These social media platforms do present significant and specific security risks, which include gathering data about phone hardware information, network information and installed apps. TikTok is under investigation for exfiltrating facial recognition information from California to China; WeChat users, regardless of their location, are subject to content surveillance. But conducting data security regulation via fiat only injects uncertainty into the U.S. tech industry, undermining firms’ confidence in investing in new technologies while doing little to make Americans safer.
These executive orders have a fundamental flaw in their reasoning: Data exfiltration by Chinese firms from the United States is so pervasive that targeting a few big names merely distracts from the severity of the problem. Large numbers of firms serving U.S. consumers — whether they’re physically based in China or in the United States — are under pressure by the Chinese government to exfiltrate data. Combined with data gathered through hacks of Equifax, Marriott, Anthem and the Office of Personnel Management, the Chinese government has a treasure trove of information to support intelligence-gathering activities for decades to come, regardless of last week’s bans. Without comprehensive data security regulation, the executive orders are merely window dressing.
Tencent, which owns WeChat, has a wide range of other products that it partially or wholly owns in the United States, and which are not covered by the Executive Order. Tencent owns 5 percent of the gaming giant Blizzard, which has censored players who advocated for Hong Kong protesters on its Hearthstone platform. The firm also wholly owns Riot Games, the parent company of League of Legends, as well as 40 percent of Epic Games, best known for Fortnite, an online video game with over 350 million players. Gaming platforms gather huge amounts of data about users ranging from their in-game behavior to their passwords to their social networks and more. Blizzard, Epic Games and Riot Games have all pushed back against the assertion that data from users is shared with Chinese parent companies. But in June, China adopted a law that subjects any firms in China whose operations involve large databases to national security review. It’s impossible to know how this new law has affected data collected in the United States: Tencent and its subsidiaries do not have data transparency mechanisms that report what data is gathered, where it is stored and who sees it in a way that can be externally verified.
The issue of data exfiltration extends beyond these entertainment platforms. Zoom, a videoconferencing firm based in the United States, but with extensive engineering operations in China, is a perfect example. The platform has become the go-to social and professional event destination for people with nowhere to go: In a pandemic-driven flurry, users downloaded Zoom from the App Store 94 million times during the second quarter of 2020, smashing TikTok’s first-quarter record. When Zoom events cross borders, the lack of U.S. consumer data security laws leaves Americans unprotected. On June 4, for instance, Zoom shut down a conversation between users in China and the United States with Tiananmen Square activists, allegedly following Chinese law — but violating the First Amendment rights of American users. The firm has since updated its policies, but its data security practices can’t currently be externally verified by the very users who rely on the platform for everything from preschool to last rites.
Zoom also forms the backbone of efforts by U.S. educators to serve hundreds of thousands of Chinese students, but presents serious data-sharing risks. The June 1 law, combined with a December 2019 regulation that asserts potential criminal or civil liability for sharing “unhealthy online content,” allows students, teachers and universities to be surveilled, or held criminally or civilly liable in China for information they access or share. Imagine a student in China taking a class on Tibet from their home university in the United States. The student taking the course, the professor teaching it and the university providing the proxy server to access course materials could be held criminally or civilly liable by the Chinese government for sharing that content. Hong Kong’s National Security Law from July 1 demonstrates that the Chinese government has no problem holding people liable for crimes extraterritorially. Zoom has repeatedly asserted that it complies with Chinese laws in its operations, which then extends legal risks to U.S. users.
Other platforms, beyond the communications industry, also gather extensive data. Alibaba, China’s leading e-commerce platform, now operates in the United States for business customers under its Alibaba brand. Roughly one-third of the firm’s 10 million active business users are U.S.-based (and if you were trying to source masks back in March or April, you probably stumbled on it). Cash-rich e-commerce firms like Alibaba freely harvest user data and are poised to make big financial gains in the United States at a moment when brick-and-mortar businesses are dying on the vine.
Data exfiltration from the United States to China is systemic, and presents a pressing national security issue. Keeping consumer data safe would require comprehensive oversight of, and transparency from, all firms operating in the United States.
Spotty executive orders, half-written in response to stunts by K-pop fans, won’t cut it.