ToTok Is an Emirati Spying Tool

The smartphone messaging app ToTok is actually an Emirati spying tool:

But the service, ToTok, is actually a spying tool, according to American officials familiar with a classified intelligence assessment and a New York Times investigation into the app and its developers. It is used by the government of the United Arab Emirates to try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones.

ToTok, introduced only months ago, was downloaded millions of times from the Apple and Google app stores by users throughout the Middle East, Europe, Asia, Africa and North America. While the majority of its users are in the Emirates, ToTok surged to become one of the most downloaded social apps in the United States last week, according to app rankings and App Annie, a research firm.

Apple and Google have removed it from their app stores. If you have it on your phone, delete it now.

Posted on December 24, 2019 at 1:13 PM • 30 Comments

Comments

Electron 007 • December 24, 2019 2:37 PM

App Annie, a research firm.

Nice. The Piston Annies Motorcycle Club ladies carry cell phones. Those girls really know how to curry favor with the cops, don't they? Oh, she's pressing charges? I didn't know that. You mean you aren't in jail yet? How can that be? There's a warrant out. No, wait a second, that's not a warrant. When was your court appearance supposed to be? Oh, no, that was for something else. Hold on a second. Do not leave. The boss just said we've got to put you in handcuffs. That's all I know. Well, you're free to go now. Next time it'll be a felony. You're going to need an attorney.

ToTok may well be a piece of dastardly malicious spyware, but so are Facefokk, Twatter, Instaglam and all the others.

Ross Snider • December 24, 2019 3:25 PM

US intelligence did something similar in an effort to cultivate a revolution in Cuba with the so-called Zunzuneo app modeled after Twitter. Was really the CIA.

Is there a scalable way to prevent this kind of activity without allying oneself to a specific intelligence/government?

AlexT • December 24, 2019 3:38 PM

Is there any reason to believe that Whatsapp (and many others) are fundamentally different?

They might be not as brazen and / or better implemented but at the end of the day...

JonKnowsNothing • December 24, 2019 3:42 PM

@Ross Snider
re:

Is there a scalable way to prevent this kind of activity

Yes but you won't do it.


  1. Dump your "smartphone" for a "dumbphone"

  2. Never load an APP EVER

  3. Remove all Default APPs you can find and Delete any data with them

  4. Never UPDATE anything. Yes you will miss those "security fixes" but you won't get slammed with an Extra Surprise. (fwiw, happened to me on the last Apple iOS13 update, a complete mess)

  5. You won't need half the so called updates if you aren't using those insecure APPs to start with

  6. Never believe anything said about any product is a consumer benefit. (at least in this epoch)

  7. Hope for a complete meltdown of the system. It's the only way Disaster Capitalism will fund something different. Note: It's Capitalism so that doesn't mean better, just different oligarchs at the feed trough.


Even so the 3LetterCharmers are everywhere. If you worry that the Usual Suspects are monitoring you, you are right. They are. It doesn't matter what country you are in; the internet is a porous sieve and you are fish in the net no matter what.

Gerard van Vooren • December 24, 2019 4:01 PM

@ Ross Snider,

Do you recall Pokémon Go? That was funded by the NSA. But I doubt whether that is still downloadable by the so called App Stores. I don't have a so called "smart phone" anymore so I am not knowledgeable about this.

SpaceLifeForm • December 24, 2019 6:19 PM

"Upon learning of this bug, we suspended the accounts used to inappropriately access people's personal information."

(parse closely. Note that there are likely accounts that are authorised to inappropriately access the personal information)

hxxps://techcrunch.com/2019/12/24/twitter-android-bug-phone-numbers/

Who? • December 25, 2019 6:16 AM

The only difference I see among ToTok and Facebook, Twitter, LinkedIn, Chrome, or even Android or Windows themselves is that the former has not been blessed by industry and [U.S.] government.

Not let us start talking about those called "intelligent speakers" like the Google Home or Amazon's Echo Dot ("speaker" is an interesting synonym for "microphone", much less frightening, isn't it?)

