Post ATiEixITn4ZPphtm3k by maxtappenden@me.dm
Post #ATgplEoMx3aqigqXb6 by simon@fedi.simonwillison.net
       2023-03-17T00:29:35Z
       
       1 like, 0 repeats
       
       Has anyone seen an explanation of the TikTok privacy scare that's written for people who understand how web and mobile applications actually work? I want to understand if it's doing anything that's any different from other apps, and whether the "government X bans TikTok from staff devices" stories are rational or driven by technical superstition.
       
Post #ATgqGPl0J0SLe18eDg by Green_Footballs@mastodon.social
       2023-03-17T00:35:21Z
       
       0 likes, 0 repeats
       
       @simon Been wondering the same thing. It’s not like I’d put it past China to attempt some kind of undercover long term data collecting scheme, but something about all the agita seems over the top and possibly manipulative. As of today, I haven’t seen enough solid evidence to convince me it should be banned.
       
Post #ATgqTIi7obuBYSw8A4 by jbaggs@infosec.exchange
       2023-03-17T00:37:07Z
       
       0 likes, 0 repeats
       
       @simon I haven't, and I'm almost willing to bet on how likely you are to find one.
       
Post #ATgqex7buNI64aPg7k by monkeyninja@mastodon.cloud
       2023-03-17T00:39:50Z
       
       0 likes, 0 repeats
       
       @simon I could probably put one together geared towards the non-infosec crowd if that would be helpful. I spent a lot of time digging into this so I feel like I’ve got a reasonable handle on it. Let me check to see if someone else hasn’t already tackled this…no need to reinvent the wheel and such.
       
Post #ATgrJL7A7glW4JSg4G by cameronlamp@newsie.social
       2023-03-17T00:47:00Z
       
       0 likes, 0 repeats
       
       @simon I'm speaking with no app experience. Felix Krause does, and says the in-app browser can track with a keylogger, and also provides no ability to open the OS's default browser. So you have to go out of your way to not get keylogged, whereas the other platforms at least have a data-safe alternative.
       
Post #ATgrV3RpdIfwkeiR4y by zl2tod@mastodon.nz
       2023-03-17T00:47:26Z
       
       0 likes, 0 repeats
       
       @simon Dunno, but were I the gumint there would be a very very short list of apps allowed on phones. Very few of them are trustworthy or constrained by the local jurisdiction.
       
Post #ATgrfP9xlPqaz9IEMK by J12t@social.coop
       2023-03-17T00:47:46Z
       
       0 likes, 0 repeats
       
       @simon IMHO, imagine you have real-time access to behavior, social network, and some fidelity of location/movement of a big portion of your adversary's command structure (military, supply, diplomatic, political) in wartime. I would suspect that capability affects the outcome of a war more than just at the margin. I don't think it needs to be more privacy-invasive than the "normal" social app for this to work. All discussion about ownership is to cut off data flow to the Chinese gov't as far as I can tell.
       
Post #ATgruIXGfrv4miINKS by MattHodges@mastodon.social
       2023-03-17T00:51:01Z
       
       0 likes, 0 repeats
       
       @simon It's not doing anything different from other apps, it's that government X doesn't trust government Y. https://www.washingtonpost.com/technology/2023/02/03/tiktok-delete-advice/
       
Post #ATgs5dfkQdPfWafZeC by glent@aus.social
       2023-03-17T00:52:27Z
       
       0 likes, 0 repeats
       
       @simon Looking for a technical answer to a question of politics.
       
       The basic question is: will ByteDance do what the Chinese government asks, e.g. if the government asks ByteDance to extrajudicially disclose communications, or alternatively to censor communications, or to deploy malware via their app? The answer is obviously yes; you need look no further than WeChat. Moreover, the government has no qualms about detaining tech company CEOs. So measures like banning the TikTok app on US government devices absolutely make sense.
       
       In my mind the next question is if the US government is seeking another step -- to protect US companies from overseas competition. And I think that's the case. Forcing the sale of TikTok -- well, there are only a few VCs, a few US software companies, of the scale to buy TikTok and use it well. And if someone else buys it and runs TikTok poorly, that's even better for Facebook and Google (less so for Microsoft).
       
Post #ATgsJJtYkyKOEzeZuK by josh@barelysocial.org
       2023-03-17T00:54:52Z
       
       0 likes, 0 repeats
       
       @simon Can you share if someone finds something for you? I’m exceedingly curious, as well.
       
Post #ATgsV0748FJsMXXaTY by maxtappenden@me.dm
       2023-03-17T00:57:54Z
       
       0 likes, 0 repeats
       
       @simon On devices that will let it, it'll save anything in your clipboard, even if you don't paste into the app. It also saves keystrokes, even when not submitted and even in its (non-optional) in-app browser.
       
