
Whelp, that escalated quickly. I acquired my iPhone in 2009 and fifteen years later the Photos app reports a total of 44,721 photos and videos “on” “it”. The “it” here, of course, represents the fusion of a series of iPhones and the iCloud, an amorphous agglomeration of (among other things) storage that has accreted gradually through both space and time. In 2009 I imagined myself primarily to have bought a phone that as a bonus had a camera and a trivial amount of internal storage. I didn’t think much of “document management” then and certainly the destruction of my first (non-waterproof) iPhone about a year and a half later in a rainstorm, the iCloud’s release still a year in the future, reinforced the belief I was creating ephemeral data. When in 2024 I searched my phone for my maple walnut bourbon ice cream recipe and the hits included pictures from years ago of me standing next to maple trees — “whoah”.


Who knew that photos snapped in 2010 would one day automatically make their way to the cloud where Apple would do text extraction, feature tagging, and general AI training? Who appreciated that associating your name and face on the Internet by way of a Facebook profile would enable Clearview AI to build the Google of faces? Who comprehended that after Twitter had helped revolutionaries organize The Arab Spring it would then prove equally happy to point them out to the local secret police forces intent on capturing, torturing, and killing them? I hope the innocent pictures you sent to your pediatrician a decade ago don’t turn your life upside-down tomorrow when misclassified as pedophilia in a dragnet operation. I hope your reality doesn’t hinge on not being de-platformed on a whim by the capricious or the nefarious. I hope you were always classy enough not to take dick pics with your phone.
For now, though, let’s focus on one of the biggest current news pieces in this realm — the USG’s imminent threat to ban TikTok within the US.
If you imagine that the CCP’s influence over TikTok uniquely diminishes America’s national security posture, voter population robustness, or collective general wellbeing then you ought to zoom out. We have for decades been nurturing a technological ecosystem of increasing pervasiveness, persistence, personalization, and consolidation as the cost of networking, storage, and compute approached zero. Power Law driven winner-take-all markets have yielded a handful of trillion dollar companies who have been gently but persistently coaxing us to go all-in on digital payments, public cameras, smart cars and buildings, ubiquitous IoT, social media, cloud storage, and consumer-grade battery-powered pocket-sized supercomputer-juiced all-purpose intelligence collection platforms.
Those who railed against government surveillance in the early 2010s meanwhile gleefully (or at least unwittingly) acceded to the desires of data hungry private enterprises. Crusaders who fought a War On Drugs stood idly by as private companies wove the technological fabric of our existence to be addictive by design. Every incremental erosion of privacy has seemed tolerable while the attendant benefits felt worth the trade. Compare the turn-of-millennium world to the quarter-century-later one, though, and the weightiness of what we cavalierly surrendered feels enormous. If the capabilities of an fMRI weren’t already scary enough then consider that today’s voluntarily implanted and crudely integrated Neuralink may give way to tomorrow’s involuntarily deployed grown-from-birth BrainPal of John Scalzi’s Old Man’s War Sci-Fi universe. Appreciate, for now, the luxury of enjoying privacy within the confines of your own skull, for even that last bastion of solitude may disappear within a generation.
The USG’s present bluster about banning TikTok in America hearkens back to the Crypto Wars of the nineties when a popular (for nerds) act of civil disobedience involved going to a website where the instructions read “click this button to become an illegal international arms distributor” and doing so FTP’d a copy of the RSA algorithm from a server in the US to a server abroad. As a practical matter, what would banning TikTok in America even look like? That quest might as well be a deep cover operation to bid up the price of VPN providers. On the surface it looks an awful lot like the flavor of activities for which the US has been wagging its finger at China since the dawn of the Internet. As a practical matter the most friction-creating user-facing approach the USG could muster would involve forcing Apple and Google to delist TikTok from their app stores which would just drive people to the good old fashioned web browser. To further turn the screws on TikTok the USG might additionally ban the hosting of its content on CDNs homed within the US which would drive up traffic costs while degrading the user experience.

