelling defense. Moreover, Twitter’s former security chief Peiter “Mudge” Zatko told the US Senate Judiciary Committee in September of 2022 that “Twitter was too dependent upon the revenue stream [from China] at this point to do anything other than attempt to increase it.” Since Elon Musk’s inglorious takeover of Twitter, the situation has only worsened with the resignation of two of its security executives and a raft of other dismissals or exits. Musk’s purchase of the platform sparked the same types of concerns that have arisen about TikTok, in particular because the majority of Musk’s wealth is tied to Chinese financing and markets related to Tesla. Just this past month, Musk made a trip to China about which he largely kept quiet. And as several representatives pointed out the dangerous content on TikTok, Twitter has been flooded with it since Musk’s acquisition, yet Twitter remains unbanned.
2017 - Musk and Chinese Vice Premier Wang Yang; Source: Xinhua News
In 2018, Facebook publicly admitted that it had data sharing agreements with several Chinese companies, including the controversial Huawei Technologies. In fact, in November 2022, the Biden administration banned future imports of telecommunications equipment made by Huawei based on security concerns. Early in 2023, one Republican and one Democrat Senator together sent a letter to Meta/Facebook stating,
It appears from these documents that Facebook has known, since at least September 2018, that hundreds of thousands of developers in countries Facebook characterized as 'high-risk,' including the People’s Republic of China (PRC), had access to significant amounts of sensitive user data.
In April of this year, Facebook settled for over USD $725 million a case in which it was accused of illegally sharing user data with a data analytics firm that worked with the Trump campaign. That same company, Cambridge Analytica, announced in 2017, the year before its Facebook scandal broke, that it was “setting up” in China. Facebook has not been banned.
In 2019, researchers uncovered the monitoring by the CCP of at least 19 million people outside of China using WeChat, many of them Americans. Data included message content and GPS data. Tencent, the parent company of WeChat, built upon its algorithm to identify words and phrases it sought to block, and to create a system to sweep up all kinds of other information. Chinese intelligence services, according to the researchers, could monitor this data through an apparatus similar to what the US NSA was exposed for incorporating in 2005. The Trump administration did attempt to ban both TikTok and WeChat, but neither were ever enforced and both were revoked when Trump left office. The primary reason is that the Trump administration did not offer any actual evidence supporting its ban. As such, at least two federal courts found the ban to be an “arbitrary and capricious” decision. In both cases, no one had uncovered evidence that these platforms were giving the information directly to the CCP. Or, if they did uncover such evidence, the Trump administration did not offer it when compelled by the courts to defend its ban. An arbitrary and capricious decision by a governmental body is “a decision without reasonable grounds or adequate consideration of the circumstances… [and therefore is] an abuse of discretion or otherwise not in accordance with law.” As virtually every application today monitors users and collects their data, singling out two without further evidence of malfeasance is arbitrary and capricious according to the courts.
Discussion of these social media entities ignores the vast amounts of data that goes to China through other means, such as online purchases. Retail outlets selling goods online are not required by law to inform purchasers of their products’ country of origin. And the pipeline to Chinese products for American consumers is growing fast. SEKO Logistics noted an increase of 225% of direct imports from China to American consumers following COVID. Many of these items are promoted on YouTube. American purchasers enter all kinds of information in online retail forums, including bank accounts, addresses, and other personally identifying information. Furthermore, Chinese companies have rapidly bought-up companies across the globe and taken over their businesses. Many of these include American companies, such as Ingram Micro in 2016, which also surely possess huge amounts of Americans’ information. (Ingram Micro was later acquired by an American Investment group in 2020). Even Americans’ DNA has been bought by Chinese companies. If Representative Anna Eshoo’s comments about the lack of a private sector in China were sincere, Congress should view this as an equally serious problem. Yet, it has made no sober inquiry into the issue, nor banned anyone on the premise. (Note: the ban of Huawei is based on hardware, not data collection specifically).
