Logan T. Miles M.S.ISA, CISSP, HCISSP
Long Beach, CA

Logan is an Information Security Engineer based out of Long Beach.

The content and opinions displayed on this website are mine and mine alone. None of the content here is presented on behalf of any of my employers, and the content seen here does not reflect the positions or opinions of anyone else.


Facebook Has Already Done What They’re Worried TikTok Will Do

August 11, 2020

TikTok is in the news: Trump is going to ban it, and a couple of other Chinese apps as well. The Department of Defense and various military branches have banned it from government phones and have strongly discouraged its use on personal devices. The reasoning, according to the Department of Defense, was “the app’s popularity with Western users including armed forces personnel, and its ability to convey location, image and biometric data to its Chinese parent company, which is legally unable to refuse to share data to the Chinese government”.

It makes sense. I’m not sure how constitutionally, but in terms of risk, I see it. Having a geopolitical foe with virtually unlimited access to location, biometric, and other sensitive attributes of government employees, and even of soldiers in the field, is a catastrophic risk. For example, India banned TikTok only a short time after Indian and Chinese troops squared off on the border, an incident that ended with 20 Indian soldiers killed and an unknown number of Chinese casualties. It happened at a remote part of the disputed Indian/Chinese border in which both countries are investing new infrastructure; 12,000 Indian workers are currently involved. Was data mined from any apps installed on the phones of any of those soldiers or workers connected to this?

Having full visibility like that is omniscient, it’s Godlike, and the risk at that point feels limitless, but it doesn’t even stop there. If TikTok were able to collect enough data points on enough of the general population, those same data points could be mined, predictions could be made from them, and then those predictions could be reverse engineered to influence behavior. The gap between prediction and manipulation is much thinner than people think.

Just think about it: with enough data points, you could accurately predict how a subset of a population would react to, say, 10 different types of input. Target, for example, was allegedly able to predict that a teenage girl was pregnant based on her shopping habits. So of those 10 inputs, which one would be the most effective in influencing that population to accept a fiction, destabilize trust in institutions, or even just increase societal chaos in general? If you were a malicious geopolitical entity, which one would be the most effective at achieving your goals?

Don’t forget about data retention. In 20 years, are the TikToks of children or teenagers who grew up to run for office suddenly going to make an appearance? It might be easy to scoff at the idea, but think about it: the right app collecting enough information on enough users could essentially give its owner a profile on an entire generation of people, and when the time comes, that could be used on anyone and everyone in office. And the context here is TikTok videos that are public; what about things that are thought to be private?

Inside the App

So what data does TikTok actually collect? Security researcher Baptiste Robert did a deep dive focused on the application here, and Proofpoint looked at TikTok’s permissions here. Proofpoint found that TikTok has permissions to view all contacts, location, read the SD card, and other permissions typically seen from social media apps.

The TikTok app requests several permissions that are obvious for a social media app focused on audio and video; however, outside of U.S. users, it does not provide specific information on where the data is stored. It provides standard social media privacy controls which can be used to restrict access to content but does require user interaction to lock it down tightly. All in all, TikTok should be treated like any social media app: one that can be used with relative safety if you’re aware of the information it gathers and what it does with the data. This is where review of their privacy policy is useful, as well as taking time to review all the information available around the app, the service, and data storage. And finally remember that what you record, others will see.
S. Degrippo (2020). Understanding The Information TikTok Gathers and Stores.

Baptiste is still digging through some event logging, but his initial conclusion wasn’t much different from Proofpoint’s.

“As far as we can see, in its current state, TikTok doesn’t have a suspicious behavior and is not exfiltrating unusual data. Getting data about the user device is quite common in the mobile world and we would obtain similar results with Facebook, Snapchat, Instagram and others.”
B. Robert (2020). TikTok: Logs, Logs, Logs.

Are we just paranoid here, then? Even though one could question the motives of any drastic policy move only a few months before an election, I don’t believe that’s the case here. China has long been accused of numerous cyber attacks all over the world. The FBI has charged 4 Chinese PLA members with the Equifax hack, a hack that was “one of the largest thefts of personally identifiable information by state-sponsored hackers ever recorded”, involving “145 million Americans”. Odds are that you and I are both in that breach. Every single time I get a stupid Equifax email trying to sell me something about alerting, I get pissed right off.

One thing to remember here is that the state-backed Chinese advanced persistent threat (APT) groups are among the world’s oldest, most skilled, and most active agents of cyber espionage and shouldn’t be underestimated. Check your American exceptionalism at the door. If you have some time and would like to see a longer report from FireEye on APT41 (Double Dragon), click here.

