Anton (Tony) Dahbura is co-director of the Johns Hopkins Institute for Assured Autonomy, the executive director of the Johns Hopkins University Information Security Institute, and an associate research scientist in computer science at the university’s Whiting School of Engineering. His research focuses on AI assurance, security, fault-tolerant computing, distributed systems, and testing.
He spoke recently about the potential for a TikTok ban in the U.S. The House, citing national security concerns, last week overwhelmingly passed a bill that could lead to a ban.
What should we know about the House of Representative’s recent vote on TikTok?
To summarize, the House passed a bill to force ByteDance, the parent company of TikTok, to either sell the company within six months or face the possibility that the app would be banned in the U.S.
The bill still has to pass the Senate and we’re hearing that ByteDance is considering the option of suing the government and letting the courts decide. They would bring in free speech as an argument to prevent this action by Congress.
What has been happening over the past several months is that multiple government agencies have asserted that TikTok and its parent company present a security problem for the United States in a couple of ways. One is by usurping user data, specifically location data to infer where users live, work, and who they associate with. Things like that. And secondly, that ByteDance is using its influence at the behest of the Chinese government to influence people’s feeds on TikTok and filter messages they don’t like. For instance, they don’t like messages that cast the Chinese government in a negative light and they seem to like the message that the U.S. economy is not doing well.
Do you think those are valid criticisms?
Yes and no. If those concerns are absolutely factual and there’s full transparency, those are things all Americans should be worried about, not just Americans who work for the government or the military. Critical infrastructure includes not only the kinds of things that we think about right away, like military installations, or power plants, but also things like food manufacturing and pharmaceutical and financial institutions.
That is really fertile ground for a foreign actor, especially the Chinese government, to get a hold of. To know that a certain person goes into a certain facility every day, that they have an email account, mobile device, and TikTok. All of that put together is a great formula for a foreign actor to target that person with a phishing attack or something similar.
But the issue I see is the government is being very cautious about the information it releases about TikTok. These concerns are being discussed behind closed doors and in classified meetings.
So that makes it a bit hard to tell if there’s reason to take drastic action. You have to read between the lines of what members of Congress who have been in these meetings are willing to say. Right now, I’m getting the impression that in these classified meetings, the federal agencies charged with monitoring TikTok are saying “despite everything we do, it’s in [the Chinese government’s] nature to keep dipping their hand in the cookie jar, getting user data, influencing the messages that go or don’t.”
To really be able to say one way or another if the ban is justified, the government is going to have to be much more transparent with this information. I’m a little bit on the fence given what Congresspeople said last week.
What kind of internet regulation would you like to see?
The problem is TikTok is, in a way, the tip of the iceberg. If it’s TikTok today, it’s commercially available drones tomorrow. We already know that Chinese-made drones have been doing nefarious things. There’s concerns about the data Chinese-made cars can collect.
It’s like a game of Whack-a-Mole and the U.S. doesn’t have a strong hammer because we don’t have federal privacy laws, unlike places like the E.U. That’s what technologists are really crying out for—that the U.S. needs a very strong set of privacy laws. We need something analogous to HIPAA, which protects medical data, for internet user data—something that defines what it is, who has access and who should have access to it, what we have control over, and what the penalties are for breaking those laws. Just for starters.
That’s a big gap that needs to be addressed. It could be several years before Congress does anything. These issues are just going to line themselves up as foreign actors take advantage of the weakness we have in the United States.