Changelog: TikTok is the new Kaspersky
Eyestetix Studio / Unsplash
Welcome to Changelog for 3/21/2024, published by Synack! README senior editor Nathaniel Mott here with a reluctant defense of TikTok following the passage of a bill looking to ban it.
TikTok has been having a rough time.
The U.S. House of Representatives passed the “Protecting Americans from Foreign Adversary Controlled Applications Act” on March 13 with 352 votes in favor and 65 votes against. The bill isn’t technically limited to TikTok—it would also give the president the ability to identify other software owned by companies in China, Russia, North Korea and Iran as “foreign adversary controlled applications”—but its focus on the ByteDance-owned social network has led many to refer to it as an attempt to ban the app in the U.S.
This isn’t the first time the U.S. government has acted against TikTok. The U.S. Army and Marine Corps banned it from government-issued devices in January 2020, and in March 2023, the Biden administration ordered all federal agencies to remove the app from their devices. (Some 39 states have also banned it from their government-issued devices.) A document published alongside this bill (H.R. 7521) recounts concerns from leading intelligence officials about the national security risks posed by TikTok as well.
The warnings seem to fall into two categories: fears that TikTok can tweak its algorithm at the Chinese government’s request to assist with the spread of misinformation and disinformation and concerns that TikTok could be used to collect information about the more than 170 million Americans who use the app each month or, perhaps, compromise those devices in service of China’s cyber operations.
Let’s take a moment to consider both categories.
TikTok certainly wouldn’t be the first social network whose recommendation algorithms have —intentionally or not—assisted the spread of misinformation and disinformation. Amnesty International said in 2022 that “Facebook owner Meta’s dangerous algorithms and reckless pursuit of profit substantially contributed to the atrocities perpetrated by the Myanmar military against the Rohingya people in 2017,” for example, and Foreign Policy said in 2023 that “Elon Musk’s Twitter is becoming a sewer of disinformation” because “changes to the platform have systematically amplified authoritarian state propaganda.”
But let’s set that aside for a moment to focus on risks posed by TikTok’s app itself. The Intercept noted on March 16 that U.S. intelligence officials have always been careful to say their concerns about TikTok are hypothetical; they have never publicly shared evidence of any security risks associated with the app. The Washington Post also reported in July 2020 that “TikTok doesn’t appear to grab any more personal information than Facebook” from the devices on which it’s installed, and Citizen Lab said in 2021 that TikTok does “not appear to exhibit overtly malicious behavior similar to those exhibited by malware.”
All of which means that pretty much all publicly available evidence suggests the primary difference between TikTok and social networks like Facebook and Twitter is that it’s owned by a company based in China rather than the U.S. Do not conflate this observation with me saying there are no privacy or security risks associated with using TikTok or Douyin, its counterpart in China. There are notable differences between TikTok and Douyin despite their shared origins.
In that context, TikTok is the new Kaspersky. The antivirus company’s software was similarly banned from U.S. government devices and networks in September 2017, with the restrictions extending to federal contractors in September 2019. But once again, as Wired reported in October 2017, these bans weren’t accompanied by publicly available evidence that Kaspersky’s products had been abused or somehow posed a greater risk than similar antivirus tools for any reason other than it operating out of Russia.
But there are some differences between the U.S. government’s treatment of TikTok and Kaspersky. H.R. 7521 wouldn’t just ban TikTok from government-issued devices—it would also prevent companies like Apple and Google from distributing the app on their platforms, which would prevent the social network from operating in the U.S. at all, if for some reason you operate under the assumption that nobody has ever found a way to install software they aren’t supposed to have on their devices. Many of the bans on Kaspersky are specific to government-issued devices; consumers are free to continue using its products.
H.R. 7521 also specifically gives ByteDance the opportunity to sell TikTok to an American-owned company within six months of the bill’s passage. Again, the problem isn’t that TikTok can be used to spread misinformation and disinformation or to surveil hundreds of millions of people, it’s that it can do so under the ownership of a China-based company rather a U.S. one. I haven’t found evidence that Kaspersky was similarly pressured to join the red, white and blue.
Of course, TikTok and Kaspersky are very different companies, and that could help explain the differing approaches to managing them. It’s much easier to conduct influence operations via social platforms than antivirus tools—what are they gonna do, make “VOTE TRUMP 2024!” dialog boxes appear in the Windows notification tray every hour on the hour?—and TikTok has less access to the systems on which it’s installed than Kaspersky does. Both companies’ countries of origin could also be a consideration.
The U.S. has been increasingly focused on the economic and national security risks posed by China over the last few years. (See my report from October 2022 and previous installments of this newsletter related to Volt Typhoon, warnings from America’s leading cyber officials, etc.) Combine that with political factors—a TikTok ban could easily be seen as tit-for-tat retaliation for China banning American social networks from its country—and it’s not hard to see why the U.S. government seems to be more keen on banning TikTok entirely than on removing Kaspersky from every American’s device.
Caveats
There have been signs that ByteDance is willing to abuse the information it collects about TikTok users. Forbes reported in October 2022 that ByteDance “planned to use the TikTok app to monitor the personal location of some specific American citizens,” and that December, The New York Times reported that several ByteDance employees had accessed data associated with journalists in an effort to discover who was leaking information to the press. TikTok fired the four employees involved with that incident, however.
