It's good to see you again.

Yes, really happy that we're post quarantine. We can travel much more easily nowadays.

Absolutely. We've had the opportunity in the last couple of days to meet, to have so many good meetings, including one with the president. One of the issues that has come up, over and over again, is the tremendous challenge that misinformation in cybersecurity presents to democracy writ large, especially to our countries.

Congratulations. I think the last time I saw you, you were minister at large. Now, you're minister...

With a portfolio, yeah.

Which is better?

There's pro and cons.

We'd love to hear just how you see your mission, and how you feel about the success of your experience, so far, and the mutual challenges we face in addressing disinformation and cybersecurity generally as it relates to democracy.

For both US and Taiwan, we are...

...a couple of questions... complete sign up... millions of us...

I think it's China.

Did it say "billions of us?"

The trolls, they are legion. Millions.

I've been thinking about how I could orchestrate this, all day long.

As I was saying... Back in 2018 we were maybe at peak trolling, peak disinformation here.

In 2018, there was a referendum and a mayor election on the same day, literally. Disinformation around these two fed into each other and there was a lot of sponsored social and political advertisement, precision targeting, on Facebook and the like.

Right after the election, the civil society got really serious about applying social pressure to Facebook, saying that if you do not provide honest assessment of who reaches where, what, and the foreign money... Because back in 2018, if they paid Facebook, they could bypass fact checking. This entire fact checking ecosystem is for naught if you can simply pay Facebook to bypass fact checking as a service.

The civic sector really did a good organization around social sanction. According to a former member of the Facebook Civic Integrity team, Taiwan, in 2019, was certainly one of the very few jurisdictions, in which that they implemented the honest advertisement norm that they worked with the international fact checking communities.

Because that was met with pretty good success early 2020, later on, they would apply a similar model to the US and many other jurisdictions. In terms of the volume of disinformation alone, we're definitely after that peak now, similar to how we are post-pandemic. [laughs]

Today, we have some good initial results in working with the journalism sector as well as civic journalism like media competence. One of the good thing as a minister with a portfolio [laughs] is that we can host a platform in which the Google and Facebook work with the journalism practitioners in Taiwan to figure out how to make sure journalism thrives. All of us can see that if journalism dwindles, that's bad for democracy.

I think we should do everything we can help the journalists digitally transform themselves, and to enhance civic journalism. There's a pan-partisan agreement on the importance of civic journalism and professional journalism in the role of countering dis- and misinformation.

I have to interject, that's counterintuitive. The irony is that — let me think — when it peaked in 2019, we were on the decline.

I would ask you this: With that assertion with the rapid expansion of algorithm utilization and with AI, I would think that we're only at the threshold of what could be growth in disinformation.

As for cybersecurity attacks, that's increasing for sure. Last year, we've seen five millions a day of cyberattacks from abroad to Taiwan, which is twice as many as 2020. The cyberattacks were on the rise especially after the Speaker Nancy Pelosi's visit, we've seen 23 times of DDoS in a day compared to the previous peak. It's unprecedented -- a wake-up call for many people.

Disinformation comes in waves, more like typhoons. You see it coming days in advance. You can prepare yourself for it, and we can strengthen resilience against typhoon. People understand how to do that now.

Cyberattacks are like earthquakes. They don't have a lot of warning. You have at most 10 seconds to respond, or 20 seconds if you are really lucky, and the damage is exponential.

For example, the DDoS that took down the connectivity to the Ministry of National Defense or presidential office for a couple of hours. During those a couple of hours, people do not have access to the official website, and so the information manipulation -- I wouldn't even call it disinformation at that point -- could simply say that the hackers have taken over the Ministry of National Defense and the Presidential Office.

There were several attacks that replaced the advertisement billboards, including outside of a Taiwan rail station. Again, it only took over the advertisement billboard, which is not the real system. Amid the confusion, there was information manipulation that says that Taiwan rails has been taken over. That is high coordination. This is cyberattacks amplified by psyops.

