Yves here. Despite the anodyne title, this article describes some of the technical means that could be used to implement a TikTok ban and how users might circumvent them. Note this piece steers clear of surveillance state provisions in the RESTRICT Act that extend well beyond TikTok.
By Robert Olson, Senior Lecturer of Computing Security, Rochester Institute of Technology. Originally published at The Conversation
TikTok is not the first app to be scrutinized over the potential exposure of U.S. user data, but it is the first widely used app that the U.S. government has proposed banning over privacy and security concerns.
So far, the discussion has focused on whether TikTok should be banned. There has been little discussion of whether TikTok could be banned, and there has been almost no discussion of the effects on cybersecurity that a TikTok ban could cause, including encouraging users to sidestep built-in security mechanisms to bypass a ban and access the app.
As a cybersecurity researcher, I see potential risks if the U.S. attempts to ban TikTok. The type of risk depends on the type of ban.
Blocking TikTok in the Network
Blocking access to TikTok by filtering traffic destined for addresses believed to be owned by TikTok is possible but would be difficult to accomplish. Server addresses can be changed and a TikTok ban could devolve into a game of cat and mouse.
Additionally, this sort of block could be bypassed using virtual private networks (VPNs), which encrypt data flowing between servers and devices. VPNs can be used to shield traffic between servers in other countries and devices in the U.S. VPNs were once widely recommended for people using public Wi-Fi, and people are already using VPNs to access blocked streaming services. While security experts no longer recommend VPNs for public Wi-Fi, many people have used them and so are familiar with a tool that would help them bypass a TikTok ban.
DNS sinkholes are another technique that could be used in TikTok bans. DNS, the Domain Name System, is a network protocol that behaves like the internet’s phone book. Computers need to know the IP address of a server in order to communicate with it. DNS allows a computer to look up that address using a name convenient for humans to remember, such as www.google.com.
DNS sinkholes stop that lookup. DNS sinkholes don’t directly block access to a server. Rather, they stop other computers from being able to look up the server’s address. It’s fair to think of a DNS sinkhole as removing someone’s name from a phone book.
DNS sinkholes are often used to stop malware and advertisements. They could be used in a TikTok ban. However, DNS sinkholes only work if lookups are confined to DNS servers that are configured to be sinkholes. A ban using DNS sinkholes would likely cover most DNS servers that people’s computers use by default.
However, you can relatively easily change DNS settings on your computer to circumvent a ban based on DNS sinkholes. There are many public DNS servers that people could use instead of their current DNS servers, which are commonly maintained by internet service providers. Blocking TikTok with DNS sinkholes would require significant international cooperation to make it difficult for people to find DNS servers that could access TikTok.
People circumventing a ban by looking for an alternate DNS server would be at risk. Unless a DNS server uses an uncommon extension named DNSSEC, you can’t verify the integrity of a DNS response. A malicious DNS server could reply to a lookup with an IP address of a server that’s under criminal control. This opens the door for a number of different kinds of attacks that could put your data at risk.
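The two network-level controls described above, address filtering and DNS sinkholing, and the resolver risk in the last paragraph can be modelled in a few dozen lines. The following is an added example, not code from the article or from any real filtering product: every hostname and address in it is constructed (the addresses are from the RFC 5737 documentation ranges), and the "consistency check" at the end is a heuristic a client could apply when it has switched to an unfamiliar resolver, not DNSSEC validation.

```python
"""Toy model of destination-address filtering, a DNS sinkhole, and a
defender-side consistency check for answers from an unfamiliar resolver.
Added example; not from the article. All names and addresses are constructed."""
import ipaddress
from typing import Iterable, List, Optional

SINKHOLE = "0.0.0.0"  # conventional "nowhere" answer a sinkhole hands back

# 1. Destination-address filtering.
# Constructed: the ranges the filter operator currently believes belong to the service.
BLOCKED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def destination_blocked(dst_ip: str) -> bool:
    """True when dst_ip falls inside a blocked range. A service that moves to an
    address outside the list passes until the list is updated, which is the
    cat-and-mouse problem the article describes."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in BLOCKED_RANGES)


# 2. DNS sinkhole.
class Resolver:
    """Stand-in for a recursive resolver: a static zone plus an optional set of
    sinkholed names. A sinkhole never blocks traffic itself; it only refuses to
    hand out the real address (the "name removed from the phone book")."""

    def __init__(self, label: str, zone: dict, sinkholed: Iterable[str] = ()):
        self.label = label
        self.zone = {k.rstrip(".").lower(): v for k, v in zone.items()}
        self.sinkholed = {s.rstrip(".").lower() for s in sinkholed}

    def resolve(self, name: str) -> Optional[str]:
        name = name.rstrip(".").lower()
        # The sinkhole covers the name itself and every subdomain of it.
        if any(name == s or name.endswith("." + s) for s in self.sinkholed):
            return SINKHOLE
        return self.zone.get(name)


# 3. Consistency check for an unfamiliar resolver.
def assess_resolver(name: str, candidate: Resolver, references: List[Resolver]) -> str:
    """Compare the candidate's answer for `name` with answers from resolvers the
    user already trusts. Returns "no_answer", "consistent", "suspicious" or
    "undetermined". Without DNSSEC nothing in a response proves who produced it,
    so agreement between independent resolvers is the best a client can check."""
    got = candidate.resolve(name)
    if got is None or got == SINKHOLE:
        return "no_answer"  # nothing the client could be redirected to
    expected = {r.resolve(name) for r in references} - {None, SINKHOLE}
    if not expected:
        return "undetermined"  # every reference is silent or sinkholed itself
    return "consistent" if got in expected else "suspicious"


# Constructed scenario: the service's real address sits inside the blocked range.
ZONE = {"video.example": "203.0.113.10"}
ISP = Resolver("isp", ZONE, sinkholed=["video.example"])      # ban applied here
PUBLIC_A = Resolver("public-a", ZONE)                         # unaffected public resolver
PUBLIC_B = Resolver("public-b", ZONE)
ROGUE = Resolver("rogue", {"video.example": "198.51.100.7"})  # answers with a host it controls

if __name__ == "__main__":
    for r in (ISP, PUBLIC_A, ROGUE):
        print(f"{r.label:9s} video.example -> {r.resolve('video.example')}")
    print("filter drops 203.0.113.10:", destination_blocked("203.0.113.10"))
    print("filter drops 198.51.100.10 (service moved):", destination_blocked("198.51.100.10"))
    print("rogue resolver verdict:", assess_resolver("video.example", ROGUE, [PUBLIC_A, PUBLIC_B]))
```

Running it shows the three outcomes the article walks through: the ISP resolver returns 0.0.0.0 for the sinkholed name and all of its subdomains, a public resolver still returns the real address, and the address filter stops matching as soon as the service moves outside the listed range. The rogue resolver is only caught because two independent reference resolvers disagree with it; if the only references available are themselves sinkholed, the verdict is "undetermined", which is exactly the gap DNSSEC is meant to close.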
Banning TikTok from Your Phone
Another way TikTok could be banned is by blocking the TikTok mobile app. This would not affect U.S. users’ ability to access the TikTok website, but it could change how and how often people access TikTok. Blocking the app could address the concern that TikTok could be used without the user’s knowledge to access other systems on a network that a mobile device is connected to. This has been the motivation for some local TikTok bans.
Removing TikTok from app stores is unlikely to succeed by itself. Both Android and iOS devices have the ability to install apps from alternative sources, a technique known as sideloading. While this added step may discourage some people, sideloading tutorials are widely available online, and there is already popular software that must be sideloaded to be used on a phone.
Mobile devices assume that mobile apps are coming from a trusted source. Both Google and Apple audit mobile apps prior to the app being available for download. While these reviews aren’t perfect, they help ensure apps don’t contain vulnerabilities or malware. When app stores aren’t involved, security responsibilities change. Sideloading makes users responsible for verifying an app’s legitimacy, and criminals could trick users into installing malicious apps from third-party sources.
But what about the millions of people who already have TikTok installed on their phones? Enforcing a TikTok app ban would likely require that it be removed from mobile devices. Apple has long had the ability to remove software from iPhones, and Google could remove apps using Google Play Protect. These tools are important security controls that, at least on Android devices, can remove malware even if it was sideloaded. Enforcing a ban using security controls could motivate users to disable these controls, which would weaken the security of their devices.
Users might even be motivated to “jailbreak” their iOS devices or “root” their Android devices to prevent Apple or Google from removing the TikTok app, which would further weaken security. Jailbreaking an iOS device allows users to bypass security restrictions in the operating system. Rooting an Android device means gaining the highest level of security access, which allows users to make changes to the operating system. Jailbreaking and rooting are prohibited by Apple and Google. Both actions void the user’s warranty and undermine the security controls that limit criminals’ access to mobile devices.
I find it unlikely that a TikTok ban would be technologically enforceable. Even China struggles with content filtering. These difficulties may be why proposed legislation includes significant punishments for bypassing the ban.
Even if the punishments are not aimed at the average TikTok user, this proposed legislation – aimed at improving cybersecurity – could motivate users to engage in riskier digital behavior.
Perhaps some might be tempted to root for the reasons given in the article, but users with sufficient technical capabilities to do this would also understand that it would be easier and safer to install a custom ROM minus the Google. This doesn’t require rooting. I have done this myself on one of my phones.
The big issue with Tik Tok is not data, it’s persuasion.
I can’t even talk about tech and data issues. Too long out of that field. But Tik Tok persuasion can literally swing close elections and alter national discussions.
Persuasion is now a science, and it works reliably every time on a large swath of population.
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.
And you can’t yell fire in a crowded theater. Free speech is not absolute.
In 1776 persuasion and propaganda was in the Stone Age.
In the last 20 years it’s become weaponized.
I spent my working life sweating in the tech trenches to make Internet work because I believed in free speech, but this is something different.
I don’t have an answer but having something as powerful as Tik Tok under control of a foreign government scares hell out of me. They literally have a “heat” button to make anything go viral.
And the bad actors in our own government have a heat button that consists of putting it on the front page of the NY Times. Your argument is not persuasive, to use the buzz word of the moment.
But as the above article indicates it’s moot anyway because trying to control the internet, short of cutting the thing off completely, is pushing on a string. Therefore we’d better hope that the traditional argument–the cure for bad speech is more speech–is correct and get to work on that rather than whining about persuasion. Here’s suggesting that those who try to block speech are those whose own arguments are too weak to stand the competition. To be sure some speech can be criminal and there are laws against that. Political speech, of all types, is protected in this country.
If you would have said that maybe, maybe, providing more education, literacy and enhancing the critical thinking of the population would be the proper path I would have said yeah, I buy this argument.
But your argument reminds me of the three monkeys that don’t look, don’t hear, don’t talk, and open up only to what is approved by the government…
If you were born Russian would you be terrified of outside influences impacting Russian public opinion? Would you be in favour of a “digital Berlin Wall”? I am guessing the answer is “yes”.
How is foreign government control any different than domestic government control, monopolistic corporate control, or any other control?
Another risk is that if you can’t use TikTok you may be herded back to Facebook or Google for social media apps.
With any big tech provider based in the US you have to assume that your privacy is essentially zero and you’re being spied on.
I’m not naive enough to think that the Chinese government isn’t doing the same, but at this point I trust them more than my own government.
It’s all about control of information.
At the very least, China is not part of the eyes groups. Thus any data they gather on us is unlikely to end up back in the hands of our governments, to be used against us once they can concoct some spurious parallel discovery story.
They don’t have to ban TikTok using a technological measure. The problem is, and what they’re likely currently wrestling with, is that as far as I’m aware, no specific software has ever been banned by the US government before — even malicious software. There was a legal battle over the export of a particular cryptography program at the turn of the century that came closest to being prohibited by name, and that went about as well as this will. (DeCSS, of “this t-shirt is illegal” fame, also came close.) It may not even be legally possible. In every situation previous to this one, whenever particular software got created that the US government didn’t like, it was the creators and users that got sanctioned instead.
So when they do ban it, it’ll probably come in the form of an extralegal campaign. A bunch of involved parties, especially payment providers and app stores, will “spontaneously” decide they’re not going to do business with ByteDance (TikTok’s parent company) anymore. The guy being quoted mentions sideloading apps. Most people are not aware they can do that. Just removing TikTok from the default app stores of Apple and Google would be enough. If the State Department was feeling especially spicy they might even put ByteDance and its employees on one of their famous lists.
I think that crypto program was PGP – and I agree with you that it is the best piece of history to use to project how this will play out.
This moral panic is misdirected as TikTok is already fully infiltrated by our favourite intelligence/security agencies: Chinese “Trojan Horse” Is Run by State Department Officials
I expect another RESTRICT justifying target will be selected shortly.
I think the key variable in all this is – the main users of TikTok are teenagers. Teenagers will figure out how to root their phones in 10 seconds and are hormonally inclined to defy authority. And I am sure we will hear a lot about “defying big brother will put you at risk!” … and I am confident that the teenagers will ignore such warnings.
Once one kid in a high school figures out how to install TikTok – the knowledge will spread like wildfire.