"Trafficking Data: The Digital Struggle – with China" with Aynne Kokas
Andrew Hammond: Hi, and welcome to "SpyCast." I'm your host, Dr. Andrew Hammond, historian and curator here at the International Spy Museum in Washington, D.C. "SpyCast's" sole purpose is to educate our listeners about the past, present and future of intelligence and espionage. Every week, through engaging conversations, we explore some aspect of a vast ecosystem that looms beneath the surface of everyday life. We talk to spies, operators, mole hunters, defectors, analysts and authors to explore the stories and secrets, tradecraft and technology of the secret world. We are "SpyCast." Now sit back, relax, and enjoy the show.
Andrew Hammond: This week's guest is Aynne Kokas. The podcast is based on a program we had for her here at the International Spy Museum on her book "Trafficking Data." Information has always been shaped or constrained by the technology available and by other issues of supply and demand. For example, a largely illiterate population won't have a huge demand for books on the demand side, and supply can be constrained by the time it takes to produce books and to distribute them. But with huge increases in literacy and the information revolution, we are now in a brave, new, technologically enabled world of data overload. Thus, data, of course, can be harvested for intelligence insights by intelligence agencies.
Andrew Hammond: Aynne helps us prise apart how the data we generate is used, misused and abused in the context of the relationship between the world's two largest economies - the U.S. and China. She argues that exploitative Silicon Valley data governance practices help China build infrastructures for global control. Aynne is an associate professor of media studies at the University of Virginia and the C.K. Yen chair of the University of Virginia's Miller Center. For over 20 years, she has researched the U.S. and China as a consultant, professor, Fulbright scholar and employee of Fortune 500 companies. She is also the author of the award-winning book "Hollywood Made in China." For detailed notes, links to resources, and full transcripts, go to cyberwire/podcasts/spycast (ph). If you're feeling particularly wild, you can always leave us a five-star review on Apple Podcasts because, well, why the heck not?
Amanda Ohlke: Welcome to Trafficking Data with Aynne Kokas. I'm Amanda Ohlke, director of adult education at the International Spy Museum in Washington, D.C. Thank you so much for joining us today. Our historian and curator, Dr. Andrew Hammond, will be interviewing Aynne about her new book, "Trafficking Data: How China Is Winning the Battle for Digital Sovereignty." So enough from me. Over to you, Andrew and Aynne.
Andrew Hammond: Thank you, Amanda. I'm really pleased that this one has came about. Aynne and I were at the Kluge Center at the Library of Congress in February, March 2020. Everything was going swimmingly. We were working on our respective projects with a great bunch of people. And then, one day, we had a meeting, and everything went rather crazy because of COVID-19. So I'm really pleased for you to do this with us today. And thanks ever so much for your time.
Aynne Kokas: Thank you so much, Andrew. It's such a pleasure to see you in this wonderful environment and to see you here at Spy Museum. And I feel really lucky to be able to share this book, which I actually wrote most of during the COVID-19 pandemic. So it really is a full-circle moment.
Andrew Hammond: It really is. Well, one of the first things that I wanted to ask was - I was (ph) quite late to ask my wife, what's the one question that you would like to be answered on this program, because she's not a specialist in this kind of area. And she's like, is Echo or Alexa listening to us? So I think that that ties into your book. So maybe you can answer that question based on all the years of research you've done on this.
Aynne Kokas: Yeah. So this is, I think, a great question. And not that - and I think your wife is really on target with this. So Echo, Alexa, Siri - if you haven't - and if you haven't changed your settings, your factory settings, it is listening to you because that's part of the service. If you want to be able to say - if you want to be able to voice - use voice-activated commands, the platform has to be able to hear and use your voice. So is - now the question of, if that - if Alexa is listening to you and gathering your gossip and trying to get information about you and maybe sharing it...
Andrew Hammond: That's what I was trying to get at. Yeah.
Aynne Kokas: Yeah. That's a little bit less likely. But - more - happening is your demographic data is being gathered to be able to better sell you products and services.
Andrew Hammond: OK. Well, that was my rather playful introduction to your books. So interesting, and it's a very serious topic that we're speaking about. So we're talking about this huge explosion of data and information and how it gets used. And so I just want to really briefly read a quote from your book, which I think sets everything up.
Andrew Hammond: (Reading) Users wishing simply to scroll through funny videos, attend school during a COVID-19 quarantine, play video games with their friends, map their family tree, or clean their floors with a robot vacuum are drawn into a transnational cycle that they neither understand nor have the power to influence.
Andrew Hammond: So could you just help us unpack that? What's going on there? So we go about our modern 21st century lives. We're using all of these pieces of tech that are hooked up to the internet. Help us understand what's going on here. What - how is our data being trafficked?
Aynne Kokas: So one of the big challenges that we face as users is that a lot of these services, a lot of the digital services that we're engaged with, are designed to help us save time, connect with people more quickly. And they are the products of platforms and corporations that are able to gather our user data, particularly in the United States, through very unclear terms of service and through agreements that we may not fully understand or appreciate.
Aynne Kokas: So, for example, one that I look at a lot in the book is the transfer of data to third parties. Third parties could mean anything. And in the case of a lot of the parts of the book, it could also mean the Chinese government. So what we see here is a dynamic where users are just trying to live their lives by doing things like playing video games or getting a robot vacuum. And their data is being gathered through these unclear consent agreements.