Our playbook needs to be quite different because journalism isn't going to be very useful if the connectivity is broken. If a really large human made earthquake cuts all the submarine cables, then even if we have all the CNN and BBC correspondents in Taiwan, it won't matter. Their message wants to reach the international audience. That's what coordinated cyberattack looks like in an invasion-and-annexation scenario.

I've always thought of the challenge around this whole issue of insecurity is all about defense. Is there an offense?

Yes, of course.

How would you describe the offense?

A couple of things. For example, our asymmetric defense is also a kind of offense. One example: When the drill happened early August, we want to make sure that people know that keeping dialing in a line to keep it busy is not the same as taking over the rail station or the presidential office. A denial of service is not the same as taking over control.

The way we send the message to the people is by bringing our new website, moda.gov.tw, online, the same hour as the drill, and tie it to the web3 ecosystem, the Interplanetary File System that hosts the Bored Ape Yacht Club, those NFT profile pictures that works like trading cards.

We deliberately choose a decentralized network and tie ourselves to that backbone. I then said I invite all the hackers to attack our website because if you take us down, you'd also have to take down a lot of the crypto apps... Well, I guess some of them did take themselves down today.

There's a lot of volunteers around the world. IPFS counts more than 200,000 computers. Each one may donate a little bit of their spare hard disk to keep our website alive, to improve our resilience.

It's also an offensive because it means that Protocol Labs, as well as people in Argentina, Lithuania, and so on, who otherwise do not have ways to contribute to Taiwanese causes can very easily do so now. They can just pin our website on IPFS and then participate in our defense. It's not unlike the so called IT Army of Ukraine.

That was quite successful. People understood that there's no way to take down our website. From this point onward, other ministries also know that they can find a safe harbor in decentralized communities.

Now, this also doubles as a way to help the journalists and the people who work on human rights within the PRC regime, because they may also use the same system to put tamper proof accounts of what's actually happening under the Zero COVID in terms of human rights abuses; this is essential for direct action.

By asking people to donate their computing power to this tamper proof network, we're also playing offensive because it helps to also keep alive not just our website, but also the accounts of all the human rights abuse that the PRC regime doesn't want its people to see.

I have two questions that I'm going to ask you now, but I would have to assume that there is no country that suffers more from the challenges around cybersecurity than Taiwan.

My first question would be, is there such a country that has more of a national security threat through cybersecurity than Taiwan? Secondly, how would you rate your defense compared to other countries? Are you at the top of the heap? Would you like to get there? How do you feel about where you are versus where other countries, say the United States, is sitting?

California is not a country? [laughs]

It depends on who you ask.

A state, certainly. The Silicon Valley companies, they are under even more intense cyberattack. If you take over Microsoft Exchange, you take over almost everybody. So although they are not countries, they're a very tightly coupled ecosystem, three major cloud providers. They are under even more fierce attack.

Which is why we must work closely with all three of them. We now share the same architecture, which we call Zero Trust Architecture (ZTA). Meaning that, for example, when I sign my official documents on my device, I may be anywhere. I was quarantined at home for seven days and worked nonstop.

Through ZTA, it checks my fingerprint, my device and its SIM card, and the edge activities on my device. Even if one of the three is compromised, the other two factors keeps me safe, and allows the defense team on the cybersecurity plenty of time — a day or two — in order to do forensics to keep the threat from spreading.

Now, compare that with the legacy systems inside the Intranet. In those setups, if I'm a minister, I present my ID card, I'm physically in the Intranet, then I'm allowed to do practically everything. I don't need to authenticate my device or my SIM card every time I sign on a "trusted" desktop computer within the intranet. That creates a lot of loopholes and possible problems.

I'll admit that our ministry, the moda, is currently the only ministry -- along with our two administrations -- to fully implement Zero Trust Architecture here in Taiwan in a national government, simply because the legacy systems take a lot of effort to migrate to this new mobile-first world.

I'm told that within some defense apparatus within the US, they have also a five-year deadline to implement the ZTA. Here, we're aiming for two years...

Two years.

...for some of our critical infrastructures. Microsoft, Amazon, and Google are now working together provide our key ZTA components, so it's not us versus the Californian companies. It's us together.