We’ve seen other apps very recently connected to Chinese intelligence ask for a dangerously suspicious number of permissions, but let me be very clear here in regards to TikTok. Nothing I have read so far has been a smoking gun that TikTok is an intelligence collection tool for the Chinese government. But given that China is currently committing genocide in Xinjiang and its suppression of speech has turned Hong Kong into a ghost of the city the world used to know, I think it’s perfectly reasonable to examine China’s involvement with TikTok and its 800 million users.

Put yourself in China’s shoes. If you had the ability to harvest data on hundreds of millions of people, most of whom are citizens of your geopolitical foe, and that data could give you some unknown, yet overwhelmingly powerful advantage geopolitically… Why wouldn’t you?

The point of this blog post isn’t to run defense for TikTok at all. I personally don’t plan on ever installing it, and honestly, the last year has made me rethink my entire usage of and approach to many things. The point I’m driving at is that while we’re all in an uproar and panic about TikTok, every type of data collection, mining, usage, and even manipulation that TikTok is accused of doing or would eventually do, Facebook is already guilty of.

Facebook Has Been Here First

Reminder: Facebook currently reads all of your private messages. Facebook is also tracking your activity even when you leave Facebook to visit other sites. Facebook also tracks people who don’t even have Facebook accounts as “shadow profiles”, so even if you leave, they’ll still have some data on you from your friends.

I received this ad today on Facebook. It stuck out to me because it was so relevant to me.

Full disclosure: I’m a bit of a sweater at night and it annoys my girlfriend, but I’m 99% sure I haven’t searched for any solution like this. I remember being aware of it years ago, but at the time, in my head, I wrote them off due to cost, so I know I haven’t searched for something like it since I lived in Sacramento in 2017. That was one of the things that stuck out: just how relevant it was and the lack of recent data points. Or was there? I’m fairly certain the only place I have discussed this issue is with my girlfriend over Facebook Messenger. I haven’t used Messenger in a few months, but I was still able to go through and do a little search to check if I ever discussed it with my girlfriend.

It gets worse…

Facebook will also share your private messages with other companies like Spotify, Netflix, the Royal Bank of Canada, and others. This shouldn’t be surprising to you, because you already agreed for Facebook to do this, remember? And no amount of Facebook statuses quoting the Rome Statute will change it.

Facebook also allowed Spotify, Netflix and the Royal Bank of Canada to read, write and delete users’ private messages, and to see all participants on a thread — privileges that appeared to go beyond what the companies needed to integrate Facebook into their systems, the records show.
G. Dance, M. LaForgia, N. Confessore (2018). As Facebook Raised a Privacy Wall, It Carved an Opening for Tech Giants.

In 2009, a Canadian woman who had been diagnosed with major depression and was receiving benefits lost them because her employer’s insurance company saw her Facebook photos smiling with friends at a bar. Notice that story occurred 11 years ago; imagine the type of integrations that have been developed since. Ask yourself this: would you be comfortable if your insurance company tracked your vehicle speed via Facebook Messenger, or saw the private messages between you and your close friends? Did you know that the IRS can check Facebook as part of research to “assist in resolving a taxpayer case,” according to a 2009 training manual obtained by the Electronic Frontier Foundation?

Remember, Instagram is Facebook, and as of literally yesterday, Instagram is involved in a lawsuit which alleges that Instagram data-mined biometric data from posts and built profiles of people who were in photos but don’t even have Instagram accounts themselves.

In 2015, Facebook filed a patent that would allow lenders to analyze your Facebook friends before deciding whether you get approved or denied. In other words: if too many of your friends have poor credit histories, the bank could reject your loan application even if your own credit was fine. Hell, who’s to say they can’t check your messages either? Sorry Joe, you can’t get a loan, you shared too many weed memes on Facebook.

It gets even worse… Cambridge Analytica. Cool-sounding name, but don’t forget it, it’s important.

In 2016, Cambridge Analytica became infamous when it improperly harvested Facebook user data to create profiles and target specific groups of people based on their personality traits in that year’s election. It profiled who was the most impressionable and susceptible to fear and fringe conspiracy theories, and then focused its effort on those most vulnerable. Founded in 2013, their goal from the very beginning was the aggregation of data points on people. They were very aware of the eventual power that could exist beyond that prediction veil.

An internal Cambridge Analytica email between Dr. Alex Kogan and Chris Wylie

Psychographic profiling — derived from CA’s modelling of Facebook user data — was used to segment U.S. voters into targetable groups, including for serving microtargeted online ads. The company badged voters with personality-specific labels such as “highly neurotic” — targeting individuals with customized content designed to prey on their fears and/or hopes based on its analysis of voters’ personality traits.
N. Lomas (2018). Here’s Cambridge Analytica’s plan for voters’ Facebook data.

