When TikTok Bans Come to Campus
The cybersecurity logic of state bans, and insights from UNC Prof. Deen Freelon
Happy 2023, and happy impending Year of the Rabbit! I promise this is not a TikTok-tracker newsletter, but there’s been a great deal of movement on the app’s fate in the United States, and recent events spurred some thoughts.
North Carolina last week joined more than 20 U.S. states in banning the use of TikTok (and in N.C.’s case also WeChat) on state-owned devices, purportedly over cybersecurity concerns.
First things first. Governments and other organizations have good reason to scrutinize what gets installed on their devices. A good information security team will have rules about which devices can access sensitive systems and about how those devices are configured, including what’s installed. Full compartmentalization or “air-gapping” is a typical strong form of control that keeps, e.g., classified systems or industrial control systems off the open Internet. For the majority of systems that need Internet access, there is a whole field of different controls—at the network level, at the device level through malware/antivirus monitoring, administrator approval for software installs, etc.
The question is which risks the organization is trying to address, and at what cost to ease of function.
In a reasonable framework, you might have an allowed app list, prohibiting all non-vetted software; or you might have a banned app list. Network traffic can be blocked from known malicious actors.
So whether or not the security logic is reasonable, and whether or not the various orders are legally sound, US states are doing something that can look familiar: adding a particular app to a banned list and/or blocking network traffic in the name of security.
These actions raise a lot of questions, but I want to take up two in a preliminary discussion:
1. Do TikTok’s information security risks justify a ban on state devices?
2. When the scope of a ban extends to university campuses—as is the case in North Carolina, Texas, and elsewhere—what are the implications for research?
On the second question, I reached out to Prof. Deen Freelon of the University of North Carolina, a computational social scientist who, in addition to research and teaching, maintains a software package for researchers to gather information from TikTok—one that it sounds like he may not be able to use from his work laptop anymore.
I’ll share some of his early thoughts on the impact below.
Do TikTok’s infosec risks justify a ban on state devices?
A limited argument for “yes.”
TikTok, like many mobile apps, collects a great deal of data from user devices, ranging from location to browsing activity to unique identifiers that can be checked against data collected through other apps or avenues. These data could be misused, but while studies have found TikTok either more or less data-hungry than usual, seemingly innocent apps ranging from ebooks to games to weather also enjoy the harvest—and ad network trackers are ubiquitous.
To justify banning TikTok from state devices under the rubric of data security while ignoring the rest of the data-hungry digital economy, one must argue TikTok is a special threat, and most who believe it is argue that’s because the company or its personnel may, voluntarily or under coercion, turn over data to China’s government. The nature of this risk is hard to estimate; it’s a non-zero chance that it could occur now or in the future, but it takes some imagination to come up with serious potential harms.
(The potential deal between TikTok and the Committee on Foreign Investment in the United States [CFIUS] would be designed to significantly decrease this risk by physically storing US user data in the United States and installing vetted data access controls and oversight. I’ve argued that even if such a deal is well-formed, the politicized nature of the issue and lack of general principles in the US for these problems will render any deal likely short-lived, but that’s not necessarily how I think it should be.)
Nonetheless, if you’re dealing with critical infrastructure or other national security-sensitive function in state government, or if you’re in an office negotiating with Chinese counterparts for some commercial deal, it’s reasonable to keep excess apps, especially those with known connections to China, off devices with access to the sensitive data. Even if no abuse is identified, prudence is called for: A targeted ban, or the lack of inclusion on an approved apps list, makes sense for sensitive functions. You’d also want to avoid any other extraneous apps, regardless of origin, in these sensitive roles. Every ad network, every service provider, and every extra bit of code is a risk vector. In other words, there are cases where banning TikTok (and a bunch of other stuff) makes good sense.
An argument that no, blanket bans are counterproductive.
A TikTok ban at the device level can be unproductive or actively harmful to desirable uses. Let’s start with the extreme cases where there’s a fairly strong argument for locking down devices and banning, among others, TikTok. Above I gave two general examples: security-sensitive functions and negotiating with Chinese counterparts. In both of these cases, still, total bans can be problematic.