ToTok is not the problem, it is just the product of a broken society and its surveillance-based capitalism.

Unfixable by design.

Jaason • December 25, 2019 7:31 AM

I find it odd that an app designed for use in the Emirates, has suddenly become popular in the US.
Who exactly is downloading this app in the US?

Jaason • December 25, 2019 7:41 AM

Another thought passed through my mind, banning this app when we have the exact same thing (FB, Insta, etc) makes me think it's more about money, as though they don't want anyone outside the US circle making money from your data.

I'm not sure what use an app used by a foreign nation's civilians would be to the designers, other than making money off of their data.

But I'm no spy.

tds • December 25, 2019 10:17 AM

Let's not forget the largely unregulated location data vendors, in addition to ISPs, cellular providers, other surveillance capitalists, gov'ts and so on

https://www.nytimes.com/series/new-york-times-privacy-project

https://www.nytimes.com/interactive/2019/12/21/opinion/location-data-democracy-protests.html

"By tracking specific devices [from a location data corp.'s data trove], we [journalists, not spooks or cops] followed demonstrators from the 2017 Women’s March back to their homes. We were able to identify individuals at the 2017 Inauguration Day Black Bloc protests. It was easy to follow them to their workplaces. In some instances — for example, a February clash between antifascists and far-right supporters of Milo Yiannopolous in Berkeley, Calif. — it took little effort to identify the homes of protesters and then their family members."

JonKnowsNothing • December 25, 2019 6:17 PM

@Anon1

re: 4. Never UPDATE anything.
...your name is way too on the nose.

Well... Update whatever you like, there's nothing stopping you.

However, you won't have any idea what the update actually contains other than some marketing slime overview of "new features" and "several security fixes".

After the experience of having devices bricked, additional non-secure features, reductions in options and loads of other things that are not in your personal interest installed, altered or removed, you might well want to add that to your handle too.

ht tps://en.wikipedia.org/wiki/IOS_13#Photos

The Photos app includes a redesigned UI and uses machine learning to auto-hide "clutter" images such as screenshots and documents.

Well isn't that just ducky.. Apple ML/AI decides what where and how my photos are displayed including not-displaying them.

And that's not the only thing that was altered.

In spite of my handle I did the update because I followed numerous tech reviews that said the update was really good and safe.

It wasn't.

Clive Robinson • December 25, 2019 6:56 PM

@ Jaason,

makes me think it's more about money, as though they don't want anyone outside the US circle making money from your data.

Whilst you can make the "data theft" for money argument, Google and Apple work in different ways. Thus the near simultaneous action by both of them, by pulling the app from their respective "walled gardens", would tend to suggest the reason is more of a PR one or perceived liability one.

I actually expect when people pull ToTok apart that they will find thinly disguised US Gov IC agency technology inside of it.

The Emirates has more recently decided to flex its muscles. In theory Project Raven was about anti-terrorism and involved US Agency staff. Some of them realised that in fact it was not anti-terror that was foremost in the Emirates leaders' requirements.

Have a read of this from just under a year ago,

https://www.reuters.com/article/us-usa-spying-raven-specialreport-idUSKCN1PO19O

There are quite a few senior US fingers in that pie, including some in the White House under the previous administration, and ToTok is almost without doubt significantly related.

So the lid got lifted on a sewer with an almighty stink rising, that neither Alphabet nor Apple want to be associated with.

What this does show without doubt is that the arguments for "walled gardens" with regards user privacy and safety are "weapons grade baloneyum", as some of us on this site have noted for years. And it's the "walled gardens" where the money and control you are thinking about actually happen.

And the last thing these "walled garden" operators want is to have that money and control taken out of their hands, hence their rapid response. But it's not just them; if people start asking questions about "walled gardens" they will probably start talking about UEFI and similar mechanisms that take the right of ownership away from citizens and instead vest it in corporations...

Anon1 • December 25, 2019 9:15 PM

@JonKnowsNothing

You seem to have gotten burned by one particular update, on one particular device/manufacturer/ecosystem, which changed the usability of a feature you liked, and your update process seems not much more involved than pushing the button that says "Install Update" and hoping for the best.

