Insights For Success

Strategy, Innovation, Leadership and Security

China

My view of the TikTok risk

General | Edward Kiledjian

This is an opinion piece.

TikTok is a Chinese social media network that allows creators to publish short videos. It started with a ton of slapstick comedy and karaoke but has since matured with much more diverse content. It has become one of the most popular social media platforms because of its powerful video pairing algorithm. It has an incredible ability to show you a continuous stream of content you will find interesting, and it is usually correct. 

You can see samples on their trending webpage without needing an account.

TikTok belongs to a large Chinese company called ByteDance. This is problematic for western politicians because (it is suspected) Chinese corporations have been stealing IP from their western counterparts for decades. 

But why is the USA talking about banning TikTok (a rare censorship move by the US government)? 

It is important to remember that China has banned most western social media apps within its borders. Without working around the great firewall of China, a citizen cannot access Facebook, Twitter, Reddit, or any Google property. It banned them to stifle conversation, to censor free speech and to monitor its citizens. 

You can use a website like Blocked In China or Comparitech to check whether a site is accessible from China.


I have lived in Hong Kong and worked in China for a considerable amount of time. So I hope that I can bring some interesting perspectives about China and this TikTok discussion.

The first thing to remember is that you cannot evaluate this matter through an American lens. 

Every medium-sized company or larger (think larger than 50-75 employees) is beholden to the Chinese government. This means that the Chinese government can seize, capture or use any information held by any Chinese company. Unlike US authorities, they do not need a court order to undertake any of these activities. Even though the Chinese government has allowed companies to operate with a semi-capitalistic model, it theoretically owns all Chinese companies operating in China.

A riskier point is (it is said) the fact that the Chinese government incentivizes Chinese companies and citizens to expand internationally and sign partnerships with western organizations in order to steal IP. The goal (it is said) is to use this knowledge to build a Chinese variant. Once perfected, the end goal is to export this Chinese version overseas and take over that market (this works in every vertical from clothing to aerospace).

Read about their 14th five-year plan here. Think of the five-year plan as a master blueprint for their economy. It lists the industries they want to lead in during that five-year period. The next one (2021-2026) will cover the environment and green tech. During those five years, they want to become industry leaders at any cost (remember the IP theft claim above).

If you watched Silicon Valley on HBO, they alluded to this characteristic when Jìan-Yáng "borrowed" American company ideas to start copies in China (time-code 0:44). 

Sometimes patriotic hackers also attack foreign companies to aid China. The US Department of Justice pinned the Equifax hack on 4 Chinese hackers. This hack gave the hackers, and (it is said) the Chinese government, access to the credit records of millions of Americans. They also had access to confidential Equifax business processes.

So what?

Let's summarise:

  • Every Chinese company is owned by the Chinese government

  • The Chinese government has access to all the data these Chinese companies have

So considering the above, prima facie, TikTok should be a national security threat. Last year American senators "woke up" and asked their national intelligence agencies for analysis.

Obviously, TikTok pushed back by saying that they use American servers running in the USA. TikTok also appointed an American CEO.

Think of all the data these companies collect about you (name, location, social graph, habits, likes, etc.). Used "properly" it can generate a ton of obviously useful and some less obviously useful data points. 

Read my 2014 article about how Target predicted its customers were pregnant before they knew it by data-mining their buying habits. Now imagine what could be done with a ton more information.

Regardless of where the data sits, the company that owns TikTok is ByteDance, a large, fully Chinese organization. Even if the data sits in the USA, ByteDance (it is believed) cannot refuse a request from the Chinese government.

Remember that Chinese employees have access to the American servers and data. It is claimed that ByteDance has ties to the communist party back home. All of these simply bring TikTok closer to the Chinese government and make obtaining information that much simpler. 

In addition to concerns about China gaining access to traditional social media users’ data, there is the concern of TikTok being a tool to exercise soft power. 

A popular tool used in offensive cyber activities is Psychological Operations (PsyOps). The goal of a PsyOps program is to secretly fuel the fire in a foreign country's population so that it takes actions desirable to you.

We heard about TikTok users coordinating on the platform to troll Trump's Tulsa rally. 

Was this truly a grassroots movement, or was a foreign adversary secretly working in the background to encourage actions aligned with its interests? Remember that a good psyops program is secret and almost impossible to identify. 

Americans see TikTok as a bastion of free speech, but it isn't. Many have claimed TikTok removes other types of videos that would not normally be considered bad in the west:

  • TikTok Is Reportedly Removing Videos of People with "Abnormal Body Shapes" 

  • TikTok 'tried to filter out videos from ugly, poor or disabled users' 

We have heard other complaints that videos critical of China were also removed. I don't know if this is true, but it would be consistent with how we believe China operates. Don't forget China uses TikTok to flex its soft power by encouraging creators to publish pro-Chinese content.

This goes back to the original point of not evaluating TikTok with your American lens. Whereas the removal rules for videos on YouTube, Facebook or Twitter are relatively well accepted (harmful, child abuse, exploitation, promoting hate, etc.), Chinese rules for removal of content are very different. China has an ambiguous law that aims to "prevent the spread of rumours". What constitutes a rumour is purposefully vague, and this law has been used to shut down dissenting voices. Looking at online complaints about the types of videos actually being taken down, the pattern seems more aligned with enforcing this law to protect the Chinese "face".

My assessment is that the Chinese government doesn't care about users discussing American politics. They want to ensure no one criticizes China, the Chinese system or the government's authoritarian rule. This is exemplified by TikTok deleting a video by a makeup channel. She talked about the plight of the Uyghur while doing her makeup and had her video deleted. 

China believes in free speech as long as it doesn't impact them or their narrative of the world. Try searching TikTok for videos discussing Hong Kong independence, Taiwan independence, or anything else criticizing China. 

Here is a shocking trend for you. Teens in the US and Europe that believe they may have been shadowbanned will publish videos with the Chinese national anthem playing in the background, with pictures of Xi Jinping and professing their love for China. Even though this is being done mockingly, doing this enough could have unintended psychological consequences and start creating positive associations in these teens about China.

Conclusion

I am anxious to see if the USA will ban TikTok and on what grounds. Will they conduct a full and impartial review, or will it simply be a decision of political convenience? Don't get me wrong; as a security professional, I don't trust any company based in China that is beholden to the Chinese government. The general public making dance videos may not care that their data could be used to build a profile of each user:

  • that, if the Chinese government wanted, it could use the videos to create a sizeable facial recognition database with a robust social graph

  • that this data, merged with other data from other breaches and leaks, could help build a reasonably reliable profile of hundreds of millions of people

  • that the platform could be used to sway younger voters in a particular political direction more aligned with Chinese interests

I am curious how the US would implement a ban. Even if they mandated that the app stores remove the app, Android users could sideload it, or TikTok could build a Progressive Web App (a web page that looks and acts like an app). We simply don't have the same censorship tools as China.

I don't know if the platform IS a risk to national security, but I personally don’t trust it.

If I start seeing more "Chinese contraband" content on TikTok, then I will be inclined to believe they are independent of the Chinese government. I want to see:

  • videos about the Muslim minorities being sent to re-education camps

  • videos asking for freedom to be restored in Hong Kong

  • videos talking about Taiwanese independence

  • videos criticizing the communist government

  • videos discussing the persecution of Falun Gong members (even imprisonment)

Until then, I hope users, particularly parents of younger children, understand what could happen with their data. Once something is uploaded to the internet, it can never really be removed.

A Canadian company breaking Internet censorship 

General | Edward Kiledjian

Controlling the flow of information is a critical tool in the arsenal of despots, dictators and authoritarian regimes. Some countries want to block a handful of internet sites (Facebook, Instagram, Twitter, etc.) while others exert an almost inconceivable stranglehold on the internet (think Iran). 

When we think of censorship, the typical list that comes to mind is North Korea, Iran, China and Cuba. The list is much more worrisome than that and includes countries such as Bahrain, Ethiopia, India, Pakistan, Russia, Saudi Arabia, Sudan, Syria, United Arab Emirates and more. Other countries typically offer an open internet to their population except during major events like Egypt during the spring uprising. 

Enter Psiphon

Psiphon is a Canadian company that started at the Citizen Lab with the intention of designing censorship-busting technology. It is an open-source tool designed to allow citizens living in restrictive regimes to easily access "forbidden content". The basic version of Psiphon, which is free for everyone forever without requiring an account, is speed-limited to 2Mb/s. You can earn (by watching promotional advertising videos) or buy PsiCash, which allows you to unlock faster speeds for a certain amount of time (up to 5Mb/s).

Earning PsiCash

As an example, watching a 30-second video ad earns you 35 PsiCash. You can watch about 5 in a row (earning you 150 PsiCash). You can exchange 100 PsiCash for 1 hour of "speed boost."

This is likely how citizens of repressive regimes would use the tool. If you are willing to spend cash via the Google Play store, you can buy 1000 PsiCash for $0.99CAD (10 hours of "speed boost"), 5000 PsiCash for $4.99CAD (50 hours of "speed boost"), etc. Every chunk of "speed boost" you buy starts counting down once you activate it.


If you want a more traditional monthly subscription with unlimited use, you can opt for a recurring subscription.

Or you can opt for a one-time unlimited-use pass (if you are travelling to one of the regions that censors the internet).

Who are these monthly recurring subscriptions for? They are for regions where the population is much better off (think Saudi Arabia) or for users that work in environments where undesirable internet sites are blocked (e.g. corporations, universities, etc).

DNS Leak Tests

I conducted a bunch of DNS leak tests on Windows and Android and didn't detect any leaks. On some tests, Google DNS servers did show up, but these were proxied by Psiphon, so your confidentiality is protected.

Different App Versions

You can download Psiphon from the Google Play Store, from the Apple App Store, or from their website (for Android or Windows).

If you send an empty email to [email protected], they will respond with an automated message listing different AWS URLs you can download the client from. The purpose of this option is to make the download available from cloud providers that are typically allowed.

Some news outlets blocked in certain regions recommend you use Psiphon to access them (BBC, The Intercept, etc.). These sites even set up the same type of email download-link response service to help you find Psiphon more easily (e.g. The Intercept set up [email protected]).

Most platforms offer 2 versions of the Psiphon app (basic and Pro). The basic version is the all-free version, capped at 2Mb/s, and it comes with small ads.

The Pro version seems to have more prominent ads but offers the option to have them removed if you buy a monthly subscription. 

The subscription and "speed boost" pricing is only available in the app, and pricing is region-specific (The high-speed monthly subscription seems to be $9.99USD/$14.99CAD/£9.99.) 

Last year Psiphon offered a 30-day trial for the subscription but has now shortened the trial to 7 days.

Ease of use

Once you install the app, you can immediately start the speed-limited service. It does not require any type of registration. This lack of red tape speeds up the process but also means any PsiCash you buy is bound to that device and that particular installation. If you clear the app cache or reinstall the app (even on the same device), your PsiCash is gone.

During my initial test, I sideloaded the app on Android and wasn't shown ads during use. That behaviour may change, so your mileage may vary. The Google Play versions I installed did show me ads.

07-01-2020_Image6.jpg

You will notice a **Stats** menu option in the previous image; this shows you how much data you have uploaded and downloaded. This is less of a concern in industrialized regions, but many developing countries have expensive data plans. This **stats** option aims to help users make smarter data usage choices.


How secure is Psiphon?

This article will not be a technical evaluation of their security; however, you should read this section to ensure you understand what it does and what it does not do. Psiphon is, first and foremost, a censorship-busting tool. It uses a variety of technologies to ensure it can bust through most of the time. They combine techniques such as constantly changing server IPs, a series of cascading protocols (SSH, VPN, handshake obfuscation, etc.) and other anti-fingerprinting techniques.

These work extremely well. A buddy in China installed the Android version and freely accessed restricted sites (consistently over a test period of a week). All traffic from your device to the Psiphon servers is always encrypted, and they don't log any personally identifiable information. The last piece is that the software is open-source and can be inspected by anyone.

This service is NOT a replacement for other more common western VPNs like ExpressVPN, NordVPN, ProtonVPN, etc. Psiphon does a much better job of breaking through censorship controls. Still, it does not offer all of the privacy-protecting tools that traditional VPNs do (CyberSec DNS from Nord or the ability to control where you exit the network).

Psiphon does not claim to increase your privacy because it does not protect you from website fingerprinting, web beacons or other privacy-destroying techniques.

Psiphon shares aggregated information with its commercial partners.

Use Psiphon if you need to break censorship controls.

If you need strong privacy, use TOR (TOR does not work in most censoring regions).

Conclusion

I read a ton of discussions about Psiphon on different social media sites from people claiming to be in repressive regimes. Even though it is slow, clunky and not the most beautiful app, it provides a critical service that nothing else seems to offer.

Most users benefit from the free version, and Psiphon doesn't have an army of support people waiting to chat with you or respond to your emails.

If you are in a country that controls the internet, try TOR first. If it doesn't work, then jump to Psiphon.

If you live in one of the western countries where we enjoy relatively unfettered access to the internet, you would be better served by a traditional VPN service.

US bans use of Huawei technology through Defense Authorization Act

General | Edward Kiledjian

US President Donald Trump has signed the Defense Authorization Act into law. Section 889 (PROHIBITION ON CERTAIN TELECOMMUNICATIONS AND VIDEO SURVEILLANCE SERVICES OR EQUIPMENT) bans the use of Huawei or ZTE technologies by government agencies and contractors.

The language of the act is ambiguous and doesn't clearly list what technology is or isn't covered by the prohibition. The relevant passage reads:

"procure or obtain or extend or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system"

ZTE and Huawei equipment should not be used to access government systems that display personal data; therefore, it is safe to assume that most agencies and contractors will purge their networks of systems designed by, or that use, these technologies.

I have not yet seen an official response from either of the tech companies.

Stay tuned. 

Alternative ways to get the TOR browser

General | Edward Kiledjian

Tor is an incredibly powerful privacy-enhancing tool that every security-conscious netizen should have in their arsenal. It doesn't replace a VPN service, since TOR isn't optimized for high-bandwidth usage (like streaming music/videos), but it definitely has a place in my internet usage portfolio.

To use TOR, you need access to a small kit of software that includes the TOR router and the TOR browser (a locked-down, customized version of the Mozilla Firefox browser).

The Great Firewall of China site test tool confirms that the TOR Project website is blocked.

Luckily, I live in Canada, where we enjoy incredible internet freedom, but what if you don't? What if you need TOR (because you live in a zone where the internet is tightly controlled or monitored) but you can't access the website to download the installer kit? The TOR Project has created the GetTor service to help those people gain access to its powerful network.

You can:

The system will then share with you a secret list of links to download the installer from GitHub, Dropbox or Google Drive.

Once you install the TOR package (after checking its validity to ensure it hasn't been tampered with), you can also use a TOR bridge if your country, school, company or ISP performs deep packet inspection to block TOR. A TOR bridge is an unlisted relay that helps circumvent censorship.
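As an added illustration (not from the original post and not the Tor Project's own documentation), the torrc fragment below shows how a client is pointed at an obfs4 bridge, the pluggable transport that disguises the Tor handshake so deep packet inspection cannot recognise it. The obfs4proxy path is an assumption, and the bridge address, fingerprint and cert values are placeholders; a real bridge line must be obtained from the Tor Project.

```text
# torrc fragment (added example, not from the original post).
# UseBridges tells the Tor client to reach the network only through the
# bridges listed below, instead of the public relays, whose addresses a
# censor can enumerate and block.
UseBridges 1

# Tell Tor which external program implements the obfs4 transport.
# The binary path is an assumption; it varies by platform and package.
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy

# One bridge line. Every value here is a placeholder (192.0.2.10 is a
# documentation-only address); replace the whole line with one obtained
# from the Tor Project. Format:
#   Bridge obfs4 <IP:PORT> <RELAY FINGERPRINT> cert=<CERT> iat-mode=<0|1>
Bridge obfs4 192.0.2.10:443 0000000000000000000000000000000000000000 cert=PLACEHOLDER_CERT iat-mode=0
```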

You are now ready to enjoy private, anonymous and secure web browsing. Once installed, all future updates to the TOR software will be delivered via the TOR browser itself, so you don't have to worry about performing these steps again.

Chinese media demand sanctions against US tech companies

Technology | Edward Kiledjian
Photo by Rene Mensen under Creative Commons License

Three things we know governments will always do are:

  1. Tax
  2. Spend
  3. Spy

The last point, fueled by the Ed Snowden leaks, seems to be keeping the media busy. Now Chinese state-owned media are calling on the Chinese government to sanction the major US technology companies who are "pawns of the US Government".

China Daily and People's Daily have called upon their leaders to "severely punish" the companies mentioned in the Edward Snowden leaks.

U.S. companies including Apple, Microsoft, Google, Facebook, etc. are all coordinating with the PRISM program to monitor China,
— People's Daily microblog site

Most companies have openly and vehemently denied working with the NSA. One such spokesperson is Google Chief Legal Officer David Drummond:

We cannot say this more clearly - the (U.S.) government does not have access to Google servers - not directly, or via a back door, or a so-called drop box

I believe the next few months will be interesting. Let's see how (and if) China takes an official position. It is important to remember that Chinese telecom equipment manufacturers were disqualified from bidding on US government contracts because of concerns about spying. Now that the Snowden leaks show the US may be intercepting Cisco equipment to implant its own hidden tools, could other countries start boycotting US telecom equipment manufacturers?

Source: Reuters