Which brings us back to the Montana law. The alleged basis for the law—Chinese spying through data collection allegedly provided by TikTok—has not been proved by anyone. (One former ByteDance employee has come forward claiming he “saw” some kind of CCP spying happen, but as of this writing has provided no proof). The best the FBI has come up with so far is merely to say that the Chinese government “could” potentially use the app to control user devices or influence users. As James Lewis, an information security expert at the Center for Strategic and International Studies, has said, “It’s not that we know TikTok has done something, it’s that distrust of China and awareness of Chinese espionage has increased.” Rob Joyce, the National Security Agency’s director of cybersecurity, also could not directly implicate TikTok or China in any specific act of espionage. Joyce told reporters, “People are always looking for the smoking gun in these technologies... I characterize it much more as a loaded gun.” Even the so-called “damning report” released in December 2022 in which ByteDance confirmed that four employees gathered data from two TikTok accounts belonging to US journalists was unavailing. Compare this act to the 50,000 people—many journalists and activists—targeted on Facebook and Instagram. No one is prohibiting those platforms. The Montana law is banning one company that happens to be a convenient target in today’s political climate with no factual evidence to support its alleged purpose.
That is because the purported purpose does not align with what appears to be the actual purpose.
Montana Attorney General Austin Knudsen, who drafted the law, stated publicly that he and legislators considered drafting the ban based on “complaints from parents about TikTok content referring to drugs, suicide or pornography.” This does not sound like the real reason had much—if anything—to do with Chinese spying. Furthermore, these alleged complaints seem to be part of a conspiracy much closer to home. Meta/Facebook hired a consulting firm called Targeted Victory, otherwise known as the “the GOP’s go-to technology consultant firm,” to specifically flood Republican Attorneys General with supposed parental complaints about TikTok content. It’s unclear if the complaints were real or fake. Many have alleged, and Meta has not explicitly denied, that its intent was to essentially harm its rival. A Meta spokesman defended the hiring stating, “We believe all platforms, including TikTok, should face a level of scrutiny consistent with their growing success.” The italicized phrase (my emphasis) seemingly confirms the allegations of Meta’s intent. Attorney General Knudsen’s office opened an investigation into TikTok shortly after the consulting company’s campaign, which was all about content, with only a single sentence devoted to Chinese spying. It seems unlikely that Knudsen was fooled by Facebook’s campaign to sabotage TikTok, and instead that he seized an opportunity to advance a previously held agenda.
The timeline and nature of Knudsen’s conduct gives strength to the argument that the law he drafted and Montana later passed is a violation of the 1st amendment of the US Constitution. Knudsen’s statements directly contradict Joel Thayer’s constitutional defense of the law, who himself has also complained about content on TikTok before. Thus, the avowed foundation of the law most certainly relates to content and not to Chinese spying. The law’s preamble itself illustrates the real reasoning behind it, noting that TikTok has “failed to remove” certain content including:
throwing objects at moving automobiles, taking excessive amounts of medication, lighting a mirror on fire and then attempting to extinguish it using only one's body parts, inducing unconsciousness through oxygen deprivation, cooking chicken in NyQuil, pouring hot wax on a user's face, attempting to break an unsuspecting passerby's skull by tripping him or her into landing face first into a hard surface, placing metal objects in electrical outlets, swerving cars at high rates of speed, smearing human feces on toddlers, licking doorknobs and toilet seats to place oneself at risk of contracting coronavirus, attempting to climb stacks of milkcrates, shooting passersby with air rifles, loosening lug nuts on vehicles, and stealing utilities from public places.
In other words, the preamble’s verbiage, in addition to the comments of the bills’ author, legislative voters, and supporters clearly indicate that this is about censorship veiled under the pretense of vaguely alleged Chinese espionage. In a normal world where the Supreme Court actually issued holdings based on the law it would almost certainly be unconstitutional.
Even if one were to suspend disbelief and accept the Chinese spying argument, Montana’s governor, legislature, and attorney general nonetheless do not seem to understand how the internet works. Many experts call the law “technically incompetent.” Digital data does not care about arbitrary political boundaries like state lines. This was noted before the bill’s passage in an amendment that removed telecoms from any culpability under the bill. Why? Because the US telecommunication infrastructure does not “see” state lines. People living on the borders of Canada or Mexico can readily attest to this as they have likely received notifications welcoming them to those countries on their phones from time to time. For telecoms to establish boundaries on internet or cellular use from state to state would require employing extraordinary surveillance tactics to positively identify the location and activity of user devices.
Internet Protocol addresses (IPs) are also not organized by state. The first sections of an IP address indicate the network the user is on, which itself is not delimited by state boundaries. The latter sections do allow the Internet Service Provider (ISP) to identify the location of the request, but this does not necessarily positively identify the user’s physical location. To demand that the ISP enforce the law by preventing Montana users from downloading or updating TikTok, it would have to do several invasive things. First, it would have to flag the specific address requests not just to the Google or Apple stores, but to the TikTok-related pages. It is not clear if the ISP has this level of granular detail on those platforms, or if Google or Apple would allow it access to it. Then, the ISP would have to run that traffic against its customer database to confirm that the request came from a service address within the state of Montana. Even if the ISP chose to do all of this, users could easily evade such scrutiny.