That's still no reason to tell everyone else to /never/ install updates, or for you even to not update /anything/ you own... As someone who professionally manages many thousands of servers and endpoints for large business customers, I'm sorry but I /have to/ call that out as really-ultra-terrible security advice.

Yes, change/patch management and testing is a royal PITA.

Yes, some device manufacturers do not clearly or entirely publish what each patch does to your device, or give you options on whether to pick and choose which patch or group of patches get applied, or they hide the detailed change logs behind approved developer accounts or other non-public places, or at least require you to jump thru hoops to get it.

If you prefer to have more control over the device you own, or ease of access to change logs, buying an iProduct maybe not for you. The choice of hardware / manufacturer is just as important as your patch management process is...

Many businesses shared your frustration and opinion about patching... until things like BlueKeep became a thing one day, and they learned a very hard and very expensive lesson.

Now they're my begrudgingly happy customers.

1&1~=Umm • December 26, 2019 1:23 AM

@Anon1 :

"You seem to have gotten burned by one particular update, on one particular device/manufacturer/ecosystem"

Examples can be found on all commercial OS platforms.

For instance Google updates things in its OS that almost always makes a user's privacy worse, or slower.

Apple notoriously put out a patch to slow down older products.

Microsoft, and the patches that tried to force people into Windows10 updating. Where it happened it bricked or made unusable previously usable hardware. Oh then there is the ongoing battle for getting increasing levels of telemetry into Microsoft products.

None of these were or are in the users' interests, and they are caused by a mistaken belief that these companies can have ownership of people's devices and private data.

If you look on this blog people have recommended various things to try and stop the corporate "carpetbagging" of users computers. The one thing that becomes clear is these corporates are treating their customers as at best vassals ranging up to enemies they are fighting in mortal combat.

Thus there is other advice given that indicates that stopping such consumer OS's connecting back to the likes of Microsoft via the Internet was a good thing to try and halt their rapacious behaviour. So Microsoft changed the way things worked to 'tunnel around' the attempts most users would be capable of making without expert assistance.

Which brings us onto the point of the "eco-system": it's basically a faux marketplace, set up by Microsoft's considerable and repeated failings to produce a product capable of passing the relatively simple level of 'fit for purpose' that is the minimum requirement for 'putting on the market'.

More recently the Upton Sinclair statement has been surfacing. Which is kind of ironic when we see you saying,

"Now they're my begrudgingly happy customers."

It fairly succinctly tells us where you stand in the "rent seeking" game.

Phaete • December 26, 2019 1:53 AM

Commercial patches can be commercially motivated, take the windows update that included the new FTDI USB driver and caused hell in all devices using a clone FTDI chip.
Customers didn't know they had a clone instead of a real chip inside their hardware and got punished for it.

On the other hand, I can point at a data breach involving 10k+ customer records that was made possible by NOT patching, at least for every patch that is an annoyance.

So if you are not patching your own stuff, that's ok.
If you are not patching the systems that hold my data (thus exposing my private data to the public), you will be criminally liable.

1&1~=Umm • December 26, 2019 5:36 AM

@Larry:

"Criminally liable? Where is this?"

Perhaps you would prefer criminally and civilly liable.

Not carrying out the terms of a contract would normally be considered a tort or matter for the civil courts. Unless, it can be shown that the actions or lack of actions were a deliberate attempt to obtain money or services by deception, at which point it becomes fraud and in most jurisdictions that's a criminal activity.

There are several problems with making it a criminal matter; the first two are that the burden of proof is higher and the cost of both prosecution and defence very high, and it could be a multi-year event with appeals etc during which time things remain in limbo. But it does not stop there, worse with a company or other 'legal entity' is identifying the controlling mind. Not being able to, effectively limits the punishment to taking any assets the legal entity has. Which become the property of lawyers and the state, which usually means there is nothing left for the injured parties to get recompense with after the criminal case. Also there are other people to consider such as the employees, by putting a large organisation into what would be bankruptcy could impose further sometimes significant losses and costs on the state.