Thank you so much for your time. I find myself staring at this moda, and I had the privilege of working in the federal government for two presidents. I was asking Senator Daschle, who is the chief digital officer of the United States? The answer is, "I don't have a clue." There is a chief technology officer that works in the White House, and historically has been helpful.

I would love to get a little more context from you about what your mission is. How do you interact with other agencies? I ran the department of labor for a few years, and we had an internal team, the Defense Department, and frankly, never interacted with those other teams around. Our cyber people, and our digital people...

Everybody's on their own.

I'm fascinated, as a student of government right now, by this proposition, a minister of digital affairs. My initial response is I think it's brilliant. I'm wondering why we don't have a secretary of digital affairs. I'd love to learn a little bit more from you, not simply about what you are doing, but the cross fertilization.

We've met with a number of ministries throughout our trip, and what's your interaction with them? How do you create synergy so that everybody is benefiting?

In a sense, we simply look at the third-level agencies belonging to other ministries. Which agencies did the at-large ministers in charge of digital affairs -- especially the past three years during the pandemic times -- which teams interacted the most? Then we put all those teams into a ministry. [laughs]

That's essential because during the pandemic, there is the CECC, the Central Epidemic Command Center. When we need to, for example, distribute all the masks with the pharmacies as a rationing point, that's five different agencies working together around the clock to deliver a nationwide digital service in just three days. The same for the vaccine registration. The same for contact tracing.

Everyone who participated share this idea of resilience, meaning that in an adversity situation, everybody, including the private sector, the civic sector, all agreed that we need to fix this -- by yesterday.

Now, who among the government can say "go ahead"? Is this legal? Is this secure? Is this privacy-enhancing? Usually, it takes four ministers, and three minister at-large in order to OK every step. During the pandemic, of course there is the CECC commander who basically says, "This must be done."

We had a really intense experience nationwide, to deploy very large-scale, on the fly situation applications during the past three years.

So we look at the agency we interact with. For example, the part of the National Communications Commission that makes sure that the most remote islands and most offshore places have Internet, broadband, as a human right. That's a key part.

The part of the National Development Council that does data policy, that's a key part. Open data, open source, and things like that, which would be like 18F, or the USDS in the US.

Also, of course, we need the cybersecurity stamp of approval, so the department of cybersecurity, and along with them, the part of civilian critical infrastructure emergency response...

Can I just stop you right there? You're my new hero.

[laughs]

It's so much like what Obama set up with 18F.

18F and all that.

Exactly. Finally, the part of Ministry of Economic Affairs that works with platform economy companies, like Facebook and Google.

So we just look at all of them, saying that they work so much close together during three years. Now we're post pandemic, let's keep working together. That's moda.

So, you hold those different departments from different ministries under...?

...five ministers.

They each contributed one department or two.

How do you stay connected with them, with their old ministry? What is the connection between them?

Horizontal connections. Around the same time, a month before moda became a ministry, the Ministry of Science and Technology changed to a Council. The National Science and Technology Council (NSTC), which covers not just science but also technology, serves as a top-level coordination structure.

I'm a member of the NSTC, and so are the other ministers that I talked about. The at-large minister in charge of digital affairs, is now Minister Tsung-Tsong Wu, head of the NSTC and coordinator of inter-ministerial digital affairs.

For example, we work with Facebook and Google to hold dialogues with journalism organizations, it's Minister Wu hosting the inter-ministerial collaboration meeting, working with the Ministers of Culture, Communications, and Fair Trade Commission, and so on. In the meeting, he is the convener, and we are the capacity builder.

We are not a regulatory agency by any means, but when other regulatory agencies need, for example, cybersecurity capability, digital transformation capability, we provide that capability.

Can I ask, how much are you collaborating, talking, comparing notes, best practices, with other countries, in terms of how you're set up and what you do?

We practice what we call public code, which actually we learned from the 18F -- because previously the US copyright law only says that federal works are copyright-free for US citizens, and -- I think it was during Obama -- they extended this to say it's copyright free for everyone.

