TikTok is a Distraction. To Protect the US from China, Preserve Strong Encryption

Caitlin Vogus is a senior advisor for advocacy at Freedom of the Press Foundation.

Earlier this month, The Wall Street Journal first reported on a “catastrophic” security breach known as Salt Typhoon, a hack that may have given the Chinese government months-long access to US wiretapping systems used by internet service providers, or ISPs.

Salt Typhoon seems to have taken lawmakers by surprise. Many of them have been laser-focused on TikTok, not hacking, when it comes to Chinese cyberthreats. They’ve been left scrambling to understand this latest Chinese exploit, with members of Congress calling on the telecom companies to explain the extent of the Salt Typhoon breach.

But China exploiting legally mandated backdoors to US communications systems isn’t shocking to cybersecurity experts, who have been warning of the risk of this type of breach for years.

Salt Typhoon should be a wake up call for Congress: Rather than pushing to expand the openings that adversaries can exploit — for example by requiring backdoors be added into end-to-end encrypted messaging services — lawmakers should start looking for ways to close or narrow them.

End-to-end encryption is the gold standard when it comes to privacy. When email or messaging services are end-to-end encrypted, it means that the messages sent and received on them can only be viewed by the parties to the communication. No outsiders, including the platform itself, can view the content of end-to-end encrypted messages sent through the service.

When communications aren’t end-to-end encrypted, outsiders can listen in. The government has relied on that fact for lawful interceptions, like wiretaps. In the early 1990s, Congress passed the Communications Assistance for Law Enforcement Act (CALEA), which required telephone companies to ensure they have the means to allow the US government to surveil customers’ calls, with a legal order. Later, the Federal Communications Commission expanded CALEA to also include ISPs.

CALEA creates a significant backdoor into Americans’ communications, and not just for US law enforcement acting under a legal order. In Salt Typhoon, the Chinese government appears to have taken advantage of CALEA’s backdoor as well. If, as the US suspects, the Salt Typhoon hack included the wiretapping systems of ISPs that CALEA requires, the Chinese may have gained access not only to information about who the US has under surveillance, but also the data being collected, such as targets’ internet traffic or content of some online communications.

As Signal’s Meredith Whittaker, the Electronic Frontier Foundation, and others have pointed out, Salt Typhoon is just the latest example of how bad actors inevitably attempt to exploit backdoors. Lawmakers and law enforcement often promise that backdoors will only be used by the “good guys” (already a dubious assertion when the “good guys” have been known to illegally spy on millions of Americans). But time and time again, the “bad guys” have found their way in through backdoors.

Yet lawmakers have done nothing to limit the US’s own backdoor spying on Americans’ private communications and have actually pressed to expand it. In the past, the Department of Justice and FBI have pushed for CALEA to be applied to require a built-in back door for all online communications.

Those efforts were rebuffed, but opponents of encryption have simply changed tack. Recently, Congress (again backed by the FBI) has proposed numerous bills that would make end-to-end encrypted platforms like Signal illegal or so legally risky that they’d be driven out of business. The idea appears to be to strongarm companies into creating backdoors or else risk endless lawsuits.

Lawmakers and law enforcement claim the government needs a backdoor to end-to-end encryption because criminals and terrorists are “going dark.” Never mind that the government has access to more personal data than ever before; officials continue to disingenuously claim that end-to-end encryption stymies criminal investigations and harms national security.

Journalists, dissidents, and activists around the globe rely on end-to-end encrypted services to safely and securely communicate. The secure communications that encryption allows in these cases serve democratic principles of freedom of speech.

But it can also protect our national security. Foreign intelligence agencies have attempted to hack national security reporters, for example, presumably to gather information about their reporting and sources. End-to-end encryption can help keep that information safe. If Congress creates an encryption backdoor that’s “only” for use by the US, it surely won’t be long before China, Russia, and other authoritarian regimes are targeting those same backdoors to spy on those who oppose them.

Lawmakers have found a way to talk tough on China while at the same time contemplating legislation that would create further backdoors for its hackers to exploit: cracking down on TikTok. Earlier this year, the US passed a constitutionally-dubious law requiring TikTok be sold to a government-approved buyer or banned.

TikTok undoubtedly collects huge amounts of Americans’ personal information (as do most social media companies). But Congress banned the app based on the hypothetical, unproven risk that TikTok is passing that information to the Chinese Communist Party and to combat perfectly legal speech on the app with which lawmakers disagree. Even a recently declassified transcript from Congress shows nothing more than conjecture when it comes to TikTok’s supposed national security harms.

We now know that, around the same time that Congress was speculating that the CCP was exploiting TikTok to sweep up Americans’ data for nefarious purposes, the Chinese government appears to have begun actually hacking American telecom companies’ backdoors mandated by US law.

Perhaps if senators and representatives were less worried about grandstanding and more worried about confronting the actual national security threats that China poses to our country, they would have taken a serious look at the backdoors that are threatening Americans’ private data, rather than wasting time on a TikTok ban.

While it may be too late for Congress to make changes to our laws that would have stopped Salt Typhoon, it’s not too late for them to stop their attacks on end-to-end encryption. Nothing less than our national security depends on it.