       There's also the fact the CCP can request any data the company holds, on anyone, for any reason and regardless of where the data is stored (i.e. their US and EU data centres are smokescreens).
       
Post #ATgtvk6br49AUPdudM by be@floss.social
       2023-03-17T01:16:11Z
       
       0 likes, 0 repeats
       
       @simon The explanation is racism.
       
Post #ATgu6kH9YxoUCboxkm by simon@fedi.simonwillison.net
       2023-03-17T01:17:01Z
       
       0 likes, 0 repeats
       
       @maxtappenden Interesting! I'm trying to figure out how to open https://inappbrowser.com/ in the TikTok app (to see what scripts they inject) but it's proving difficult to find any opportunities at all to actually add a link which I can click on in order to open the in app browser for it
       
Post #ATguIA2m68zdJ2XTdY by simon@fedi.simonwillison.net
       2023-03-17T01:18:04Z
       
       0 likes, 0 repeats
       
       @monkeyninja I'm interested in a guide specifically for the infosec crowd! I want to understand the technical arguments around what it's doing
       
Post #ATguVirrvyyd4ku8tk by jalcine@todon.eu
       2023-03-17T01:19:54Z
       
       0 likes, 0 repeats
       
       @simon it's frankly a political issue. The fact that a foreign social networking company has one of three US citizens as an active user in a state that allowed Cambridge Analytica to occur with little recourse and a growing divide in how media should be run is what's pushing this. Anti-Chinese sentiment.
       
Post #ATguW1NN7as6TfmYV6 by jalcine@todon.eu
       2023-03-17T01:20:36Z
       
       0 likes, 0 repeats
       
       @simon and I say this because it's no different to the reach that Google, Amazon, and Facebook, née Meta, have currently.
       
Post #ATguhYPCeuB26P8c7c by simon@fedi.simonwillison.net
       2023-03-17T01:20:23Z
       
       0 likes, 0 repeats
       
       @glent I'm an iPhone user, so there's generally a limit to the amount of damage malware can do (unless they're exploiting a zero-day vulnerability in iOS itself).
       
       I'm trying to understand what kind of specific bad things the app has been caught doing, plus the bad things it is anticipated to be able to do in the future.
       
Post #ATgvDhKqzdu543QmXY by monkeyninja@mastodon.cloud
       2023-03-17T01:22:57Z
       
       0 likes, 0 repeats
       
       @simon OH! I’m sorry, I thought you were looking for a less technical write up. I can do that too. I just did a quick nontechnical one though, give me a few to get my kiddo to bed and I can hit it from the technical side too
       
Post #ATgvODBrPc7IkyEo2i by maxtappenden@me.dm
       2023-03-17T01:24:56Z
       
       0 likes, 0 repeats
       
       @simon They saw you coming, pal. You need 10,000 followers to post links!
       
Post #ATgvvdOF1VANZNxx0S by simon@fedi.simonwillison.net
       2023-03-17T01:32:12Z
       
       0 likes, 0 repeats
       
       This thread by @monkeyninja has some useful details: https://mastodon.cloud/@monkeyninja/110035991592217792
       
Post #ATgw9uBlMY2JixvyvQ by gpshead@infosec.exchange
       2023-03-17T01:38:59Z
       
       0 likes, 0 repeats
       
       @simon Banning software from devices of people who may represent elevated access to things seems like a pretty normal security policy implementation to me.
       
       Imagination provides scenarios: Assume software is considered pwned by an adversary. Meaning they can include code and push updates, possibly targeted to only execute on certain people's devices. Despite best efforts, side channels and zero days on platforms always exist, especially to resourced adversaries, who might spend an undisclosed one by deploying it if deemed worthwhile. The more information they have on networks of people, the better they can plan targeting.
       
       Similarly, direct access to individual people with a tailored content feed is a manipulation side channel. Reduce the number of opportunities people have to see said feed, reduce the manipulation.
       
Post #ATgwNqddMNhilbcRJw by AaronNGray@fosstodon.org
       2023-03-17T01:42:05Z
       
       0 likes, 0 repeats
       
       @simon Waiting for the zero day to come ?
       
Post #ATgyNdoJFlautGdq1A by maxtappenden@me.dm
       2023-03-17T02:06:19Z
       
       0 likes, 0 repeats
       
       @simon @monkeyninja Yup, this is pretty good. The second point is really important.
       
Post #ATh0lRBA4HMsZanyHQ by glent@aus.social
       2023-03-17T02:33:03Z
       
       0 likes, 0 repeats
       
       @simon That's still a question of politics. Could the government force a zero-day payload onto ByteDance?
       
