The integrity of our political process and national security requires taking a look at the broader digital ecosystem to better understand how foreign powers can easily track and exploit U.S citizens through digital channels.
In the U.S, things are looking worse and worse for China-owned social media app TikTok and its parent company ByteDance. In early August, the President signed an executive order giving owners 90 days to divest their assets in the U.S. Although currently in talks to hand operations over to Microsoft, Oracle and other potential U.S buyers, ByteDance is challenging its status as a national security threat in court. It is hard to imagine that it will succeed.
TikTok – a platform with 500 million users worldwide – has been under national security review in the U.S since November of last year, and has already been banned in India for similar reasons. Suspicions abound that the app is used by officials in mainland China to monitor consumers outside the country – particularly minors – and siphon their personal data through encrypted channels in violation of privacy guidelines set forth by Google, and other authorities.
In its crackdown against Chinese espionage and other foreign-originating threats, the current administration has already banned Huawei products within the U.S. To that extent, the TikTok ban is just one skirmish in a greater war to protect the privacy of Americans against malicious actors. But there is a long way to go: in fact, our research indicates that foreign powers are accessing U.S-citizens through the websites of prominent U.S politicians, including the president himself.
Trump, Biden and Foreign Advertisers
We scanned the websites of U.S presidential candidates, including the incumbent, President Donald Trump and democratic nominee Joe Biden, and detected at least one foreign-owned domain operating on both sites. In some cases, these domains may represent a risk to data privacy and even the U.S election process, as we will soon explain:
Here’s a breakdown of the domains representing countries outside the U.S for candidate websites:
- Trump’s website: 14% of 48 domains (7)
- Biden’s website: 2% of 55 domains (1)
The domains – which operate through third-party code – originated from a range of countries around the world including Bulgaria and Vietnam. Although China and Russia did not appear in our preliminary scans, code originating from nearby countries could easily represent Chinese sources.
How Third Parties Manipulate the Advertising Ecosystem
In case it’s not clear why code originating from foreign entities—digital third parties—is a risk to user privacy and even national security, consider the example of malicious advertising (malvertising), which is driven by third-party code.
In 2019, 20% of all Internet ad spend represented buyers who used their ads for fraudulent purposes, which include:
- Tracking users across the web through third-party cookies, browser and device ID fingerprinting techniques
- Redirecting users to a phishing site or fake eCommerce storefront to collect credit card details and other sensitive information
- Spreading fake news and misinformation targeting users with specific messages by region and demographic
Throughout the COVID-19 epidemic, malicious actors used web advertisements to promote fake “cures” for the disease and steal money from users desperate for medical supplies. According to research, ads have even been used by U.S adversaries to influence the American political process from 2016 onwards.
Today, third-parties – who may or may not reside in the U.S – provide up to 90% of the code executing the consumer experience on websites, which drives much more than advertising: it powers a wide-range of functionality from content recommendation to analytics, rich media and monetization features. All are open to abuse, and all have—at one time or another–been exploited by malicious actors to track and steal data from unsuspecting visitors.
Why Politicians Should Be Worried About Third-Party Code
Under executive order (EO) 13873, the Trump administration ruled that “information and communications technology or services” are regulated assets that may constitute a national security risk. For some time, it was unclear whether this order applied to digital code in any form. But the TikTok ban certainly implies that digital code may constitute a national security threat subject to regulation, and logically that should include code which runs the Internet.
The threat of foreign influence through unmonitored 3PC is not theoretical. Just last year, more than 25 million Android devices were hijacked in two unrelated malware operations that spread through 3PC and malicious online advertising: one originated in Russia, and the second originated in China. Just as U.S politicians and regulators are concerned about Chinese influence exercised through TikTok, they should be worried about the security of their own websites, and the safety of their visitors.
Avoiding Blind Spots in Data Privacy
In general, the TikTok ban has elicited little opposition from most commentators. The decision to hold foreign-owned companies and digital services accountable for the way they treat data originating from U.S consumers is laudable. However, the publicity of this ban also risks giving American leaders and citizens alike the impression that data theft and privacy violations are uncommon or exceptional.
TikTok is only a highly conspicuous example of the way that foreign powers have managed to access, track and otherwise exploit U.S citizens through the Internet. Ahead of what is likely to be a contentious election season, our leaders should turn their attention to the digital ecosystem at large to avoid blind spots that threaten the integrity of our political process and national security.