The logo of the social network application TikTok and a US flag shown on a mobile device screen in Miami, Florida, September 18, 2020, photo by Johnny Louis/Reuters

commentary

(The RAND Blog)

Could Time Be Up for TikTok?

The logo of the social network application TikTok and a US flag shown on a mobile device screen in Miami, Florida, September 18, 2020

Photo by Johnny Louis/Reuters

by Daniel Gonzales, Sarah Harting, Julia Brackup

September 24, 2020

The proposed TikTok deal with Oracle and Walmart has not been approved by the White House because ownership and national security concerns have yet to be resolved. TikTok's Chinese parent company, ByteDance, would still retain a significant ownership stake in TikTok Global if the proposed deal goes through.

Is it possible for ByteDance to maintain ownership in TikTok Global while ameliorating U.S. national security concerns? At the heart of any deal should be a highly technical agreement on data security issues—one that not only the two companies but the two governments might have to agree to.

There's reason for concern on the part of the U.S. government. Researchers have shown that TikTok has bypassed Google privacy safeguards in the Android operating system, enabling the company to track TikTok users even if they remove the app's tracking cookies. Also, according to the U.S. Department of Commerce the TikTok app sends a wide range of user data to cloud data centers in China, where it applies its closely guarded artificial intelligence (AI) algorithms to identify and spread viral posts.

Furthermore, it appears the app's communications with ByteDance servers in China are encrypted, making it difficult to discern exactly what data is transmitted to China. Such practices raise national security concerns: could that user data be used by the Chinese government to track individuals, conduct espionage, or for blackmail?

All details of the proposed deal aren't public, although some reports indicate Oracle would host all of TikTok's U.S. operations in the United States in a secure Oracle cloud. This is a necessary first step but is not sufficient to guarantee the data of U.S. citizens is not transmitted to China. Much more will be required to fully protect U.S. user data.

Oracle would need to address two major types of cybersecurity vulnerabilities.

Front door vulnerabilities occur when an actor installs malicious code on a previously secure app or hardware component through a software update, unbeknownst to the user. Because ByteDance may maintain majority ownership of TikTok and control the app software, it may still supply the app's software updates—providing a potential means for the Chinese government to access user data. To lock that front door, any agreement must allow Oracle to review and certify ByteDance's human readable source code for all TikTok software updates to ensure they do not include any malicious code.

No software updates should be installable on TikTok user phones or servers directly from China.

Share on Twitter

Furthermore, no software updates should be installable on TikTok user phones or servers directly from China; Oracle must control the update process for U.S. users and verify that only reviewed software updates are used in TikTok's U.S. operations. The review of the source code would uphold and respect ByteDance's intellectual property rights while allowing Oracle to certify that the code does not pose a national security risk. Oracle could only inspect ByteDance's software, while a ByteDance representative in the United States maintained control of the source code.

The proposal must also ensure that diagnostic data collected from user phones would be sent first to Oracle and not ByteDance. Oracle would scrub it of any personally identifiable information before sharing it with ByteDance software developers in China.

That still leaves back door vulnerabilities—malware in the original source code. Such hidden code could potentially copy user data and transmit it to an unauthorized outsider—in this case, potentially the Chinese government.

To lock both the back and front doors, Oracle will need to inspect all TikTok software to confirm that it does not contain any commands or processes that would send U.S. user data to China or any unauthorized servers. In addition to reading the source code, Oracle will also need to review ByteDance's algorithms that will run on U.S. servers to ensure this code is secure. However, ByteDance would retain control of the AI algorithms during the source code inspection process. In addition, ByteDance could also patent its AI algorithms in the United States to provide further protection of its intellectual property.

Finally, if there is evidence that American's user data is going to China despite Oracle's efforts, the U.S. government should retain the right to inspect TikTok source code at any time.

If this deal is to pass government scrutiny, Oracle will have to lock these front and back doors. If not, it might be that time's up for TikTok in the United States.


Daniel Gonzales is a senior scientist at the nonprofit, nonpartisan RAND Corporation, and works on cyber security, cyber supply chain risk management, and intelligence issues. Sarah Harting is a senior defense analyst at RAND. Her research focuses on U.S. defense strategy and doctrine, strategic planning, foreign policy, and national security issues. Julia Brackup is a research assistant at RAND focusing on defense and national security issues.

Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.