Which is why in general such cases are rare or do not happen unless any potential assets obtained by the state are going to be above five or ten times the costs of the prosecution and still leave the legal entity in a position to continue to function with minimal burden on the state.

Obviously this is known to some criminals, who would take steps to ensure that they as individuals would not be involved with any such criminal proceedings. One such way as we know was by being "too big to fail" that is not referring to the size of the organisation but the effect they would have on not just the state but society as well if they were forced into bankruptcy etc.

Interestingly Iceland did go after executives with the financial crisis, I'll let others decide what effects that had overall.

Electron 007 • December 26, 2019 9:44 AM

@Larry, 1&1~=Umm

"Criminally liable? Where is this?"

Perhaps you would prefer criminally and civilly liable.

I assure you, it doesn't make a whit of a difference in the USA. They seize your property, throw you in jail, and place you on the NICS list for TSA screening and extended background checks.

Mass corporate layoffs, home foreclosures, rental evictions, vehicle impoundments, bank account seizures, confiscation of the mails, it's all been happening for a long time now.

You end up as a homeless, penniless felon, and it's pretty much just off to the labor camps and gas chambers. America's holocaust continues.

https://www.foxnews.com/us/trump-warns-california-fix-homeless-crisis-or-feds-will-step-in

Etienne • December 26, 2019 10:36 AM

"...according to American officials familiar with a classified intelligence assessment..."

In the 21st Century all sources will be anonymous, and the New York Times will be the judge.

Clive Robinson • December 26, 2019 12:29 PM

@ Think,

For those in business, in aggregate — patching is very important.

Patching is just one of several options.

At a high level you have,

1, Cross your fingers and hope.
2, If possible work around.
3, If possible patch.
4, If possible mitigate.

The first is the position of the eternal optimist, forever doomed despite the occasional respite. They indulge in "poor odds gambling" and call it "risk management" or some other nonsense. Imagine if you will a roulette wheel where all but one slot is green for a house win, and that one slot only pays evens less tax, would you play on it? That would still be more favourable odds than most get with their Internet connected systems with modern commercial consumer OS's and applications. The only saving grace is that it is such a target rich environment your chance of being hit is really quite small compared to everybody else, and there are really not that many attackers... Thus maybe options two or three might happen before your door gets rattled.

But options two and three are by no means certain to happen so waiting for them is almost as foolish.

You have to consider that whilst a few people might be able to come up with an effective work around... outside of the software developers the number capable of producing a patch let alone an effective one is quite small at best. In some cases not even the software developers can come up with an effective patch in a realistic time frame once the vulnerability is known to a large enough number of people.

The simple fact is that for various reasons --that get lumped under the term marketplace-- we favour mainly pointless complexity over even a modicum of stability let alone security. Thus by now most should realise this affects both above and below the CPU ISA point in the computing stack and all points in between. But... whilst software developers can only really work above the ISA usually by quite a margin attackers can be below what many consider the physical layer attacking upwards and no high-level software running on the same CPU can protect against such attacks. As @Thoth pointed out a couple of days ago even Intel's much hyped hardware security enclaves are nothing of the sort and can be attacked via the likes of RowHammer and similar low level physical layer attacks.

Further it should be obvious that the first three options, like a man clinging on to a cliff edge by his fingernails, is such a tenuous position and not really tenable. With it being just a question of "when" rather than "if" the descent will begin, and how bad the landing.

This leaves us with the fourth option, of which the most obvious solution is,

    Don't use the commercial crap-ware.

By which I actually mean don't use the commercial consumer OS's and Applications that are so bloated with unwanted, unneeded, poorly tested functionality that the complexity is at a point where serious vulnerabilities are guaranteed.

But if you can not avoid the use of such commercial crap-ware then you need to consider other mitigations, in fact you should consider them no matter what you use.

