
TikTok, Trump, and the Future of Open Source Surveillance - ryangoldman
https://fossa.com/blog/tiktok-trump-and-the-future-of-open-source-surveillance/
======
not2b
For open source/free software code, provided that it is well designed,
transparent, and straightforward to review, its nation of origin does not
matter. The history can be relevant to maintainers, to understand why certain
decisions were made. But "this code was written by someone in country-I-like"
is not a code review shortcut.

~~~
Rolpa
Linux has over 25 million lines of code (as of 2018 [1]). Would an audit be
straightforward?

[1] [https://www.phoronix.com/scan.php?page=news_item&px=Linux-Ke...](https://www.phoronix.com/scan.php?page=news_item&px=Linux-Kernel-Commits-2017)

~~~
tombert
"Straightforward" might not be a great choice of words, BUT, if you have
enough money and engineers, you _could_ get them to do a full audit of
everything. The source code is freely available, there's nothing stopping you.

Compare this to something like, for example, TikTok, where the code is
completely closed. The only kind of auditing one may do is looking at network
traffic, and maybe some disassembly/hex-editing.

I'm not saying that everything needs to be OSS but it _is_ nice to have
options.

~~~
saagarjha
Auditing code that you don't have the source to is like an order of magnitude
harder. Not the same, but not way impossible.

~~~
i-am-curious
> Auditing code that you don't have the source to is like an order of
> magnitude harder.

If you don't have code you can't audit code!

~~~
saagarjha
Perhaps you’re thinking of source code?

------
conductr
I find it silly that these are seemingly the same privacy issues other privacy
conscious people have pointed to for years with the more legacy tech/SM
companies. However, now a Chinese company comes into the picture and it’s a
big deal. Pretty sure if the China govt wanted this data so bad they would have
it, probably do.

~~~
biddit
Why is it silly that Americans and the US government would make a distinction
between a US-based company and a Chinese company? The CCP certainly makes this
distinction.

~~~
conductr
Maybe I’m just in a cohort that doesn’t trust US companies with this data
either. If it’s stored, CCP can find a way to get it, it’s probably as easy as
offering to buy it. So I don’t see a big difference. I operate from a mindset
that TikTok isn’t opening a new floodgate of data. Maybe I don’t fully
understand what data they’re allegedly collecting and if it’s any different
than what Google, FB would have on an active user. That said, I still don’t
agree that we should strive to be like CCP in terms of censorship, audits,
govt regulations, etc.

~~~
ergocoder
But this should be looked at from the US government's perspective though.

US government definitely trusts US companies more than Chinese companies.

I don't find it unreasonable to want to ban TikTok. Seems like the national
security risk is real.

~~~
yibg
My problem with this is now it shifts the goal post on what's considered bad.
Chinese companies collecting data is bad, US companies collecting data is
better so we don't focus on it as much. When in fact in general massive data
collection is a problem and should be dealt with. This is providing a smoke
screen.

~~~
themacguffinman
The US has much stronger legal barriers and recourse for abuse of data as well
as strong separation between state and industry. It's not hard to think of why
corporate data collection should be treated very differently in the two
countries.

~~~
obmelvin
Unfortunately, only "top tier" companies really care about your data. I get
where you are coming from, I just wish we'd also pass legislation that did
something about negligent custodians of data.

------
sandworm101
TikTok is not software. It is a _service_ that uses software. It is therefore
not directly comparable with F/OSS projects.

I don't much care who contributes to an open source project. Let them inject
their malware if they want to. Because it is OPEN source such efforts will be
discovered and the bad actors brought to task. And F/OSS principles extend
beyond the code. Because it is open, any user is free to walk away from
suspect code. Fork the project. Create your own code. Use the version created
by someone you do trust. If I suspect that the particular flavor of Linux on
my desktop has been infiltrated by bad actors, absolutely nothing is stopping
me from switching to any of a hundred other distros. That freedom is the real
power, the real safeguard against wrongdoers, not vetting who is or isn't
allowed to contribute.

~~~
Barrin92
> Because it is OPEN source such efforts will be discovered and the bad actors
> brought to task

As the article points out this isn't realistic because nobody actually has the
resources or time to audit every piece of software this rigorously, let alone
read or understand the entire codebase. A ton of open-source code is
maintained by one or two or at best a handful of people and we'd be none the
wiser if they'd put malicious code into the software until it's too late, and as
the article points out the permissiveness of open-source software makes it
impossible to know for sure who contributed; after all, the point of open-
source is to let everyone contribute.

So as a system of trust open-source is no solution. The economics of it make
it impossible to audit every bit of code, and the code could come from
anywhere regardless even of what a GitHub profile says.

------
achou
Three points:

(1) This issue isn't going away, no matter who wins the next election.

(2) Data collection is not the only goal or threat. The article mentions other
critical systems: energy, financial, healthcare, transportation, military.
Even agriculture is heavily software dependent now[1]. Also, once you depend
on a cloud service, the open source used by it is brought into the attack
surface.

(3) Open source is theoretically reviewable, which is good. But even if
resources were brought to bear to review it at scale, you'd need to do it
continually and track what has passed. This brings pressure to fork. Worse,
because review is imperfect even with the best people and tools, it will never
be enough by itself to establish that a system doesn't contain malicious code.
Current program verification technology is simply not up to the task of
formally verifying the behavior of large scale software systems. Maybe it
could be used for smaller libraries.

[1]: [https://www.deere.com/en/technology-products/precision-ag-te...](https://www.deere.com/en/technology-products/precision-ag-technology/)

~~~
holri
"it will never be enough by itself to establish that a system doesn't contain
malicious code."

The track record of popular free software projects like for example Linux in
preventing malicious code is very good as far as I know.

~~~
achou
Linux isn’t all of open source, nor likely to be the most attractive vector of
infiltration for any given target, and not all of even Linux is examined with
the same level of scrutiny.

------
nimbius
> On the other hand, some pundits believe nefarious foreign state data access
> is the greatest existential threat to the safety of the world’s richest
> democracies.

I'd say it's something else entirely. Zucc needed a foil to get the president
trained on something other than his own platform which, until the convenience
of TikTok, was looking at serious legislative curtail. Knowing our president
has the attention span of a Jack Russell terrier made it all the easier to
torpedo what is arguably his biggest competition for Gen Z and younger, the
lifeblood of his platform and what his advertisers arguably want the lion's
share of.