“Today in the United States we have somewhere close to four or five thousand data points on every individual… So we model the personality of every adult across the United States, some 230 million people.”
Alexander Nix, chief executive of Cambridge Analytica, October 2016.

If you’re curious whether your information is part of that original Cambridge Analytica breach, click here to check.

So where did that trove of data end up? We aren’t sure exactly, but we do have an idea based on the investigations of the Special Counsel.

In 2018, Konstantin Kilimnik, a Russian-Ukrainian political consultant with alleged ties to Russian intelligence who had previously worked with former Trump campaign chairman Paul Manafort, was indicted by the U.S. Special Counsel on charges of obstruction of justice and conspiracy to obstruct justice. This was done in conjunction with charges against Paul Manafort. A short time after being charged, Kilimnik, who was living in Ukraine at the time, escaped to Russia in order to avoid extradition.

According to a court filing in 2019, the U.S. Special Counsel alleges that Paul Manafort and some of his associates shared voter data on Americans with Konstantin Kilimnik. This is all very central to the investigation of Russian interference in the 2016 United States elections.

Both Mr. Manafort and Rick Gates, the deputy campaign manager, transferred the data to Mr. Kilimnik in the spring of 2016 as Mr. Trump clinched the Republican presidential nomination, according to a person knowledgeable about the situation. Most of the data was public, but some of it was developed by a “private polling firm” working for the campaign, according to the person.
S. LaFraniere, K. Vogel, M. Haberman (2019). Manafort Accused of Sharing Trump Polling Data With Russian Associate.

The trillion-dollar questions here all revolve around that data. Who exactly was the private polling firm in question? The filing doesn’t explicitly say, but Steve Bannon, the eventual replacement for Paul Manafort on the Trump campaign, was a co-founder in 2013 of a political polling firm focused on the data mining and aggregation of voter data. In fact, it’s the same firm that Sam Patten, an associate of Paul Manafort, worked for before being charged by the U.S. government for failing to register as a foreign agent.

Take one guess what that firm is, or feel free to ask Google.

Was the data Kilimnik received that same Cambridge Analytica data? Or let me ask that differently: did Russian intelligence receive close to four to five thousand data points on millions of American voters? At this point you have all the necessary people in contact; it literally comes down to whether something like a hard drive or USB stick is passed off. With a nice fiber line, you don’t even need that. Remember what I said about China, but think of Russia: “If you had the ability to harvest data on hundreds of millions of people, most of whom are citizens of your geopolitical foe, and that data could give you some unknown, yet overwhelmingly powerful advantage geopolitically… Why wouldn’t you?”

Some people seem to think that’s the case. It would also at least explain the similarities in social media strategy between the Russian nationals indicted by the Department of Justice and the Trump campaign.

Update 8/19/20: The U.S. Senate Intelligence Committee’s nearly 1,000-page report goes further and states directly that Kilimnik is a Russian intelligence officer and that Manafort’s proximity to both the Trump campaign and Russia represented a grave counterintelligence threat.

What Can We Do?

Democracy has an inherent vulnerability: humans. We’re emotional, predictable, and, quite frankly, we’re stupid. We’re easy to manipulate, and the tools built to do that manipulation require one type of fuel to operate: our data. Your data doesn’t have an intrinsic value to everyone. It’s not like gold or oil, where you can trade a few data points for money. Your data is a liability to you; it’s an open door into your mind that you cannot shut, even if you claim you have nothing to hide. Entities can see it, mine it, and predict everything about you. You have to grant many of these services access to it in order to use them, and they walk right in and make notes of what they can. Collectively, it’s a liability to us all: the right entities with access will have that godlike omniscience I spoke about earlier. Without any sort of regulation of social media in regards to personal information, we are allowing anyone with enough money to conduct psychological operations (PSYOPS) on the voter population within the United States.

If we’re not careful, we could find our loved ones warped and manipulated into angry, bitter people we don’t even recognize; in fact, many already have. It’s no stretch of the imagination to assume that this problem will only get worse until we put our foot down collectively and make a change. This isn’t a million- or even billion-dollar issue; the value of being able to effectively influence the election of a superpower is worth trillions. Until we resolve it, we have to admit there is a non-zero level of foreign influence currently taking place.