For example for a vulnerability to be exploited an attacker has to gain access to a vulnerable system. If the systems in use are not in any way connected to external networks then you've reduced your attack surface to "insider attacks" only. Whilst these do happen, they are nowhere near as frequent as attacks from external networks. But more importantly they are more traceable to actual individuals.

Which brings up the question of why so many "work computers" are connected directly or indirectly to external networks or communications? I've heard all the arguments multiple times and they all boil down to "arm waving" in by far the majority of cases. And even when there are legitimate reasons to connect, almost invariably they are done the wrong way on somebody's whim.

We have seen this repeatedly with security companies who really really should know better after all RSA and its security token issue was quite public some years ago. I've lost count of the number of CA's that have lost control of key signing over this decade alone. Oh and who remembers that Italian company that developed malicious attacks that they sold to all sorts of people including repressive regimes? Yup "Hacking Team" is what they called themselves, and "got hacked" was their fate, due to stupidity and hubris. All of which they could have avoided if they had taken just a little more care... You'd have thought they might have noticed an estimated 400GByte of data putting a big load on their outgoing pipe, but apparently not.

In theory Hacking Team were "experts" and had vast domain knowledge, so should have known not just the risks but how to mitigate them. But they had connections to public communications networks, that they did not deal with correctly, and they got hacked... Perhaps more interestingly it looks like those who did it are not going to get prosecuted as the Italian prosecutors for various issues --not least Hacking Team's owner's dishonesty-- have closed the investigation.

Ask yourself a serious question of,

    If it can and frequently does happen to those seen as "Domain Experts" what can I do?

The answer is first off question why you have external communications. Then how you can reduce or eliminate external communications from internal systems that don't need them. But also where you identify a supposed need really investigate it, the chances are you will find either it's not needed or it can be effectively mitigated.

Especially when you consider any effective mitigation against external threat entities should also work against insider threat entities as well.

In the past I've explained how I carry out mitigations in this area and why. The same can be done and has been done --by financial organisations amongst others-- for some time now, and it's not some nonsense "Best Practice" derived from questionnaires etc.

The real question for people to consider though is,

    Am I a gambler?

Because not mitigating crap-ware you know is full of unpublished but potentially known vulnerabilities is not "risk management" it's the stupidity of someone who is addicted to poor odds gambling, who may well have "lost the farm" to APT and not yet found out.

JonKnowsNothing • December 26, 2019 4:09 PM

@Clive @All

re: commercial crap-ware

There used to be 2 pathways for software changes:

1. Updates which were bug fixes and security fixes

2. Upgrades which provided new functionality

Now we have only 1 pathway for both.


Corporations do not have the interest in differentiating these paths anymore. False updates installing unfinished unsecure upgrades mixed together with incomplete or retro-reintroductions of security un-fixes-re-fixed.

Both pathways break systems, large and small.

They do provide pathways to continued churning of product and the eternal promise to Fix It in the Next Release.

The larger the scale of business the worse the probability for a total collapse of some aspect due to incompatibility of software + hardware because no one really can fathom how interconnected things are.

Some companies can't even keep track of compatibility of document formats.

In the USA we have certain regulatory systems that have specific HW and SW requirements.

In one case, a Federal Reserve Transmitting Unit had a terminal HW failure and that particular model was no longer manufactured. When a financial institution cannot transmit required bank data that's a big issue.

In another case, the senior management determined that some personnel no longer needed to have "expensive HW" and removed the device to a storage locker. It was duly pointed out that the "expensive/unnecessary" device was the required unit to file EDGAR reports to the SEC.

For smaller folks it's a huge hurdle to figure out why something that worked no longer works.

Apple iOS12-13 defaults to a newer video/image compression format HEIF/HEVC. This does not show up as a JPEG image on many systems and therefore is not compatible.

The new default compression method was promoted to improve data storage on iPhones (because you cannot upgrade the storage) but the commercial value was to force people to upload their stuff to the iCloud (where they lose copyright ownership) and download from the iCloud to intended target unit. The exchange between the upload and download also reduces the vaunted iPhoto resolution to that of a grainy thumbnail.

