Net neutrality has been in the news again recently with the latest FCC ruling in April of 2024. And today, in the United States at least, we're thinking through what this means for how we access information on the Internet going forward, especially in terms of social media.
And TikTok in particular has been top of mind for US government officials both elected and in more behind the scenes security roles. And in this episode, a returning guest, TJ Sayers, cybersecurity subject matter expert with the Center for Internet Security, joins us to talk about net neutrality and its implication for social media and specifically the national security concerns with TikTok.
My name is Philip Gervasi, and this is Telemetry Now.
Hey, TJ. Welcome back to the show. It's, it's good to see you and talk to you again.
Now this particular topic that we're talking about today, of course, is, it's a pretty heavy one. It can be divisive for some, especially in the tech community. I'm gonna say in particular in the networking community, but your background is not necessarily networking. It's much more broad technology and then specifically cybersecurity.
So as we get going today, can we get a little bit of your background and especially as it pertains to this subject?
Yeah. Sure. Thanks again for having me on, Phil.
Looking forward to the discussion.
This is gonna be a really interesting one, especially, you know, the topic and subject area with tie ins to some social media stuff. So I think it's gonna be really, really interesting.
My background, I'm currently the director of intelligence and incident response at the Center for Internet Security. So CIS is a cybersecurity non for profit, and they focus on best practices, industry standards for the cybersecurity industry.
My background is mostly in what we consider operations. So my current responsibilities are working within the digital forensics and incident response team, the cyber threat intelligence team, and also our red team.
Prior to coming to CIS, I spent some time, in the US military doing, similar work, and the two have kind of dovetailed nicely together, and brought me into both being able to do a an operation slash intel role, but also couple it with cyber. And I have always been a huge fan of both, so it's really, really a great opportunity, and I'm enjoying it.
Right. And net neutrality kind of is a broad topic, isn't necessarily the purview of the Center for Internet Security per se. But I have to imagine that the legislation, the FCC rulings, the entire broader discussion does relate to what you do either on a daily basis or maybe your approach to security. And as we're gonna discuss today, especially in the context of social media, information gathering, security in a broad level. Right?
Right. Right. Exactly. Yeah. So net neutrality is one of those things that there's proponents and opponents on the issue.
And it's also interesting because those opponents and proponents don't necessarily agree on all of the the substance, on either side either. And there are implications, you know, just in the general, you know, Internet landscape with Internet service providers. But there's also this really tangible element of national security, that is being brought up more recently, in the discussion that I think hasn't been as prescient in prior discussions with, the FCC and net neutrality in particular. And that's that's what's actually got my my big, interest, is on that national security side.
Right. Which is exactly why I wanted to talk to you today because, generally speaking, as far as my experience attending various tech events and things like that and the discussions that you see online, the the discussion is usually around just the access to information, freedom, the effects on society in general, American society, because net neutrality does pertain to the United States. Yep. And and the the concept or the idea of security isn't really discussed that much. And so this is the angle that I really wanted to explore with you today. And for our audience's sake, I do wanna stop and and just, make the point that we're not necessarily taking any sides here, for or against net neutrality.
Really, what we're doing is talking about what this is all about and what the effects how this relates to today's, or rather how we use social media today in the United States, and we are gonna bring up some specific social media platforms as well. So let me kick this off now, by asking why is net neutrality back in the news? And I'll just throw out an answer to get us going, TJ. Back in April, there was an FCC ruling, a three-two vote, three-to-two vote.
So it's in favor of adopting new net neutrality regulations. I'm gonna say new, but it's sort of going back to some regulations that we used to have, not quite a decade ago that were that were rescinded or repealed, whatever, overturned. And we're sort of going back to that. And I think the impetus here was that there were wireless Internet service providers, wireless providers, that were selectively speeding up or slowing down or even blocking users' Internet traffic, presumably, over the cell and and then by using their cell phones. So that's sort of where this started and this new discussion in the spring of twenty twenty four, ultimately paving the way for kind of a new discussion about the entire broadband industry as a whole and and how service providers, interact with society in general. Right? So, you know, what what is net neutrality then from a broad concept without getting into the specifics necessarily, TJ?
Yeah. Sure. So I I think broadly, it's this notion that Internet traffic generally should be treated equally by the breadth of Internet service providers out there, irrespective of what the traffic is, where it's coming from, what type of traffic it is, and basically just treating it equally.
So it kind of alludes to this idea that, you know, ISPs would not be able to prioritize good or bad content. They wouldn't necessarily be able to block certain content, or slow down certain data streams and services depending upon that type of content.
But as you well noted, this is a highly debated topic, and even some of those those finer points of controlling Internet traffic and making sure it's all treated equally comes with its own arguments, pro and cons. And I will also allude to, given that this is largely gonna be an FCC ruling. Right?
They would say that it is to, you know, quote, ensure open and fair Internet, where providers treat all online content and applications equally and without bias.
So it kind of looks at broadband, right, Internet access as an essential critical service, kind of like electricity, water, things like that. So it's putting it on the same standard, of criticality and and basic necessity in the society that that we're in.
So I think that kinda covers the basics of of what it is, and then we can get on to the to the nuances of it as well. Yeah.
Right. And there are nuances, but that's that that brings me to my first point, which is indeed a nuance of this entire entire conversation.
When you say ISPs treating all, network activity and content and applications equally, we're talking about only, that which I guess we can identify as legal content, legal applications. Right? Or is this really a blanket statement to anything that somebody puts on the Internet?
So there's already laws on the books as it were that enable control of illegal illegal or illicit content.