First, some security-sensitive users may need access to TikTok to monitor social media for threat information. At least some of the state bans explicitly exempt those needing the app for law enforcement functions. Second, while TikTok may not be necessary, WeChat (another app banned in the North Carolina case) could be essential if state employees need to interact with Chinese counterparts in the course of their duties. Simply put, WeChat is the ubiquitous and unavoidable common medium for communications in China. In both cases, a strong ban on TikTok and WeChat that lacked appropriate carve-outs would push staff to conduct their duties on personal devices or using other forms of circumvention. This moves potentially sensitive functions to (presumably) less secure environs, undermining overall cybersecurity efforts for the organization.
Beyond those cases, banning TikTok, like any ban, circumscribes the functionality of the devices or networks affected. State employees may have audiences they need to reach, or groups whose views they need to understand, who are best reached on TikTok. People who rely on university or other public wifi while going about their lives might need to turn to cellular data (which can be costly) or less secured networks even from their personal devices if the app is blocked.
One of the most prominent areas where reduced function poses problems is in university research, which leads me to question two:
When a ban extends to university campuses, what are the implications for research?
I asked Prof. Deen Freelon some pretty open questions about how the ban might affect researchers, but it’s worth pausing to mention the kind of research social scientists conduct on social media. Researchers including my colleagues at the Stanford Internet Observatory rely on often large-scale collection and analysis of social media activity to identify and understand disinformation campaigns, including state-sponsored manipulation the likes of which some fear could result from TikTok’s Chinese ownership. Freelon’s own publications list is a pretty good demonstration of the range of political communication research that relies on crunching social media activity—from protest movements to polarization to meta-questions about what kinds of scientific insights one can gain from the available data. For TikTok specifically, academic researchers like those at The Citizen Lab are some of our best sources on what’s actually going on with the app’s security, and while researchers are apparently just starting to publish based on data gathered with Freelon’s tool, there’s a huge field of research based on TikTok videos or metadata. I don’t know how humanities researchers could keep track of contemporary art forms without access to the flood of material published there.
There’s some variability in how the state bans are written, and there’s uncertainty as to how various exemptions may or may not be granted. But Freelon’s early assessment is that the impact is major:
“I do think these kinds of bans will effectively prohibit certain kinds of research on TikTok [TT] at public universities. I'd think they would affect anything except for survey and interview-based research that asks participants about TT—so i.e. all research that uses TT content as data.”
Some of the most predictable complaints come from undergraduate students who are as addicted to TikTok as I once was to Twitter, and now the app won’t work even on their personal devices if they’re connected to an affected campus wifi network. Even if you find this a desirable effect, there are of course workarounds: Use a VPN, or use cellular data, as NYT reports has been happening at Auburn.
But these workarounds are not necessarily available for researchers. Freelon notes seeking a workaround could be costly or prohibited:
“Under some circumstances researchers at state universities might be able to use a personal device, but that imposes a disproportionate burden on them—some may not have their own laptops. A bigger issue is that some research that requires IRB [institutional review board] approval may require PIs [primary investigators] to store their data on university-owned hardware that meets specific security requirements. Such research would be impossible without a ban exception.”
In other words, even if a researcher can afford a backup personal machine for use off-campus to conduct research (and this won’t always be the case, especially for researchers grinding through underpaid adjunct roles or working or studying at less well-funded institutions)—university requirements regarding data security or other IT practices could ban that workaround.
These barriers would not affect those at private institutions, but at affected public campuses, they would encumber the very highest-integrity forms of inquiry: methodologically sophisticated, peer-reviewed, IRB-approved social science research.
Again, the various states and campuses affected may implement bans in different ways and some negative impact could be mitigated, but without even touching on issues of academic freedom or freedom of expression, the bans stand to undermine public information on what’s really happening with a platform at the center of intense political and policy scrutiny.
About Here It Comes
Here It Comes is written by me, Graham Webster, a research scholar and editor-in-chief of the DigiChina Project at the Stanford Cyber Policy Center. It is the successor to my earlier newsletter efforts U.S.–China Week and Transpacifica. Here It Comes is an exploration of the onslaught of interactions between US-China relations, technology in China, and climate change. The opinions expressed here are my own, and I reserve the right to change my mind.