Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
For the past week, Congress held hearings with the CEO of TikTok, Shou Chew. They asked a variety of questions, but it was clear that many of the questions were political — treating Shou as a conduit for communism and the Chinese government rather than trying to understand the issues at hand. In many ways, this reminds me of the Congressional hearings for Facebook related to the Cambridge Analytica scandal. It seemed like they were trying to have a well-prepared tech CEO admit something blatant, whereas the reality of the tech and its implications is more nuanced. If anything, this proves one thing: Congress doesn’t understand the current tech landscape, including security, and this misunderstanding will be represented in the policies it creates.
I won’t discuss in this post whether we should ban TikTok or not. There are great perspectives on this, including a well-written one by Noahpinion. I do want to discuss Congress’s approach through the questions they ask, and why some of their questions created credibility issues in the eyes of the public.
It was unclear what Congress was trying to achieve with the hearing, and TikTok has been careful. That’s not a great combination, especially since many of the tech companies have learned from previous hearings. Shou was well-prepared to prevent Congress from digging up any additional issues. He stated that the data was stored in the US and that they didn’t take biometric data. He presented technical details that showed credibility, and in many ways, made it clear those in Congress are technically illiterate. The moment that captured most people’s attention was when Congressman Richard Hudson asked if TikTok accessed wifi.
I can point to multiple instances where the hearing seemed ridiculous, such as asking for Shou’s opinion on various political issues in China, which were irrelevant, but they all show that Congress is technologically illiterate and had an ulterior motive. They didn’t win any fans or change any minds. It’s clear that the data privacy and general laws governing social media are outdated. Shou’s argument is that they are no worse than other social media companies in terms of moderation and other features, which is a fair argument. However, it doesn’t justify the functionally unregulated way that social media and major tech companies handle user data.
Many social media companies hide behind Section 230 regarding content on their site, which justifies loose moderation, and there are no federal laws governing data brokers. This is highly problematic.
What are some solutions?
At the root of the problem is that we need a Congress that understands technology and can create policies that can practically address today’s tech privacy issues. It’s hard to regulate something you don’t understand.
First, Congress has to acknowledge they don’t understand and bring in the right experts to help them create these policies. Just because Congress doesn’t understand now, it doesn’t mean they can’t learn. However, they have to bring in the right experts, i.e. people who have worked at these large tech companies and dealt with privacy/security issues, not those who worked at outdated companies like Symantec or IBM (sorry!).
Second, like the FDA for food and FTC for trade, the US should create a dedicated agency to regulate tech, whose primary job to start is to manage privacy issues. Although data might seem invisible, we should regulate it like we regulate medicine and food because they impact people’s lives.
An agency of this type would be able to provide recommendations to Congress on policies and other issues. In many ways, as with the other agencies, Congress can delegate power instead of needing to create legislation for specific applications like TikTok.
Third, through the agency, expert panels can create rules and provide recommendations as well as review issues. For example, they can create panels to review new types of data and how they are being used, including how companies are selling data. This happens in other industries like pharmaceuticals.
Lack of incentive
Right now, there’s no incentive for tech companies to be careful with their data other than consumer trust. However, it’s clear the average consumer doesn’t understand what they are giving to these tech companies and the implications (as evidenced by the questions in Congress). Consumer education will take time, but regulation and conversation around it will help accelerate this.
More practically, the use of data is a huge driver of business and profit for tech companies, and without regulation, companies will continue to use data for gain because the privacy risk is unclear, i.e. it’s easier to take on privacy/security risk around data than business risk.
Similarly, many of the compliance requirements we have now, such as CIS, ISO, and SOC2, are outdated and not meant for the modern cloud and application world. Just fulfilling those requirements is insufficient for proper privacy and security.
Takeaway
What our current Congress and its members are doing is insufficient to effect change across the tech industry. Security and privacy will become more important, and as consumers become more educated, they will demand change. To get ahead of this, Congress needs to set up knowledgeable agencies and panels that can properly engage with tech companies to create regulations and processes that make sense. It’s clear from these hearings they are unprepared and haven’t been given the proper recommendations or context. Banning TikTok or holding hearings doesn’t change anything.