So lots of things like drug sales, child pornography, things like that are already controlled, and there's already ways for them to control that type of information. So this is kind of looking more, not so much at the legality of the traffic. It's looking more at the accessibility of legitimate traffic.
Okay. And then by legitimate, though, there's then even nuance within that. We took a first step, and we differentiated between legal and illegal. So clearly, child pornography, illegal, drug sales, and things like illegal drug sales, I should say, illegal.
But all the various social media and websites and anything that's not in the bucket of legal or rather illegal is therefore okay.
But there's nuance in there as well. I mean, coming from your background, now we're starting to broach the subject of, is this a security concern? Is this, a danger to society, to American society? Who gets to decide that actually? Is it is it the FCC?
So, ultimately, that's one of the pinnacle points that I think the FCC is putting forward here, is that net neutrality would give them additional tools to fight back against, for instance, adversaries that were identified in US infrastructure.
It would enable them to, you know, essentially have a better, better resources, better insight, into trying to protect our Internet infrastructure from what we very well know is happening from foreign adversaries, from cybercriminal groups, basically permeating US infrastructure, Internet service providers, things like that to try to get access to the American consumer.
So it'd be very similar in their disposition of how they've kind of designated other things as being critical services or even potentially critical infrastructure.
It gives them different, authorities and different abilities to actually come into that process and try to, from their perspective, secure, that access and make it accessible again. Like, there's a notion of accessibility to all at an equal level. So that's one of the biggest things again, this idea of the security component.
And that's where we see a lot of the the discussion around this topic, you know, with China and Russia and some other, you know, near peer, superpowers.
We're seeing a lot of cybersecurity related, news out there where they are getting into certain elements of telecommunications infrastructure.
They're getting into other elements of of critical infrastructure in the US, and I think that there's more push on the FCC to try to, address that. And from their perspective, right, right or wrong, really, we're not taking sides here, they see net neutrality as a as a critical step towards having some type of national standard and the national ability to better protect Americans consumers from those aggressions.
I see. As opposed to individual service providers sort of making their own decisions on an application or service by service basis or geographic area by geographic basis. Right?
Right. Right.
Right. Okay. And by ISPs, perhaps this is a moot point, but for anyone not in the US, ISPs, unless I I'm mistaken and there are a couple of exceptions, are private entities. Though they are, certainly very important for American society at large and for, our culture, They are private entities as opposed to, like, municipal services like my local town water service or water supply, whatever it's called, or local fire department or those kind of services where we say these are necessary.
The power company sort of almost though private in many instances, it's a paragovernment organization in that it works very closely hand in hand with the government. ISP is that's not the case necessarily, but maybe we're inching in that direction. I remember that being a conversation, really, when I started to get into, not tech per se, but when I was starting to get into networking about fifteen years ago, that was very much a a topic of conversation in a lot of the after conference, having a drink at the bar kind of situation.
Is, Internet access a a commodity and therefore, should be free and accessible to all.
Right.
In any case, rather than go down that road, TJ, how did we get here? Here we are talking about a recent three to two vote that the FCC made in in the spring of twenty twenty four. But what were some, I guess, notable FCC rulings, legislations, things that have occurred over the decades that got us to this point?
Yeah. So we could start in I guess, go back go really far back to nineteen ninety six with the telecommunications act. Right? So this was essentially the the first major overhaul of telecommunications law, you know, in the sixty years that it's been around to that point, and it kinda laid the groundwork for the modern Internet.
That kind of in many ways is a moment of history that's looked back upon, that, again, has kinda laid the foundation and the groundwork for where we're presently at.
So it Right. That essentially aims to deregulate, the broadcasting market and include certain provisions for Internet service, though it didn't expressly address this notion of net neutrality. And it certainly didn't didn't talk about it in terms of national security and and public safety, the way that the FCC and and and others are are talking about net neutrality today.
Okay.
There's many other pinnacle points, like, throughout history, and we can quickly go through them. And feel free if you you have additional ones to add in there. But, I mean, it goes back again to it's sort of an administrative, US administration type of thing too. You'll see that as we go through the history that certain administrations were very for net neutrality, and then other administrations were not for net neutrality. And so we'll start in two thousand four.
The first FCC chair that president Bush had in place, challenged the broadband network industry basically to, quote, unquote, preserve Internet freedoms. And, in two thousand five, the SEC then further issued a policy statement, which essentially affirmed open open Internet principles.
And then there was kind of a lull for three years, until we hit two thousand eight when president Bush's second FCC chair began to try and enforce these principles under that two thousand five affirmation.
And it was basically around talking about some specific Internet service provider. So, enforcing the principles began with Comcast, and and it was a a quote here where they said unduly squelching the dynamic benefits of an open and accessible Internet.
Mhmm. So two thousand ten comes along, and there's the open Internet order. The FCC adopts this order to establish some basic, again, this notion of net neutrality principles, things like preventing ISPs from blocking lawful content. Right? Here's this idea of lawful versus, unlawful content again. But the order was overturned, partly by a DC Circuit Court. So two thousand fourteen, three years three or four years later, DC Circuit overturns the two thousand ten rules in a Verizon versus FCC case on the grounds that the rules were basically only grounded in the authority granted by a specific section, section seven zero six of the act, and it was not also title two, which is in the news now as title two.
Jumping forward to two thousand sixteen, DC circuit court affirms, additional rulings that were made in two thousand fifteen, and then two thousand sixteen, excuse me, seventeen rolls around, which was the beginning of a new administration. And they essentially repealed the two thousand fifteen open Internet order, which reclassified broadband Internet as an information service under title one of the communications act.
There was a lot of really interesting rules rulings that happened around this time.
Several, what they would term as violations were studied, for this two thousand seventeen repeal. And, basically, those were YouTube and Netflix, were suspected of slow, were slowed by, suspected of being slowed by wireless carriers.