Aynne Kokas: Now, this is already a problem in a U.S. context. And Shoshana Zuboff has written a lot about the rise of surveillance capitalism, or the monetization of the human experience. But in a U.S.-China context or a trade with China context outside of the U.S., we're also dealing with a moment where the Chinese government is expanding its vision of what sovereignty includes - to include things like digital platforms and maybe some of the digital platforms that you are using on a daily basis at your house.
Andrew Hammond: Let's talk about one of those digital platforms. Let's talk about TikTok, which I think is an interesting one. So just to go back into the combination of personal and focusing on your book - so my niece is on TikTok. She uploads a video. Help us understand the journey of that video. So focusing on one specific - in the book, you speak about how - one particular example. If you multiply that across the billion users of TikTok, then, it starts to get very interesting. But just help us understand. So listeners out - viewers out there who - listeners who upload a video on TikTok or have a family member who does it, well, why should they be concerned? What's going on? Was this set up by the - by Chinese intelligence services? Was this, well, this happens, and now we may as well, like, utilize the information that comes about as a result of TikTok? Or - help us understand the journey of a TikTok video and how - or in what ways Chinese intelligence services are involved.
Aynne Kokas: So I think this becomes a really interesting question in a lot of ways. So first of all, there is the process of your niece uploading the video to TikTok. And whatever data she's sharing is part of that. And then, there's the process of what TikTok is able to gather about her from her phone, from any audio information they're able to gather, from her biometrics, things that she's agreeing to as part of the term - signing the terms of service of TikTok. Now, these are not necessarily issues that are exclusively related to China. They're related to any kind of digital platform that your niece might be using. So these are concerns with Instagram as well.
Aynne Kokas: Now, the part that becomes really interesting is because of protections for corporations that are operating in the United States, it's actually very difficult to track where user data is stored and who ultimately has access to it. Now, this has been a way that the U.S. has supported the growth of Silicon Valley firms. So a lack of kind of robust oversight has enabled really massive increases in shareholder value as these firms have been able to operate in a relatively unconstrained way.
Aynne Kokas: Now, what happens in the case of a company like TikTok is it's also able to operate in that relatively unconstrained environment, but is also subject to Chinese government regulations that allow the Chinese government to - specifically the cyberspace administration of China to conduct national security data audits of firms like ByteDance, TikTok's parent company, or to do searches or to make potential national security claims against people who might be uploading things that would work against the national security of China according to the Hong Kong National Security Law. So I would say that the biggest challenge is there isn't really a very robust oversight mechanism to know precisely what happens with your niece's data.
Andrew Hammond: OK. And in what ways, if at all, are Chinese intelligence services involved? Help us understand that. I like the way in the book you say - or you mention that someone says that the China threat can become a self-fulfilling prophecy. If you keep saying something's a threat, then...
Aynne Kokas: Right. Right, right.
Andrew Hammond: ...Eventually, it will be a threat. So obviously, we don't want to do that. But, you know...
Aynne Kokas: Right.
Andrew Hammond: ...The focus of your book is on the U.S. and...
Aynne Kokas: Right.
Andrew Hammond: ...China. So how are Chinese intelligence services involved on TikTok and the information that these companies gather? Because the relationship between Chinese intelligence services, the Chinese state and Chinese corporations is very different from here in the U.S. So just help...
Aynne Kokas: Right.
Andrew Hammond: ...Us understand that relationship on the China side.
Aynne Kokas: Yeah. So this becomes really - this is really important. Now, one of the reasons why I was really interested in this book is because a lot of these mechanisms aren't actually through the intelligence services. They're actually just digital oversight. So it would be like if the Federal Trade Commission or the FCC could conduct data security oversights over Facebook or Instagram. So in some ways, this doesn't even need to rise to the level of the intelligence services to do the most basic level of oversight. It's very clearly stated in Chinese law and is not necessarily connected to the intelligence context.
Aynne Kokas: Now, that does not mean that it has no intelligence applications, of course. The thing that I focus on in the book is the fact that this is (inaudible) many ways, normal commercial transactions that have intelligence implications. The principle that I think is most important to understand for viewers is this idea of military civil fusion, or also sometimes translated as civil military fusion, which means that the Chinese government can extract anything of value, any kind of products of value from Chinese corporations for military purposes. And this is a very broadly defined right or capability.
Aynne Kokas: We learned about an analog to this in the U.S. called the Defense Production Act, when there was an effort in the very beginning of the COVID-19 pandemic to make - to force the U.S. - or to force companies to make masks. And that was a major failure, as many of us saw. But - though there was the success with the COVID-19 vaccine. Now, in the Chinese context, this is much more expansive and can apply in a much wider range of different contexts. So in the case of something like TikTok, we see user data can be very valuable for counterintelligence purposes. We also see a company like Tencent, which is the parent company of the social media platform WeChat, that is also heavily involved in the U.S. gaming industry - not just involved in commercial enterprises for media and technology, but also in China's AI military intelligentization or AI military growth.
Andrew Hammond: I'm trying to get a sense, Aynne, of how much the Chinese government or Chinese intelligence agencies have their thumb on the scale or are influencing some of these corporations like TikTok, Alibaba, Baidu. Is it the - these companies are just doing what companies do, which is trying to boost profits, and then the government - because of the type of society China is, the government takes advantage of the information that they collect, or is the government or are Chinese intelligence involved in saying, OK, we really want to get this information on people in the United States or here's what you need to do next? I'm just trying to get a sense of, like, how much of these companies just operating autonomously over here...
