Category: Information & Communication Technology

TikTok Logo
Computer SecurityComputersInformation & Communication TechnologySocial Media

TikTok: Is It The Next Cyber-Security Threat?

TikTok has been the most downloaded app globally in 2020. Although it has existed since 2018, TikTok surpassed 2 billion downloads back in April, during the apex of the new socially-distanced reality engendered by the pandemic. The ability to share and create content such as comedy skits, dance challenges, and lip-syncing clips, has appealed to various age groups around the world, especially teenagers. However, TikTok has been at the center of controversy for raising cyber security concerns not just here in the United States, but around the world. 

The problem with TikTok is twofold. The first issue is the app is owned by a Chinese company called ByteDance. Because ByteDance is not American-based, it does not follow U.S. federal and state consumer privacy laws. TikTok announced the data collected by American users is backed-up in Singapore, which is not subject to Chinese law. Though true, it is possible the Chinese government could pressure ByteDance to relinquish its user information. 

Second, TikTok has a large accumulation of data related to the types of videos Americans watch and post. Because it has turned into an important platform for political activism, people are worried the Chinese government could influence public opinion and control speech. For instance, according to both The Guardian and The Intercept, last year, TikTok company officials told their employees to censor content considered sensitive to Beijing. TikTok claimed their policies were outdated when the reports were released. As a result of this incident, they established a “transparency center” so security and technology experts from around the world can observe their policies. 

Despite TikTok’s official statement, President Donald Trump issued an Executive Order in August declaring the prohibition of all business with ByteDance. Unless ByteDance announces a plan to sell TikTok, the app will be banned on September 29th, 2020. Several American agencies and companies, such as the U.S. Army and Wells Fargo, have been proactive, requiring servicemen and employees to uninstall the app in response to these security concerns. Other countries, like India, have followed suit, banning the app altogether. 

Many people, including computer security experts, believe banning the app in the United States would be an extreme course of action. Not only would it invite questions about censorship in a free country right before an election, but it would affect various companies here in the U.S. who use the platform for marketing purposes. A solution technology experts have mentioned is to implement policies for protecting consumer privacy and measures to minimize data misuse from companies around the world. Currently, with the exception of a few state laws, the responsibility of American privacy and data sharing belongs to companies such as TikTok, Facebook, and Twitter. 

On September 14th, 2020, ByteDance accepted Oracle’s proposal to be their new technology provider. This means Oracle would be held accountable for protecting all user information collected through TikTok. Although this deal is pending approval by the U.S. government, this would keep businesses invested in TikTok afloat and allow up to 100 million users to continue posting creative content. Tresury Secretary, Steve Mnuchin, told CNBC that the government will be reviewing the proposal this week, as their top priority is to keep American user data from the Chinese Communist Party.   

Four days later, the U.S. government announced the removal of TikTok and fellow Chinese app, WeChat, from American app stores supplied by Apple and Google. Distribution, updates, and maintenance will be expelled for purchase unless the Trump administration, TikTok, and Oracle can close a deal by September 20th. Commerce Secretary, Wilbur Ross, told Bloomberg WeChat would be shut down for practical purposes, but Americans could still use the app for payments in China and talk to loved ones overseas. He added TikTok’s official shut down is scheduled after November 12th if the deal with Oracle falls through.  

On Monday, September 21st, 2020, President Trump announced his approval of the deal between Oracle and TikTok. As a result of the ongoing proposal, Oracle and Walmart will share a 20% stake in TikTok Global, a new company headquartered in the United States. ByteDance will own 80% of TikTok Global and allow Oracle to review its source code. Ceding algorithms and other technologies was not included in the deal. Allowing Oracle to review the source code is still not fool-proof as ByteDance could easily instruct the code to send data back to China in secret. Trump’s approval has postponed the ban for now, but the removal of TikTok through American app stores is still in effect. As relations between the United States and China remain tumultuous, the final outcome of the TikTok debate remains to be seen. 

Computer SecurityExpert WitnessInformation & Communication TechnologySecurity

Is New Hampshire the Next Iowa Voting Disaster? Information Technology Expert Analysis

A hastily-developed app and combined with a lack of user testing caused a ruckus in Iowa Caucus voting this week. What’s in store for New Hampshire, Super Tuesday, and beyond?

It has been an exciting week in US politics. We had a State of the Union address and an impeachment vote. A whirlwind week by any standard! Before we could even get to those two events, we started the week with an outrageous technology failure in the Iowa Democratic Caucus. For purposes of this blog post, I’m not going into the differences between a caucus and a primary. Let’s just assume they accomplish the same result: selecting a candidate for political office.

For the Iowa Democratic Party, Monday night was a disaster and then it continued into Tuesday, Wednesday… you get the idea. As I write this blog post on Friday morning, I’m not even sure if they have an official determination of who won. The news stories seem to be conflicting.

So here is what we know about the app (IowaRecorder) failure based on available reports. The Iowa Democratic Party hired a marketing technology company to build an app which would be used, statewide, to report results of local caucus votes (I’m simplifying for purposes of brevity). The app was going to be used to submit voting results. Nobody was actually voting through the app.