And you were using a fraction of the available speed. The second was Verizon's throttling of services affected the Santa Clara County Fire Department's ability to provide emergency services during the California wildfires. And then the set, the third, element was, again, Comcast.
It's noted.
And and people listening can see a lot of this information on the FCC's website. They they document some of the history here.
But this last one is Comcast introduced new speed limits where videos would be throttled to four eighty p on mobile plans unless customers paid extra.
So, again, kinda getting at this availability aspect and throttling certain content for, maybe large organizations that are willing to pay more for that premium bandwidth, whereas maybe average consumers, will have to pay additional to bump up their mobile plan to get better audio or video or things like that.
And then couple other highlights here. So two thousand eighteen, after that change of administration, the FCC abdicated the open Internet rules and the authority over the Internet, which is this net neutrality concept.
And then twenty twenty rolls along.
California actually institutes their own net neutrality law, and that goes into effect with other some other state laws and orders.
And then, administration changes, again, beginning to happen. And in twenty twenty three, the current chair of the FCC proposes to essentially reclassify broadband, So reintroducing this idea of net neutrality, and that's what's kind of got it into the to the news in present day.
Okay. Yeah. There's a lot there. It does seem like it's been contentious going back and forth over, over the years, especially since the late nineties. I don't remember that in nineteen ninety six personally other than my research for this podcast, but I don't remember it. I was in high school at the time. But I do remember, in two thousand sixteen, two thousand seventeen when there was a repeal of some of the components of net neutrality.
And, there was an there was an outcry, among among some that, you know, we're gonna end up with ISPs offering certain packages of you can purchase access to Facebook, TikTok, and well, maybe there wasn't TikTok at the time, but Facebook, YouTube, and whatever whatever platforms and and and Netflix, and you can buy it as a package, which I do believe some other countries around the world do right now, ISPs in other countries. But there was an outcry for that, that we're not gonna just have open access to information in the Internet. Now one of the things that you mentioned is that there was a throttling of the actual quality of video.
So there wasn't a a complete restriction of access. It was just a throttling down to four eighty p unless you pay more for, presumably HD service. So what is interest it is interesting to me that it is it it is indeed very nuanced. What what what is access?
And I guess that's a discussion for the lawyers and some of the philosophers.
Well, I say that, but it is a discussion for us as well working in technology and and figuring this stuff out. So let's talk about some of the implications, maybe some of the concerns for those Sure. Yeah. For those of us in technology, for sure, but really for, for our society in general.
I mean, what what are those that are proponents of that are for net neutrality, say? What are their arguments?
Yeah. Yeah.
So one actually, hearkening back real quick. So TikTok, it's interesting.
They they were founded in September of, I think, two thousand sixteen.
They were just not very well known, and there was a, I think it was just a Chinese variant at the time called Douyin, and the American TikTok didn't really become popular until recent years. So you are spot on, naming TikTok there.
Implications and concerns. So maybe it would be helpful to kinda give, like, a compare and contrast here, and then maybe we'll jump into, like, the specifics of some of the positive implications and what those folks think and then the other side. So, those who are generally for net neutrality would say something like, you know, an ISP can't filter or throttle content without a court order. Right?
So those would be the folks saying, you know, that's that's the idea here of net neutrality is they can't filter or throttle any content unless they're authorized by a court. Those against net neutrality would say, well, not everyone needs the same speeds. Right? So this idea that, like, in order for the consumer to get, you know, really good Netflix quality or to be able to render videos on YouTube really quickly, Netflix and YouTube may need additional bandwidth. Right? So, an ISP may need to boost or throttle content in order to cater to those services, which also has a consumer benefit.
Those for net neutrality would also say something like freedom of information exchange. Right?
That net neutrality will enable freedom of information exchange.
Those against net neutrality would say, well, freedom of information exchange already exists, and they would then try to challenge those who are proponents of net neutrality to give examples of where has information exchange been impacted in terms of accessibility. If it's illegal content and it's out there in the Internet, what are what are some use cases of where that would happen?
And they you know, proponents of of net neutrality may hearken back to those two thousand seventeen repeal efforts, right, that that were noted with YouTube and Netflix and Verizon, in Santa Clara, County and the Comcast stuff with mobile plans.
But, again, it's a it's a highly contentious issue, and and I just wanna reaffirm as we continue to go through this that it's proponents and and opponents to net neutrality don't even agree in in in in their own side. There's a lot of nuance that I don't even think we'll have time to get into on on each side of this, but these are just kinda general concepts of of where we're at.
So, again, people for net neutrality would say net neutrality is gonna promote competition and innovation. Right? So this idea that the small guys who may not get the bandwidth that a YouTube or a Google or something like that gets will also be able to compete in the marketplace because everybody's gonna have the same accessibility and same speeds.
People who are against net neutrality would say the same exact thing, but on the contrary, they'd say, well, it actually reduces competition and innovation. Right? Because it's it's not gonna be, you know, it's not gonna be an incentive maybe for Internet service providers to expand their their, you know, their their accessibility in rural areas and whatnot because it may cost them more to provide that service, and they're not having those costs offset by some of the higher paying companies out there who are paying more for extra bandwidth and whatnot.
And it may actually stifle, competition and innovation. So it's again, this is a good example because you can see both sides want competition and innovation, but they take completely contrarian viewpoints to to those two things.
They also, for those who are for net neutrality, would say things like pricing and and access should be all the same.