Aynne Kokas: Yeah.
Andrew Hammond: ...And how much are they being directed centrally over here? Because that's one of the relationships that you look at in the book, the relationship between corporations in China and the Chinese government and how they're quite different from the relationship in the United States.
Aynne Kokas: It's really interesting because it varies according to corporation and varies by CEO. There are different - different CEOs have different visions of themselves as - in relation to the Chinese government. So the founder of Huawei is a former military officer, so he obviously has different types of links to the Chinese government than, for example, the founder of ByteDance, who, you know - or Jack Ma, who has his - whose origins were in education. So certain founders, like Jack Ma, have really pitched themselves as global humanitarians, global leaders in the tech sector. And we've seen in the context of the Chinese government recently that that model has not been as successful. Jack Ma disappeared for three months quite recently and has only started to reemerge. We also are seeing a model where companies like Didi that went against cyberspace administration of China data oversight regulations and moved forward with an IPO and an initial public offering on the New York stock - or in the United States - were then really roundly punished by having their app removed from the app store in China and their IPO totally crashed.
Aynne Kokas: We're also seeing examples of, for example, ByteDance's competitor, Kuaishou, recently had the Chinese - had a Chinese government entity take a board seat and also special management shares of the company - so essentially, partially making it a public or a government-run firm on a very small scale. So the really interesting part about this, and the part that I think makes it very important for domestic regulations in Democratic (inaudible) and their allies, is that each of these companies operates differently. The government operates differently with them. And there's also not a lot of clarity about what those relationships look like because they're also conducted internally through things like Communist Party committees that operate in Beijing within - internally within those firms.
Andrew Hammond: And for our listeners who read about China in the news and so forth, how much of this is connected to Xi Jinping, the current leader? Is this something that predates that? I mean, I know that the growth of this technology is constantly evolving. So in some sense, it's a difficult question to answer. But what's his role in any of this, or is he - is this a system that's operating almost independently of what the premier is doing, or - help me understand how much he's involved in some of this stuff or not involved.
Aynne Kokas: Yeah. So this is definitely part of Xi's vision of what more expansive Chinese sovereignty or more expansive Chinese global power would look like. So for example, Xi Jinping was directly involved in the establishment of the World Internet Conference, a conference that's held in Hangzhou, which is also the founding location of Alibaba and is a conference that's designed to help establish standards globally and to bring tech firms and other noteworthy individuals and influencers in the tech sector, as well as different countries, together to establish tech standards on a Chinese - from a Chinese perspective and according to a Chinese model. We also see Xi's involvement in something called the Digital Silk Road.
Aynne Kokas: So the Belt and Road Initiative is a major Chinese trade and investment initiative that is designed as a way to expand China's influence and the influence of Chinese firms globally through trade and investment practices. We also see, addition to this, the Digital Silk Road, where a lot of digital platforms are being used to advance those trade and investment practices, things like WeChat Pay or Alipay, Chinese payment platforms that can then be used as a way to undergird construction projects, to pay people who are working on those construction projects. They're really closely entwined and also fit into what Xi calls a community of common destiny or a community of shared destiny that includes these digital platforms.
Andrew Hammond: We'll be right back after this.
Andrew Hammond: And just while we're on the topic of the Digital Silk Road, could you just explain for our listeners that haven't came across it before, what's the Great Firewall of China, which is, you know, an interesting play on the Great Wall, of course (laughter)?
Aynne Kokas: Yeah. No. So I'm so glad you asked this question because that's actually why I wrote the book, in some ways. I was working on my first book, "Hollywood Made in China," as a Fulbright scholar in China. And I was having difficulty accessing the internet. And I happened to be able to work inside the offices of a virtual private network company - or a proxy server company - that was, essentially, leaping over the Great Firewall of China, or a system that's put into place to limit what people in China can access online and also put into place to anticipate and censor content within the Chinese context.
Andrew Hammond: I think it would also be quite interesting, just before we dig into the content of the book a bit more, could we just set out a stall for our viewers on what we're talking about here? So in terms of intelligence services, we're talking about the Ministry of State Security and the Ministry of Public Security. Which one of them or out of all the different intelligence agencies, like, who's involved in this? Many of our viewers will know about the CIA's role compared to the NSA's roles. But just help us understand the actors in Chinese intelligence that are around about the story of your book.
Aynne Kokas: So definitely the Ministry of State Security, the Ministry of Public Security. The People's Liberation Army also has a very active presence in hacking and exploits. And also, the Cyberspace Administration of China is heavily involved in oversight and has its own capacity for tracking user data and for tracking individual users. So one of the things that I think is really interesting within a Chinese context is the way in which oversight of users and the way in which the oversight of consumers and citizens doesn't necessarily have to be limited entirely to just the Ministry of State Security or the Public Security Bureau.
Andrew Hammond: And for our viewers, state security is mainly foreign intelligence and espionage. And public security is more domestic.
Aynne Kokas: Yeah.
Andrew Hammond: Help our listeners understand as well - so here, we wake up. We get out our phone. We look at Twitter, LinkedIn, Facebook and so forth. Help us understand what it's like for the average Chinese person. Like, what's the technology landscape like there? Help our viewers understand. I believe Baidu is, like, the Chinese Google. Alibaba is, like, the Chinese Amazon. Just help us understand the way that Chinese people are interfacing with the modern world.