Unsurprisingly, Montana lawmakers have no answers for the inevitable event of users simply bypassing the restriction through technologies such as VPNs or Proxy Servers. When legislators were asked about users doing this, the answer was crickets. As Evan Greer, director of consumer advocacy group Fight for the Future, noted “Any teenage anime fan or British TV aficionado can tell you how to circumvent such a silly ban using a VPN.” Many Montanans will likely resort to free VPNs, which themselves are often an elevated security risk.
Google and Apple stores likewise do not “geofence” products based on the states in which they are available. Lawmakers knew that before passing the bill as well. Without national- or state-instituted firewalls or other censorial apparatus, the two tech companies would have to begin their own surveillance regime to thwart users from downloading or using the app specifically from Montana. As an example, for users who keep their location data off by default, would they accept Google or Apple forcibly turning it back on should they attempt to download or update TikTok in order for those companies to confirm their whereabouts? Employing a tactic like this would, in many circumstances, cause significant disruption (if, for example, a state were to ban other apps or services). Living in border areas of states with different laws would cause chaos for users in both states, and collecting more detailed data from users in both would be necessary to enforce the laws of the requisite state. Tech companies scoop up a ton of information already. Demanding that they do more hardly seems to protect user data as supporters of the law contend is their motivation.
Users who have already downloaded the app or who do so after the ban while out of state will run into another vulnerability caused by the law. Because the law does not require users to delete the app if they already have it, they will almost certainly continue to use it. Unfortunately, without access to it via the Google or Apple stores, they will not receive updates and security patches that would normally occur automatically. If an attacker finds an exploit in any versions of the TikTok app, they can simply target Montana users who will not have the available fix for the vulnerability to steal data or money (including Chinese spies, if they choose to). Attackers can specifically target Montana users simply by trolling their social media to find people who locate themselves there. Rest assured that the dark web will contain lists of Montana users of outdated TikTok apps before long. Undoubtedly, this will be a sufficient pool to satisfy their malevolent intent.
Because the telecoms successfully lobbied for removal of their culpability from the Montana law, but Google and Apple were not excluded, this further suggests that this law merely targeted “Big Tech” on content and political posturing rather than the flimsy national security argument. The Republican party has generally had an ongoing feud with Big Tech based on its false protestations about censorship of “conservative” political views—as opposed to the actual violent rhetoric and misinformation many from their camp tend to post. The law in Montana seems to be little more than an attempted escalation of that feud. In fact, only a single Democrat voted “Yes” for the TikTok ban in the Montana House of Representatives.
Montana’s government and the US Congress have partaken in a crusade against TikTok based almost totally on ideological agendas and China-targeted xenophobia. While there may be a security risk to using TikTok, the same is true for every single other online application, website, or program. Banning the use of these and any other security vulnerabilities on government devices makes sense, while banning them for the public does not. In Montana, the purpose seems to be to ride the anti-China rhetoric to impose rules built on an ideological agenda. The law does nothing for data security, or for the security of individual users. If anything, it is more harmful. Arguments about Chinese spying are little more than a “scary” deflection to forcibly implement a clearly unconstitutional law. In the US Congress, the issue seems to have more to do with complete incompetence about technology, and an unwillingness to face up against the true abuses of Big Tech.
The US Congress approval ratings, 2023. Source: Statista
The US Congress’s public approval rating is so low that a restaurant that suffered a Shigella outbreak, still receives better ratings. Engaging in theatrical performances like the TikTok hearing, does little to assuage nervous consumers and does even less to address real problems with Big Tech. If Congress was a serious deliberative body, it would engage with the vast theft of intellectual property by companies releasing language learning models, misuse of user data by companies against their own terms and conditions, sale of user data without the knowledge or true consent of users, the condoning or even encouraging of violent speech on social media platforms, theft of data through automobile computer systems, manipulation of the stock market through social media, and so many others. Legislators in the EU are making an embarrassment out of the US Congress by passing laws with actual teeth that address real problems facing users there. Data law in Europe is so effective that Sam Altman, CEO of OpenAI, has threatened to pull ChatGPT out of the EU if it continues on its regulatory path. The EU should accept the threat as a badge of honor.