Mhmm. Those who are against net neutrality may say something like, well, those who are paying, like, using an enormous amount of bandwidth, they should pay their fair share. Right? They they should pay more when they're using more. Right? So, again, comes down to consumer versus, like, commercial companies, how much bandwidth is being used, and it's it's really not a clear cut black and and white type of debate here.
There's also the the security aspect.
And when we talk about security as you well know, Phil, it's it's always a trade off between security and privacy.
Right? And that's in any any situation, you have to give up more than likely a little bit of privacy to have better security.
So maybe that's cameras you put up. Right? That's less privacy that you have.
Certain filters and things that you put on Internet traffic that may lead to you having less accessibility to certain things or whatnot. Right? There's always this implication that the more privacy you have, maybe the less secure you are, the more security you have, the less privacy you have. But it's not a perfect parallel, but, those who are for net neutrality would say security is paramount.
Right? It's kind of the FCC's point there that, you know, we're facing an incredibly sophisticated and dynamic threat environment more so than we ever have in our history, and the US is a massive target for, you know, cybersecurity intrusions, everything from cyber criminal activity to advanced nation states, or what we would term as state affiliated cyber threat actors. Right? So security is paramount.
Those who are against net neutrality, what do you think they argue? They still say, well, privacy is paramount.
That's the number one concern we should be focused on is is privacy.
And really, when you look at the companies that are out there, they they tend to kinda be, mostly, taking one side or the other even though it is a nuanced, discussion. So those who typically have come out, and some of them have changed their positions. But, historically, those who have been for net neutrality were, like, Amazon, eBay, Google, Microsoft, and Yahoo are pretty prime examples of of references for companies that have come out and made public statements.
And then those who are against net neutrality are more so in that Internet service provider space. Right? So the AT&Ts Right. Comcast, the Verizons, things like that. And, again, that's why it's a hotly contested debate as well because there's private sector companies on both sides of the spectrum that have their bottom line, you know, on view. And they may be interested in the security and privacy implications, but there's also that element of, you know, they're out to support a particular side potentially because they wanna sustain their business, promote growth of their business, and whatnot. Sure.
So Yeah.
Yeah. We've touched on some things like equal access to information for the population in general. So that's not necessarily an ecommerce or a free market thing. But it is a it is a thing that that directly affects a a a populace as a society's ability to, have information for whatever they're they're thinking through as far as politics and, trends in society and even things with regard to ethics and morality.
We've also touched on, like, things, affecting business and and, the free market or the pseudo free market that we have in the United States wherein private companies can make choices and that there is fair competition. But all of these things, you know, withstanding, there is still regardless of where you fall on the issue, and and as you said, TJ, even on both camps, there is significant disagreement within each camp. So regardless of that, you know, so put putting that aside, there are implications to security that we have to deal with, that we have to think about, whether we, are for or against new net neutrality or we have some kind of in between idea that blends, some of the the bullet points that that TJ went through.
So let's focus in on that now, TJ, if we can. I wanna focus in on social media for a couple of reasons. One, I have teenage kids, and social media is a big part of our lives, and for me as a dad, managing the access and the use of social media is a big part of our life, for me personally as well. But it's also a a very big part of our culture today.
Partly how some or maybe completely how some get their news and information altogether. That is their primary mechanism for news information. So so social media is not just entertainment.
And I I don't think I'm taking the position. I'm just observing here. It is a it is a tool that people use today, whether we like it or not, whether whether we want to believe it or not, that people use for news. And and they use that to to vote in in the next election or to make a decision about all the way under the local dog catcher. Right? So I'm gonna start off by asking, is all social media is it to you just content, information?
Is it just, you know, that that kind of an entertainment quality, and therefore, people should be able to access it freely or maybe not should be able to access it freely? Or is it more complex than that?
Well, social media, generally speaking, I think is a pretty complex topic, for many of the reasons you just outlined. Right? It's not it's not just for entertainment.
It's it's used for a variety of other things, connecting with family, communicating, you know, with speed across the world with colleagues, friends, family.
As you noted very aptly, social media is one of those, outlets that is now one of the predominant ways, if not the leading number one way, that people consume, news, that they are finding things, in the marketplace to buy.
So it's it's more than just this traditional idea of social media being a way for people to interact with one another, and just chat. Right? Where the Facebook you used to get on Facebook and, you know, you have your friends and you have a little bit about yourself and you just have a, like, a friend network.
Social media companies have very effectively kind of enveloped a lot of other elements of of daily life into these social media platforms. And so it can sometimes be a one stop shop, for a lot of the things that people are doing. Right? You can, you know, buy things through some of the social media, marketplaces.
You can post stuff about, you know, your company. You can, you know, put agendas on there. You can talk to people. You I mean, it's it's pretty much endless, what you can do on some of these platforms now.
So trying to assess certain elements, like, where we get into some of the national security concerns where these platforms may be exploited, for malicious purposes to access the consumers on those social media platforms, I think is where it gets into that really deep complexity of, like, how free of access should, you know, nations have in particular, like governments have in some of these platforms without restrictions being placed, on them. And I think that's really where the debate is today. Right? It's mostly on you have these social media platforms that billions and billions of people are on them, including in the US.
You're getting most of your news from these applications. You're doing a lot on these applications. Some of them are installed. If not, most of them are installed on users' phones, and users' phones have endless data about them.
It's connected to a bunch of other apps on their phone. So it's really like a really, close microscope.
It can be a close microscope into the life of these users, given that it's on their phone. What happens when you have a foreign a foreign adversary, right, to the US who's running a social media application, and they don't have the best intent of the American consumer or the American citizens using that application.
Right? That's where we get into the weird nuance of, like, well, should that access be restricted? Should it not be restricted? How do you inform the population that that's happening? There are certain things that you you may know about, right, because you've done an investigation, but it's confidential in information, and it can't really be made public. But it's it's has grave implications for security and privacy for the American consumer.
