Cat Videos and National Security

Unless someone blinks, this coming Sunday September 20, Chinese company ByteDance’s TikTok dies. The President’s executive order, which prohibits any “transactions” with ByteDance thereafter has now been clarified to note that “transactions” include both the transfer of data to and from TikTok, as well as the hosting or downloading of the applications that make TikTok work. As such, millions of Gen Z’ers, will be violating U.S. national security sanctions when they post — or attempt to post – 15 second short form videos. Internet service providers, routers, hubs, etc., will be committing a violation of sanctions and damaging national security if they don’t update their settings to preclude traffic to or from the TikTok or ByteDance domains. Not satisfied with what the Treasury Secretary called a “technological partnership” between ByteDance and Oracle which might have (details pending) required Oracle to host TikTok’s U.S. data in a way that precluded (or at least inhibited) the wholesale transfer of personal information about U.S. subscribers and users to the Chinese Communist Party, the administration is insisting on a sale of the video sharing company to a U.S. based corporation. Oh, and the U.S. government also wants to get its beak wet — a vig — on the sale, you know, for brokering the art of the deal. Included in the ByteDance sanctions is the online messaging application WeChat as well.

On August 6, President Trump issued an executive order indicating that he would prohibit “transactions” with TikTok and WeChat, but he did not indicate what he meant by “transactions.” In response to a lawsuit by TikTok employees, the Commerce Department backed down and indicated that paying employees was not a prohibited transaction. In their press release on September 18, the Commerce Department defined what it meant by prohibited transactions and noted that, as of September 20, 2020, the following transactions are prohibited:

• Any provision of service to distribute or maintain the WeChat or TikTok mobile applications, constituent code, or application updates through an online mobile application store in the U.S.;
• Any provision of services through the WeChat mobile application for the purpose of transferring funds or processing payments within the U.S.
• As of September 20, 2020, for WeChat and as of November 12, 2020, for TikTok, the following transactions are prohibited:
• Any provision of internet hosting services enabling the functioning or optimization of the mobile application in the U.S.;
• Any provision of content delivery network services enabling the functioning or optimization of the mobile application in the U.S.;
• Any provision directly contracted or arranged internet transit or peering services enabling the function or optimization of the mobile application within the U.S.;
• Any utilization of the mobile application’s constituent code, functions, or services in the functioning of software or services developed and/or accessible within the U.S.
• Any other prohibitive transaction relating to WeChat or TikTok may be identified at a future date.

In short, U.S. companies and platforms (like Apple and Google) will be prohibited from hosting the WeChat and TikTok apps. U.S. ISP’s, hosting services, routers, hubs, switches, etc., will be required to update their configurations so they don’t carry IP traffic from or to these applications. TikTok and WeChat users will be prohibited from posting or viewing videos or chats using the apps. With respect to WeChat, the funds transfer functionality of the service will have to be blocked and disabled by U.S. companies. Companies that “optimize” access to these services (by caching, or otherwise) will be required to stop. In short, the apps come off the app store, the traffic is blocked, and the servers shut down. Don’t cross the streams, Ray.

So what is likely to happen on Sunday?  Probably nothing.

The “sanctions” imposed by the Commerce Department have no, well, no “sanctions.” They are not self-enforcing. What happens if Apple, Google, Cisco, Verizon, AT&T, and everyone else does absolutely nothing? At that point, the Commerce Department (or some other agency or department) will have to step in and either get a Court order compelling enforcement of the Executive Order, or use some other means (e.g., unless you cooperate, your government contracts are defunded) to enforce the sanctions. Inevitably, this will have to be decided in a Courtroom, either as a motion to enjoin either the Department of Commerce or the companies (depending on who files the injunction), a Temporary or Permanent Restraining Order, or an order for Declaratory Judgement. You have meddled with the primal forces of nature, and I won’t have it!!

What’s the Point?

So what, exactly are the “national security” concerns about 15 second cat videos? You see, while TikTok’s platforms and data storage are in the United States, its corporate parent, ByteDance is a Chinese company. This, according to the CIA and Department of Defense, means that the data collected on the platform, is always available to the Chinese Communist Party, which can use the information about cat videos and new teen dance moves to — well, to undermine the security of America! It must be stopped!