Post #ATh3khjLLRUTTl8SDQ by mterhar@bfd.so
       2023-03-17T03:06:10Z
       
       0 likes, 0 repeats
       
       @simon from what I've seen, there are some mildly alarming things about data locality that the kind folks at Facebook and Google are amplifying. The competitors seem to be using marketing and lobbying teams to work on the public perception and legislated bans at various levels. This is kinda compounded by how cozy Facebook and Google are with the intelligence community. Intelligence folks see how valuable those connections are and worry about an adversary wielding similar capabilities.
       
Post #ATh5pJT5B8UjaSr3wG by PublicLewdness@freespeechextremist.com
       2023-03-17T03:31:35.725053Z
       
       0 likes, 1 repeat
       
       @simon It's closed source software. Nobody can say for certain what it is doing in the background with total accuracy. All the more reason it shouldn't be on government devices.
       
Post #AThuVz9xYXHWlIS3XM by ncweaver@thecooltable.wtf
       2023-03-17T12:57:42Z
       
       0 likes, 0 repeats
       
       @simon It is NOT doing anything different, but the corporate ownership is different. The real problems are two-fold: the first is that so many apps are data hoovers, and TikTok is really no more or less than others, and the second is "how do you say 702 in Mandarin": if data is collected, the corporate host government can access it.
       
       It shouldn't be on official phones, but banning it beyond that is just stupid; we really need to stop the data collection itself, not one particular offender.
       
Post #AThvnPr7eZYwR4W3RA by FuckElon@mastodon.social
       2023-03-17T13:12:03Z
       
       0 likes, 0 repeats
       
       @simon I get your question and I would like to see the answer, but for staff devices, none of these apps should be allowed unless they have a social media/comms position, and nobody should be allowed to install anything that is not vetted by the company and not related to work. And frankly, nobody should want to do anything personal on a work device anyway; it is so incredibly stupid. When I see people sending me personal emails from their work email I just have to sigh.
       
Post #ATi39LS1PVpqpAB9tY by simon@fedi.simonwillison.net
       2023-03-17T14:32:51Z
       
       0 likes, 0 repeats
       
       @FuckElon how common are staff mobile devices these days though? Everywhere I've worked in the last decade has given me a laptop but left me to use my own personal mobile device, which inevitably fills with work-related applications.
       
Post #ATi6fYQizQUcCucefY by micheldesjardins@mstdn.ca
       2023-03-17T15:13:51Z
       
       0 likes, 0 repeats
       
       @simon the problem is that Chinese companies are forced by law to give their data to the Chinese government when asked. The Chinese could then use the info to "influence" other governments and people.
       
Post #ATiD8yMKGSzKkPyZ8K by simon@fedi.simonwillison.net
       2023-03-17T16:26:37Z
       
       0 likes, 0 repeats
       
       @monkeyninja OK, I think I understand now.
       
       TikTok hoovers up the maximum possible amount of information given the platform it runs on - clipboard data, locations, contacts etc - less of an issue on iOS just because Apple have locked things down so much there, but potentially much more of a problem on other platforms.
       
       The bigger deal is that they're extremely likely to ignore US/EU privacy protections and share users' private data with the Chinese government, if demanded to do so.
       
Post #ATiDXnBYwdpFKhmCWW by timbray@hachyderm.io
       2023-03-17T16:28:14Z
       
       0 likes, 0 repeats
       
       @simon @monkeyninja Shorter: It's not a tech problem. It's a China problem.
       
Post #ATiDlhY2hXzbu2vKEq by maxtappenden@me.dm
       2023-03-17T16:29:50Z
       
       0 likes, 0 repeats
       
       @simon @monkeyninja You’ve got it.
       
Post #ATiEixITn4ZPphtm3k by maxtappenden@me.dm
       2023-03-17T16:41:10Z
       
       0 likes, 0 repeats
       
       @simon @monkeyninja Oh, this just dropped. https://www.nytimes.com/2023/03/17/us/politics/tik-tok-spying-justice-dept.html?smid=nytcore-ios-share&referringSource=articleShare
       
Post #ATiEixv7TPTjlXydHs by simon@fedi.simonwillison.net
       2023-03-17T16:43:59Z
       
       0 likes, 0 repeats
       
       @maxtappenden @monkeyninja reminiscent of some of the dirty tricks Uber were using a few years ago https://www.theverge.com/2014/11/19/7245447/uber-allegedly-tracked-journalist-with-internal-tool-called-god-view
       
Post #ATiF9nBFVnVSH9JUoK by russss@chaos.social
       2023-03-17T16:47:36Z
       
       0 likes, 0 repeats
       
       @simon @monkeyninja Worth noting that their privacy policy is transparent and fairly easy to read. I don't think they get much more out of Android than iOS these days. https://www.tiktok.com/legal/page/eea/privacy-policy/en
       
Post #ATiFMVfHwfkbiVQc2C by maxtappenden@me.dm
       2023-03-17T16:48:36Z
       
       0 likes, 0 repeats
       
       @simon @monkeyninja Yup. But Uber is an American company we can do something about. ByteDance is subservient to a hostile state. That’s what most of this boils down to.
       