So I guess in a very long winded way, yes, it's extremely complex. And whether or not access should be free, I think comes down to a lot of these elements, public safety, national security, the free market, and all these things are really, really intertwined. And it's it's not an easy, yes or no answer. It's a very much a it depends.
Yeah. Yeah. As as most things in tech. Not to mention that we are, very much in the tech world, especially well, I guess it's safe to say that all of us, whether we work in tech or not, are in the tech world, you know, with the multiple devices that we run, both at home and and on our person.
We are we are much more globally connected. So it's I think it's, shortsighted to say, well, it's just, applicable to to us here in the United States accessing applications that are sitting here in the United States when we when we both know that's not true. The reality is that half of the stuff that we're looking at is coming out of, like, AWS is, like, Europe region or something like that. And, you know, we have to think about things like GDPR and think about things like Right. Data sovereignty and all these other types of things.
Right.
But there is a tension here between, we want, equal and open and easy access to information for all Americans because social media does provide, again, whether we like it or not, an avenue for information that helps them make, important decisions about their lives, about, elections and, family and all these things. So so okay. We got that. However, it is therefore also a primary attack vector for some very malicious actors, many of which are not within the United States at all. Therefore, elevating the concern beyond just, you know, a a perhaps a financially motivated attack to, like you were talking about, national security issues.
That's tough. How do we how do we how do we balance that so that way we are providing, correct type and amount of security and and, protective measures while still providing that freedom to information, and access to the information ultimately. I mean, it's not necessarily information per se, but it's the access to it that we're we're talking about here with with net neutrality. Right.
So so could could net without without net neutrality policies in place, right, could an ISP, a service provider, then throttle one social media platform and then maybe not another? Or maybe just choose to block one social media, platform unless you pay them a certain amount of premium or something like that?
Again, this I think this gets back to, you know, this the hotly contested, you know, theory behind, net neutrality and and some of its implications. And I guess in theory, yes. Yep. Whether or not that would that would actually become something we saw, saw, in the social media space, I I think is is where the contested part is. Right?
So Yeah. I don't think there's an easy answer to that one. But I I concur completely with your your, you know, former statements on on access to things. I think that's one of the pinnacles of of, American culture in particular is the the freedom of access to information and the freedoms generally that we enjoy.
And so those should always be, coupled and and balanced against when, things like national security come up. And it it's Yeah. Clearly not an easy thing. Right? And and I think you mentioned TikTok earlier.
TikTok in particular is is bringing this to the forefront right now as as as we speak.
TikTok has become a national security issue.
And it's one of those issues too, right, where this balance of the free and fair and equal access for all Americans to use TikTok juxtaposed and balanced and even buttressed up against this idea of TikTok being, what everybody in government basically.
It's very bipartisan. Both Democrats and Republicans are are are kind of in agreement on this that it is a national security threat.
And so, you know, we're we're in unprecedented, times in this in this respect.
And I think, you know, this this is this is gonna be something interesting to see that is it within the bounds of of the US government to, limit access to, a foreign social media platform.
And we'll see what congress ultimately decides and, you know, it looks like it it's passed and it's been signed, and we'll see what the outputting of that is. But it is a very bipartisan thing. And, typically, by the polling that's been out there, the American population is does consider TikTok a pretty serious security concern.
So we'll see, we'll see what happens. And I think it will be it's both unprecedented the time that we're in, but I think this is gonna be precedent setting.
And I think the crux here, that kind of is really important to to to balance is that this, law or this this, legislation that was passed, it's not TikTok specifically that is on the line here. It's access to TikTok is predicated on the ownership of TikTok not being the Chinese Communist Party.
That's that's the notion here. That's kind of really driving this conversation. It's not that, the law, if passed in which I I I should clarify, it has passed and has been signed, but if the outputting of this law results in TikTok no longer being accessible in the US, the reason for that is is according to to the bipartisan discussions is that it's not necessarily the application itself. It's who owns the application and what they're doing with that data.
Understood.
Okay. If they divest, if TikTok and the Chinese ownership divest from it and it's acquired and it's a US based, entity, TikTok will still be available.
It just will not be available with the ownership that it currently has. So I think that's interesting element there. Right? Because it's different from the Facebooks or the Twitters or all these other social media applications that are out there is because a lot of them that US, users use are are American based. So however this works out, it won't have direct implication to, those US American, US or American social media companies.
Right.
And and, again, for the audience's sake, make no mistake that my question wasn't can ISPs in the sense of do they have the ability to block access or throttle to a particular social media platform? Of course, they do.
Right.
You know, I've having worked in networking for fifteen years or more and, and then working where I do now, it's very easy to accidentally leak some prefixes in, you know, in BGP and then block an entire country's access to Facebook. It's happened many times. It's been in the news. Well, I said accidentally.
It's just as easy to do it, with malicious intent as well. It's not that difficult for ISPs to from a technical perspective, block access, throttle access, whatever it happens to be. Right. What we're talking about here is the government instructing ISPs to indeed block access, and so from a policy and an administrative standpoint is what we're discussing here.
Right?
Right. Right. Exactly. Yep.
So, why why TikTok? Why is TikTok a concern? We've talked about this once before. In fact, it was almost a year ago to the day, actually, TJ, which is funny.
I I was in London at the time, and we were I was recording from the hotel. And we were we were discussing TikTok, and here we are. And I I really do believe it's the same week. But why is TikTok specifically now I I mean, you already let the cat out of the bag a little bit that it is Chinese owned. Mhmm. Well well, who cares? What does that what does that mean?