Aynne Kokas: Yeah. This is a really important question, particularly following the (inaudible) -19 pandemic. So unlike in the United States and a lot of - and European countries and places like Japan and Korea, rather than using multiple different apps for different purposes, in China, there's really one central app that really guides most interactions with the digital world, and that's WeChat. So people can pay on WeChat. Their health information is tracked on WeChat as a way to manage access related to the COVID-19 pandemic. It's a way in which people pay their bills, in which people are able to get onto trains and to be able to access different types of municipal services. So unlike this kind of very fragmented Western landscape, WeChat is really at the core of communication.
Aynne Kokas: Now, the thing that's really important for Western viewers to understand about this is, in order to communicate with China from the United States or from other Western countries or other countries around the world, WeChat is actually necessary because there are no other highly functional (inaudible) apps in China. And WeChat is also a highly surveilled platform. So it creates this really strange dynamic where, on one hand, the WeChat Users Alliance advocated and sued the Trump administration because the Trump administration tried to shut down WeChat, but at the same time, users were also still having their data censored and their content censored. But it was the only way that they could connect with their friends and family in China or with business associates in China. So this is a - once these platforms take hold, they become really kind of essential, not just within a Chinese context but globally for anyone who wants to interact with China.
Andrew Hammond: And just before we dig into the content of the book, just one more question as a way station on the way there. Is there are Chinese Silicon Valley, and where is it in relation to Beijing and Shanghai?
Aynne Kokas: Yeah. So there are multiple sites in China where there's really robust growth of the tech sector. So in Beijing, there's a neighborhood called Zhongguan Xinyuan, which is right in between Tsinghua University, the MIT of China, and Peking University, the Harvard of China. And so a lot of firms like ByteDance have their - or have their headquarters there or are very active there. There's also Shenzhen, which is one of the - which is closely located to Hong Kong. And now, according to Chinese geographers, is called part of the Greater Bay Area. So this kind of integration of the - Hong Kong's robust technical systems and Shenzhen's has become a really interesting feature that we see evolve after the Hong Kong national security law in 2020. But Shenzhen is a major mecca for the growth of the tech sector. And then finally, Alibaba's headquarters in Hangzhou, which is - but these are all coastal - or all on the eastern part of the country. So that is an important geographic distinction to understand.
Andrew Hammond: Because that's the most developed and populous part?
Aynne Kokas: Right. It's the most developed part. It's the most populous part. So when we're talking about these kind of robust systems of surveillance that exist in a commercial context for the benefit of users, it primarily exists on this - on the East Coast.
Andrew Hammond: And help our listeners get their head around your book, which they can get from the Spy Museum store, if any of them are around Washington, D.C. And I believe you're going to come in and sign some copies for us...
Aynne Kokas: Yeah (laughter).
Andrew Hammond: ...Later today. So thank you. You can get a signed copy (laughter). Help them understand the book and the elevator pitch, saying - you're going in the elevator. Like, what's the main thing that you set out to do, and what's the main takeaway?
Aynne Kokas: So the main argument of the book is that the U.S. has grown and Silicon Valley has grown powerful through extracting user data and through a system where users are not really able to control or understand where their data is being used. Now, that's a problem. It becomes an even bigger problem in trade with China, where the Chinese government has established a clear system for overseeing and grabbing that data as part of Chinese government oversight mechanisms. And there's very little that countries like the U.S., without strong tech regulation, can do to respond to it because we're - because this is how our system works. This is the strength of the system. And so I argue that we need to - there needs to be a really massive reevaluation of what the role of the tech sector is in our society, in the context of global competition with China.
Andrew Hammond: Help our viewers understand that relationship between the United States and China, so how the information, the data flows between both of them, because it's quite interesting. In the book, you discuss how in China, the information is centralized. To be able to play the game, you have to sign up to them getting your data and to sign up to this oversight. But in the U.S., it's - in some ways, it's the opposite. It's relatively unregulated. The government doesn't have anywhere near as much oversight. And even in terms of regulation in China because the - because you don't want to get frozen out of the market, you have to almost overshare information to make sure you're complying. But in the United States, it's - begrudgingly, you give the least amount of information that you can. So we're talking about an exchange between two poles, but both of those poles are very different in the way that information flows through both of them. Can you help our viewers get a sense of how that all takes place?
Aynne Kokas: Yeah, so this - so I think it's helpful to understand what the U.S. digital landscape looks like. So in the U.S., you can have - there are laws for patient data for health, but not - but it doesn't include, like, your Fitbit or your Apple Watch data, even though that might be health data. There are financial laws that only apply to the state of New York for financial data. There are biometric laws that only apply to the state of Illinois. California has its own consumer privacy laws that don't apply elsewhere. There are also competing consumer privacy laws. There are content moderation laws in Texas, competing consumer privacy laws in Virginia and Utah and then no actual national data regulation for anyone except for children aged 13 and under.
Andrew Hammond: Wow.
Aynne Kokas: And those are only enforced...
Andrew Hammond: I was getting a headache there (laughter).
Aynne Kokas: Yeah, exactly. And you have to imagine that enforcement is not so easy. So, you know - so for example, (inaudible) fine through the Federal Trade Commission of $5 million because of their violations of the rights of children under 13. But $5 million to Facebook is actually not that bad of a penalty. If you're really thinking about ways to penalize a wealthy tech firm, $5 million might not be the exact answer you're going to be looking for. But - so that's how the U.S. context operates.
