US intelligence and defence officials are increasingly concerned about foreign access to troves of personal data sets. This month, the US Treasury announced new regulations to limit foreign investment in companies that provide data-driven services. Policymakers fear some foreign firms might share that data with adversaries or use it in ways that threaten individuals and the nation. For example, TikTok is an artificial intelligence-based app for making videos and the first viable global competitor to Facebook’s messaging apps. In 2019, the US Army successfully used the app to attract new recruits. However, because the app is owned by a Chinese company, some analysts warned that the company could share the personal data it obtains with the Chinese government, which in turn could use that data to threaten national security. Although the company denied the allegations, the US government announced it was investigating the firm. The army warned its staff not to use the app . Yet TikTok is still available to both Apple and Android customers. ToTok is a messaging app that is one of the top free apps in Saudi Arabia, Britain, India and Sweden, and increasingly popular in the US. The app was available on both the Android and Apple platforms. After an extensive investigation, The New York Times reported in December 2019 that US intelligence officials had warned that the app was developed for and used by the United Arab Emirates for surveillance purposes. However, the US government has not warned users away from the app and it has returned to the Google app store. Why going global is no fun and games for China’s internet giants The US government has misdiagnosed the basic problem and put forward an ineffective response. These apps are security threats because the US, home to the world’s data behemoths , has adopted no federal rules governing how firms can acquire, utilise and monetise personal data. The threat will only mount as more people are connected to devices and provide more data. Many mobile applications have taken advantage of this governance gap. In 2017, European Union information security officials asserted that app governance is a real problem because “there is still a serious gap between legal requirements and the translation of these requirements into practical solutions that protect personal data”. A 2019 study found that more than 95 per cent of mobile apps and websites available in India – the fastest-growing global digital market – share data with third parties without the explicit permission of the user. The portrait editing app, FaceApp , illuminates this issue. The firm complies with national laws regarding personal data protection. However, its terms of service granted the company a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licencable licence to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your user content “without compensation to you”. In addition, if a user deletes content from the app, FaceApp can still store and use it. The FBI concluded that the app could be a counter-intelligence threat. Did you download FaceApp? Privacy issues you need to know The US government has not developed an effective response to this problem. In 2013, the Department of Defence’s research arm, the Defence Advanced Research Projects Agency (DARPA), funded a study examining whether the availability of data provides “a determined adversary with the tools necessary to inflict nation-state level damage”. The results were not made public. In March 2015, DARPA initiated a research programme “to develop tools and techniques to facilitate data sharing and personal data protection”. Five years later, DARPA has yet to release the findings. Because the US has not yet found a technical solution, it has relied on ad hoc responses. In 2018, the US government prohibited defence department employees from using geolocation features in operational areas. The US also told a Chinese firm that owned an LGBT dating site, Grindr, it must sell the site , reflecting concerns that Chinese entities might tie this very personal data to other data sets. In 2019, the Trump administration proposed using export controls to secure data used in applications such as artificial intelligence, and warned members of the military not to buy directly consumer genetic test kits because it could expose personal information and create security issues. Love down to a science: is DNA matchmaking the ultimate dating tool? Taken in sum, these efforts will do little to solve the problem of inadequate personal data protection or the weak regulation of firms that sell, use and mix large data sets. Instead, US intelligence and defence agencies should be vociferous advocates for protecting personal data. America’s national security strategy should include the development of comprehensive national and international rules governing the protection, sale and use of personal data. The US should prohibit the collection of personal data for secondary purposes without an individual’s explicit permission. Moreover, it should work with other nations to develop internationally accepted and interoperable privacy rules. Data is an integral asset to our economic and national security, but policymakers must also ensure that personal data is protected effectively. After all, if loose lips sink ships, lax data protection could send ships in the wrong direction. Susan Ariel Aaronson is a professor at George Washington University where she directs the Digital Trade and Data Governance Hub, and is a senior fellow at the Centre for International Governance Innovation Purchase the China AI Report 2020 brought to you by SCMP Research and enjoy a 20% discount (original price US$400). This 60-page all new intelligence report gives you first-hand insights and analysis into the latest industry developments and intelligence about China AI. Get exclusive access to our webinars for continuous learning, and interact with China AI executives in live Q&A. Offer valid until 31 March 2020.