Post #ATiFpyKuQQ1L2MwdQ8 by 22@octodon.social
       2023-03-17T16:56:31Z
       
       0 likes, 0 repeats
       
       @simon @monkeyninja could someone comment on the failure mode where, even if the majority of data brokers that Uber and Google and Grindr contract with respected US/EU privacy laws, it just takes one data broker to sell all our info to [insert government/criminal agency], breaking the law?
       
       I mean, it seems painfully obvious that state security agencies currently enjoy total access to all the data the YouTube app, for example, collects about us, and so TikTok is just more of the same?
       
Post #ATiG4ZRxEaOKCICXY0 by acookiecrumbles@indieweb.social
       2023-03-17T16:57:03Z
       
       0 likes, 0 repeats
       
       @simon @monkeyninja suppose where I struggle with this is, while all this is true, there’s nothing in place that prevents state actors (+ other bad actors) from buying data from data brokers (an insanely unregulated industry) or targeting American / EU citizens with ads on Facebook (Facebook’s increased vetting for political ads, but…). Also nothing in place to prevent American companies from doing things like Uber’s “god view” or Facebook employees having access to all user data / messages.
       
Post #ATiGcekS2dh8TY6eEi by rabc@hachyderm.io
       2023-03-17T17:05:15Z
       
       0 likes, 0 repeats
       
       @simon tbh, what they do is pretty much the same as what Facebook, Google and others have been doing for years. Just that this time it is a Chinese company, therefore no good, and western companies can lobby to ban it to keep their market in the same status quo. TikTok probably collects more data just because of the scale they reached. Just like Instagram collected tons more than previous apps because they "unlocked" the next addictive stage at their time.
       
Post #ATiH4i1bS7hKkKVOu8 by glyph@mastodon.social
       2023-03-17T17:09:53Z
       
       0 likes, 0 repeats
       
       @simon I think the “privacy” dimension — while undoubtedly concerning — is somewhat overblown in reporting in comparison to the thing I’d be more concerned about, which is influence operations https://www.reuters.com/world/us/us-nsa-director-concerned-by-tiktok-data-collection-use-influence-operations-2023-03-07/
       
Post #ATiH4kHd3Vhnkc1EA4 by glyph@mastodon.social
       2023-03-17T17:09:54Z
       
       0 likes, 0 repeats
       
       @simon Like if you think of tiktok less as a data collection firehose and more as a covert weapon in mass psychological warfare, the concerns come into better focus. And this is not a hypothetical concern, they’re quite directly using it this way https://www.forbes.com/sites/emilybaker-white/2022/11/30/tiktok-chinese-state-media-divisive-politics/?sh=12ba32654bf0 — the only real question is how direct their ability to use the algorithmic filter to push their propaganda goals is, and how effective the tech is
       
Post #ATiQhWDiAvKB12kXwW by FuckElon@mastodon.social
       2023-03-17T18:58:12Z
       
       0 likes, 0 repeats
       
       @simon If an employer wants you to use a personal device for work (you should not, either way) then they have absolutely no say on whatever else is on it. If they want to control your device they had better give you a different one. The remote erase many want to push is bullshit bullshit bullshit. If it really comes to it I would buy a second device just for work. Would never mix stuff. Too dangerous in many ways.
       
Post #ATiRuhzjoCE3Fk4DPU by piccolbo@toot.community
       2023-03-17T19:11:36Z
       
       0 likes, 0 repeats
       
       @simon @monkeyninja That's one side of the problem. The other is that TikTok exerts control on what users see, and several orgs have found evidence of censoring information that is unfriendly to China, see https://en.wikipedia.org/wiki/Censorship_by_TikTok https://www.technologyreview.com/2021/07/13/1028401/tiktok-censorship-mistakes-glitches-apologies-endless-cycle/ https://www.theguardian.com/technology/2019/sep/25/revealed-how-tiktok-censors-videos-that-do-not-please-beijing Complementary to censoring is promoting material that furthers China's goals, like fomenting extremism in the US. This is potentially concerning, but I haven't read of evidence yet.
       
Post #ATuNpP0wskTz1CMo2C by shinyeliza@mastodon.social
       2023-03-23T13:22:46Z
       
       0 likes, 0 repeats
       
       @simon this morning's New York Times article was about this, and their framing made the potential ban seem extremely… petty? I think there's a privacy discussion, but the NYT really highlights that for American politicians, it seems to be about using the legal system to undermine a foreign company from a country we're competing with.