Meanwhile, Biden administration and Congressional officials dodder over concerns about “falling behind” in the tech industry should they regulate these deeply flawed systems and companies. They sit back and do nothing while unregulated tech creates problems across a variety of sectors of society. (*It is true that Congress passed an antitrust bill in December of 2022, but it has had little demonstrative effect, and a Big Tech lobbyist posing as a Congressman has been named as the frontrunner to oversee that law’s implementation). Worry of “stifling innovation” is foolish; strong evidence suggests that the US is continuously falling behind in scientific and technical output globally without any serious regulation. This will only be exacerbated by the failure to confront the corruption in Silicon Valley, and the heightening assault on educational institutions in the US driven by anti-intellectual politics. Attention needs to be paid to making education more affordable and accessible to more Americans if the worry truly is about falling behind. On tech specifically, legislation will need to prioritize the protection of users, including the strict regulation of how tech companies collect and use data, and the way Silicon Valley companies all but inhibit innovation. On those issues, the US is already far, far behind.
update 6/15/2023: There is a stronger case to focus attention on companies doing business in the USA that are solely based in China. IPVM reports on the issue of Chinese law that forbids China-based companies from sharing even basic data with foreign courts. Specifically, the law to which it refers is its new Data Security Law (DSL): Order of the President of the People's Republic of China; No. 84, enacted June 10, 2021. The law states in pertinent parts:
Article 2: This Law shall apply to data processing activities and security supervision and regulation of such activities within the territory of the People’s Republic of China.
Where data processing outside the territory of People’s Republic of China harms the national security, public interests, or the lawful rights and interests of individuals or organizations of the People’s Republic of China, legal liability shall be investigated in accordance with the law.
The definition of data is very broad, encompassing essentially any business record, whether in electronic or other format. In the event a business is compelled to share data by a court outside of China, article 36 applies.
Article 36: The competent authorities of the People’s Republic of China shall handle requests for data made by foreign judicial or law enforcement authorities, in accordance with the relevant laws and international treaties or agreements concluded or acceded to by the People’s Republic of China, or in accordance with the principles of equality and reciprocity. Without the approval of the competent authorities of the People’s Republic of China, organizations or individuals in the People’s Republic of China shall not provide data stored within the territory of the People’s Republic of China to any overseas judicial or law enforcement body.
Note that judicial or law enforcement requests must be “handled” and “approved” by PRC authorities. Several US courts have noted that the regulation remains vague in that it does not describe what kinds of data would be covered under article 2. It seems no court has specifically addressed how to contend with failures to disclose information by invoking China’s DSL. One federal court in California, however, noted that the burden imposed by the law does provide at least one factor to consider regarding the responsibility placed on a defendant/respondent to turn over data.
Implementation and enforcement of the DSL remains in flux. No one knows yet whether Chinese authorities will regularly comply with data requests, or whether they will selectively protect preferred litigants. Some are concerned all data requests will simply be denied. Since it is unknown how this law will be managed by Chinese authorities, it is hard to say how it will effect civil or criminal litigation in the United States. Nevertheless, it indicates a much more serious imposition on the legal system in the United States than does the so-far petty concerns expressed in the debates and legislation over TikTok. How will US authorities regulate and control counterfeiting, fraud, breach of contract, or other legal issues if any company based in China must abide by the DSL thereby enabling them to deny discovery or ignore legitimate judicial or law enforcement requests?
***
I am a Certified Forensic Computer Examiner, Certified Crime Analyst, Certified Fraud Examiner, and Certified Financial Crimes Investigator with a Juris Doctor and a Master’s degree in history. I spent 10 years working in the New York State Division of Criminal Justice as Senior Analyst and Investigator. Today, I teach Cybersecurity, Ethical Hacking, and Digital Forensics at Softwarica College of IT and E-Commerce in Nepal. In addition, I offer training on Financial Crime Prevention and Investigation. I am also Vice President of Digi Technology in Nepal, for which I have also created its sister company in the USA, Digi Technology America, LLC. We provide technology solutions for businesses or individuals, including cybersecurity, all across the globe. I was a firefighter before I joined law enforcement and now I currently run a non-profit that uses mobile applications and other technologies to create Early Alert Systems for natural disasters for people living in remote or poor areas.
Find more about me on Instagram, Facebook, LinkedIn, or Mastodon. Or visit my EALS Global Foundation’s webpage page here.
For articles on how Artificial Intelligence is harmful in its current form, or for information on how Biometrics can be used to permanently sacrifice your security, see below.
