U.S. Requires Servers to Ban TikTok, WeChat Traffic

On Sunday, Sept. 20, Chinese company ByteDance’s TikTok and WeChat die. President Trump’s executive order, which prohibits any “transactions” with ByteDance thereafter, has now been clarified to note that “transactions” include both the transfer of data to and from TikTok, as well as the hosting or downloading of the applications that make TikTok work. As such, millions of Gen Z’ers will be violating U.S. national security sanctions when they post—or attempt to post—15-second short-form videos. Internet service providers, routers, hubs, etc., will be committing a violation of sanctions and damaging national security if they don’t update their settings to preclude traffic to or from the TikTok or ByteDance domains.

Not satisfied with what the Treasury Secretary called a “technological partnership” between ByteDance and Oracle that might have (details pending) required Oracle to host TikTok’s U.S. data in a way that precluded (or at least inhibited) the wholesale transfer of personal information about U.S. subscribers and users to the Chinese Communist Party, the administration is insisting on a sale of the video-sharing company to a U.S.-based corporation. Oh, and the U.S. government also wants to get its beak wet—a vig—on the sale; you know, for brokering the art of the deal. Also included in the ByteDance sanctions is the online messaging application WeChat.

On Aug. 6, the president issued an executive order indicating that he would prohibit “transactions” with TikTok and WeChat, but he did not indicate what he meant by “transactions.” In response to a lawsuit by TikTok employees, the Commerce Department backed down and indicated that paying employees was not a prohibited transaction. In its Sept. 18 press release, the Commerce Department defined what it meant by prohibited transactions and noted that, as of Sept. 20, the following transactions are prohibited:

  • Any provision of service to distribute or maintain the WeChat or TikTok mobile applications, constituent code, or application updates through an online mobile application store in the U.S.;
  • Any provision of services through the WeChat mobile application for the purpose of transferring funds or processing payments within the U.S.

As of Sept. 20 for WeChat and as of Nov. 12 for TikTok, the following transactions are prohibited:

  • Any provision of internet hosting services enabling the functioning or optimization of the mobile application in the U.S.;
  • Any provision of content delivery network services enabling the functioning or optimization of the mobile application in the U.S.;
  • Any provision of directly contracted or arranged internet transit or peering services enabling the function or optimization of the mobile application within the U.S.;
  • Any utilization of the mobile application’s constituent code, functions or services in the functioning of software or services developed and/or accessible within the U.S.

Any other prohibited transaction relating to WeChat or TikTok may be identified at a future date.

In short, U.S. companies and platforms such as Apple and Google will be prohibited from hosting the WeChat and TikTok apps. U.S. ISPs, hosting services, routers, hubs, switches, etc., will be required to update their configurations so they don’t carry IP traffic from or to these applications. TikTok and WeChat users will be prohibited from posting or viewing videos or chats using the apps. With respect to WeChat, the funds-transfer functionality of the service will have to be blocked and disabled by U.S. companies. Companies that “optimize” access to these services (by caching or otherwise) will be required to stop.

Put more succinctly, the apps come off the app store, the traffic is blocked, and the servers shut down. Don’t cross the streams, Ray.

So what is likely to happen on Sunday? Probably nothing.

The “sanctions” imposed by the Commerce Department have no, well, no “sanctions.” They are not self-enforcing. What happens if Apple, Google, Cisco Systems, Verizon, AT&T and everyone else does absolutely nothing? At that point, the Commerce Department (or some other agency or department) will have to step in and either get a court order compelling enforcement of the executive order or use some other means (e.g., unless you cooperate, your government contracts are defunded) to enforce the sanctions. Inevitably, this will have to be decided in a courtroom, whether as a motion to enjoin the Department of Commerce or the companies (depending on who files for the injunction), a temporary or permanent restraining order, or an order for declaratory judgment. You have meddled with the primal forces of nature, and I won’t have it!!

What’s the Point?

So what, exactly, are the “national security” concerns about 15-second cat videos? You see, while TikTok’s platforms and data storage are in the United States, its corporate parent, ByteDance, is a Chinese company. This, according to the CIA and the Department of Defense, means that the data collected on the platform is always available to the Chinese Communist Party, which can use the information about cat videos and new teen dance moves to—well, to undermine the security of America! It must be stopped!

