November 05, 2019

How Corporations and Big Tech Leave Our Data Exposed to Criminals, China, and Other Bad Actors

Testimony Before the Senate Judiciary Committee's Subcommittee on Crime and Terrorism

I. Key Observations and Assessments

Chairman Hawley, Ranking Member Whitehouse, distinguished members of the subcommittee, thank you for the opportunity to discuss a topic of critical importance to the United States. I want to begin with a few observations:

  1. Americans face systemic risk when using platforms operating in or owned by companies in countries with a history of cyber espionage, forced tech transfer, and a lack of rule of law. Without the same system of checks and balances against misuse we have in the United States, U.S. citizens are at high risk for data exploitation via these platforms. In addition to an established precedent of IP theft and espionage against the United States, private Chinese technology companies’ ability to resist the Chinese government is highly circumscribed at best. This is due in part to the Chinese government’s deliberate blending of the public and private digital landscape through Article Seven of China’s 2017 National Intelligence Law, where Chinese organizations and citizens are compelled to cooperate with “state intelligence work.” China’s much-examined 2017 Cybersecurity Law and subsequent updates also bolster this tactic. As public policy researchers noted last year, these laws “[entail] strict provisions requiring data to be housed inside China, as well as spot inspections and even black-box security audits.” If a company stores U.S. data overseas, that data may be subject to similar foreign legislation. “Country-agnostic” approaches (or, relatedly, vendor-neutral approaches to building out critical infrastructure like next generation wireless technology)—while rhetorically expedient—do not strike at the heart of these systemic issues.

    Further, American lawmakers and citizens possess even less insight into the data security practices of foreign-owned technology companies than they do into businesses in the United States. The lack of granularity provided on real-time data collection, levels of access, storage, server locations, and third-party partnerships presents a national security risk. In the case of TikTok, David Carroll, writing in Quartz in May 2019, asserted that an earlier version of TikTok’s privacy policy allowed data on the app to be shared “with any member or affiliate of [its] group” in China before the policy’s revision in February 2019. While TikTok claims to store its data in the United States as of today, its Beijing-headquartered parent company, ByteDance, is subject to the Chinese legislation noted above. In addition to this legislation, technical vulnerabilities in systems built and owned by Chinese companies abound. These can include much-discussed “backdoors” in code that would allow the Chinese government access to third-party systems, and security flaws hidden in a programming vulnerability, or “bugdoors”; such flaws could even be introduced later via a software update.
  2. China is exporting its values, embedded in the technology itself and in legal frameworks, to the world. Leaked documents from TikTok indicate the company censors content on Tiananmen Square and Tibetan independence, and possibly reporting on the Hong Kong protests and the imprisonment of approximately one million Uighurs in Xinjiang detention camps. Not only is China exporting technology, particularly AI-related surveillance tech, but the Chinese “party-state” is also transmitting the laws and policies that govern its use. For instance, Vietnamese officials were trained in and attempted to implement a cybersecurity law modeled after China’s version of the legislation in 2018. This draft law contained strict data storage provisions (which give access to a government “task force”), a mandate to open offices in Vietnam if requested by Vietnam’s Public Security Ministry, and overarching definitions of content. China is also expanding its own access through legislation: China’s full “internet security plan,” encompassing a soon-to-be-implemented 2020 Foreign Investment Law, will no longer render foreign-owned companies in China exempt from the Cybersecurity Law. Effectively, any data on communications networks in China will soon be subject to the Chinese Cybersecurity Bureau’s scrutiny, without requiring an official request. This ability to access more data from more sources lays the groundwork for its exploitation.
  3. Private companies play an outsized role in this environment due to their sustained and unfettered access to a high volume and variety of personal data—behavioral and biometric—with high commercial value. A May 2019 survey indicated almost half (46%) of 18- to 24-year-olds accept tech privacy agreements without reading a single word. This bargain has led to private tech companies’ often overwhelming access to consumer data, such as when IBM scraped millions of photos from unwitting citizens using the photo hosting site Flickr at the beginning of this year.
  4. The digital environment is growing more complex. The strategic intent of bad actors is increasingly difficult to delineate, and emerging technologies are exacerbating existing threats. Emerging technologies, particularly machine learning, will give malign actors the ability to turn data into insights. In addition, the strategic intent of nation-state actors, cybercriminals, and hacktivists is increasingly intertwined, heightening the chaotic nature of the landscape. Protecting the United States against these supercharged threats from various attack vectors will only get harder.
  5. Solutions are overdue. If democratic societies do not establish the rules of the road for data security and privacy protections, authoritarians will do it for us. By next year alone, approximately 30 billion devices will be connected to the internet, and by 2025, almost five billion people will have access to the web. This amounts to a huge attack surface for cybercriminals, adversarial nation-states, and other bad actors to both wreak havoc and set their own standards.