The US adopted Creative Commons Zero in addition to open source licenses, so that the software code become like NASA pictures, that anybody, anywhere around the world, can freely reuse, because they realized that if they wanted to restrict the cross-border flow, that should be at the data layer, not the algorithms. There's no point in restricting the free flow of code.

That's really good, because in Taiwan we were also debating the "build or buy" policy. Now, if we participate in the public code, open source initiatives, started in the White House during that time, we would not just save a lot of develop cost, but is also a form of diplomacy.

For example, during the pandemic, the code to ration out the masks, the civic tech community posted them on GitHub, and then South Korea, in Seoul, simply implemented the same API, and then they started to ration out their masks. That's a form of people-to-people diplomacy without any track-one complications.

In Japan also, I personally contributed, along with the g0v civic tech community, to the Tokyo Metropolitan COVID Dashboard, when it comes to public awareness. Again, I participated as an open source contributor, not minister-to-minister.

I think this is a really good way. It not just build alliances among likeminded allies, but we can collectively provide help to places who need digital infrastructures, so that they are not captured, locked into any particular vendor. In a sense, we become like co-vendors to the developing nations.

You also shared this model?

Yes. If you look for the Standard for Public Code, part of it is Taiwan's contribution.

Going back to the cyber warfare...China obviously being the biggest challenge. Is Russia here? Are you also getting from domestic challenges?

Sometimes they do share tools and playbooks, but from Taiwan we just say "threats from abroad," because for us it's all through submarine cables... [laughs]

Although we don't always know for sure the full attribution, like how many hops did it pass through, we do know that it's from submarine cables. So we just say "threats from abroad." It's millions of attempts per day, and increased by 23 times in volume during August 2.

23 million cyberattacks. That's hard for me to... [laughs]

What is the nature? What kinds of things are they doing, and who are they targeting? What is the...

During that day, it's simply connecting through so-called botnets, the computer they have taken over from abroad to all connect to the Ministry of National Defense, Ministry of Foreign Affairs and Presidential Office websites, to render it busy, like keep dialing to keep a line busy.

It's a high-resource, low-impact way of attack because you don't get any confidential documents this way. What they really want is to incite this sense of anxiety and fear that can then let the information manipulation of, "They have taken over the presidential office!" run amok on the social media. They didn't succeed at that, by the way.

Trevor, anything?

Yeah, so is this the Sunflower movement a big issue in Taiwanese politics has been transparency in government?

Yeah.

I'm wondering what else did you do as the core mission of yours for transparency of secure technology, and how are you doing that?

Transparency in the flow of work, meaning that for the career public servants, transparency must become less risky, rather than more risky. That's our call to action. The reason why we publish the real-time inventory of medical masks in 2020 every 30 seconds, instead of every 30 days or 30 hours.

That's because, first of all, people can see it for themself. When you queue in line, you see the actual trend in supply and demand. Most importantly, it turns opposition parties into co-creation parties. When MP Ann Kao interpellated Minister Chen back in March 2020, showing evidence from the civic sector's work based on OpenStreetMap, and said that mark rationing was not really fair -- the same kilometer on a map doesn't mean anything when people in rural areas have to take three hours by bus to get into the next pharmacy.

Now, if we don't have this real time open data published way before this interpellation, it would have become a zero sum game. Because we do publish that, the MPs have exactly the same data as we do. So Minister Chen said, "Legislator, teach us. You work with this very capable community. Teach us how to match the supply and demand better." MP Ann Kao did suggest better ways, such as preregistration. Within 24 hours, we started pre-registration and worked with convenience stores so as to be more fair to rural places.

In essence, if we publish non-personal data in the flow of work, it not just alleviates the public servants from political fallout or damage. It also turns opposition into co-creation.

If I could go back to this five million a day...I'm trying to quantify what you feel your success rate is. Is it 100 percent? Is it 80 percent? If you had to quantify your ability to respond defensively, how would you describe your success rate?

My main metric is the time that these architectures buys us to respond. Just like an earthquake warning system, it's not measured by the amount of earthquakes prevented -- because when you have high precision equipment, you actually detect more earthquakes. There's three felt earthquakes per day somewhere in Taiwan.

