Groupthink Is To Blame for Recent TikTok Bans

A growing number of countries have banned TikTok for alleged security threats. If the threat from China is real, a TikTok ban alone is too limited and leaves nations exposed from many other Chinese-made apps. If the threat is overstated, these bans are a wasteful exercise in security theater, distracting from legitimate threats and giving nations an illusion of security. Either way, these bans are misguided.

India started the trend in June 2020 when it banned TikTok, along with dozens of other Chinese apps, for the entire country. The Indian Ministry of Electronics and Information Technology alleged these apps represent a threat to the “sovereignty and integrity of India,” but the ban appeared to be retaliation against China over a border dispute. Pakistan followed in October 2020 with a similar nationwide ban, arguing that the app has “inappropriate content on the platform,” and the government has subsequently reversed and then reinstated its ban multiple times. While other countries, such as Japan and Australia, flirted with similar nationwide bans, momentum soon waned.

Two years later, TikTok bans have become popular again. In the last year, at least 25 U.S. states have banned the short-form video app from state government networks and devices, including at public universities, citing security considerations. For example, the University of Texas at Austin announced that it would block students and faculty from accessing TikTok from its campus Wi-Fi network. In December, Congress passed the “No TikTok on Government Devices Act” as part of a government funding package, and this week the Office of Management and Budget issued guidelines requiring all federal agencies to remove the app and block its access on federal networks within 30 days. Sen. Josh Hawley (R-MO), who sponsored the legislation, justified the ban by arguing that TikTok is “a major security risk to the United States, and until it is forced to sever ties with China completely, it has no place on government devices.” Other jurisdictions have followed the United States in banning TikTok from government devices. Last week the European Commission banned its staff from using the Chinese-owned social media platform “to protect the commission against cybersecurity.” And Canada announced this week that it has banned TikTok on government devices because of an “unacceptable level of risk to privacy and security.”

Other countries are wondering if they should hop on the bandwagon. For example, Alicia Kearns, a British Conservative MP, argued that the UK should ban TikTok on government devices to avoid being seen as a “tech security laggard among free and open nations.” And indeed, other countries are likely to follow because it is easier to go along with groupthink than to challenge conventional wisdom. After all, what could a government leader say to rebut the possibility that the Chinese-owned app might present a risk? As former U.S. defense secretary Donald Rumsfeld once remarked, “Simply because you do not have evidence that something exists does not mean that you have evidence that it doesn't exist.” In other words, it is hard to prove a negative.

Moreover, the idea that China’s government might use its authoritarian power to spy on foreigners who use Chinese-owned commercial apps is not unreasonable. Yet if this possibility is a legitimate national security threat, then why ban only TikTok? While TikTok is popular, there are hundreds of Chinese-owned apps with millions of downloads. Allowing those apps on government devices is just as risky. And why stop there? The Chinese government is certainly capable of outsourcing software development. If it wanted to develop secret spyware, why not pose as a legitimate company based out of Vietnam or Indonesia? Unless governments plan to review and approve every app installed on government-owned devices, they have done little to mitigate the underlying risk.

The more likely conclusion is that these bans are security theater—actions designed to make people feel they have addressed a security threat, while achieving little to nothing of consequence. Unfortunately, security theater also gives a false sense of security and wastes resources. So instead of having cybersecurity teams monitoring for suspicious traffic or securing endpoints, they are spending their time ensuring that government officials are not learning new dance moves on their lunch breaks.

“Security through conformity” has only one objective—to protect whoever is in charge. Security experts rarely get blamed or fired for going along with the crowd, even if the crowd is ultimately wrong. But they do get criticized and second-guessed if they buck conventional wisdom. Perhaps that is unfair, but the job of leaders is to lead, and the fact that so many countries are enacting bans without tangible proof of a security threat shows a tragic failure of leadership to create evidenced-based cybersecurity policy.

TikTok is still seeking the Biden administration’s approval of Project Texas, its billion-dollar initiative to restructure its U.S. operations, segment its data processing about U.S. consumers from its Chinese owner, and provide independent government and third-party oversight of its algorithms and servers. There will be enormous pressure on the administration to stall, hedge, or deny the company’s request because it will simply invite criticism from armchair quarterbacks, but the administration should follow the facts.