One way to look at the US/ByteDance controversy is as another tit-for-tat battle in the war between the United States and the People’s Republic of China; a war involving trade battles, intellectual property disagreements, dumping allegations, covert surveillance, and of course, the coronavirus, dubbed the “Wuhan flu,” amidst vague allegations that the virus was “manufactured” in a laboratory in Wuhan, China, and then released to the world as part of some nefarious effort to inflict economic damage on the world by the Chinese Communist Party.

But back to cat videos. The U.S. government’s allegations around the ownership of TikTok essentially come down to an assertion that the privacy of personal data about users of the video sharing service represents a clear and present danger to the security of the United States. While governments have frequently asserted that cybersecurity in general, and cybersecurity of telecommunications equipment in particular are legitimate areas for national security regulation, the TikTok case represents the first major case in which the U.S. government has asserted that data privacy is a national security concern. It’s an interesting theory, particularly in light of the fact that the U.S. has no national data privacy law or regulation, and tends to push back on international law or regulation of data privacy which prevents data on foreign nationals from being transported, used, processed or seen by U.S. owned companies.

Privacy As A National Security Concern

When TikTok captures user information on its servers in the United States, it is a national security crisis because, until the company’s assets are sold to someone like Oracle, the parent company of TikTok is based in China, where the Chinese communist party can force the parent company to cooperate in a national security investigation and pony up the personal data.

When Facebook, Ireland captures user information on its servers in Dublin, Ireland, it is a national security crisis because the parent company is based in the United States, where the FBI and NSA can force the parent company to cooperate in a national security investigation and pony up the personal data.

The Delphic Oracle?

So the U.S. government’s concern about TikTok is that there might be an onward transfer of data from the U.S. Servers to China.

Simple solution – prohibit the onward transfer. Or impose a technological solution that would prohibit the onward transfer. It appears that this was the point of the ByteDance/Oracle deal announced on September 14. At that time, Treasury Secretary Steven Mnuchin indicated that U.S. cloud software provider Oracle had reached a deal with ByteDance to become the U.S. technology provider for ByteDance and that the U.S. government plans to review the deal this week. Mnuchin noted that “I will just say from our standpoint, we’ll need to make sure that the code is, one, secure, Americans’ data is secure, that the phones are secure and we’ll be looking to have discussions with Oracle over the next few days with our technical teams…” For its part, Oracle noted that it “confirms Secretary Mnuchin’s statement that it is part of the proposal submitted by ByteDance to the Treasury Department over the weekend in which Oracle will serve as the trusted technology provider.”

It’s not clear what the parameters of the “Oracle deal” might be, but it’s likely much less that the full divestiture of TikTok from ByteDance that the Commerce department insisted was essential for the preservation of U.S. national security. More likely, Oracle will serve some role in ensuring that data contained on TikTok’s U.S. servers (and now maybe transferred to Oracle cloud servers in the U.S.) do not migrate to servers in Beijing, or to the Chinese government. In fact, China’s state broadcaster CGTN reported that ByteDance was NOT selling TikTok to Oracle, and was specifically NOT selling the AI software that makes TikTok “tick.” So Oracle might be acting as a custodian of the sensitive code and data. Again, the details are sketchy. But apparently that was not enough for the Commerce department which is insisting on a wholesale shutdown of the service and its sale, or both.

At its core, the ByteDance case illustrates the current administration’s position that the privacy of the data on TikTok represents a national security threat to the United States of America, and that, because TikTok is owned by a foreign company, subject to foreign law (and foreign compulsory process) it cannot be trusted to enforce its own data privacy policy.

In pleadings filed in federal court, the U.S. Commerce Department has justified the use of federal sanctions to prohibit TikTok from operating in the United States for so long as it remains a subsidiary of the Chinese company ByteDance. As authority, the Commerce Department notes that “Chinese law imposes broad obligations on citizens and companies to cooperate with the PRC by providing data and technological support to security agencies and the military” and that ByteDance is “headquartered in Beijing, [and is] subject to Chinese intelligence laws.” Even though TikTok’s American user’s data is stored in the United States, and pursuant to its privacy policies are not removed to China and are not available to the Chinese government or the Chinese Communist Party (CCP) or the People’s Republic of China (PRC), the U.S. Commerce Department asserts that the promises in the privacy policy cannot be trusted because, “[w]hen users submit to TikTok’s Terms of Service and Privacy Policy, they agree that their data may flow to ByteDance and (as such) may be turned over to the PRC.”