One way to look at the U.S./ByteDance controversy is as another tit-for-tat battle in the war between the United States and the People’s Republic of China; a war involving trade battles, intellectual property disagreements, dumping allegations, covert surveillance and, of course, the coronavirus—dubbed the “Wuhan flu,” amid vague allegations that the virus was “manufactured” in a laboratory in Wuhan, China, then released as part of some nefarious effort to inflict economic damage on the world by the Chinese Communist Party.

But back to cat videos. The U.S. government’s allegations around the ownership of TikTok essentially come down to an assertion that the privacy of personal data about users of the video-sharing service represents a clear and present danger to the security of the United States. While governments have frequently asserted that cybersecurity in general—and cybersecurity of telecommunications equipment in particular—are legitimate areas for national security regulation, the TikTok case represents the first major case in which the U.S. government has asserted that data privacy is a national security concern. It’s an interesting theory, particularly in light of the fact that the U.S. has no national data privacy law or regulation and tends to push back on international law or regulation of data privacy that prevents data on foreign nationals from being transported, used, processed or seen by U.S.-owned companies.

Privacy as a National Security Concern

When TikTok captures user information on its servers in the United States, it is a national security crisis because, until the company’s assets are sold to someone like Oracle, the parent company of TikTok is based in China, where the Chinese Communist Party can force the parent company to cooperate in a national security investigation and pony up the personal data.
When Facebook Ireland captures user information on its servers in Dublin, it is a national security crisis because the parent company is based in the United States, where the FBI and NSA can force the parent company to cooperate in a national security investigation and pony up the personal data.

The Delphic Oracle?

So the U.S. government’s concern about TikTok is that there might be an onward transfer of data from the U.S. servers to China.

Simple solution: Prohibit the onward transfer, or impose a technological solution that would prohibit the onward transfer. It appears that this was the point of the ByteDance/Oracle deal announced Sept. 14. At that time, Treasury Secretary Steven Mnuchin indicated that U.S. cloud software provider Oracle had reached a deal with ByteDance to become the U.S. technology provider for ByteDance and that the U.S. government planned to review the deal this week. Mnuchin noted, “I will just say from our standpoint, we’ll need to make sure that the code is, one, secure; Americans’ data is secure; that the phones are secure; and we’ll be looking to have discussions with Oracle over the next few days with our technical teams …” For its part, Oracle noted that it “confirms Secretary Mnuchin’s statement that it is part of the proposal submitted by ByteDance to the Treasury Department over the weekend in which Oracle will serve as the trusted technology provider.”

It’s not clear what the parameters of the “Oracle deal” might be, but it’s likely much less than the full divestiture of TikTok from ByteDance that the Commerce Department insisted was essential for the preservation of U.S. national security. More likely, Oracle will serve some role in ensuring that data contained on TikTok’s U.S. servers (and now maybe transferred to Oracle cloud servers in the U.S.) does not migrate to servers in Beijing or to the Chinese government. In fact, China’s state broadcaster CGTN reported that ByteDance was not selling TikTok to Oracle and was specifically not selling the AI software that makes TikTok “tick.” So Oracle might be acting as a custodian of the sensitive code and data. Again, the details are sketchy. But apparently that was not enough for the Commerce Department, which is insisting on a wholesale shutdown of the service, its sale, or both.

At its core, the ByteDance case illustrates the current administration’s position that the privacy of the data on TikTok represents a national security threat to the United States of America, and that, because TikTok is owned by a foreign company subject to foreign law (and foreign compulsory process), it cannot be trusted to enforce its own data privacy policy.

In pleadings filed in federal court, the Commerce Department has justified the use of federal sanctions to prohibit TikTok from operating in the United States for as long as it remains a subsidiary of the Chinese company ByteDance. As authority, the Commerce Department noted that “Chinese law imposes broad obligations on citizens and companies to cooperate with the PRC by providing data and technological support to security agencies and the military,” and that ByteDance is “headquartered in Beijing, [and is] subject to Chinese intelligence laws.” Even though TikTok’s American users’ data is stored in the United States and, pursuant to its privacy policies, is not removed to China and is not available to the Chinese government, the Chinese Communist Party (CCP) or the People’s Republic of China (PRC), the U.S. Commerce Department asserts that the promises in the privacy policy cannot be trusted because, “[w]hen users submit to TikTok’s Terms of Service and Privacy Policy, they agree that their data may flow to ByteDance and (as such) may be turned over to the PRC.”