In worst-best scenario for people-corporations is that they buy new HW and SW hoping that things will be fixed in a newer system. Since the user doesn't know what's wrong (other than it's not working), it's a hope-and-a-prayer on their part and a financial feed-trough for the corporations.

Throw into this mix, the various tech writers and journalists who review and recommend products all the time on various media platforms. It would be financial suicide to not-recommend a product that is paying the mortgage.

Even the most resourceful Google-Fu cannot uncover all the permutations where things are going to go pear-shaped.


Clive Robinson • December 26, 2019 5:31 PM

@ JonKnowsNothing, ALL,

Even the most resourceful Google-Fu cannot uncover all the permutations where things are going to go pear-shaped.

A friend has a complete listing of Unix for a PDP 11/70 not just on paper but in text file form as well.

Over the past years they have ported it to a number of platforms from Motorola 68K upwards. In more modern times to even single chip "System On a Chip" (SOC) microcontroller. During this time they have also gone through many bug and vulnerability reports updating the code. It's an interesting hobby, but also the system appears quite secure and lacks one heck of a load of bloat.

If you don't mind "working the command line" and using K&R style C, BASIC or FIG Forth then it's a fun thing to work with.

But importantly is that lack of bloat and the fact you only have what you need to talk across serial lines (networking via SLIP or PPP is there if required). Makes it potentially way more secure than say a Raspberry Pi Zero with a bloated GNU / Linux.

Parallel computing whilst on the surface looking incredibly complex can be designed so it is not, and the code kept just about as simple as possible, has the potential to actually be a lot more secure than most current systems. But as each year passes high complexity threaded code with very ill defined interfaces appears to be the rule...

I guess the question is "When will we learn, and will it be too late or not?".

SpaceLifeForm • December 26, 2019 5:42 PM

@ Clive, JonKnowsNothing, ALL

Stick to plaintext for comms.

No graphics. No PDF.

Clive Robinson • December 27, 2019 4:31 AM

@ SpaceLifeForm,

Stick to plaintext for comms.

As I've mentioned in the past, it's my preferred method of crossing "security gaps" using another system to check for various issues.

However at the end of the day "source code" for interpreters is "plaintext" so you also have to use a subset of even text based applications, that you know don't have interpreters or anything sufficiently close to be one inside them. This can be awkward as many "grep" like tools do have command parsing inside them.

Old unix source code can be your friend if you have the ability to "take out the clever tricks". Mostly they were not needed back then, and with modern resources being "t'pence a bucket full" they certainly are not needed today. Also it enables you to strip out "the kitchen sink" features you are never likely to use as well.

At the end of the day, though I hate to say it because using your own private unpublished code is a form of "security by obscurity" it does help stop people getting a toe-hold and can make any such attempts actually "stand out", thus alert you to something odd.

The big problem is of course "other people" more or less insist on "rich text" in its many forms either insisting on sending it to you or insisting on it from you "because of their business flow" etc. There are ways around this but sometimes spending half an hour to write a couple of pages of plain text, then another half hour "hand crafting" it up into another format can and is a right royal pain in the posterior.

However at the end of the day you have to do the evaluation of "what price for security". From my perspective the first question is what price would there be for them performing a physical penetration to plant surveillance equipment etc. You then use that as your working baseline. Making that way more expensive for them can be as simple as putting door alarm sensors in all the internal doors and keeping all the doors closed, the plus side is doing that helps reduce your heating/cooling bills as well ;-) wiring it all up to a cheap single board computer that can also work a mobile phone as an alert system helps as well. Surprisingly there are so many little security projects people have developed for the likes of the Raspberry Pi and other low cost SBC's that you can almost "plug and play" your own security system together that even a decade or so ago would have been thought of as "very high tech". Again doing it your own way makes an attacker's life very much more difficult.

You can also take a lesson from the ancient orientals who used to create physical alarms such as floors that squeaked. If you make certain of your floor boards squeak or move in certain ways and put a sensor some distance away, the chances of an intruder finding and disabling them without setting them off is very small.