Yeah. So I I I think this is kind of what undergirds and and lays the foundation for why TikTok is being treated so differently, from other social media companies out there. Because with the exception of a few instances, that have been documented and reported on, it, by and large, collects similar information to what a lot of other social media applications do.
But there's a there's an intent element to this, and there's also a legal element to it. So I'll start with the legal element, and it's particularly comes down to what's called the national intelligence law of the People's Republic of China.
So being a Chinese owned application, specifically via ByteDance, which is the parent company, this national intelligence law in China has two articles in it that are are hotly contested and, give authorities to the Chinese Communist Party, the ruling party in China, legal grounds to do certain things with Chinese owned companies. So article seven basically compels Chinese owned businesses that are registered or operating in China to hand over information to Chinese intelligence agencies.
And not just to hand it over, but they have to actively conceal the fact that they're doing this.
So this is basically the polar opposite of a lot of the executive orders and statutes that govern US intelligence law. Right? There's enormous restrictions on what can be collected on US persons, everything from US citizens to people who've been in the country for a certain amount of times, to people who are here on visas, to companies that are incorporated, in the US or outside the US that have more than a certain percentage of American persons in the same way that China is going to do it. Right?
Mhmm. So this idea, right, that you have this application TikTok, that is could be compelled under this article of the national intelligence law is of great concern. Right? And there's article seven ten as well, which is it basically makes this forcing mechanism, this legal forcing mechanism for Chinese companies to hand over information to Chinese intelligence agencies and to conceal that they do so, it makes it extraterritorial, meaning that it has implications for not just Chinese businesses that are operating within the borders of China or are registered within the borders of China.
It also applies to Chinese businesses that are operating overseas.
So you could have a Chinese owned company that's incorporated in, like, another country. Right? They a lot of times, you'll see this with international companies. They'll have, like, their headquarters or they'll have certain locations all around the world. And even though they may not have been founded there or whatnot, they may have a headquarters in another country. This is very similar to actually what what TikTok does. Those organizations are still compelled to hand over data even when operating in foreign jurisdictions.
So that's the law element. Right?
Is that this organization, TikTok and TikTok, I should say, this is they're in the news, and this particular software is in the news, but it it applies unilaterally across all all incorporated organizations in in China. Chinese businesses are compelled by this law. And then you get down to the to the intent side. So that second, big element is you read every single public intelligence report, every statement from intelligence agencies all the way from the, you know, ODNI, the FBI, the CIA, etcetera.
They named China, specifically the Chinese Communist Party, the ruling party in China, as the US's number one geopolitical adversary and that they do not have US consumers' best interest in mind. So with those two things kinda coupled together with the the malintent and the ability for the PRC, to get access to the data in this application, there's a lot of concern from a national security perspective. And basic notion bipartisan notion is that the amount of data that that is getting collected on TikTok, on US users is not being used and will not be used in the future for good purposes.
It can only be I see.
For the detriment of US consumers.
Can we can we get into that? And feel free to get as technical as you like. I'd really like to understand more clearly what is going on with TikTok specifically that some, that our government itself and you mentioned several three letter agencies would consider it a security concern, a security issue for America?
Yeah. Sure. So I'll I'll just run through some some information Sure. Absolutely. That would, yeah, get covered by by TikTok or captured by TikTok.
So, again, as we go through this and as you listen, think the organization that is collecting this information could be compelled by the US's number one adversary on US persons, and leverage this information, for intelligence initiatives, and the collection of it and use of it is obfuscated by the company. Right? So for TikTok device data, right, they collect enormous amount of device data. So the name of the device, the make and model of the device, certain hardware specifications.
Right? So what's the CPU? What's its processing power? What version number is it? Things like that.
Right? The time zone, the location of the device, potentially other applications that are installed. It may look at contact lists, not just for your phone, but there's been certain, reports that it tries to pull contact lists from other applications on the phone as well.
There's also more granular, identity concerns. So for every mobile device, you have a international mobile equipment identifier, which is basically it's assigned. It's a unique number that's assigned to every phone, and it's usually printed on the inside of the phone behind the battery pack if you were to take your phone apart. It's a fifteen digit mean the, the IMEI. Correct? Correct.
Right. Oh, okay. I never actually heard the the the entire thing spelled out like that. But Yeah.
Yeah. Okay. So it's it's yeah. It's that fifteen digit, you know, string. That's the IMEI.
So the phone maker makers basically allocate this unique number, to every phone. So it's highly unique.
You also have the international mobile subscriber identifier, so or IMSI.
So telecommunication companies basically assign this number to the SIM card. So it used to be a physical SIM card that you could take out of the phone. Now it's an eSIM, which is a it's you can't really take it out, same principle. But it's it's assigned to the phone. It's another fifteen digit number.
Not always that long, but, again, it's just a a string that's unique. And it identifies, like, the subscriber's country, their network that they're on, other information related to the SIM card, like, maybe at the the type of SIM card and whatnot.
And that one in particular is a problem when it comes to data collection because that can follow you from phone to phone. So the IMEI typically is specific to the device. So if you get a new phone, it won't necessarily follow you, but the IMSI could follow you. So if you go get a new phone, you pop in your SIM card from your other phone or your eSIM is transferred, that could follow you from phone to phone.
Right? So there's been instances where you're able to see, like, one user is using this application. Right? And they realize maybe they're being tracked.
Maybe they're a political dissident, maybe they're a, a minority group that's persecuted in a particular country, right, and they're being tracked for those reasons. There's been instances where you can see they will get a new phone and the tracking persists because it's getting tied to this IMSI number. There's also a whole bunch of network data that's collected. So, obviously, your IP address, your location via GPS, tagging of images.