Why might the USG want to plow forward with this or at least make a sufficiently credible threat as to shape TikTok’s behavior? The following list provides some top-level areas of concern. The threats are in fact real and severe.
- Network Analysis — relationships reveal org structure, mission priorities, pressure points
- Kompromat — compromising information enables blackmail of trusted individuals
- Operational Security — unclassified digital exhaust may hint at classified information
- Social Engineering — the ability to misrepresent oneself may enable privilege escalation
- Privileged Access — phone apps often receive broad access to photos and contacts
- Influence Operations — persistent nudges may sway public opinion on current events
- Brain Sculpting — algorithms can slowly shape one’s ability to focus, reason, and know
- Economic Warfare — asymmetries across national boundaries yield unfair contests
We should note that any actor might abuse any platform regardless of “ownership” to manifest such risks. Clearview AI snarfed up zillions of images by a variety of means that may have violated various Terms Of Service agreements to build their database. Recent news includes a Chinese national employed by Google standing accused of stealing AI-related secrets during the course of a multi-year inside job. Sophisticated SIGINT actors may contrive to attain midpoint and endpoint collection sources anywhere they please. Consolidation creates scary risks no matter who did the consolidating. All that said, though, we should recognize that you get to play the game on easy mode in a few important ways if you are an authoritarian regime (noting that countries exist on a continuum) and the platform you wish to weaponize is directly under your national thumb (in the form of people you can coerce and infrastructure you can seize)…
- Accessibility — you can query telemetry that is not part of the public facing offerings
- Steerability — you can not just read and contribute content but also modify and amplify
- Latency — instead of polling for new interesting tidbits you can register event signatures
- Scale — without the friction of mismatched APIs you can easily perform bulk operations
- Secrecy — with privileged access to the data plane there is no audit log of your snooping
- Impunity — without robust laws and an independent judiciary one can act unilaterally
Realistically speaking what we are seeing is a shoving match over who gets to be inside the data center and who has to figure things out from the outside.

China has taken a very China approach to many big US tech firms that have by their mere existence threatened its ability to control the narrative and maintain deep visibility into the activities of its citizens. Now the USG is pondering a fairly China-looking approach to TikTok if (nominally) just for defensive purposes. The legal precedent and collateral damage would prove enormous. And, in truth, the bigger problem stems from the USG’s lack of a coherent and comprehensive approach to managing the risks of any social media company whether they are based in America or a foreign country. Without such guiding principles any action will look capricious and ham-fisted. And, worse still, with many big US tech firms having recently rocketed up to market caps measured in the trillions of dollars, their accountability to any government seems questionable when you consider all the politicians, lawyers, and votes such a war chest can buy.
Instead of doing something that feels un-American perhaps we could consider a multi-pronged approach that aims to reduce the attack surface and blast radius of our assets while we also accept the inevitability that sometimes foreign countries will create (and then exploit) commercial products that our citizens want to use (and that, alas, our own Intelligence Community and Law Enforcement entities can’t as readily leverage). Such areas to ponder include…
- Context Partitioning — encourage using separate devices and accounts across contexts
- Sensible Defaults — develop guidelines that prevent careless/unintentional over-sharing
- Transparent Configuration — ensure users can easily understand their security posture
- Access Recertification — require that security configurations are re-validated regularly
- Data Age-Off & Purge — require companies to empower users with better data ownership
- Virality Abatement — police the algorithms that promote content, not the content itself
- Compliance Consequentiality — have real auditing and consequences for privacy laws
- Electioneering Transparency — shine a bright light on the role of Dark Money in politics
- Voting Architecture Overhaul — implement Open Primaries and Ranked Choice Voting
- Segregation Avoidance — randomly and regularly re-assign seating in Congress
- Groupthink Prevention — forbid clapping and other herd-like behaviors in Congress
- Theater Avoidance — limit the role of appearance and oration in political campaigning
- Propaganda Inoculation — pull forward education on probability, statistics, logic, debate, and scientific method to pre-college years to protect citizens from being manipulated by bad faith cyber-actors both foreign and domestic
Perhaps a reasonable collection of thought problems looks like the following…
- Can you curtail Chinese and Russian influence ops without bankrupting Kim Kardashian?
- Can you allow a Trump-like figure on Twitter without the Capitol getting sacked?
- Can you trust the genpop to converge organically and safely on truth and decency?
- Can the political majority of today recognize they will be the political minority of tomorrow and thereby break the endless cycle of revenge politics?
- Can you be the citizen of the Internet you wish everyone would be even though many entities, from the individual to the nation state, are behaving like assholes?
If we could figure all this out then we might be able to give closer to zero fucks about who owns TikTok.