WASHINGTON — Two lawmakers questioning TikTok CEO Shou Zi Chew before a House panel last week flashed their tech credentials, challenging Chew’s reassurances about the safety of the video-sharing app for U.S. users.
Rep. Jay Obernolte, R-Calif., who owns a video game development studio and is a rare House Energy and Commerce Committee member with a background in computer science and information technology, pushed Chew to explain how a third-party review of software code would work. Chew told the panel such a review could check for gaps that could allow China to snoop on Americans.
Rep. Bill Johnson, R-Ohio, a former U.S. Air Force officer turned entrepreneur who owned information technology companies providing services to the Pentagon, took Chew on over his interpretation of a report on the app’s privacy, security and censorship.
As lawmaker after lawmaker expressed disbelief about Chew’s efforts to put a lid on the anger in Congress over TikTok’s protection of data, its relationship to the Chinese Communist Party and the risks the app poses to young users, Obernolte and Johnson used their questions to probe for technical details or expose shortcomings.
TikTok agreed to a third-party review of its software code in a deal with the U.S. government that called for the company’s U.S. operations to be separated from its Chinese parent ByteDance, and for all American users’ data to be stored in the U.S.
Chew said the $1.5 billion effort, titled Project Texas, is key to reassuring lawmakers and the U.S. government that TikTok isn’t providing a technical backdoor to Beijing.
Obernolte wanted Chew to explain how TikTok would integrate new code, including reviewed and vetted code, into an existing code base that could run to millions of lines of software instructions.
Would TikTok use custom-built integration software that updates the existing code base with new lines of code, Obernolte asked, and if so, would that integration software itself be subject to third-party review?
Chew said the review process would have “several layers of monitoring to make sure that everything that somebody has reviewed … there’s a secondary review, so that one malicious actor is not able to create damage.” In what became a common refrain to the questions, Chew also said he would get back to lawmakers with details.
Obernolte said a malicious actor wouldn’t necessarily put a damaging piece of software code in one place that can be easily discovered.
“I would put unrelated lines of code in different sections of the code that work together to do something malicious,” he said, adding that there “are too many backdoors through that process.”
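The weakness Obernolte describes, a backdoor assembled from pieces that each look harmless in their own change, is what a per-change review process is structurally blind to, and it is why a practitioner would insist on a whole-program data-flow check over the integrated code base rather than sign-off on individual diffs. The following is an added illustration written for this article, not code from TikTok, Oracle or Project Texas; every module, field, label and endpoint name in it is a hypothetical construct, and the three "changes" are a constructed scenario. It uses a minimal taint model: each value carries the labels of the data it was derived from, and the audit asks whether any sensitive label reaches a sink outside an allowlist.

```python
"""Added example: three individually innocuous changes that together move
contact-graph data to an unapproved endpoint, and the difference between
reviewing each change alone and auditing the integrated data flow.
Illustrative code only; all names are hypothetical constructs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Labeled:
    """A value plus the set of provenance labels it derives from."""
    value: object
    labels: frozenset = frozenset()


def derive(value, *sources):
    """A value computed from sources inherits all of their labels."""
    return Labeled(value, frozenset().union(*(s.labels for s in sources)))


# Change 1: "add basic diagnostics". No sensitive input, no network sink.
def collect_diagnostics(app_version: Labeled, locale: Labeled) -> dict:
    return {"version": app_version, "locale": locale}


# Change 2: "cache hint for faster sync". Reads the contact graph, but this
# diff contains no network call, so the reviewer sees nothing leaving.
def add_cache_hint(report: dict, contact_graph: Labeled) -> dict:
    hint = derive(hash(contact_graph.value) & 0xFFFF, contact_graph)
    return {**report, "cache_hint": hint}


# Change 3: "point diagnostics at the partner endpoint". A one-line config
# edit; at review time the payload holds only version and locale.
ALLOWED_SINKS = {"metrics.internal"}   # hypothetical allowlist
DIAG_ENDPOINT = "metrics.partner"      # hypothetical; was "metrics.internal"

SENSITIVE = {"contacts", "location"}   # labels that must never leave


def flush(report: dict, endpoint: str = DIAG_ENDPOINT):
    """The only sink: returns what would leave the process, and to where."""
    return endpoint, report


def sink_findings(endpoint: str, payload: dict) -> list:
    """Each payload field carrying a sensitive label into a disallowed sink."""
    if endpoint in ALLOWED_SINKS:
        return []
    return [(key, sorted(val.labels & SENSITIVE), endpoint)
            for key, val in payload.items() if val.labels & SENSITIVE]


def constructed_session() -> dict:
    """Constructed inputs, labelled with the class of data they carry."""
    return {
        "app_version": Labeled("29.7.1"),
        "locale": Labeled("en-US"),
        "contacts": Labeled(("alice", "bob"), frozenset({"contacts"})),
    }


def review_each_change_alone(session: dict) -> list:
    """Per-change review: changes 1 and 2 contain no sink, and change 3 is
    exercised with the payload that existed before change 2 landed."""
    collect_diagnostics(session["app_version"], session["locale"])  # change 1
    add_cache_hint({}, session["contacts"])                           # change 2
    pre_change2_payload = collect_diagnostics(session["app_version"],
                                              session["locale"])
    return sink_findings(*flush(pre_change2_payload))                 # change 3


def audit_integrated_flow(session: dict) -> list:
    """Whole-program check: run the pieces as they are actually wired."""
    report = collect_diagnostics(session["app_version"], session["locale"])
    report = add_cache_hint(report, session["contacts"])
    return sink_findings(*flush(report))


if __name__ == "__main__":
    s = constructed_session()
    print("per-change review:", review_each_change_alone(s))
    print("integrated audit: ", audit_integrated_flow(s))
```

Run stand-alone, the per-change review returns no findings while the integrated audit reports the `cache_hint` field carrying the `contacts` label to `metrics.partner`. The point is not the toy taint model but the scope: the only check that sees the backdoor is the one that runs over the code as integrated, which is exactly the integration step Obernolte asked whether Project Texas would subject to independent review.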
Oversight or ownership
The exchange revealed the potential limitations in obtaining reassurance through oversight, said Lindsay Gorman, senior fellow for emerging technologies at the German Marshall Fund’s Alliance for Securing Democracy.
“I think there’s a fundamental disconnect with Project Texas, between oversight and ownership,” Gorman said. “The national security consensus is really that ownership is what matters more so than oversight,” she said.
Chew repeatedly tried to persuade lawmakers that ownership didn’t matter.
Even if a review finds no backdoors or security gaps in software code, individuals with buy-in from “leadership or whoever is pulling the strings at the company can get around these systems,” said Gorman, who previously was a senior adviser in the White House Office of Science and Technology Policy for the Biden administration. “No technology system and oversight system is going to be perfect.”
Software developers often find it hard to review their own code, Gorman said. “It’s really worse to review someone else’s code.”
Or, as Obernolte pointed out, it would be hard to ascertain intent by reviewing software code and algorithms.
“How could looking at the algorithm confirm that it’s free from foreign influence?” Obernolte said. “Because the algorithm is just a neural net architecture with inputs and outputs and weights and how to train that. … I mean influence is an external factor.”
“I am concerned that what you’re proposing with Project Texas just doesn’t have the technical capability of providing us the assurances that we need,” Obernolte told Chew.
Chew said he would provide written answers to the technical questions.
TikTok’s U.S. entity was established with a 20% ownership stake jointly held by software maker Oracle Corp. and retailer Walmart Inc. The agreement calls for Oracle to oversee data entering and exiting its data centers in Texas as well as help review the software that runs TikTok.
TikTok is in negotiations with the Committee on Foreign Investment in the United States about details of Project Texas and whether those steps are adequate to satisfy U.S. national security concerns.
While several lawmakers have called for an outright U.S. ban on the app, the administration is said to also be examining a forced sale of the company. China’s Commerce Ministry last week said it would oppose a forced sale because it would involve the export of Chinese technology.
Johnson used his question time with Chew to say the CEO was misinterpreting a report on TikTok’s privacy, security and censorship. He was referring to a 2021 report prepared by Citizen Lab, based at the Munk School of Global Affairs & Public Policy at the University of Toronto, which specializes in examining backdoors in communications technologies.
Chew said the Citizen Lab report “found that there was no overt data transmission by TikTok to the Chinese government and that TikTok did not contact any servers within China.”
But Ronald Deibert, Citizen Lab’s director, published a statement March 23, the day Chew testified, saying the CEO was misquoting the lab’s research in statements to governments as “somehow exculpatory.”
The Citizen Lab report found that TikTok was similar to social media apps, acting like a “vacuum cleaner of personal data,” but the researchers had no “visibility into what happened to user data once it was collected and transmitted to TikTok’s servers,” Deibert’s statement said.
“Although we had no way to determine whether or not it had happened, we even speculated about possible mechanisms through which the Chinese government might use unconventional techniques to obtain TikTok user data via pressure on ByteDance,” Deibert wrote.
The lab also found that TikTok contained dormant software code originally written for the Chinese version of TikTok, called Douyin and also owned by ByteDance.
“While Citizen Lab may have been afraid to say the obvious conclusion, Mr. Chew, I’m not,” Johnson said. “TikTok source code is riddled with backdoors and CCP censorship devices,” he said, referring to the Chinese Communist Party.
“In a million lines of code, the smallest shift from a zero to one on just one of thousands of versions of TikTok will unlock explicit CCP censorship and access to American data,” Johnson said.