Whilst cheap safes like those you have in hotels are fairly easy to open, they can also be alarmed from the inside and the wires taken out through one of the "bolt down" holes they often have, using three bolts instead of four probably won't be detected by an intruder.

The point being you want to detect them not stop them. You are at the end of the day protecting information not physical objects, there are ways that information can be protected at rest that they can do little or nothing about. What you don't want to do is let them get at data when it's unprotected because you are using it, and they can only do that if they catch you unaware. Just knowing someone is taking interest in you is often sufficient for the cautiously minded to avoid problems.

Electron 007 • January 3, 2020 8:11 AM

More interesting news. Following the U.S. assassination of the Iranian general.

https://thehill.com/policy/defense/army/476488-army-bans-soldiers-from-using-tiktok-on-government-owned-devices-citing

The Army is banning soldiers from using the popular TikTok app on government-owned devices, citing a potential security risk.

Army spokeswoman Lt. Col. Robin Ochoa told Military.com in an interview this week that the Chinese social media app is “considered a cyber threat.” The regulation comes after the Defense Department and lawmakers have expressed concerns about how the app collects personal data.

So is TikTok a variant of the banned ToTok? And is it possible that the Chinese attribution is a false flag? I am sensing a certain phenomenon of "what a tangled web we weave" on these social media apps. How much support does Iran have from China, if TikTok and perhaps ToTok itself are of Chinese origin?

Clive Robinson • January 3, 2020 1:57 PM

@ Electron 007,

So is TikTok a variant of the banned ToTok?

From what has been publicly said and assumed, it's unlikely. It would appear ToTok is what is called ironically a "Chinese knock-off" of TikTok, which is not really Chinese either.

The UAE Government with the assistance of personnel from various US civilian and US military SigInt entities under the operation called "Project Raven"[1] which was supposedly an "anti-terrorist" cooperation developed tools and techniques of which ToTok is believed to be one. The Project Raven tools are known to have been used by the UAE government in the main, not for terrorist related activities, but to spy on UAE citizens and members of the press and even foreign nation diplomats and politicians, as well as one heck of a lot of US citizens.

Put simply ToTok is very much a copy of the very popular TikTok presumably to make "take-up" of the ToTok spy ware easier.

TikTok though was developed by a US company that got taken over by what as far as we can tell is an independent company from China a couple of years ago.

There is a lot of noise from US politicians --especially those looking for a distraction from more pressing politics from their opponents-- to go play their favourite game in town "China Bashing". This game requires no evidence or even suspicion of evidence. Orders from on high in the Executive are if it can in any way be linked to China start a massive FUD campaign not just to discredit it but make any investment in it worthless.

Thus it matters not a jot what the real state of play is, US policy is to destroy in any way possible anything Chinese, by FUD, innuendo or direct fabrications, no matter how many US jobs or income it destroys. It's a new variation on "Reds under the bed" and it's fairly obvious how it is going to end (as it has in the past with lots of innocent US citizens harmed by politicians on a bandwagon...).

In short it's a direct steal from George Orwell's 1984, where Orwell described the need for a distant faceless enemy to keep the local civilians in a controlled state of pretend war and the restrictions that go with it.

Pretty much all the "Wars on XXX" in the US be it drugs or anything else are an excuse to take further rights from US citizens whilst pumping their hard earned tax dollars into the pockets of very unworthy people who use some of it via lobbyists etc for politico's to "feather their nests" with.

Thus this "War on China" is just another excuse to seize yet more goods, assets, and taxes to make the undeserving richer, and it matters not one jot how many US citizens get harmed in the process.

In the case of TikTok the innuendo started with a "think of the children" opener from a Senator, who has little or no knowledge of TikTok but knows which side his bread is buttered with the administration.

In fact the only credible evidence presented so far is that the US is doing every thing it accuses the Chinese of but worse much worse. The US gov got caught "Red" handed in the process of supply chain poisoning US products being shipped to China...

[1] https://www.reuters.com/article/us-usa-spying-raven-specialreport-idUSKCN1PO19O