Not surprisingly, that’s not quite what TikTok’s Terms of Service and Privacy Policies say. The privacy policy notes that:

We may disclose your information to respond to subpoenas, court orders, legal process, law enforcement requests, legal claims, or government inquiries, and to protect and defend the rights, interests, safety, and security of TikTok Inc., the Platform, our affiliates, users, or the public. We may also share your information to enforce any terms applicable to the Platform, to exercise or defend any legal claims, and comply with any applicable law.

Also unsurprisingly, TikTok’s Terms of Service say nothing about agreeing that users’ data may flow to ByteDance and be turned over to the People’s Republic of China.

But, the U.S. government argues, because ByteDance is a Chinese company, it must comply with Chinese law, including the Chinese National Intelligence Law. Article 7 of China’s National Intelligence Law states, “Any organization or citizen shall support, assist, and cooperate with state intelligence work in accordance with the law, and maintain the secrecy of all knowledge of state intelligence work.” Article 28 of China’s Cybersecurity Law states, “Network operators shall provide technical support and assistance to public security organs and national security organs that are safeguarding national security and investigating criminal activities in accordance with the law.” Finally, Article 11 of China’s National Security Law states, “All citizens of the People’s Republic of China … shall have the responsibility and obligation to maintain national security.”

The Commerce Department’s argument goes that ByteDance is required to comply with these laws; therefore, data collected in and stored in the U.S. cannot be assured to be safe. In the department’s words, the personal data shared on TikTok “presents serious national security risks in the United States, where use of TikTok has exploded in popularity,” and “TikTok poses a direct threat to the privacy and security of U.S. persons.”

But any company doing business in China is required to comply with Chinese law, just as any company doing business in the U.S. must comply with U.S. law. In fact, any company with assets in China is subject to having those assets taken if it does not comply with Chinese law, just as any company with assets in the U.S. is subject to having those assets seized and forfeited if it does not comply with U.S. law. The fact that ByteDance is a “Chinese” company might mean that their executives have more “loyalty” to China, just as Facebook employees might have more “loyalty” to a U.S. request for access to social media data, but at the end of the day, each entity has to comply with the laws of the countries in which they operate.

If ByteDance were forced to sell TikTok to Microsoft and Microsoft kept all the TikTok data on servers in the U.S., the Chinese government could still compel Microsoft to pony up that data because Microsoft has business operations in China. The concepts of “data location” and corporate location are so 20th century.

Schrems II

At the same time, the European Union is considering the same rationale for prohibiting transfers of data about EU residents to U.S. companies such as Facebook and Google. These U.S. companies cannot be trusted to adhere to their own privacy policies because they are U.S. companies subject to having to follow U.S. law, which includes an obligation to comply with requirements to secretly provide data to the U.S. government pursuant to FISA warrants, bulk FISA warrants and National Security Letters under the USA PATRIOT Act. The July 2020 decision of the EU Court of Justice called “Schrems II” limited the ability of U.S. companies to transfer data about EU residents to the United States because of the requirements of cooperation imposed on companies in the U.S. In that case, Maximilian Schrems sued Facebook in Ireland, alleging that “United States law requires Facebook Inc. to make the personal data transferred to it available to certain United States authorities, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI).” He submitted that, since that data was “used in the context of various monitoring programmes in a manner incompatible with Articles 7, 8 and 47 of the Charter, the SCC Decision cannot justify the transfer of that data to the United States. In those circumstances, Mr Schrems asked the Commissioner to prohibit or suspend the transfer of his personal data to Facebook Inc.”

Data privacy is a legitimate national security concern. But you don’t have to own a company such as LinkedIn to have access to the data of LinkedIn. The personal data can be accessed, scraped and analyzed (well, some of it, at least) from anywhere in the world.

Right now it looks like TikTok will be shut down on Sunday. So get your fix of 15-second videos now. And if you are an internet lawyer, start writing …

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including those of Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.