September 1, 2022

Impartiality in Content Moderation (!)

Post-2016 hysteria about “information warfare” – which should be labeled foreign influence operations (IO) – created serious concerns that U.S.-based social media platforms would collaborate with the U.S. government to censor foreign information sources that contradicted our state’s foreign policy narratives. Because the platforms are private actors, content moderation informally directed by the state might skirt the First Amendment. Such a turn toward nationalism in Internet content governance would undermine free exchange of ideas and make the internet into a tool of geopolitical competition.

Thus, we breathed a sigh of relief when Twitter and Meta announced that they had taken down accounts they believed to be associated with U.S. government IO in the Middle East and Central Asia. The Central Asia cluster alone consisted of 12 Twitter accounts, 25 Facebook profiles and pages, and 10 Instagram accounts. According to the Stanford Internet Observatory, “the assets identified by Twitter and Meta created fake personas with GAN-generated faces, posed as independent media outlets, leveraged memes and short-form videos, attempted to start hashtag campaigns, and launched online petitions: all tactics observed in past operations by other actors.” You can download the Stanford/Graphika report here.

Bank Regulations vs E2EE

Some of Wall Street’s biggest banks are negotiating settlements with the US Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) to pay big fines. Their crime? Their employees conducted business over encrypted personal messaging apps such as WhatsApp, outside the firms’ archived channels. Ten banks are expected to pay around $200 million each, a total of $2 billion, as reported in the Wall Street Journal and Bloomberg.

Under SEC and CFTC rules, brokerage firms are supposed to preserve and monitor their employees’ written communications, generating a paper trail regulators can use to check for compliance with investor-protection laws. Services such as WhatsApp and Signal are end-to-end encrypted, so neither the provider nor the employer holds a readable copy of the messages, and regulators can’t see them. They also can be configured to delete messages automatically after a set time has passed or once a chat has been read. The rise of private, encrypted messaging apps, coupled with the pandemic – which kept workers out of the office and relying on personal devices – magnified the deviation from the regulations.

The incompatibility between E2EE and banking regulations was also evident as the IETF was developing TLS 1.3, the latest version of the protocol that encrypts most web traffic. As we explained in a paper, the Bank Policy Institute (BPI) fought against the perfect forward secrecy of TLS 1.3 on the grounds that banking regulators and enterprises needed to be able to supervise and record communications. The technical crux is that TLS 1.3 removed the static RSA key exchange of earlier versions: an enterprise that holds a copy of a server’s private key can no longer passively decrypt recorded sessions, because every session is keyed from ephemeral Diffie-Hellman values that are discarded after the handshake. Monitoring therefore has to move to the endpoints themselves or to an active proxy that terminates the connection.
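To make the forward-secrecy point concrete, here is an added illustration in Python (not code from our paper, from the IETF, or from BPI) that models the two key-exchange styles with deliberately small toy parameters. A passive recorder captures every handshake and is later handed the server’s long-term RSA private key: under TLS 1.2-style static RSA key transport that key unlocks every recorded session, while under TLS 1.3-style ephemeral Diffie-Hellman it only lets the recorder verify the server’s signature. All function and constant names are our own, and the Mersenne-prime RSA key and 127-bit DH modulus are chosen for readability, not safety.

```python
"""Model of why TLS 1.3's ephemeral-only key exchange defeats passive decryption.

A passive recorder (think enterprise monitoring box) captures every handshake and
is later given the server's long-term RSA private key.  With TLS 1.2-style static
RSA key transport that key unlocks every recorded session; with (EC)DHE the key
only lets the recorder verify signatures, because no value that derives the
session key ever crossed the wire.  Toy parameters, not production crypto.
"""
import hashlib
import secrets

# Toy long-term server RSA key: two Mersenne primes give a ~216-bit modulus.
RSA_P, RSA_Q = (1 << 127) - 1, (1 << 89) - 1
RSA_N, RSA_E = RSA_P * RSA_Q, 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

# Toy DH group: a 127-bit prime modulus. Real TLS uses RFC 7919 groups or X25519.
DH_P, DH_G = (1 << 127) - 1, 5


def kdf(secret: int) -> bytes:
    """Stand-in for the TLS key schedule: session key = H(shared secret)."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def static_rsa_handshake(transcript: list) -> bytes:
    """TLS 1.2-style RSA key transport: the client picks the premaster secret and
    encrypts it to the server's long-term public key. Returns the session key."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    ciphertext = pow(premaster, RSA_E, RSA_N)          # this is what the recorder sees
    transcript.append(("ClientKeyExchange", ciphertext))
    if pow(ciphertext, RSA_D, RSA_N) != premaster:     # server decrypts with its private key
        raise RuntimeError("server failed to recover premaster")
    return kdf(premaster)


def ephemeral_dh_handshake(transcript: list) -> bytes:
    """TLS 1.3-style (EC)DHE: both sides pick fresh exponents; the long-term RSA
    key only signs the server's share (textbook RSA signature, toy). Returns the
    session key."""
    x = secrets.randbelow(DH_P - 2) + 1                # client ephemeral, never sent
    y = secrets.randbelow(DH_P - 2) + 1                # server ephemeral, never sent
    client_share, server_share = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)
    digest = int.from_bytes(hashlib.sha256(server_share.to_bytes(32, "big")).digest(), "big") % RSA_N
    signature = pow(digest, RSA_D, RSA_N)
    transcript.append(("ClientHello.key_share", client_share))
    transcript.append(("ServerHello.key_share", server_share, signature))
    if pow(signature, RSA_E, RSA_N) != digest:        # client checks authenticity
        raise RuntimeError("bad server signature")
    shared = pow(server_share, x, DH_P)
    if shared != pow(client_share, y, DH_P):
        raise RuntimeError("DH shared secret mismatch")
    return kdf(shared)


def recorder_candidate_keys(transcript: list, rsa_d: int) -> set:
    """Every session key a passive recorder holding the server's private key can
    derive from a captured handshake. It can RSA-decrypt anything encrypted to the
    server; it cannot invert g^x or g^y (discrete log), so for DHE it is left with
    combinations of public values that are not g^(xy)."""
    visible = {msg[0]: msg[1:] for msg in transcript}
    if "ClientKeyExchange" in visible:
        (ciphertext,) = visible["ClientKeyExchange"]
        return {kdf(pow(ciphertext, rsa_d, RSA_N))}
    (client_share,) = visible["ClientHello.key_share"]
    server_share, signature = visible["ServerHello.key_share"]
    return {
        kdf(client_share),
        kdf(server_share),
        kdf(client_share * server_share % DH_P),      # g^(x+y), not g^(xy)
        kdf(pow(signature, RSA_E, RSA_N)),            # only the digest of a public value
    }


def forward_secrecy_demo() -> dict:
    """Run both handshakes and report whether the recorder recovers each key."""
    rsa_log, dh_log = [], []
    rsa_key = static_rsa_handshake(rsa_log)
    dh_key = ephemeral_dh_handshake(dh_log)
    return {
        "static_rsa_recovered": rsa_key in recorder_candidate_keys(rsa_log, RSA_D),
        "ephemeral_dh_recovered": dh_key in recorder_candidate_keys(dh_log, RSA_D),
    }


if __name__ == "__main__":
    print(forward_secrecy_demo())  # {'static_rsa_recovered': True, 'ephemeral_dh_recovered': False}
```

The recorder in the DHE case has the full transcript and the private key, and still comes up empty: the private key proves who the server was, it does not reveal what the server agreed to. That is exactly the property BPI objected to, and exactly the property that protects a recorded session from a key compromised years later.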

Is it beneficial – and viable – for the government to insist on “paper trail” rules in a digital world? According to one of their lawyers, the banks are concerned about how they can comply with the monitoring rules “when they really run counter to the way a lot of business is done today.” For 30 years, policy debates about encryption have see-sawed between advocates of regulated backdoors for governmental surveillance, and advocates of cybersecurity who emphasize that such exceptions open the door to anyone, not just the good guys. In banking, the default is on the side of transparency and surveillance; in many other online services, the default is on the side of encryption. How long can these two worlds co-exist?

TikTok Logs Yet Another Controversy 

TikTok was dragged into controversy again, this time due to revelations that its iOS app injects JavaScript into third-party websites opened in its in-app browser. On iOS, an app that embeds a WKWebView can add user scripts that run inside the loaded page, at document start or document end, so injected code sees the same DOM events, form fields and input values as the site’s own scripts. Independent research performed by developer Felix Krause found “TikTok’s iOS app is capable of transcribing keystrokes (text inputs) happening on third party websites rendered inside the TikTok app…We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites.” 

Keylogging is not necessarily malicious, and Krause is careful to clarify that “just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious. There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used.” TikTok is also not alone in tracking users through in-app browsers. Krause has also found that the Meta-owned Facebook and Instagram iOS apps modify third-party sites in ways that could let the apps follow users. 

However, the practice is concerning because it can potentially record sensitive user information such as passwords and credit card numbers. In the case of TikTok, the iOS app does not let users open links in their default mobile browser, so there is no way to keep TikTok’s injected code out of third-party websites and services visited from within the app. The website operator cannot defend against it either: an injected user script runs with the same privileges as the page’s own JavaScript. At best a site can detect that it is running inside an in-app browser (for example from the user agent) and push sensitive flows such as login or payment out to the system browser. 

In a statement to TechCrunch, a TikTok spokesperson confirmed that the app does not offer users an option to use external browsers because it would make for a clunky, less slick experience. However, the social media network has refuted the report’s conclusions, calling them “incorrect and misleading”. The statement notes that “contrary to the report’s claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.” The company also pointed to similar code on GitHub that produces exactly the same result the research cites as evidence of improper data collection, but which, it said, is used to trigger a command known as ‘StopListening’ that specifically prevents an application from capturing what is typed.

As a Chinese-owned company, TikTok continues to be viewed with suspicion in the U.S., and the latest reports have reinforced that view. Last week, the House of Representatives’ chief administrative officer (CAO) issued a “TikTok Cyber Advisory” for members of Congress asking them to avoid using TikTok as it has been deemed “high-risk to users due to its lack of transparency in how it protects customer data, its requirement of excessive permissions, and the potential security risks involved with its use.”
