How Corporations and Big Tech Leave Our Data Exposed to Criminals, China, and Other Bad Actors

I. Key Observations and Assessments¹

Chairman Hawley, Ranking Member Whitehouse, distinguished members of the subcommittee, thank you for the opportunity to discuss a topic of critical importance to the United States. I want to begin with a few observations:

1. Americans face systemic risk when using platforms operating in or owned by companies in countries with a history of cyber espionage, forced tech transfer, and a lack of rule of law. Without the same system of checks and balances against misuse we have in the United States, U.S. citizens are at high risk for data exploitation via these platforms. In addition to an established precedent of IP theft and espionage against the United States, private Chinese technology companies’ ability to resist the Chinese government is highly circumscribed at best. This is due in part to the Chinese government’s deliberate blending of the public and private digital landscape through Article Seven of China’s 2017 National Intelligence Law, where Chinese organizations and citizens are compelled to cooperate with “state intelligence work.”² China’s much-examined 2017 Cybersecurity Law and subsequent updates also bolster this tactic.³ As public policy researchers noted last year, these laws “[entail] strict provisions requiring data to be housed inside China, as well as spot inspections and even black-box security audits.”⁴ If a company stores U.S. data overseas, that data may be subject to similar foreign legislation. “Country-agnostic” approaches (or, relatedly, vendor-neutral approaches to building out critical infrastructure like next generation wireless technology)—while rhetorically expedient—do not strike at the heart of these systemic issues.⁵
   
   Further, American lawmakers and citizens possess even less insight into the data security practices of foreign-owned technology companies than they do businesses in the United States. The lack of granularity provided on real-time data collection, levels of access, storage, server locations, and third-party partnerships present a national security risk. In the case of TikTok, David Carroll, writing in Quartz in May 2019, asserted that an earlier version of TikTok’s privacy policy allowed data on the app to be shared with "with any member or affiliate of [its] group" in China before the policy’s revision in February 2019.⁶ While TikTok claims to store its data in the United States as of today, its Beijing-headquartered parent company, ByteDance, is subject to the Chinese legislation noted above. In addition to this legislation, technical vulnerabilities in systems built and owned by Chinese companies abound. These can include much-discussed “backdoors” in code that would allow the Chinese government access to third party systems and security flaws hidden in a programming vulnerability, or “bugdoors”—flaws could even be introduced later via a software update.⁷
2. China is exporting its values embedded in the technology itself and legal frameworks to the world. Leaked documents from TikTok indicate the company censors content on Tiananmen Square and Tibetan independence, and possibly reporting on the Hong Kong protests and the imprisonment of approximately one million Uighurs in Xinjiang detention camps.⁸ Not only is China exporting technology, particularly AI-related surveillance tech, but the Chinese “party-state” is also transmitting the laws and policies that govern its use. For instance, Vietnamese officials were trained in and attempted to implement a cybersecurity law modeled after China’s version of the legislation in 2018. This draft law contained strict data storage provisions (which gives access to a government “task force”), a mandate to open offices in Vietnam if requested by Vietnam’s Public Security Ministry, and overarching definitions of content.⁹ It is also expanding that access through its legislation: China’s full “internet security plan,” encompassing a soon-to-be-implemented 2020 Foreign Investment Law, will no longer render foreign-owned companies in China exempt from the Cybersecurity Law.¹⁰ Effectively, any data on communications networks in China will be soon be subject to the Chinese Cybersecurity Bureau’s scrutiny, without requiring an official request. This ability to access more data from more sources lays the groundwork for its exploitation.¹¹
3. Private companies play an outsized role in this environment due to their sustained and unfettered access to a high volume and variety of personal data—behavioral and biometric—with high commercial value. A May 2019 survey indicated almost half (46%) of 18-24 year olds accept tech privacy agreements without reading a single word.¹² This bargain has led to private tech companies’ often overwhelming access to consumer data, such as when IBM scraped millions of photos from unwitting citizens using photo hosting site Flickr at the beginning of this year.¹³
4. The digital environment is growing more complex. The strategic intent of bad actors is increasingly difficult to delineate, and emerging technologies are exacerbating existing threats. Emerging technologies, particularly machine learning, will give malign actors the ability to turn data into insights. In addition, the strategic intent of nation-state actors, cybercriminals, and hacktivists is increasingly intertwined, heightening the chaotic nature of the landscape. Protecting the United States against these supercharged threats from various attack vectors will only get harder.
5. Solutions are overdue. If democratic societies do not establish the rules of the road for data security and privacy protections, authoritarians will do it for us. By next year alone, approximately 30 billion devices will be connected to the internet, and by 2025, almost five billion people will have access to the web.¹⁴ This amounts to a huge attack surface for cybercriminals, adversarial nation-states, and other bad actors to both wreak havoc and set their own standards.