Was Facebook ever punished for its negligence in failing to protect users’ data from being harvested by Cambridge Analytica without their consent? Yes, they were fined $643,000, or about 0.000918% of their 2019 revenue, or about the amount of money Facebook makes in about 240 seconds.

Whatever happened to Cambridge Analytica? On May 1st, 2018, Cambridge Analytica filed for insolvency proceedings and closed operations, but that doesn’t actually mean anything, because after closing operations, the people involved have continued operating under the legal entity Emerdata Limited. It makes sense, then, that people such as Brittany Kaiser believe the data Cambridge Analytica built is still being utilized as of 2020. You don’t think they just deleted that golden key of data, did you?

It’s so much easier to just say “delete Facebook” without taking into consideration the full extent of how to do that for everyone. Many people have purposefully tied their lives and relationships into it. Facebook has an enormous interest in keeping you on the site, so if you try to quit, you might find yourself having to jump through hoop after hoop only to experience FOMO (fear of missing out) that pulls you right back in. I’ve been a Facebook user since 2005. I dove into the abyss as well when Facebook launched Messenger, and I regret ever doing so. I should have deleted my Facebook years ago, but felt handcuffed to it because of my attempt at building a comedy career. I have two sides of my brain: one infosec-driven and paranoid about risk, and one neurotic, driven by my fascination with technology without a care in the world.

I had no problem jumping into Facebook, also out of simplicity and because a majority of my family used the service. I’ve set a personal goal to have my Facebook and Instagram accounts deleted by September 27th, 2020, and before I do so, I am hoping to write a guide on how to effectively leave it and replace the functions Facebook filled with other, safer alternatives.

If you’re wondering what you can do personally: first, delete Facebook and Instagram, but that doesn’t go far enough. Facebook and Instagram leverage as much as they can to data-mine the information of people not even on the app and create shadow profiles. Second, you should also get more informed democratically. Who is your U.S. Representative and who are your Senators? If you don’t know, you should. Click here to find out who your U.S. Representative is. I’m in the 47th Congressional District in Long Beach and mine is Alan Lowenthal. He’s on Twitter here. My Senators are Feinstein and Harris. Wherever you can, you should advocate for some sort of regulation of the data privacy of Americans.

Who are your local politicians? So often we forget local politics, which can often be far more pivotal for us. My Assemblymember is Patrick O’Donnell from District 70. My State Senator is Lena Gonzalez from District 33. Recently, she submitted SB1130, which raises the broadband standard speed in California from 6 Mbps/1 Mbps to 25 Mbps/25 Mbps. Even though I would love to Matt McConaughey “Wolf of Wall Street” those numbers, I applaud any time one of my representatives consults with the Electronic Frontier Foundation.

If you want to be more accurately represented, ensure that your congressional representative knows about you, your story, your concerns, your roadblocks. If you know who they are, write them a letter, tweet at them, annoy the fuck out of them. Whenever they are advocating for something, you want to make sure that you are in the back of their minds. If they are incompetent, get involved and vote them the hell out.

Make sure you also respond to the 2020 U.S. Census here; the census is the data used to ensure proportional representation. The cutoff date was pushed up to September 30th. The U.S. Census has a history of undercounting Black and Hispanic communities, further widening the gap in representative equity in the United States. This is applicable to everyone reading this, regardless of your political affiliation. I can disagree personally about whether a specific person is a good pathway to accomplishing either their goals or mine, but we all share a community space and deserve representation. If I truly believe in something, I have to believe in it for everyone.

You shouldn’t expect your issues to be adequately represented if you only sit back and passively give a thumbs up or down in November when there’s an election. Democracy is not just voting; it’s full, open participation throughout the entire life cycle. Go to your city’s government meetings, learn who everyone on the city council is, hell, run if you’re willing. This leads into another issue with Facebook: it has allowed us to feel involved politically despite being completely isolated in a bubble. Sharing memes on Facebook is no replacement for the democratic process. In fact, in our current state, with the well actively being poisoned, doing so might actually make you complicit in undermining it.

Further Reading:

The Age of Surveillance Capitalism

Why Privacy Matters, Ted Talk by Glenn Greenwald

Facebook’s role in Brexit and the threat to democracy, Ted Talk by Carole Cadwalladr

Mindf*ck: Cambridge Analytica and the Plot to Break America

Christopher Wylie statement to Senate Judiciary Committee

Targeted: The Cambridge Analytica Whistleblower’s Inside Story of How Big Data, Trump, and Facebook Broke Democracy and How It Can Happen Again

Report On The Investigation Into Russian Interference In The 2016 Presidential Election

Zucked: Waking Up to the Facebook Catastrophe

The Great Hack