  1. A portion of these observations are derived or pulled directly from a paper written exclusively by the witness and dated October 2019, “Reclaiming Cyber Governance as a Bulwark Against—and Not a Tool of—Illiberalism” for the U.S. government’s Congressionally-mandated Cyber Solarium Commission. Expected release is 2020.
  2. “Beijing’s New National Intelligence Law: From Defense to Offense,” Lawfare, July 20, 2017, https://www.lawfareblog.com/beijings-new-national-intelligence-law-defense-offense; Further, the CCP’s September 2019 decision to send Chinese officials to work in 100 private companies in Hangzhou continues to muddy the waters between public and private industry.
  3. “Translation: China's New Draft 'Data Security Management Measures,'” New America, May 31, 2019, https://www.newamerica.org/cybersecurity-initiative/digichina/blog/translation-chinas-new-draft-data-security-management-measures/; https://www.zdnet.com/article/chinas-cybersecurity-law-update-lets-state-agencies-pen-test-local-companies/; and https://www.newamerica.org/cybersecurity-initiative/digichina/blog/translation-cybersecurity-law-peoples-republic-china/.
  4. Ibid.; “Breakingviews - America can define down China’s harsh cyber rules,” Reuters, April 2, 2019, https://www.reuters.com/article/us-usa-trade-china-breakingviews/breakingviews-america-can-define-down-chinas-harsh-cyberrules-idUSKCN1RE08F; and “China’s Ambitious Rules to Secure ‘Critical Information Infrastructure,” New America, July 14, 2017, https://www.newamerica.org/cybersecurity-initiative/blog/chinas-ambitious-rules-secure-critical-information-infrastructure/.
  5. Samantha Hoffman, "Engineering global consent: The Chinese Communist Party's data-driven power expansion," Policy brief Report No. 21/2019 (Australian Strategic Policy Institute, October 2019), https://s3-ap-southeast-2.amazonaws.com/ad-aspi/2019-10/Engineering%20global%20consent%20V2.pdf?eIvKpmwu2iVwZx4o1n8B5MAnncB75qbT.
  6. David Carroll, "Is TikTok a Chinese Cambridge Analytica data bomb waiting to explode?" qz.com, May 7, 2019, https://qz.com/1613020/tiktok-might-be-a-chinese-cambridge-analytica-scale-privacy-threat.
  7. Kara Frederick, "The 5G Future Is Not Just About Huawei," Foreignpolicy.com, May 3, 2019, https://foreignpolicy.com/2019/05/03/the-5g-future-is-not-just-about-huawei/.
  8. Alex Hern, “Revealed: How TikTok censors videos that do not please Beijing,” theguardian.com, September 25, 2019, https://www.theguardian.com/technology/2019/sep/25/revealed-how-tiktok-censors-videos-that-do-not-please-beijing; and Drew Harrell and Tony Romm, “TikTok’s Beijing roots fuel censorship suspicion as it builds a huge U.S. audience,” washingtonpost.com, September 15, 2019, https://www.washingtonpost.com/technology/2019/09/15/tiktoks-beijing-roots-fuel-censorship-suspicion-it-builds-huge-us-audience/.
  9. “Vietnam: Withdraw Problematic Cyber Security Law,” Human Rights Watch, June 7, 2018, https://www.hrw.org/news/2018/06/07/vietnam-withdraw-problematic-cyber-security-law.
  10. “China’s New Cybersecurity Program: NO Place to Hide,” China Law Blog, September 30, 2019, https://www.chinalawblog.com/2019/09/chinas-new-cybersecurity-program-no-place-to-hide.html.
  11. This section is taken directly from the witness’s unpublished report for the U.S. Cyber Solarium Commission.
  12. Kim Hart, "Privacy policies are read by an aging few," Axios.com, February 28, 2019, https://www.axios.com/few-people-read-privacy-policies-survey-fec3a29e-2e3a-4767-a05c-2cacdcbaecc8.html.
  13. Olivia Solon, “Facial Recognition’s ‘dirty little secret’: Millions of online photos scraped without consent,” NBCNews.com, March 12, 2019, https://www.nbcnews.com/tech/internet/facial-recognition-s-dirty-little-secret-millions-online-photos-scrapedn981921.
  14. Kara Frederick, "The Rise of Municipal Ransomware," City-Journal.org, September 3, 2019, https://www.cityjournal.org/ransomware-attacks-against-cities.

In addition to new material, this testimony includes original content from the witness’s previously published work and media commentary.