The other are not felt, but recorded by the machines and the earthquake sensors. They are here because we can then inform our elevators, our escalators, and all the construction machinery during those 20 seconds to not cause damage. When we have better sensors, better machinery, we can increase the time to respond.

For earthquakes, that's probably the best you can do. I don't see earthquake peace accords being signed any time soon, in which the earth promises to not make earthquakes next year. [laughs] The same for cyberattacks. We want to buy response time, through indicators so that we know well in advance that an attack is coming.

In the best scenario, it becomes like typhoon, where we can make full preparation and backups, and not to be caught unaware.

Would you describe the threat the same way today as you would when you began? The impression I have is that this technology keeps evolving and ever changing.

As it changes, you have to stay ahead of the change in order to be able to effectively repel and create a defense mechanism. How does one stay abreast? Is it through research, through trial and error? How do you do that?

I entered the cabinet in 2014, post-Sunflower, as an intern, a reverse mentor. The difference between 2014 and now is that back in 2014, there was this very naive idea that social media connections are automatically good for democracy. [laughs] Like, more connection the better. It's like "free trade is automatically good for democratization."

There was a certain naïveté in the world. Of course, the Sunflower itself is a backlash against that over-naive assumption. At the time though, it was difficult to convince our democratic partners to take this as a serious threat to democracy, to see some social media platform designs as fundamentally antisocial. To see some connectivity as fundamentally asymmetric and therefore bad for the health of the democracy as a whole.

The arguments was difficult to mount then. I would say the immune system in the society, the societal resilience, was much weaker in 2014.

Nowadays, we've made vaccines, and I've recovered from COVID. [laughs] There's a strong antibody of the mind against the narrative that authoritarians liked to abuse back in 2014.

Also, people nowadays generally understand that if you share a disinformation message in the fit of outrage without checking where it's from, without checking the provenance, it's bad for democracy.

If you ask over four major parties in the parliament now, they're like, "Of course, that would be like a Trojan horse," and so on. I think many of them didn't use to say that in 2014. That's the main difference.

Your ministry is, as Todd noted, really an innovation. A governmental response that I hope is replicated in other countries, including the United States, but I'm still unclear as to the structure. As you address those challenges, how do you structurally, an organization, create a ministry to be able to address those challenges so efficiently?

There are three main units within our administration, within our ministry. The one is the moda proper, the ministry. Our focus is on societal resilience. To ensure broadband as a human right, and general availability of real time open data and code so that it benefits everyone in a society.

The broadband work includes now the non-geostationary orbit satellites that can serve our remote islands to protect them against earthquakes that would destroy submarine cables, including human made earthquakes. All that is the moda proper with six departments.

In addition to that, there are two administrations, for cyber security and for digital industries. The cybersecurity arm is concerned with critical infrastructure, and it interacts with National Security Council. It requires a higher security clearance compared to the moda proper.

Along with the Administration for Cyber Security, starting next year we will also have the National Institute of Cyber Security, the NICS, which will be an expansion of our outreach to the US and all the democratic alliance, the Declaration for the Future of Internet (DFI) partners, so that we can jointly defend ourselves.

As for the Administration for Digital Industries, there are no national secrets there. It works to help all industries on the way toward digital transformation. As the competent authority for the Digital Signature Act, the administration works with the NFTs, platform economy, e-sports, extended reality, and so on. The great thing about that administration is that is not a supervisor of anything.

For the startups, the Administration for Digital Industries is their natural friend because the administration will try their so-called soul-bound NFTs before any other governmental agency. They are here to try every startup's new idea.

When it makes sense in terms of promoting cybersecurity, privacy and resilience, then we're like a ministry-wide sandbox that can then publish our playbook, for the other ministries to take these innovations seriously.

The idea behind societal, industrial, and emergency-response resilience is that we want this Venn diagram to overlap as much as possible. The more they overlap, the more agile we are.

So our main KPI is agility: In how many minutes, in how many seconds can we assess a new situation and come to good-enough consensus on those three aspects?

I would imagine that those who are engaged with this kind of work at that level of skill requires an enormous amount of training and education. Did you have a workforce challenge when you created the ministry, and how did you address it?

