Beyond TikTok: Preparing for Future Digital Threats
By the end of September, the American social media landscape will undergo a profound transformation, and we cannot yet map this new terrain. President Donald Trump’s executive orders targeting Chinese-owned social media platform TikTok and messaging and payments app WeChat are aimed at confronting China’s tech enabled illiberalism. This is a worthy goal, but his fitful approach undermines this objective.
Instead, the U.S. government should articulate and adhere to a country-neutral framework that looks beyond TikTok, understanding that actions today might (and ought to) set precedents for tomorrow. While Chinese platforms like TikTok currently present the most pressing use cases, they are only the preface to a much longer plot. Without a smarter approach, American policy will fail to successfully confront fast-growing, foreign-owned digital platforms with systemic data and information security vulnerabilities. Prior to any future executive orders aimed at Chinese companies, the president — with input from the secretaries of state, commerce, and Treasury — should articulate a set of principles-based criterion for this framework. This would help strengthen Washington’s broader efforts to offer an alternative to Beijing’s authoritarian, self-serving vision for the future of the internet.
What’s the Deal with TikTok?
TikTok has earned Washington’s scrutiny. American policymakers on both sides of the aisle are justifiably disturbed by its data security risks and Communist Party of China-influenced information control and censorship. TikTok’s parent company ByteDance’s vulnerability to Beijing’s cybersecurity and intelligence laws reifies fears of Chinese party-state leverage over companies — and the individuals within them — with admitted access to data collected from U.S. citizens. This consists of American consumer data collected by TikTok when they use the app. For instance, ByteDance could possibly obtain a teen TikTok user in Idaho’s internet protocol address, GPS location, posted content, images, contacts, keystroke rhythms, other personally identifiable information, and — as of November 2019 — even the unalterable “media access control” address unique to a device. Further, early concerns over TikTok as a vector for Beijing-sponsored disinformation or interference in U.S. domestic politics will be field-tested this election cycle.
A Response in Search of a Strategy
Until now, the federal government’s approach to digital threats from foreign-owned platforms appeared less forward-leaning and more diffuse. Interagency bodies like the Committee on Foreign Investment in the United States and bipartisan legislators drove much of the action, including the forced sale of the dating app Grindr by the Beijing Kunlun Group, a national security review of ByteDance, and an investigation into the Russian-owned platform FaceApp. Yet in one week, the Trump administration mobilized to issue two executive orders targeting foreign-owned platforms and to update the State Department’s “Clean Network” initiative, signaling a more aggressive, top-down posture.
The doling out of executive orders piecemeal — company-by-company and as the threat arises — will be more difficult to defend going forward. A response that appears provisional obscures what should be a clear message to authoritarian regimes, particularly China, that the United States will continue to hold them accountable for malign digital practices. Any perception of an artificially accelerated approach motivated by the upcoming presidential election undercuts this message. Further, issuing broad, widely scoped directives also increases uncertainty among U.S. consumers and tech companies. As recently as late July, it was not obvious whether the Trump administration would allow the platform to continue operating in the United States under Chinese ownership, push the platform into the arms of a U.S. buyer, or ban TikTok from operating in the United States altogether. In the case of WeChat, the executive action as written may engender more questions than it answers. For instance, what of WeChat parent company TenCent’s holdings in American companies like Spotify? A lack of clarity launches U.S. consumers and companies into a state of uncertainty when policymaker actions should instead clearly redress the imbalance in the U.S. tech relationship with China.
Setting precedent for the future requires more than improvisation. TikTok’s meteoric growth suggests that more popular foreign-owned apps with analogous security concerns could be right around the corner. Trump telegraphed as much by teasing future executive action against Chinese technology company Alibaba, the owner of payment app Alipay, in mid-August. The government’s experience and actions with TikTok, however, feature nearly all of the essential factors it will likely confront in future cases: a platform’s overall security, data collection practices, target consumers, popularity, and home jurisdiction.
Finding the Right Framework
Regardless of TikTok’s ultimate fate, the U.S. government would be wise to prepare for future threats to the security, integrity, and reliability of the American social media landscape — from an array of actors and in a more disciplined fashion. To this end, the U.S. government should craft, publicize, and enforce a risk framework for foreign-owned platforms and apps seeking to operate within the U.S. marketplace. This framework ought to be led by the State Department and include participation from the Treasury Department, Commerce Department, and especially the National Institute of Standards and Technology — an agency and federal lab under the Commerce Department devoted to enhancing U.S. industrial competitiveness. As a starting point, the framework should account for an app’s parent company and the legal atmosphere of its home jurisdiction (e.g., to avoid Beijing’s rule by law approach or Moscow’s iron fist). It should encompass the type of user data the app collects, the size of the app’s American userbase and the scale of its growth, and the overall security of the platform. This framework could then point to specific policy actions — a ruleset — tailored to whether a foreign-owned app does or does not meet certain criterion, with the objective of protecting American users’ privacy and security from foreign intrusion and exploitation.
The executive branch should also be prepared to articulate these threats, along with future challenges, and justify its response. It should communicate to multiple audiences at home that these actions do not seek to punish technological advancements by any one state. The Chinese diaspora dependent on WeChat for connections to loved ones and dubious U.S. consumers deserve persuading. TikTok teens are part of the body politic, too. A risk-based framework would also lend less oxygen to Beijing’s propaganda attempts to mischaracterize American executive actions as haphazardly punitive or xenophobic. Rather, the executive branch should clearly state that its policies address the risks themselves and confront decades of unscrupulous practices encouraged by Beijing. These measures are meant to catalyze technology companies and U.S. consumers to break with the bad habits of the last two decades.
By the end of September, one of two outcomes will likely take place: TikTok’s U.S., Canadian, Australian, and New Zealand operations will be purchased by an American company, or the app will be banned from operating in the United States. In either case, the United States will still need a clear, sustainable approach and framework to address similar challenges in the future and help rally likeminded countries to an alternative vision for digital freedom. The window to do so is closing. Given the rapid growth of one popular Chinese-owned app with profound security vulnerabilities, a more pernicious version of TikTok may already be on the way.
Kara Frederick is a fellow for the Technology and National Security Program at the Center for a New American Security (CNAS).
Chris Estep is the communications specialist at CNAS.
Megan Lamberth is a research assistant for the CNAS Technology and National Security Program.
Image: Pixabay (Photo by Antonbe)