So a lot of users will upload images, and they don't realize there's geotagging happening there. The cellular and Wi-Fi information associated with your device. So if you're connected to your home Wi-Fi, if you're connected to a Starbucks Wi-Fi or whatnot, if you're on 5G or 4G or 5G wideband, or, you know, 4G LTE, it it collects all that information. And, again, it could be very unique to you and your cell carrier in your specific phone number.
So that's, like, kind of the software and network and hardware related stuff that that that can get scooped up.
Mhmm. There's also every interaction that users have with the, application, so with respect to TikTok.
So, like, the name, the email, the date of birth that you use to sign up for the application, how long you spend on the application. Right? Are you scrolling most of the time? How fast are you scrolling?
Where is your finger placement on the screen? You know, do you pause at certain places? Like, what time of day were you using it? If you pause, did you view something? How long did you view it? Did you, like, skip around the video?
Did you watch the whole thing? Did you only watch half of it? You know, did you immediately, like, back out of the video because it wasn't what you wanted to click on and then you went into another one? Maybe you watched the video, like, several times.
That's really, really interesting why you would watch one video several times and other videos maybe only for a couple seconds or for half the time.
Things like, did you pause?
Right? Did you take any snapshots with your phone? Did you like, comment, suggest, or share the content with anybody?
All of this stuff is scooped up by the algorithm, right, that's used for whatever respective social media application. But TikTok in particular is really, really aggressive.
And it's not just aggressive in the the things that we just discussed. It's aggressive to the degree that it is also trying to obfuscate how much it collects.
So there's been some reverse engineering that's been attempted on TikTok, and you you'd basically have to go through and reverse every library to figure out the extent of the data collection that's happening with TikTok.
And that's important. What and that's really important because you get to this element of TikTok can be compelled under this national intelligence law in China to hand over government to Chinese intelligence agencies and also conceal the fact that they're doing so. Right? So that obfuscation is really important, especially especially if you're trying to, you know, get into the American market and there's American consumers using your application. That's gonna be a really serious both security and a massive privacy concern for US consumers, and it's gonna get the attention of the federal government, right, if that's happening. And that's kind of where, TikTok has kinda come and why they're they're really largely in the news, today.
Right. I get that from a privacy perspective. And and I have to assume that that's that that, US based social media companies are doing similar activities and collecting information. But isn't that generally to improve the user experience and to make it more sticky so they can make more money and not necessarily for nefarious purposes? Although, I will say, that some might consider what I just mentioned as nefarious purposes. But that aside, is TikTok using that information for specifically, the for for some sort of malicious intent beyond just making their app better, more sticky, and making more money?
Right. Yeah. So you make an excellent point. Most social media companies out there collect similar things, and they collect it because they want to make your user experience better. Right?
Yeah. On the side of TikTok, that may be the case in some instances. Right? TikTok does wanna make money.
They wanna have a big market. But what happens when according to the National Intelligence Law, the CCP, the Chinese Communist Party, steps in and says, I want you to collect this specific information on these individuals, and they wanna then go use that information for extortion, or they wanna target a subset of the US population with certain news or they wanna control a narrative around a certain policy or something like that. Right? That gets into much more sticky territory.
You also have concerns, right, where because of the control over the application and the forcing mechanisms that are legally compelled in China, modifications can be made to TikTok without the consumer's knowledge, and TikTok is compelled to obfuscate those changes. So it could be something like changing the application from just being a social media application to actually becoming an application through which China's able to spy on a particular user. Right?
It also you gotta think all of this information in aggregate. When you analyze it, you can kind of boil it down. It can map out a particular personality type. It can Sure. Help map out, like, proclivities that certain people have, certain things they like and don't like.
Right? And so it it becomes much more of a concern of a psychological operation rather than they're just trying to serve you content for entertainment or to be able to sell you things, better. It turns into this concern of, like, could users on TikTok be intentionally manipulated psychologically for a Chinese intelligence, purpose. Right?
And and it's a great it it is a concern because there's there's been hints of of stuff like this happening, right, where certain narratives have been banned on the platform.
There are certain groups like the the Uighur Muslim population in China, that has been targeted.
So there there's, like, a lot of smoke, there's known obfuscation with the platform, and there's known ties between TikTok and the Chinese intelligence agencies both through the compelling of that law, but also people who work at TikTok are highly affiliated with Chinese intelligence. Right? So you have this really close knit relationship beyond just the law that is that is a concern.
Right. It does beg the question. If, net neutrality applies, broad, wide, and deep, and all, Americans have access to any, platforms and applications and services, great. But are those applications and services and companies, social media platforms in particular, are they doing their own internal, internal processes of deplatforming and silencing certain narratives like you said. So there is that that's still part of it. This is this is significantly more complex than just does have every everyone have access.
Yeah. And I'll throw out there. And yeah, I'll quickly throw out there too, Phil. I mean, people can can go look this up, but there's there's two there's two different app variants, right, of TikTok.
Tik everyone knows TikTok because it's the American name for the application, and that's the one that's available in the US. Yep. But we talked about earlier Douyin, d o u y n. That's the Chinese variant.
And you will see a lot of reporting of how those two platforms, TikTok and Douyin, both owned by the same company, are are deployed much differently.
And some examples are there's, like, time limits and constraints that they put on use of the platform for young users. So very young users are not typically allowed to use the application all day long. The algorithm that's used in Douyin is very focused on, like, science, technology, medicine, being an astronaut, like, all of these fields that China's trying to gain dominance in, right, and compete directly with the US. That's the type of stuff that they're trying to get that Chinese population to consume in the application.