This first really good article I read that outlined the technology implementation failure, came from Slate. Here was a good summary from a couple of days ago:

“It’s still unclear what exactly went wrong with the app, but all of these issues appear to have something in common: The Iowa Democratic Party clearly wasn’t prepared for any possible issues with the app and a more involved method of vote reporting introduced this year—and sure enough, it reportedly turns out that the app was never tested on a statewide scale. Shadow, which is run by alumni of the Barack Obama and Hillary Clinton campaigns as well as Google, was paid $60,000 to develop the app, but it had just two months after party officials decided to abandon plans to report results over the phone.”

There’s some updated information on the failure from Motherboard, which was released yesterday (along with the app code). Below, you’ll see that they released an app that was still in beta format:

“And Instead of going through proper app store review processes conducted by Apple and Google, Shadow used beta testing platforms like Apple’s TestFlight to distribute the software so it could meet the Monday deadline. So when it came time for the app to do its most critical role — letting Democratic precinct leaders report results from Iowa on Monday — it failed in every way imaginable.”

Expert Analysis:

As I do when these major stories break, I turn to Experts.com members to get insights. You may recall Dr. Stephen Castell. Dr. Castell, Chartered Information Systems Practitioner and Member of the Expert Witness Institute, is Chairman of CASTELL Consulting. He is an internationally acknowledged Independent Computer Expert who has been involved in a wide range of computer litigation over many years.

Dr. Castell and I wrote a blog post back in 2018, regarding West Virginia’s Blockchain voting program. They are actually expanding this plan, which may necessitate a separate blog post.

Below, please find my questions and Dr. Castell’s answers (Disclaimer: these questions and answers provided on February 5th, 2020):

Nick: From available reporting, it appears the Iowa Democratic Party failed to do a statewide testing of this vote reporting application. What type of tests would have been necessary to identify errors in the system before statewide roll-out?

Dr. Castell: As other ICT professionals comment in the reports, there should be thorough systems testing and QA procedures, including User Acceptance Testing and Pilot Trials, plus scaled-up ‘soak testing’, before contemplating any real-world launch, such as this statewide roll-out. You expect to get errors in systems testing – its main purpose is to identify faults and fix them. Sadly, software systems and Apps these days do seem often to be launched publicly without adequate systems testing, let alone with adequate prior User Testing and Pilot Trials. If such standard professional QA processes were omitted, or truncated, for something as high-profile and important as an App to collect and relay voter data in the Iowa Caucus, that does appear rather astonishing.

Nick: It doesn’t appear that all of the fault lies with the app developer. It seems the Iowa Democratic Party only gave the app developer 2 months to develop and deploy this application. What sort of time-frame would you anticipate to develop, test, and implement a software of this scale?

Dr. Castell: That is difficult to estimate without more knowledge of the actual detailed Customer Requirements Specification that the developer’s App was contracted to meet. On the face of it, an App simply to in-gather voting data, aggregate and transfer it, sounds in principle like fairly straightforward functionality to code, test (at scale) and implement, and 2 months may not have been an unrealistic timescale for development, testing and deployment.

Nick: Would you expect there to be a certain level of user sophistication for those using the app on this scale? Should there have been company representatives available at caucus sites?

Dr. Castell: Reports suggest that there was little prior familiarity, let alone ‘training’, or ‘user sophistication’, with the App on the part of those expected to employ it for real, in the high-pressure, real-time Iowa Caucus conditions. Whatever the state of compliance of the App with its contractual specification – perhaps reasonably well delivered to time, budget, specification, and of suitable quality, ‘fit for purpose’ – if there was no program for adequate user familiarity and training, plus some sort of support and trouble-shooting team from the developer company at caucus sites, that alone could account for the problems encountered in statewide roll-out operation.

Nick: From what I’ve read, it looks like the company was paid $60,000 to build this application. Is there any way to gauge whether this is too little or too much for this type of application development?

Dr. Castell: Again, that is difficult to gauge without more knowledge of the actual detailed Customer Requirements Specification, and thus the likely complexity of the functionality needed, and its associated software design and coding; also, there may have been a tight budget to which the developer company was obliged to work. It is not unusual for software developers to invest in a ‘plum’ assignment such as this high-profile Iowa Caucus project, for the promotional and marketing impact that gives them in securing hopefully more lucrative and profitable development jobs later. In this case, the $60,000 could have been much less than the true cost to the developer company of the analyst, designer, coder, tester, deployer and trainer man-days expended in building and launching the App with a statewide roll-out, against a tough deadline.

Nick: What sort of testing, trials, and quality assurance requirements would you have employed prior to such an implementation?

Dr. Castell: There should ideally have been thorough systems testing and QA procedures, including User Acceptance Testing and Pilot Trials, plus scaled-up ‘soak testing’, well understood by ICT professionals, before the real-world launch of this statewide roll-out. Relevantly, I teach a Course Avoiding IT Disasters – the Expert Way, the principles of which are also covered in my seminal paper “Forensic Systems Analysis: A Methodology for Assessment and Avoidance of IT Disasters and Disputes”, issued as a Cutter Consortium Executive Report, Enterprise Risk Management & Governance Advisory Service series (Vol. 3, No. 2, March 8, 2006).


 

We cannot say that New Hampshire is next. All available information tells us that New Hampshire is not using the same company/app used in the Iowa Caucuses. Furthermore, there was talk of Nevada using the app, but they have claimed they will not move forward with the application.

That’s the end of this particular blog post. Though, we’re already in talks about another post related to voting systems.