In late 2017 the fitness app Strava published a map of the different running and cycling paths used by its 27 million users around the world. It was reminiscent of the time Netflix released 10 million anonymized movie rankings by 500,000 customers in 2006, or when AOL released 20 million search queries, also in 2006, to aid researchers—efforts meant to provide useful and interesting large data sets to the public that turned out to have some more serious, unintended consequences. But Strava’s map landed it in a strange place. A few months after the release of the map, Australian university student Nathan Ruser pointed out on Twitter that the exercise activities tracked on the map made it easy to locate U.S. military bases. In response, the Pentagon announced that it would investigate the matter. Months later, in August 2018, the Pentagon banned all members of the U.S. military stationed in combat zones from using any GPS software on their electronic devices.
Two years later, the Defense Department isn’t taking any chances with apps that could be used against it. In December, it began advising personnel to delete the popular TikTok app, owned by Chinese company ByteDance, and several branches of the military have since banned or blocked the app from military-issued devices.
The Defense Department hasn’t specified exactly what prompted the ban or what threat TikTok poses beyond warning employees of a “potential risk associated with using the TikTok app.” But the most likely explanation is that the Pentagon is concerned that the data being collected by the video app is accessible to the Chinese government, given that the parent company is headquartered in Beijing. In late 2019, the Committee on Foreign Investment in the United States, citing similar concerns about the potential for TikTok to be used for espionage, censorship, and foreign influence, decided to initiate a national security review of ByteDance. Not much about that investigation has been made public, though the New York Times reported that the U.S. government “had evidence of the app sending data to China.”
TikTok responded by insisting that it stores all of the data it collects from its U.S. users in the United States and Singapore and does not operate any data centers within China. More recently, it also published its first transparency report, covering how many requests for user information it had received from law enforcement authorities around the world during the first half of 2019—India and the United States had issued the most requests (107 and 79, respectively) according to the report, while China had issued zero.
And yet these announcements that TikTok data is kept outside China’s borders and that the Chinese government has not tried to access any TikTok user data are less than comforting. As Sens. Chuck Schumer and Tom Cotton pointed out in an October 2019 letter to acting Director of National Intelligence Joseph Maguire, just because TikTok data is stored outside China’s borders does not mean it is beyond the Chinese government’s reach. “ByteDance is still required to adhere to the laws of China,” they wrote. “There is no legal mechanism for Chinese companies to appeal if they disagree with a request.”
So on the one hand, it can seem a little silly that the U.S. military views an app designed for making short videos as a “cyber threat” (though no sillier than when it banned Pokémon Go back in 2016 on the grounds that it was a distraction). On the other hand, it’s probably not a great idea to have a Chinese company collecting vast quantities of video footage and location data and IP addresses and other information from military personnel. But it’s hard to see how the military will scale that approach to address all of the various apps owned or operated by companies based in China—or other untrusted countries, or even domestic companies, like Strava, that may collect data on military personnel and, in doing so, inadvertently present security problems.
To its credit, the military has clearly been trying to be proactive about the risks that new apps and technologies may pose. In addition to warning personnel about TikTok, it also recently advised against using home genetic testing kits. A Dec. 20, 2019, memo cautioned that “genetic tests are largely unregulated and could expose personal and genetic information, and potentially create unintended security consequences and increased risk to the joint force and mission,” according to Yahoo News. As with TikTok, it’s not immediately clear what scenarios the Defense Department was envisioning in issuing this warning. (Did it have in mind the possibility that foreign powers would be able to access the genetic information of military personnel, use it to learn about their secret children, and then blackmail them? Who knows.)
It’s hard to gauge exactly how serious any of these threats are individually, but it’s sensible for the military not to wait until it has an embarrassing Strava-style situation on its hands to react. Still, by making these decisions app by app, service by service, it’s hard to see exactly how the military will keep up with a changing technological landscape and all the many, many foreign-owned apps that do not achieve the popularity of TikTok or Pokémon Go.
The vastness of the mobile software ecosystem makes it almost impossible to keep up with all the security risks posed by new and lesser-known services. Just last month, Apple and Google removed a chat app called ToTok (not to be confused with TikTok!) that was allegedly being used by the United Arab Emirates for espionage purposes. Eventually, the military may have to move to a whitelisting system in which only a designated set of vetted apps can be downloaded on devices and all others are off-limits by default. Otherwise it’s hard to see how it could possibly keep pace with the growth in mobile threats.