Aynne Kokas: Now, in the Chinese context, we see a really different landscape, where firms get shut down. As I mentioned with the Didi IPO, they didn't work with the cyberspace administration of China on their data security audit and were taken off the app store, which had really significant immediate financial impacts. There are also things like exit bans. So tech CEOs might not be able to leave the country if their company is not in compliance. We also see these kind of very expansive national regulations that include things like all tech companies and all critical infrastructure providers have to store all of their user data on Chinese government-run servers. That's a level of oversight that's impossible to even conceive of and definitely not one that I'm advocating for within a U.S. context, but we don't even have a national - a basic national privacy law. So that's a really big difference that I think we can see.
Andrew Hammond: For the United States as well, help our listeners understand the way that the system is set up. Who's driving it? Is it just that government are focusing on other things in the tech sector? As long as they are making money, as long as they're propping up the stocks, as long as people's pension funds are making money from Amazon and Facebook and so forth - is it just, well, it's not a problem, so let's just let it keep running as it is? Or is it - yeah, I'm just trying to get a sense of the intentionality behind the U.S. system. Is it just Silicon Valley organically grew, and it's just been left to do its own thing? Or - yeah, help us understand how the government is or isn't involved in this sort of Wild West that you describe.
Aynne Kokas: Yeah. I think for a long time there was this kind of - an alliance between the interests of the U.S. tech sector and the interests of the U.S. government. Because, let's be very frank, Facebook and Amazon and Google have really served as engines of U.S. power in the 21st century. So on one hand, there is that aspect of it, where there's a reluctance to regulate. People have also earned a lot of money in the stock market. Pension funds have earned a lot of money. Contributors to congressional campaigns have earned a lot of money and are able to contribute and raise money for candidates. There's also - there is awareness, though, of these issues in - particularly as they relate to China. The big challenge is there isn't necessarily even consensus on data issues within parties, let alone across parties.
Aynne Kokas: And over the summer, there was the possibility of an American Data Privacy and Protection Act that would have given some lower-level data protection in the U.S., much less than we would have seen through GDPR, like we would see in a European context. But what was really interesting was U.S. domestic politics really, before, when we were thinking about risks that presented - because before the Dobbs decision related to issues of abortion and abortion access, there was some consensus between the Republicans and Democrats on data security and data privacy. After the Dobbs decision, when data related to, for example, period trackers or movement to and from abortion clinics became more related to other types of domestic political issues, this fragmented. And it wasn't necessarily about questions of data security or U.S.-China relations anymore. It also became an issue of U.S. domestic politics.
Aynne Kokas: Similarly, in the Democratic Party, for example, there are differing levels of interest in overseeing the tech sector because the California delegation, for example, has a lot of interest in protecting the companies that they represent. And those companies don't necessarily want higher levels of data oversight. So it's a really interesting dynamic. And even if people are aware of these issues, it's difficult to move forward with them.
Andrew Hammond: You give an interesting example in the book where there's a teenage girl who gets some promotional material through about pregnancy before she's told her mother that she's pregnant because of the way that she's interacting with technology. Could you speak about that one a little bit more?
Aynne Kokas: Yeah. So this is - this isn't - this speaks to an important concept called mosaic theory, where we really want to think not just about the individual pieces of data that we're sharing, but how all those pieces of data can be shared together. So, for example, when you gave the example of your niece on TikTok - so it's not just about what your niece shares at that particular moment. It's also where she's located, why she might be sharing that information, who she's with and what they might be sharing, who she tags, what networks might be accessed and what that actually tells about your niece, much more than what she's posting or what might be interesting.
Andrew Hammond: And for this explosion of information, what can your average person on the street do? So in the book, you almost say that for the individual, it's kind of - it's almost futile to go about trying to protect your - I mean, not completely. But it's a systemic problem that needs to be addressed systemically. And me or you or everybody on this program right now changing what they do is not going to amount to a hill of beans, really, in the grand scheme of things. So what can people do to try to protect their information, to try to protect their company's information or the government's information? What would the road map for them look like?
Aynne Kokas: So this, I think, is a really important question. And one thing I don't want to do is contribute to this idea of digital resignation or the fact that we...
Andrew Hammond: (Laughter).
Aynne Kokas: ...Can't do anything and that we're just caught and stuck. But I do think that we can think about this as being very analogous to the climate question, where it's true; there are things that individuals can do. We can - in our case, we can change our privacy settings. We can limit what apps we use and when we use them and what information we share with whom. Or in the climate context, you can become vegan. You can drive less, et cetera. But ultimately, without major changes in how terms of service operate or how data privacy functions within the context of a national government, those changes will be on the margins, and they won't necessarily offer protection. So what I would argue is that there's a need for more collective action. There's a need to pressure lawmakers and to pressure industry associations to push back and also to educate consumers. So thank you for having me on.
Andrew Hammond: (Laughter).
Aynne Kokas: Hopefully this is doing our small part to educate students on what these issues mean and what the implications are for when we download a new app, when we use a new technology and what that means not just for our personal privacy but for national digital sovereignty.