First of all, we work with all the other administration ministries and local governments, the best and the brightest people, as long as their bosses let them move here.

Our initial hiring was just around 100 positions, but we get more than 5,000 resumes -- all of them wants to work at the moda. We don't have a problem on the general-purpose public service level.

Now, for the more specialized people who are not part of the public service workforce, for example, people in cybersecurity with a focus on red-and-blue teaming. There was no public service entrance exam for these people.

We are currently carve out a special way for them to enter the Administration for Cyber Security and also, starting early next year, the NICS. We are working with the Examination Yuan, which is a separate branch of government, to give them a very flexible salary. Truly exceptional talents can be paid more than me.

Do you have to do extra training for them?

Yes. The examination, the background checks, security checks, and so on, are all customized with the Administration for Cyber Security.

That you're competing against the private sector for the results?

We believe in talent circulation. [laughs]

I don't like that. [laughs]

Our main way of attracting private sector people, is saying that you're not going to be here forever. Maybe for the next three or four years...

How exciting to be...

How exciting, with a minister-level salary...

More than a minister?

As long as you have a higher degree than the minister... You see, I'm a high school dropout. [laughs]

People here enjoy a pretty decent salary. Of course, not as good as TSMC, but we're working on closing that gap.

For a startup?

You're right. For a startup, it's actually better than most startups. Then, after three or four years, they will learn and grow to be architect. Once they return to the private sector, they get paid so much more.

That's interesting. Have you found any value in collaboration with your regional neighbors? Japan and Korea, for example.

Yes. In addition to the people-to-people ties, more formally, we are very interested in, for example, harmonizing our positions around, for example, AI, data reuse, privacy protection, Free Flow with Trust, things like that. We pay very close attention to, for example, the EU Act around digital resilience.

When we build our cybersecurity testing labs here in Taiwan, especially around semiconductor, which has to be originated in Taiwan because TSMC and friends are here, but we want cross certification. When the E187 certificate is obtained here, it would also be recognized in other parts of the world.

We're working to look at the parts in which that Taiwan can provide a good certification, or basic R&D to make certification easier, things like that, around the supply chain items that we are excelling in.

How interested are the American companies in what you're doing?

The three cloud companies, of course we work closely together. They form the backbone of our Zero Trust Architecture solution. It's just, we insist on no lock-ins, so within our system no two adjacent parts can belong to the same vendor. We intentionally test interoperability between those vendors.

We also learned that from Ukraine. It's better to work with a multitude of vendors, without overly reliant on any single one. We need to keep the option to switch to one of the more heterogeneous configurations.

Let's go back to the workforce. As you're recruiting and bringing in people, how are you accounting for potential bad actors trying to get in and be a part of the company, infiltrate and be inside?

In the Administration for Cyber Security and in the NICS, of course, there's the usual security clearance, background checks, which takes a few months, but hopefully worth it.

In addition to that, adopting a Zero Trust Architecture means, that there's very limited damage you can do, even if you are in this office, because there's no intranet. We don't have an intranet, so every access is analyzed, and if you try something weird, before it actually causes damage, it would be detected.

We are reasonably sure that, by adopting ZTA, we can recruit people with less experience in cyber hygiene, and get better training in better cyber hygiene.

Compare that to the old intranet, desktop, password world. If you are here physically, have the card and the token, and remember the password, everything is yours. So adopting ZTA also allows us more flexibility when it comes to workforce.

Speaking of workforce, I have to assume that you have to be so consumed by the threat you get every day, that there's hardly little time to be thinking about 10 years or 20 years hence. Your comment about social media and how counterintuitive it was 10 years ago...Do you think that it was maybe a threat to democracy in some way?

It makes me wonder. As you look at AI, as you look at autonomous vehicles, as you look at robotics, and its implications for Taiwanese society 10 or 20 years from now, how do you plan for that? How do you address the, what you know are going to be, challenges totally unlike those you're facing today?

