Washington: we have an exceptional problem

Learning from the Tik Tok debacle, why it doesn’t really matter where Tik Tok is based or owned, and how exceptionalism and extra-territorial overreach are starting to backfire on the USA.

Mass surveillance: When companies do this it’s called data misuse when your own government does this it’s called national security, but when another country does this it’s called spying. Whatever you call it though, the Chinese government practices mass surveillance within China on an incredible scale, but outside their borders, they lack the means to do much. The real masters of extra-territorial snooping are the US and UK and they don’t want the Chinese to catch up.

There is some personal information that we need to share: health data with our doctors, identity data with the government (for driving licenses and passports), and financial data with the taxman (by law). We may also have a criminal record, recorded for us by the criminal justice system.

There is other data that we choose to share on social media platforms, on email, etc. – our choice.

Then there is personal data that needs to be guarded at all costs – biometric data. If a password is lost, it can be reset. You can’t reset your DNA, fingerprints, or face. Once biometric data falls into the wrong hands you are vulnerable to identity theft for the rest of your life. This is why biometrics and facial recognition is so sensitive.

Where and how is mass surveillance most likely to occur?

While it is easy to scapegoat the Chinese, their equipment manufacturers like Huawei and the social networks like Tik Tok, their American peers are equally if not more guilty on all fronts

1) The Social Networks: You can use privacy settings to define what data you wish to allow social networks to use more widely. Not enough people bother to look at their privacy settings. And social networks don’t always abide by their own rules or promises in any case, as we have seen with Facebook. They also leave data vulnerable at times or even leak it. If once US-owned Tik Tok behaved as Facebook has done, the change of ownership might not be much of an improvement.

The data that you don’t restrict using your privacy settings is then used by the social networks themselves as well as shared via APIs with companies like AdTiger which aggregate data from multiple social platforms as well as other sources to profile you for accurate targeting by advertisers. These aggregators and advertisers are based all over the world, making the whole nationality thing almost irrelevant.

It is also somewhat hypocritical for the US to focus on the possibility that the Chinese could tap into content on Tik Tok and WeChat when we know for a fact that the NSA taps into Facebook, Twitter, LinkedIn, Instagram, Gmail, Youtube, Amazon, etc.

2) Equipment: Huawei submitted its 5G software for extensive testing by the UK (at GCHQ), the Italians, and others. No backdoors were found. Even so, once the equipment is sold to operators like BT and Vodafone it is beyond the control of the manufacturer. Any attempt to divert traffic for mass surveillance would be noticed by the operator. The only real means of snooping is via the Legal Intercept (LI) mechanism, built into all such equipment which would allow the local authorities on the production of a warrant to tap into a network for a given purpose. LI is a standard approach that applies to all nations and all manufacturers. The only known examples of tampering were disclosed by Edward Snowden, where the NSA intercepted computer network devices from US technology company Cisco, bound for China, and installed malware on them, or where the NSA ran an operation code-named “Shotgiant” in which they hacked into Huawei’s HQ and stole its source code.

3) Governments: As with the Legal Intercept (LI) mechanism, there is an international standard for judicially approved interception for law enforcement within the country. Things get controversial when you start to snoop on or enforce your laws on other countries, especially when they are supposed to be your allies.

In a recent article I explained why Europe has recently rebuked the US for its mass surveillance activities and how in a landmark ruling on 16 July, the Court of Justice of the European Union (CJEU) handed down a final ruling in the case between privacy activist Max Schrems and Facebook. This case was all about a supposed level of equivalence between the EU and US in the protections that each provided the other when personal data was transferred across the Atlantic. The agreement had been undermined by measures such as the US CLOUD Act, FISA 702, and EO 12.333. These are the main surveillance mechanisms used by the US, and they have no territorial limitation – i.e. they are US laws that are deemed to apply worldwide, even if and when they conflict with local privacy laws. In the EU court ruling, the US was told to stop spying on its allies, or its tech companies would forfeit their right of access to our personal data.

Furthermore, when the US starts to criticise Russia and China for their failure to abide by the rule of law, you have to ask why the US chose not to abide by its obligations under various treaties: from the data sharing treaties with the EU (Safe Harbor and Privacy Shield) to the Iran nuclear deal. Also, we need to ask why the US is seeking to hijack the operations of TikTok and in an even more dangerous escalation, why the US is asking to extradite Huawei’s CFO Meng Wanzhou from Canadia where she was detained and questioned without a lawyer being present, before eventually being told that she was to be arrested.

What’s all the fuss then?

I am not for a moment suggesting a level of moral equivalence between NATO nations like the UK and US, even under their current leadership, and others like China and Russia, where the human rights records and rule of law are open to question. However much of the scapegoating has been hypocritical given our own surveillance activities. Without greater honesty here it would appear that we are applying rules for others that we would not dream of complying with ourselves.

Much of this is down to American exceptionalism. Imagine how the US would react if:

• China announces that it is going to sell Facebook to Alibaba, as the US is doing with Tik Tok
• China hacks into Cisco and steals its source code, as the NSA did to Huawei
• China installs malware onto Huawei equipment sold to other nations, as the NSA did with Cisco equipment (note that no malware or backdoors have ever been found on Huawei kit)
• Russia signs a data sharing agreement with the US offering privacy equivalence and then signs an executive order to say that privacy rules apply to Russian citizens only and not to others, as Trump did in his first week in the White House, undermining Privacy Shield
• Russia enacts a law that allows it to issue secret warrants to seize data on servers residing anywhere in the world (even in America) – as the US has done with the CLOUD Act.
• Russia or China detain or question senior executives from US companies before arresting and seeking to extradite them – as the US has done with Huawei’s CFO. 

If any of these things happened, the US would be up in arms, but under American exceptionalism it sees no problem taking actions that it would not accept if done in return. Under previous US administrations, when the US was seen as more benign, most other nations were willing to turn a blind eye to such exceptionalism, but this is no longer the case.

Firstly, US tech companies will be particularly badly hit by the Privacy Shield ruling. They are no fans of the CLOUD Act and its extraterritorial measures as this undermines their credibility and ability to operate outside the US. They now face being banned from using Standard Contractual Clauses (SCCs), the only remaining legal mechanism for trans-Atlantic personal data sharing after the demise of Privacy Shield, until there is legislative reform in the Congress to end the extra-territorial measures.

Secondly, exceptionalism relied on the trust of others which has been undermined by the Trump administration – with its disruption and its ‘America first’ attitude - and on America’s role as the sole economic superpower. The problem is that countries don’t want to be caught up in America’s trade war with China. They see China as an increasingly important trade partner for the future, even if they condemn its human rights record and its recent actions in Hong Kong.

Finally, the US is setting a number of dangerous precedents – especially with its action on TikTok and its detention of Huawei’s CFO. Soon other countries will start treating it in the same way that it has done to them. As its economic might declines, it may come to regret not behaving fairly.

We need a resolution that allows individual countries to guard their respective national security while keeping promises that they make to their allies to respect each other’s privacy, and that also maximises opportunities for commercial collaboration for the benefit of all. And it needs to be fair.