Andrew Hammond: On that topic of digital resignation, I think that's an interesting one - the sense of, well, why bother? You know, you sign up for some app, and they make you scroll through a "War And Peace"-sized consent form, and then you click a box at the bottom. And, I mean, it could say practically anything you've agreed to. But just on that topic, you mention in the book - so the Office of Personnel Management, there is a data breach there where information surrounding security clearances and so forth is leaked. And then that same year, there's one of Anthem, a health care company. In 2017, Equifax, the credit rating agency. Marriott Hotel was - I think that one drew just, like, hundreds of millions of individuals' information that's out there. So with all of them, I mean, do you think that some - to some extent, the public has been normalized into this? Oh, it's just another data breach. You know, I mean, what can you do at this point? It's just - what can you do? Almost everything has been hacked, even the Office of Personnel Management, places that have very robust cyberdefense systems and so forth. So, yeah, what's your thoughts on that, Aynne?
Aynne Kokas: This, I think, is something that we all need to look at. And this is where the climate analogy becomes useful as well. You know, if you can - it's true. A lot of bad things have happened, and there are a lot of things that can't be fixed. And so, for example, Grindr was sold to a Chinese firm, and there's a lot of, you know, personal information about people - images, HIV status - that's now accessible to the Chinese government. And even though it was eventually sold back to a U.S. firm, that data transfer already happened. TikTok is already a piece of - is already critical communications infrastructure in the United States. So we could say, we'll just throw up our hands, and we won't do anything. And that's an option.
Andrew Hammond: (Laughter).
Aynne Kokas: It's also an option in the climate context. I'm thinking about COP27 as we're talking about this, which is why it keeps coming up. But I think there's also the possibility that we can try to mitigate future damage. So just because you, as a kid, had your parents post your pictures up on Facebook doesn't mean that you have to do that for your children, just because, like...
Aynne Kokas: Just that's - you know, at a very basic level, we can choose what technology we bring into our homes and when we use it and why. We can advocate for these issues with our elected officials, even though they're dealing with a lot of other things now as well. So I guess I'm not a realist; I'm an optimist in this sense. But I do think it's really important to understand these issues at a very minimum and try to advocate for change where we can.
Andrew Hammond: You know, I think it's really, really interesting as well. If you think about the incentives, it seems to me that for tech companies - in the book, you talk about how they are busily harvesting our data, busily putting us to work during a free time by collecting information about everything that we do, but the privatized gains - and then when there's a data leak or when they're hacked, then the losses are collectivized. It's just everybody has to suck it up. So I spoke to someone not long ago, and they said, for me, if any company had to pay people whose information was leaked a dollar for every day of the leak, then they would actually start to take it - it's not that they don't take it seriously now, but they don't take it seriously enough. Some of these leaks have been low-hanging fruit and so forth. So I just wonder, how can government - if you had magical control over the U.S. government, what are a few things that the government could do to just get this whole sector realigned along the ways that you suggest in the book?
Aynne Kokas: There are a couple of things that I talk about in the book. One key area is, I think, trying to work with allies and partners to establish international data transfer agreements and standards so that data trafficking is less likely to occur, or it occurs - or if it does occur, it's occurring in the context of already established standards and protocols. So that's one key area, doing this through things like trade agreements. The CPTPP, the follow-up to the Trans-Pacific Partnership, offers data governance frameworks that present a transnational framework. There are also - there's also the possibility of working with governments like the European Union and Japan, which have established data adequacy agreements for data transfer. Other areas that can be worked on are establishing national data privacy and protection regulations that aren't just state by state or sector by sector that offer a more comprehensive vision. Another possibility, which is one I think that speaks to the financial question that you're bringing up here, is requiring insurance for companies that have major leaks or major hacks and an insurance underwriting process which then internalizes the externality of that hack and internalizes those costs and then, as a result, requires a lot more intentionality about how one deals with those issues.
Andrew Hammond: And just very briefly on externalities, can you just explain what they are?
Aynne Kokas: So an externality would be something that might be a negative outcome of something that - so an externality of a hack would be that you would - that someone would lose their data. So internalizing that externality would be requiring that company to pay for or to have some sort of financial or otherwise other type of consequence for that negative outcome.
Andrew Hammond: OK. I find that one really interesting, and that also has implications for the climate issue, right? If you make money off a facility and a lot of people performing a particular thing and then the results of that are that a lake is polluted, for example, then that's not built into the business model, is it? That's just, well, we make money, and if everything goes wrong, then it's the local government or the municipality or the federal government that pick up the check because that's not built into what we are thinking about.
Aynne Kokas: I think sometimes - I think now we're sometimes seeing pollution being built in, but definitely carbon capture or carbon emissions is something that we're definitely looking at ways to build into the costs that companies are facing.
Andrew Hammond: For your book, give us a sense of the conversation that it's situated within. So is this something that there is a conversation about data trafficking, and you're on one call and someone else is on another? Or - yeah, what's the kind of landscape? Is there someone out there that completely disagrees with you, or is it everybody agrees with you, but everybody disagrees on the tactics or the strategy or the analysis? Yeah, just give us a sense of the context within which your book is situated. Like, what's the conversation surrounding the trafficking of data?
