Forget TikTok. Feebly Secured Infrastructure Is Our Real Problem
One of the dumber aspects of press coverage of the TikTok kerfuffle is the lack of broader context. How, exactly, does banning a Chinese-owned teen dancing app solve our security and privacy headaches in a world where apps and services everywhere are collecting most of the same data, if not more? And why the myopic focus on just TikTok when Americans attach millions of totally unsecured Chinese-made "smart" IoT devices to their home and business networks with reckless abandon? If you're going to freak out about U.S. consumer privacy and internet security -- why not focus on actually shoring up overall U.S. consumer privacy and security?
Many press outlets and analysts have innately bought into the idea that banning TikTok somehow seriously thwarts the Chinese government's spying efforts. In reality, China's spying capabilities, fueled by an unlimited budget, have no shortage of other potential ways to get far more data thanks to the United States' lax privacy and security standards. Case in point, last week in the midst of TikTok hysteria, a report quietly emerged showing that the U.S. satellite communications networks have the security of damp cardboard:
"More than a decade has passed since researchers demonstrated serious privacy and security holes in satellite-based Internet services. The weaknesses allowed attackers to snoop on and sometimes tamper with data received by millions of users thousands of miles away. You might expect that in 2020 -- as satellite Internet has grown more popular -- providers would have fixed those shortcomings, but you'd be wrong."
The security researcher in question showcased how it wasn't particularly difficult to hack into these satellite networks to observe all manner of online activity, from airliners receiving unencrypted navigation data in flight, to utility administrators managing wind turbines. Many of these vulnerabilities have been known about for fifteen years yet still haven't been fixed:
"There are still many satellite Internet services operating today which are vulnerable to their [the previous researchers'] exact attacks and methods -- despite these attacks having been public knowledge for more than 15 years at this point," Pavur told me ahead of Wednesday's talk. "We also found that some newer types of satellite broadband had issues with eavesdropping vulnerabilities as well."
Which is all to say: if you're going to freak out about TikTok, why not at least spend some of those calories discussing actually trying to fix our broader cybersecurity and privacy problems? Why not create systems that are simply resilient, transparent, and accountable by design?
The U.S. still doesn't have even a basic privacy law for the internet era, companies routinely face no serious penalty for privacy missteps, our privacy regulators are routinely kneecapped and under-funded, consumer data is routinely left open on the cloud, a new hack is revealed at least once a week, and nobody wants to spend the funds necessary to upgrade older infrastructure because doing so simply isn't sexy. To ignore this, then become utterly hysterical because the Chinese government might get some teen phone data, seems divorced from the broader context.
Yet most of the biggest pearl clutchers about the dangers of TikTok have been utterly absent from this broader reality.
They were nowhere to be found among efforts to fix a massive SS7 flaw that makes our cellular infrastructure vulnerable. They were dead quiet as folks tried to hold the cellular industry accountable for selling everybody's location data to any nitwit with a nickel. In fact, most of the folks that have hyperventilated the most about TikTok have repeatedly shot down attempts at internet-era privacy laws and fought against funding to secure U.S. elections. Why, it's almost as if many of them don't actually care about U.S. privacy and security, and instead are performatively upset about TikTok for xenophobic, financial, and political reasons.
Seriously concerned about U.S. cybersecurity and privacy issues? Why not work to actually try to fix those problems instead of engaging in histrionics about a teenage dancing app? Because it only takes a few hours of reading about the U.S. cybersecurity and privacy incompetence before you come to realize that TikTok is among the very least of this country's problems on that front.