Not surprisingly, that’s not quite what TikTok’s Terms of Service and Privacy Policies say. The privacy policy notes that:

We may disclose your information to respond to subpoenas, court orders, legal process, law enforcement requests, legal claims, or government inquiries, and to protect and defend the rights, interests, safety, and security of TikTok Inc., the Platform, our affiliates, users, or the public. We may also share your information to enforce any terms applicable to the Platform, to exercise or defend any legal claims, and comply with any applicable law.

Also unsurprisingly, TikTok’s Terms of Service say nothing about agreeing that users’ data may flow to ByteDance and turned over to the People’s Republic of China.

But, the U.S. government argues, because ByteDance is a Chinese company, it must comply with Chinese law including the Chinese National Intelligence Law. Article 7 of China’s National Intelligence Law states, “Any organization or citizen shall support, assist, and cooperate with state intelligence work in accordance with the law, and maintain the secrecy of all knowledge of state intelligence work.” Article 28 of China’s Cybersecurity Law states, “Network operators shall provide technical support and assistance to public security organs and national security organs that are safeguarding national security and investigating criminal activities in accordance with the law.” Finally, Article 11 of China’s National Security Law states, “All citizens of the People’s Republic of China …. shall have the responsibility and obligation to maintain national security.”

The Commerce Department’s argument goes that ByteDance is required to comply with these laws, and therefore data collected in and stored in the U.S. cannot be assured to be safe. The personal data shared on TikTok “presents serious national security risks in the United States, where use of TikTok has exploded in popularity” and that “TikTok poses a direct threat to the privacy and security of U.S. persons.”

But any company doing business in China is required to comply with Chinese law, just as any company doing business in the U.S. must comply with U.S. law. In fact, any company with assets in China is subject to having those assets taken if it does not comply with Chinese law, just as any company with assets in the U.S. is subject to having those assets seized and forfeited if it does not comply with U.S. law. The fact that ByteDance is a “Chinese” company might mean that their executives have more “loyalty” to China, just as Facebook employees might have more “loyalty” to a U.S. request for access to social media data, but at the end of the day, each entity has to comply with the laws of the countries in which they operate.

If ByteDance were forced to sell TikTok to Microsoft, and MS kept all the TikTok data on servers in the U.S., the Chinese government could still compel Microsoft to pony up that data because Microsoft has business operations in China. The concept of “data location” and corporate location are so 20th Century.

Schrems II

At the same time, the European Union is considering the same rationale for prohibiting transfers of data about EU residents to U.S. companies like Facebook and Google. These U.S. companies cannot be trusted to adhere to their own privacy policies because they are U.S. companies subject to having to follow U.S. law, which includes an obligation to comply with requirements to secretly provide data to the U.S. government pursuant to FISA warrants, bulk FISA warrants, and National Security Letters under the USA PATRIOT Act. The July 2020 decision of the EU Court of Justice called “Schrems II” limited the ability of U.S. companies to transfer data about EU residents to the United States because of the requirements of cooperation imposed on companies in the U.S. In that case, Maximilian Schrems sued Facebook in Ireland, alleging that “United States law requires Facebook Inc. to make the personal data transferred to it available to certain United States authorities, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI). He submitted that, since that data was used in the context of various monitoring programmes in a manner incompatible with Articles 7, 8 and 47 of the Charter, the SCC Decision cannot justify the transfer of that data to the United States. In those circumstances, Mr. Schrems asked the Commissioner to prohibit or suspend the transfer of his personal data to Facebook Inc.”

Data privacy is a legitimate national security concern. But you don’t have to own a company like LinkedIn to have access to the data of LinkedIn. The personal data can be accessed, scraped, and analyzed (well, some of it at least) from anywhere in the world.

Right now it looks like TikTok will be shut down on Sunday. So get your fix of 15 second videos now. And if you are an Internet lawyer, start writing….

 

Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.