Right? So they're catering content via that algorithm to try to bolster interest in certain areas in that that demographic. Right? The TikTok version, you don't see that.
You see things like unfortunately, there's been reports of, like, particularly with with young audiences and particularly young girls, videos that will lead to self harm proclivities, to feeling, like a extreme lack of confidence, just Sure. Mindless entertainment that is designed not designed basically to try to encourage American consumers to get into STEM fields. Right? It's it's, again, that psychological element, that is a really big concern, and it's the ability to narratives.
It's the ability to impact the consumer so directly like that.
That that is is something I think that that if folks are using the application should be should be informed of.
Yeah. Yeah. And the real heart of the matter here with regard to net neutrality and TikTok is that, well, one, TikTok is not illegal. Maybe it will be. Yep.
And net neutrality promising, full and open and easy access to information is one thing, but TikTok posing a national security concern is another. And and therein lies the tension and the dilemma with with, net neutrality, again, regardless of the the which camp you are in and, how it affects Americans' use of specifically TikTok. Perhaps social media more broadly, but I think it's clear TikTok in particular is is, is both an interesting and serious concern.
Yeah. Yep. Yeah. And it's like you can give, like, a, you know, a non technology example.
You know? Like, you may feel comfortable giving your bank your financial information, but do you feel comfortable giving your financial information to an unsavory, you know, individual who may go and commit identity theft? Right? So it's it it gets like you may use certain social media applications freely, and you're giving a lot of the same information.
But the intent behind that that company is to make it a better experience for you and to to try to, you know, cater the application to your to your likes, not necessarily for your your for harm to come your way. Same thing for, like, health care information. You're gonna freely give health care related details to your doctor. You don't wanna go give that to someone who's not in health care or who doesn't have your best intent in mind.
Right? So it's a calculated decision that you have to make, and that's why this is a really nuanced thing because, yes, a lot of social media companies generally collect similar information, but the bipartisan stance in, you know, congress and across the intel community is basically that the intent here is not for US consumers' benefit. It's to their detriment, in the short and long term Right. In particular with TikTok.
And a lot of that, decision making is done, unfortunately. I say unfortunately, but, perhaps it's not unfortunate. But a lot of that decision making about what is national security or what is a national security threat is done by by folks that are not elected into office, per se.
And so that I have to assume, TJ, is another debate, is another Yeah.
Real issue, at the core of this that I'm just thinking about now.
Yeah.
You know, who gets to determine what a national security threat is?
Right.
And, is it is it not quite a national security threat just yet because it doesn't have this far reaching effect? When where is the line, and therefore, we can flip the the switch and say this is now illegal. America can't use this. So I'm sure that's a that's a highly contested issue as as well.
It is. Yeah. That's that's why, you know, we we we both, you know, said earlier that we're really in unprecedented territory. You know, I I in my time, I I don't remember an instance where national security was at the forefront like this, particularly with an application or a service that was so widely used by billions of of people, you know, including in the US.
Right.
And the use of that application potentially being on the line. Right? And I I think in some ways, it's been interesting to see, that the bill going through that may compel China to divest from TikTok originated with elected officials, even though it was it was highlighted by the intelligence community, that, that this is a concern. So, yeah, again, it's really unprecedented.
It's gonna be interesting to see how this whole thing pans out and what TikTok decides to do and maybe what the implications are into the future. But it is gonna be precedent setting, though it's unprecedented territory, and, I'm, I'm interested to see what what what comes of it. But, nevertheless Yeah. It's good to know, right, that the companies, that you're you're giving your information to, what are they doing with that information, and do they have our best intent in mind?
I think as a general principle that is good in technology and and really good for, those interested in cybersecurity.
Of course.
In that light, if, if folks are interested in learning more, if folks are interested in learning may maybe not cybersecurity in general, or if they're not plugged into the cybersecurity world and they have more questions, they wanna learn more about this particular issue, especially with regard to social media and TikTok. Do you have any suggestions for resources, that are out there?
Yeah. So particularly in this vein, it is definitely something of interest to the cybersecurity community, both on a security and a privacy level. There's a two two blog posts, that my teams have put out. They're on cisecurity.org, so Center for Internet Security's website.
One is a a blog we actually wrote years and years ago after analyzing TikTok and seeing some things that were unexpected.
There's a it's called why TikTok is the latest security threat. And then we actually did an updated version. Again, another blog post, called TikTok influence operations and data practices threaten US security.
So it gets into a little bit more of the minutiae and nuance of this particular topic area, if people are interested.
Absolutely. And, of course, you can always Google, all the FCC rulings and current legislation and Right.
Yep.
Really just Google net neutrality in TikTok. I'm sure you'll have, plenty to look through and wade through. So, TJ, this has been a very, interesting discussion. I really enjoyed it, and I look forward to having you on again. So for now, though, I would like to end. And if folks would like to reach out to you online, is there any way they can do that?
Yeah. If folks wanna reach out to me, you could reach out to media@cisecurity.org. Always happy to chat further about this stuff. And, Phil, I just wanna thank you, again for the opportunity. It's been great being on the podcast, and, I look forward to the next opportunity to to be with you.
For sure. My pleasure.
And you can find me online still. I am not on TikTok, but I am on, Twitter still at @network_phil. I take that back. I do have a TikTok account, which I do not use anymore. I should delete it. Right, TJ?
Well, that's a calculated individual decision that you have to make, but I don't have a TikTok account if that tells you anything.
It does. Nevertheless, you can find me online also on LinkedIn. Search my name, Philip. My blog, networkphil.com. Now if you have an idea for a show or if you'd like to be a guest on Telemetry Now, please reach out at telemetrynow@kentik.com. So for now, thanks very much for listening. Bye bye.