Conversations in Cybersecurity: Foreign Surveillance in America

You’ve seen it in the news. You’ve heard it from your politicians. You’ve listened to your family talk about it at the dinner table. But how much do you really know about Chinese social media applications? And what sorts of risks do foreign apps really pose to people like you and me? Is it possible that our policies about privacy and cybersecurity need to recognize the threats we face from foreign adversaries? Or is it all just a bunch of fake news?

To answer these questions, I needed to talk to someone I could rely on to speak about the topic with a mastery of the technical ins and outs. Naturally, I reached out to my friend Ray Duran, who currently serves as the lead Mac Cybersecurity Engineer at NASA’s Jet Propulsion Laboratory where he has been for the past 7 years. In his time with JPL, Ray has worked on contracts with Raytheon, Lockheed Martin, and Leidos. Before that, he spent 5 years at Apple. Currently, Ray also serves as Chief Technical Officer for a technology startup called The Sulfur Group in Los Angeles, California. He is an expert by any definition of the term. So, I sat down with him to get some in-depth questions answered about the risks that foreign social media applications pose to us. Today’s question:

Do Chinese and Russian social media apps, like TikTok, pose a greater threat to consumer privacy than American apps?

“There is absolutely a problem with Chinese social media applications.” As Ray explains, despite the level of protections we offer in the United States, the Chinese legal system offers little protection to individuals. In contrast with our views on privacy, Chinese companies are required by their state laws to share information with their government. “This puts everyone from children to our military personnel, all who use the Chinese-owned TikTok app at risk. It ultimately turns each device into a surveillance tool for the Chinese government,” says Ray.

Famously, China and Russia are heavily invested in surveillance, and continue to engage in active and passive counterintelligence actions. “Both state and criminal organizations in both countries understand the effectiveness of social media apps to sway the citizens of other countries. This translates into money, control and power.” Naturally, when social media platforms are, by law, so closely tied to their governments, the data those platforms can access is equally accessible to their governments. Recent reports show that China and Russia have even been coordinating on foreign investments to prevent interference with one another, “indicating a potentially much larger intelligence strategy.”

This makes me curious, because if you follow this issue in the news, you will see that a lot of the support for TikTok comes from people who say that these applications are being targeted because they are Chinese. But that raises the question: is there a difference between Chinese applications and applications that are created in America? The answer is yes.

One of the first things to remember is that when American companies collect data in private enterprise, it is often just for the purposes of advertising or shared service enablement. But countries like China and Russia utilize collected data for counterintelligence and government related purposes.

As Ray explains, China is a country with a government known to employ spies, agents provocateurs, and “state-funded programmers (black-hat hackers really) to ensure every bit of technology being exported has some back door or reporting tool that links right back to the government.” Intentional back doors have a habit of being discovered, thus increasing the odds that another government like Russia or Iran will eventually discover and exploit those very same back doors. “What’s the only way to prevent unwarranted access into a back door? Don’t create one in the first place.”

Now considering all of this, how do we protect ourselves?

“From a national security perspective, it would be wise to at least quarantine applications that show a strong tie to government-controlled state entities, and administer a stronger protocol and scrutiny before allowing the application or hardware to be placed in the hands of our people.” Huawei, for example, has been designated as a telecom hardware company that is essentially an arm of the Chinese military. Developing a framework that puts foreign-controlled software (and hardware) through a more vigorous check would be one way to control some of this without outright banning foreign companies.

“A great example of such a process, already in place with our government is the FAA’s requirements for airline ownership. Entities that are more than 49% foreign owned may not fly commercial interstate flights, greatly for the benefit and safety of our people and national security interests.”

“From a business perspective, however, it is diplomatic to ensure any participation in using apps with such dubious ties be properly isolated from internal company technology.” The saying that “good fences make good neighbors” applies here. As Ray describes, “your company needs to use high levels of data hygiene to ensure any and all social media apps operate on devices that have no direct connection to any internal company databases. This would enable a secondary wall or moat around foreign applications gaining access to our company and business data.”

Ray goes on, “An additional consideration would be to examine the relationship we have with a country like China that bans our social media apps, while exploiting the graciousness of our American system, which allows foreign companies to operate in this great state. The concept of reciprocity is an important one, both in foreign affairs and in business.”

Last question, how do we protect our children from foreign surveillance?

American and European hardware and software developers, including social media companies, provide robust privacy controls and parental protection to their consumers. These are developed by companies we know and trust to be accountable to our standards. Understanding how to use these controls can go a long way to protecting your children online. Here are a few additional pointers:

Ensure that parental controls are enabled on your child’s device as a whole. This will allow you to review the permissions and settings inside of the device such as location services and other app connections. It should be treated like a driver’s license. Only a certain maturity should be allowed access.

Don’t forget to check! Periodically check in with your child and/or their device to see that there has been no cyberbullying, inappropriate behavior, or explicit content, including hashtags. Making your child’s account “private,” so that it is not visible to the general public, is a recommended option that still allows them to use the app while keeping their profile out of public view.

Last but not least, sit down with your child and talk to them about being safe on the internet. The more they understand the risks, the better they can protect themselves. It’s a great way for parents to actually learn about the ins and outs of these apps also and become more aware of what’s at risk.

Shoeb Mohammed, Policy Advocate