A former ByteDance executive in the U.S. also said in 2023 that the company “was taking user content from other platforms, mainly Instagram and Snapchat,” and that “a committee of China’s Communist Party members accessed the data of TikTok users in Hong Kong in 2018.” (TikTok denied both claims.) But it’s worth noting the executive, Yintao Yu, worked at ByteDance for just one year before he was fired in 2018. The revelations were made in a wrongful termination suit filed in 2023—which strikes me as a large gap, though I’m not a lawyer, and don’t play one on TV—and supporting evidence hasn’t been made public.
ByteDance has also reportedly used Douyin to help the Chinese government surveil and repress the country’s Uyghur population. This demonstrates the company’s willingness to comply with the Chinese government’s demands, and should absolutely be criticized and condemned, but that doesn’t necessarily mean TikTok has been or will be used for similar purposes outside of ByteDance’s home country.
David Orban / Flickr
As for Kaspersky: The New York Times and The Wall Street Journal both reported in October 2017 that the company’s antivirus had been abused in various ways.
The first report indicated that “Israeli intelligence officers looked on in real time as Russian government hackers searched computers around the world for the code names of American intelligence programs” in 2015. The New York Times cited an incident where classified documents were stolen from an NSA employee (more on that in a bit) and said “what additional American secrets the Russian hackers may have gleaned from multiple agencies, by turning the Kaspersky software into a sort of Google search for sensitive information, is not yet publicly known.” That’s a hell of a leap, but let’s roll with it.
The second report offered additional information about the NSA incident. “Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after [an NSA] contractor removed the highly classified material and put it on his home computer,” The Wall Street Journal reported, adding that “the hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab.” It also cited several other incidents where NSA contractors leaked data.
Kaspersky investigated these claims and confirmed that classified documents were uploaded from an NSA contractor’s device. But the company also noted that the contractor appeared to be running pirated software on the system—which is mind-boggling to me, but hey, public sector salaries ain’t what they used to be—including “an illegal Microsoft Office activation key generator… which turned out to be infected with malware.” Kaspersky’s antivirus detected the malware and then… did what antivirus software does by uploading suspicious or relevant files to the company’s network for further examination.
The company also said that its founder and chief executive Eugene Kaspersky was informed that classified documents had been uploaded to its network. Then, “following a request from the CEO, the archive was deleted from all our systems” and “was not shared with any third parties.”
Should those claims be taken at face value? No. Of course not. But there’s a stark difference between “Kaspersky obtained sensitive information via an NSA contractor bringing home classified documents and storing them on a system infected with malware because they didn’t want to pay for Microsoft Word” and “Kaspersky is a personal Google for Russian hackers.” Do not conflate this statement with me saying there’s no reason to be suspicious of or concerned about Kaspersky, especially following Russia’s invasion of Ukraine. Banning the antivirus from government systems makes perfect sense to me.
So where am I going with all this?
There are several reasons to be skeptical of H.R. 7521; I recommend checking out the Electronic Frontier Foundation’s take on the issue. The bill is clearly politically motivated, pressuring ByteDance to sell TikTok to an American company seems like an attempt to maintain U.S. dominance over the global social media market and the U.S. government has yet to provide evidence that TikTok poses as great a threat as this bill would suggest.
We’ve seen this play out before with Kaspersky, albeit to a lesser extent, as I explained above. Will the expanded scope of the TikTok ban prompt the U.S. government intelligence apparatus to be more transparent about the risks posed by this Chinese social network over that Russian antivirus? Maybe! But it also wouldn’t surprise me if TikTok’s fate is similar to Kaspersky’s in that we’ll have to wait years to learn what exactly these officials are so worried about—assuming that explanation ever comes.
Does that mean TikTok and Kaspersky shouldn’t be scrutinized? No. But it seems disingenuous to pretend they’re all that different from their American counterparts. The U.S. Air Force made a similar point when The New York Times asked if it would follow the Marine Corps and Army in banning TikTok:
“The threats posed by social media are not unique to TikTok (though they may certainly be greater on that platform), and DoD personnel must be cautious when making any public or social media post,” the Air Force spokeswoman said. “All DoD personnel take annual cyber-awareness training that covers the threats that social media can pose, as well as annual operations security training that covers the broader issue of safeguarding information.”
But I also like the U.K. National Cyber Security Centre’s take on Russian software following the invasion of Ukraine: “We have no evidence that the Russian state intends to suborn Russian commercial products and services to cause damage to UK interests, but the absence of evidence is not evidence of absence.”
So this all comes down to a matter of assessing the risks posed by this software and responding accordingly. It makes sense to ban TikTok and Kaspersky from government devices. (And, apparently, the devices of contractors who like to pirate software.) I’ve made similar choices for my own systems, and I’ll admit that software with strong ties to China or Russia gives me pause, but I’m also skeptical of their American counterparts. My stance: The data broker industry can go pound sand, surveillance capitalists are terrible people and a lot of people probably spend far more time on social media than they should.
That doesn’t mean H.R. 7521 is the solution—or, if it is, that the U.S. government has successfully made a case for banning software like TikTok from every American’s devices. This is a nuanced issue that would be difficult to navigate even if all of the facts had been laid on the table. That they haven’t been makes it that much more complicated to reason about, let alone discuss, especially when it’s easy to come off as supporting a company based in an authoritarian country engaged in active cyber operations targeting U.S. critical infrastructure. (Hence my resorting to bold-faced text for particularly important caveats.)
Anyway. On a much lighter note, it’s deeply funny to me that Kaspersky published an article titled “TikTok privacy and security - Is TikTok safe to use?” when it essentially laid the path ByteDance is walking on.