Aynne Kokas: Yeah, I think that there are two conversations that this book speaks to. One is conversations on U.S.-China relations and to what degree it's - to what degree the U.S. wants - the U.S. and other countries want to decouple from China, particularly from the Chinese tech sector, and what the potential risks of that might be. So this is in part contributing to that discussion of what those risks would look like and how consumer behavior is impacting those risks. Then the other is the conversation about what are the potential risks and damages of using a lot of these technologies, and is it that using platforms like TikTok or even using platforms like Instagram is something that is just part of our modern world, and we accept, and we move forward with, and commoditization of the human experience via data is something that we just need to, you know, recognize is, you know, what it means to be a 21st century person? Or is it something that presents some security risks, personal risks, political risks, that we need to address? And so that's the other conversation. So obviously - so I'm making the claim that it's important to recognize that countries now need to think about what digital sovereignty means to them and that tech platforms and how we work with and interact with tech platforms, both as people and as governments, needs to shift.
Andrew Hammond: So we spoke about the Ministry of State Security and the Ministry for Public Security, so Chinese intelligence agencies. How, if at all, are American intelligence agencies involved in this picture, whether it be just purely internal to the U.S. or whether it's China or the relationship between both?
Aynne Kokas: In the Snowden revelations, we learned that through FISA courts, the U.S. security agencies and U.S. spy agencies can have access to our user data through pathways that are not actually transparently articulated. So there's a - there are very good reasons why the Chinese government may not be interested in having U.S. tech platforms operating in China. Now, it's an interesting choice, knowing that, that the U.S. still allows Chinese platforms to operate in the U.S. So that's an interesting dynamic that we see. However, one of the key points that I think is important to remember in terms of the distinction between the United States and China is the relative power of the tech sector vis-a-vis the government. So while we did see, through the Snowden revelations, government access to tech platforms, we also have seen that there's really very little oversight and very little regulation, even when there's a lot of will.
Aynne Kokas: So, for example, the Federal Trade Commission has had a lot of interest in addressing potential antitrust issues in the tech sector for the past two years, and there's been very little, if any, progress in that area. So the - by contrast, we see that the Chinese government has been able to take board seats in major Chinese tech firms with very little pressure and very little change in regulation. So there are really important differences of scale here when we think about the interaction between government and technology companies.
Andrew Hammond: And just before we hand it back to Amanda, I was just wondering, would you recommend anybody that's on WeChat or TikTok get off of them?
Aynne Kokas: Oh.
Andrew Hammond: Or - yeah. Sorry, I know it's a tough one, but I had to do it.
Aynne Kokas: No, no, no. I think...
Andrew Hammond: (Laughter).
Aynne Kokas: ...I mean, it is a really tough question. So I think the WeChat question is tougher than the TikTok question because there are people who have family members that they can only contact via WeChat or business associates that they can only contact via WeChat. I think it's helpful to maybe have a separate device that one uses to create some barrier between your - all of your personal information. But that's actually also good advice for anyone who has a corporate phone. I wouldn't recommend keeping your personal information on your corporate phone either. TikTok - I don't use TikTok apart from - for research purposes. And even with that, I find it, like, shocking and appalling how much TikTok knows about me and how good the algorithm was in picking apart little, small pieces of my personality. So I would stay away from TikTok and stay away from WeChat unless it was strictly necessary if we're going to China, living in China, contacting people in China.
Andrew Hammond: We'll turn it over to Amanda. And I definitely need to get you to have a chat to my niece (laughter).
Aynne Kokas: It would be my pleasure, though probably not her pleasure.
Amanda Ohlke: This poor niece, Andrew, she's going to say, you're using me as an example.
Andrew Hammond: (Laughter).
Amanda Ohlke: Well, I want to thank you both for being so optimistic with sometimes rather dark answers in some places, but I appreciate the good share. One of our frequent guests had a whole bunch of questions right at the beginning, saying, what is the risk of using VPN in China to bypass the firewall? You know, any thoughts on that?
Aynne Kokas: Yeah. So this is a - so using a VPN is technically illegal. So there are legal risks that one would face using a VPN in China. And so that's something that I think is important to know. In 2013, when I was doing it as part of my research, it was not illegal. I was not doing anything illegal at that particular time. But those laws have changed. That being said, it's a weird dynamic where a lot of people need to use VPNs to tunnel outside of the great firewall. So it's something that a lot of people do that is also not legal in most contexts. That would be the biggest risk that I would point to.
Amanda Ohlke: It seems like a risk. What about the old turning off your location? Does that help at all?
Aynne Kokas: So turning off your location when you're using an app? So not allowing the app to track you?
Amanda Ohlke: Just in general.
Aynne Kokas: Yeah.
Amanda Ohlke: This person asked, in general, does turning off your location help at all?
Aynne Kokas: I mean, I think that definitely, there are different types of settings that we can adjust that limit the way in which we can be tracked, especially by apps that don't necessarily need that information. Like, does Yelp need to know where you are when...
Amanda Ohlke: At all times.
Aynne Kokas: ...You're not ordering food? No, it really doesn't. So those are things that we can pay attention to. Also, just being cognizant of what apps you have on your phone, what different platforms you use, what their security protocols are. One thing that I talk about in the book is that especially consumer products companies for the Internet of Things, those are companies that don't really have a lot of budget for security. And so when you're buying a new robot toy and you're not sure where that data is being stored, just think twice before you put that app on your phone. That's all. You know, and as the holiday season is coming up, a cheerful message for everyone.
Amanda Ohlke: Here's a very specific one. Is Proton email secure from Chinese hacking?
Aynne Kokas: I could not answer that question with confidence, so I will punt that.
