For weeks, the Trump administration has hinted that it may ban TikTok, the Chinese social video app popular with Generation Z, touting concerns that the data it collects could go straight to China.
It's a concern that, while legitimate, comes with a certain amount of skepticism from cybersecurity veterans. For years, the U.S. has done little to force companies and even government agencies to protect Americans' personal data, which has already ended up in the hands of China’s hackers. And recent efforts from federal law enforcement officials to force companies to abandon encryption as a security measure have only weakened the U.S. government's standing on the topic.
“TikTok is a potential security menace, but banning TikTok hardly confronts the profound threat China poses to our national security, economy, and democracy,” said Sen. Richard Blumenthal, D-Conn., in an email.
“I have been dismayed by the Trump administration’s eagerness to buddy up to Beijing while Chinese hackers steal from American businesses, compromise consumer data, and launch political disinformation campaigns,” Blumenthal said.
TikTok's emergence as the target of concerns over data privacy comes after more than a decade of high-profile data breaches at U.S. companies that have been traced back to China. The U.S. has little legal mandate to force the companies that hold huge sets of Americans’ Social Security numbers, addresses and other sensitive information to a high security standard or to regulate the sale of that information. And when companies are breached, their finances rarely take a significant hit.
Michael Daniel, the cybersecurity adviser under President Barack Obama — a position Trump eliminated — said the U.S. needs a law regulating best practices for Americans’ personally identifiable information, or PII.
“We need to agree that if you were holding people's PII, that you are going to take certain steps to protect it, and you have certain obligation as a company to implement certain cybersecurity controls,” Daniel said in a phone interview.
“To me, that's the single most important thing that the government can do, is drive toward a nationwide privacy law and as part of that establish a standard of care for owners of PII. If you meet those standards, then you should gain liability protection," he added.
Cybersecurity experts widely agree that a country with advanced cyberabilities — which China has — will eventually break into a target if they want to badly enough. But in some cases, the companies holding American data have put up little resistance.
When Chinese military officers hacked Equifax in 2017, for example, they stole the Social Security numbers and other personal information of nearly 150 million Americans. Equifax’s neglect prompted widespread outrage in the cybersecurity industry, and the fallout resulted in some executive shuffling. But the company never faced serious sanctions for the breach, and its stock quickly recovered. The breach has gained notoriety in the cybersecurity community as something of an exemplar of how little is done about data breaches.
Equifax's hack was traced back to a well-known flaw in a commonly used web application that had gone unpatched. Neglect in patching is endemic in corporate America, said Tarah Wheeler, a cybersecurity fellow at the New America think tank.
“Patch management is the single biggest improvement most of corporate America can make in national security,” Wheeler said by text.
Historically, the market has done little to punish organizations that lost control of Americans’ PII data to China.
After China’s Ministry of State Security successfully hacked the health insurance company Anthem, stealing the personal records of nearly 80 million people, the company settled a class-action lawsuit for a then-record $115 million in 2017, most of which went toward credit monitoring for victims. The next year, Anthem’s revenue was $91.3 billion. By 2019, the company’s shares hit a record high.
The U.S. government has also had its own problem with breaches. After China spent years hacking of the U.S. Office of Personnel Management, stealing security clearance information on more than 21 million people, some government employees tried to sue the agency for violating their privacy. A judge dismissed their case after saying the Privacy Act only prohibited the agency from giving up users’ data willingly.
This kind of bulk personally identifiable information is particularly valuable to intelligence agencies. A former National Security Agency analyst, who spoke on the condition of anonymity because she wasn’t authorized to speak on the topic, said those kinds of massive data sets of personal information were of particularly high value for Chinese intelligence. Bulk data sets can be used with artificial intelligence capabilities to predict behavior, and it also gives China a baseline of information on potential targets.
“One, it's the combination of large-scale data analytics and the ability to build data science patterns,” she said. “And two, it’s the ability to build targeted spying, targeted collection on Americans of interest.”
But that doesn't mean TikTok is a particularly tempting target, Daniel said.
“The user base for TikTok skews young,” he said. “It's not that it has no intelligence value, but I would definitely say that other sources, like OPM or Anthem, would have more intelligence value.”
The most important data TikTok has available is likely metadata, particularly location data, that it tracks of people who carry the app on their phones.
But that kind of information is widely trafficked already by third data brokers — which are significantly regulated in Europe, and by some states’ laws, but not by federal U.S. law.
“To be honest, there are other more legal ways of getting large amounts of PII that the Chinese government has access just like corporations do,” the former NSA analyst said.
Efforts to create new legislation around data privacy have also faltered. The Government Accountability Office, the federal nonprofit watchdog, has been clamoring for consumer privacy laws since early in the Obama administration. But the Trump White House missed a golden opportunity in 2018, in the wake of the Cambridge Analytica scandal, to shepherd competing bills with support from both parties, said Amie Stepanovich, a cybersecurity and privacy law expert at the University of Colorado Boulder.
“The administration never formulated a policy on data protection or data privacy law,” she said. “At a time when there was bipartisan support to pass such law, there was no voice in the administration to support that effort to move it forward.”
While little has been done to make the companies that hold sensitive data more secure, efforts to limit their use of encryption have grown.
Attorney General William Barr and FBI Director Christopher Wrayhave each given recent speeches that singled out and condemned China’s track record of hacking to steal American data. But the two are also the administration’s loudest voices condemning end-to-end encryption, which protects data from being intercepted as it crosses from one device to another.
Cybersecurity experts have long warned against mandates to weaken encryption, arguing that any “backdoor” created in a device’s security is a hole that malicious governments or criminals could exploit.
Stepanovich warned that any such backdoor would also be an opening for China.
“They're going after encryption and potentially other business practices that help secure data and ensure people are protected from bad actors,” Stepanovich said.
Kevin Collier is a cybersecurity reporter based in New York City.