During the pandemic, especially 2020, '21, the PRC regime tried very hard to push the narrative that only top-down lockdowns are effective, that only authoritarian regimes can counter the virus. "Democracy only leads to chaos" and so on. Well, people only have to look at New Zealand, Australia and Taiwan to see that this is simply not true.

Now, it is possible to maintain public health and economy at the same time. We need to keep making the same sort of arguments when it comes to AI. At this moment, there is a push toward trillion-parameter AI models that takes a tremendous amount of computing power to train. For some applications, that would require a tremendous amount of data collection too.

For example, in totalitarian regimes, they can afford to record, through cameras, record all sort of emotions from people in all sorts of environments, and produce highly effective social control models. They literally harvested a lot of human data to make this, what I call, authoritarian intelligence. That's authoritarian AI. Maybe they're the top of the world. Companies in Silicon Valley simply cannot replicate the totalitarian arrangement. There's no way that they can catch up to that sort of application in machine training.

On the other hand, maybe it's OK that we are not at the top of the world when it comes to such authoritarian applications... because we don't want those authoritarian applications at all. We don't want that sort of top-down social control. In Taiwan, which is why I said this antibody, vaccine of the mind, immunization is so important. We're less lured by this "centralize and automate everything" narrative that used to attract a lot of people, not just from Taiwan, but across the world back just a decade ago.

Nowadays, we simply say AI is only as useful as it is assistive, augmentative. The AI-in-the-loop responses to the community needs are not straying from the societal norms. By building a norm based order, in which that AI can be deployed with community governance, we can collective reject the authoritarian AI siphoning personal data from our population.

Once we reach this point, we can simply say, it's OK to coexist with the retweet button; our democracy can thrive, and even be resilient. Whereas, around 2012, the PRC regime they want zero hate. They don't want to co-exist with viral tweets. They want to ban the words "civil society," and spending more in their military budget on zero-hate campaigns, just like their lockdowns now.

Well, we're now on very different paths. It's no longer just a fork in the road. It's completely opposite direction, at times. We need to make this value based argument very clear to the rest of the world.

Let me ask you about the Chinese government's influence. As you know, President Trump tried to ban Tiktok. You said something where you can coexist with the virus...

Indeed, it enabled a different strain of virus now. TikTok by any other name is still Tiktok. Behind TikTok, there's this whole extractive advertisement ecosystem that maximizes addiction building. If you ban TikTok, but still allow for this addiction-building dark patterns, then they could just siphon personal data through another jurisdiction, another app.

In the current US federal law, it's still legal for these ecosystem to keep sending profiling information back to the PRC regime. It's a false sense of comfort if you only ban TikTok and not deal with the entire ecosystem. If, on the other hand, we take a more EU-like approach, and say that it's the other way around -- They have to earn it in order to collect any personal information, that's much more likely to work.

That is to say, in situations when over-collection of profiling data would pose a high risk to the society, maybe we by default just don't do that, and evaluate on a case-by-case basis, as we already do in the field of health data, in the US around HIPAA.

If we treat ordinary people dancing to their phone cameras in a way that's consistent to how we treat financial and medical data, then we are looking at a much more effective regime to harmonize our data protection and cybersecurity laws. TikTok is certainly a symptom, but we need to treat the cause.

The US itself is also deliberating toward that direction, maybe four years behind EU on that direction. I think there's a new privacy law in the works that has this data minimization push, which didn't used to be a major thing in US when it comes to privacy. Now people are more aware of that idea of not collect unnecessary data; don't collect data and then sell it to the highest bidder to our attention.

This is gradually becoming a norm even in the US. I think Taiwan and the US can work in tandem toward that vision.

My fear though is that we have regulatory infrastructure around privacy for health and finance. I don't think we have anything close to a regulatory infrastructure for TikTok or gaming. That regulatory infrastructure still has to be created. Is there a consensus on what that might look like?

In Taiwan, of course, in the Sunflower movement, one of the core arguments was that the so called 4G core infrastructure in the so-called private sector in the PRC regime may not remain within the private sector.

What's called "clean network" later in the game was widely discussed by the people on the street in 2014, because of economic reasons. People said that we'll have to continuously do systemic risk assessment if we adopt such equipments in our 4G infrastructure.