Amanda Ohlke: What do you think about - told you we had really smart guests - what do you think about federated AI technology as a way to protect user data?
Aynne Kokas: Yeah, I think this is a great potential solution. And we're seeing a lot of apps and platforms use this. I think the biggest challenge is scaling and scaling up that type of technology more broadly because it's not necessarily as financially lucrative for a lot of tech platforms.
Andrew Hammond: Could you just briefly say what federated AI technology is, please, Aynne?
Aynne Kokas: Yeah. So this is when different AI server - this is when there are distributed AI entities that work together. So all data isn't necessarily stored in one central location. So it's more difficult to track user data or to aggregate it.
Amanda Ohlke: All right. Now, I want you guys to optimist your way out of this sad question. There are recent articles out of Canada revealing Chinese government funding of political candidates, how - we can't imagine that isn't happening here. And here's the dark part. Given that, and along with the lobbying by tech companies, what are the odds of getting anything meaningful done?
Aynne Kokas: Well, thank you for that really important question. And unfortunately, it's not just in Canada. We also see this in places like New Zealand and Australia. And also companies like TikTok in the United States have been able to join tech lobbying or tech, you know, professional organizations that have significant impact on U.S. policy. So it's not just U.S. tech firms, it's also tech firms that have very close ties with China. It's very difficult to think about how we might move forward and what the future landscape of data security will look like. I do hope that by raising awareness to users of what their data means and what the kind of different use cases are, so thinking about that mosaic theory, about the way in which, you know, your individual pieces of data might not be useful, but that whole picture of who you are and what your society looks like might be something that you would want to avoid. I really hope that learning more about that becomes useful and people think about that.
Aynne Kokas: But, I mean, frankly, we're also seeing a really rapid expansion of China's sovereign claims, not just in the digital realm, not just - but also in maritime contexts, in the context of space, in the Arctic. So this is part of a larger picture that we see. And I don't know what the future brings, but all that I can do in my small role is to help to educate people on the world that they're living in and hope they can make different types of decisions.
Andrew Hammond: And can I ask one more serious question, one that I wanted to ask? What keeps you up at night? You mentioned critical infrastructure in the book and also health care data, which I find particularly disturbing even - it may not just be about you. It could be about two generations on from you and so forth. So what's the thing that kind of worries you the most about everything that you discovered in the research for the book?
Aynne Kokas: Yeah, I think it's probably a toss-up between the health care data and the agricultural data, so precision agriculture and the oversight of ChemChina by - the oversight of Syngenta by ChemChina and - which is - precision agriculture means the monitoring and management of agricultural systems through technology and through AI. So that, I think, is a particular risk, but also, as you point out, the generational challenges of biodata trafficking is something that I find really concerning, particularly as we learn more about different types of precision medicine tools that might be available only to certain populations and not to others, or when we think about bioweapons in the future. But I try, actually, not to think about it because I won't be able to sleep, and I know I can't...
Andrew Hammond: Sorry.
Aynne Kokas: But you're right. These are all really, really scary long-term considerations. And even if there isn't comprehensive data security, I really hope that there's more comprehensive oversight of our biodata 'cause I think that's crucially necessary.
Amanda Ohlke: Big question, but just quickly as we're wrapping up - what can the U.S. learn from China? What can we model? I mean, let's learn from what they're doing.
Aynne Kokas: Yeah. China has great national consumer data protections. If you're a Chinese consumer, you are protected from corporate data oversight and from corporate data extraction more than you are in the United States. You're not necessarily protected from government data extraction, but corporations can't necessarily gather as much of your user data, and I think that's great. And that's something I would love to learn from the China - something I'd love to bring over here.
Amanda Ohlke: Andrew, any final words before I wrap this up?
Andrew Hammond: No. It's been a pleasure to speak to you, Aynne, and - yeah, congratulations again on the book.
Aynne Kokas: Thank you so much, Andrew and Amanda. This has been a delight. I've learned so much from the audience and from each of you, and I really appreciate the chance to share my book with the Spy Museum.
Andrew Hammond: Thank you.
Amanda Ohlke: Well, thank you for this clear-eyed and incredibly optimistic look at something that is troubling in many ways, but also, we have opportunities here. So thank you. And please check our website for programs like this, for - and for programs for all ages. And if you enjoyed the program, we don't mind if you make a donation to the Spy Museum. Do we, Andrew?
Andrew Hammond: Not at all (laughter).
Amanda Ohlke: Nope, not one bit. Not one bit. Thanks to everyone for being here. Stay well. And have a great rest of your day or start of your day or end of your day, wherever you are.
Andrew Hammond: Thank you. Bye-bye.
Amanda Ohlke: Bye.
Aynne Kokas: Thank you.
Andrew Hammond: Thanks for listening to this episode of "SpyCast." Go to our web page, where you can find links to further resources, detailed show notes and full transcripts. We have over 500 episodes in our back catalog for you to explore. Please follow the show on Twitter at @INTLSpyCast and share your favorite quotes and insights or start a conversation. If you have any additional feedback, please email us at firstname.lastname@example.org. I'm your host, Dr. Andrew Hammond, and you can connect with me on LinkedIn or follow me on Twitter at @spyhistorian. This show was brought to you from the home of the world's preeminent collection of intelligence and espionage-related artifacts, the International Spy Museum. The "SpyCast" team includes Mike Mincey and Memphis Vaughan III. See you for next week's show.