Maybe they don't have any backdoor today, but next time the firmware update arrives, we'll have to reassess whether they have become de-facto state-owned enterprises now in all but name. This economic argument won bipartisan support back in 2014, and it was fundamentally economic argument.

We can make similar arguments around telecommunication, and then from the link level gradually to the application level. From the lower in the stack, connectivity and so on, I think there's a general understanding in the US now. If we jump to the content layer, or mix different layers together, that will be like, I don't know, the DHS Disinformation Governance Board. It's a leap too far. But if we move slowly upward the stack in a way that all political parties could agree, that's more feasible.

I have to ask, are there many Twitter users in Taiwan, and if there is not...?

No, there's not a lot.

OK. They probably are ambivalent about Elon Musk taking over the...

...indeed. We're like, sure, whatever.

Our public square is in the civic sector. Our Twitter equivalent for politicians and journalists, called PTT, is for the past 25 years, subsidized by the Ministry of Education as part of the National Taiwan University Student's Club on bulletin board systems.

It's like a digital campus. It enjoys the freedom of thought, conversation, and so on, and the funding remains stable.

People, the vast majority, the citizens use it?

If you look at the newspaper and it says a "netizen" said this or that, chances are it come from the PTT. The great thing about PTT is that it's entirely open source. Everybody can look at the source code.

To register new accounts, you have to authenticate by sending a SMS to PTT, that's how it did away with the trolls. The moderation and governance system itself is by merit.

What I'm trying to say is that, by serving no advertisers or shareholders, it can stay for 25 years. It's like the National Public Radio for civic discourse. I don't think the National Public Radio in the US wants to run Twitter, but that would be the equivalent.

You don't get the diatribe that we get?

There's no incentive to sell the attention of a PTT netizen to a highest bidder.

There's no adverts because there's no advertisers.

There's no advertisers nor shareholders.

You don't have Grumble either?

Do what?

Grumble. Grumble is going to be the emerging, in 2024 election, people aren't going to be talking about Twitter in the United States. They're going to be talking about Grumble.

No, we don't. The thing about the public square is a lot like journalism, in the sense that during the Kyiv situation earlier this year, personally, I stayed up all night to read "Kyiv Independent" and other correspondents on what's actually happening in Kyiv.

Now, if I do get those feeds and I do get this real time information of Zelenskyy saying, "I need ammo, not a ride," and so on, I don't need to go to the less informative deep fake or conspiracy theory websites.

If they don't have a broadband connection to the world back then, like in Crimea situation back then, then of course, the appetite is there, and you will be flooded by Russian propaganda. I think these antisocial corners, they will pale in comparison if there's an actual public square with actual civic journalism going on.

I'm trying and I'm processing the remarkable stuff that you're saying and trying to filter through all the other things that you've had done is really fascinating. We've heard consistently from many ministers about the proliferation of misinformation, mostly based from China.

What I'm hearing here on this is you don't have Twitter. What are the vessels for communicating the misinformation here?

What are the platforms?

There's three major modes. One is the end-to-end encrypted — like WhatsApp — message platform called LINE. The vast majority of citizens are on the LINE platform. Then next to LINE is the domestic forums, PTT, Dcard, and so on. Then on top of that is global platforms; a lot of people are on Facebook, Instagram and YouTube.

In my old job at the Democratic National Committee, we spent a lot time jawboning Facebook and all the platforms. Did you end up doing that as well...?

Yeah. The great thing is that the people in the middle, the PTTs of Taiwan, leads with the social norms for Facebook to follow.

Good.

When the civic sector helps you on trade negotiations, that makes the negotiation easier. [laughs]

This has been fascinating. I know we're out of time. We can talk at least another hour, but I congratulate you on all of your good work and your leadership.

I'm always so impressed here, first, because of your willingness to meet so often. I'm sure you get American delegations daily. We're grateful for your accessibility, and for the model that you've set for the rest of us as we contemplate the challenges we face in our country, too. Thank you for that.

Thank you.

Absolutely.

Thank you.

Thank you, Audrey.

Thank you all.