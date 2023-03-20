Concerns about the national security risks posed by TikTok, the wildly popular Chinese-owned social media app, have reached a fever pitch. U.S. cities and states have blocked its use on government-owned devices, and universities have barred it from campus networks.

Now, the Biden White House is reportedly mulling a national ban if the Chinese owners of ByteDance, TikTok’s parent company, don’t sell their stakes — a prospect endorsed by a bipartisan group of lawmakers in Congress. That includes members of the House Energy and Commerce Committee, who have summoned the embattled company’s CEO to testify at a hearing on Thursday.

Despite these warnings, the app’s popularity in the U.S. has skyrocketed. With roughly 80 million daily active users in the U.S., TikTok has emerged as a strong competitor to homegrown tech companies like Twitter, Facebook, Instagram and Snapchat.

For many Americans, one big question remains: How bad is TikTok, really? Experts told Grid that it’s impossible to rule out the possibility of the Chinese government accessing data from the app. It’s not clear whether the Chinese government is interested in the information TikTok collects on its users, but several plausible scenarios worry people who study tech and national security. They include the Chinese government directing TikTok to make changes to the algorithm it uses to serve videos to users in an effort to influence election outcomes or using private information gathered by the app to blackmail dissidents or government officials.

Still, given the range of data that is already public from other sources, and other overarching concerns about app data collection, many experts said TikTok is getting outsized attention.

“In a geopolitical context, it’s viewed as problematic because it is something outside of our control,” said Jess Maddox, an assistant professor of digital media technology at the University of Alabama. “We’ve all heard the hypotheticals about what TikTok and [its owner] ByteDance in China could be doing with our data. I think it comes down to a lack of control over user data and user protections.”

What data does TikTok gather?

The data that TikTok tracks includes a user’s contacts, email address, keystroke patterns in the app, the videos they watch and the IP addresses of the phones or computers they use to access the app, according to an analysis by the Washington Post.

That’s a lot of information — but on their face, the kind of data TikTok collects appears to be similar to that of U.S. peers like Facebook or Google, which analyze your behavior online or track your GPS position in the background. Other commonly collected types of data include which posts a user likes — or doesn’t — what posts a person lingers on, who their friends are, what a person searches for and where they are, said Cooper Quintin, a senior staff technologist at the Electronic Frontier Foundation

In an individual sense, that data isn’t very useful — unless someone is targeting you specifically for some reason. But aggregating many users’ data together allows companies and governments to see trends, connect data points and draw broader conclusions than any one set of data alone.

That said, security researchers have criticized some of TikTok’s data collection practices as they relate to the privacy of individual users. TikTok has reportedly utilized geolocation data to attempt to identify leaks within the company, showing a willingness to utilize fine-tuned data for dubious ends.

Could the Chinese government access this data?

That’s an open question.

ByteDance is currently registered in the Cayman Islands — not China, even if it is headquartered there. TikTok Ltd., the U.S. TikTok subsidiary, is registered in the Cayman Islands as well, though it is also incorporated in Delaware and California.

TikTok stores data from American users in the U.S. to assuage national-security fears, but news reports have documented that ByteDance employees in China were able to access TikTok data of U.S. users.

TikTok executives have repeatedly said that it does not and would not share user data with the Chinese government, even if the government asked it to do so. However, the country’s National Intelligence Law, enacted in 2017, mandates that “all organizations and citizens shall support, assist and cooperate with national intelligence efforts in accordance with the law and shall protect national intelligence work secrets they are aware of.” That clause is central to the U.S. government’s concerns about TikTok’s control of U.S. user data.

Even without that law, Chinese authorities have significant power over the tech industry, said Rogier Creemers, an assistant professor at the University of Leiden who focuses on Chinese tech policy. That power has been made clear through the disappearance of several high-profile Chinese technology company executives, including Alibaba co-founder Jack Ma, from public view for large stretches after reports of friction with the government.

“This is a system that, where necessary, can intervene at the highly personal level, in a way that is meant to be scary,” Creemers said.

Although it is incorporated in the Cayman Islands, and its founder Zhang Yiming is largely based in Singapore, ByteDance’s headquarters remain in China. That means China authorities could potentially wield their influence to get what it wants from the company. ByteDance has had to make concessions to the government before: Zhang had to write an apology letter in 2018 saying a ByteDance subsidiary — a humor app — didn’t live up to “core socialist values” after authorities shut the app down over issues with its content.

Chinese companies certainly aren’t alone in facing this kind of pressure. Apple and other U.S. companies operating in China have also come under scrutiny regarding whether the servers in their country are protected from Chinese government intrusion. Apple stores its Chinese customers’ data on servers accessible to the Chinese government and has taken down thousands of apps that are available outside the country.

What could this data be used for?

If the government was indeed able to gain access to the data that TikTok gathers, it could be leveraged for a variety of purposes — from blackmail to the aforementioned election interference.





Some researchers argue that the security risk depends in large part on which Americans’ data is exposed.

“Insofar as a foreign power’s access to this data poses a national security risk, it depends entirely on who the user is,” wrote the authors of a report from the Georgia Institute of Technology’s Internet Governance Project.

A person’s location, job or family connections could make their data more or less of a U.S. national security risk, they argue, as could whether the way a person using the service allows TikTok to identify and track them or expose confidential information about the U.S. government.

“We couldn’t figure out how big data could be used in a way to jeopardize national security short of having people in sensitive national security positions handle data in a way that would compromise national security,” said Karim Farhat, one of the report’s authors and the assistant director of the Internet Governance Project.

The Chinese government also has other ways to collect masses of data on people in the U.S., raising questions about where TikTok falls in terms of its usefulness to Beijing.

China has been accused or suspected of hacks that breached U.S. entities like the White House Office of Management and Budget, exposing the personal details of thousands of federal employees and the credit reporting behemoth Equifax. The latter breach involved Social Security numbers, addresses and other details for nearly half the U.S. population.

“I think what we don’t have, even at the classified level, is a very specific mechanism where it would be very clear that, if the Chinese intelligence and security services would get their hands on [TikTok user] data, they would be able to, from that, derive these actionable points, which they could then use in the following ways,” said Creemers. “I think it’s a far more general sense that might present a relatively easy channel for our adversary to get their hands on data in our population. We want to close it up. I think it doesn’t go much beyond that level of generality.”

Creemers and other researchers did say, though, that big data from TikTok could potentially be marshaled for election interference. “There could be a selective promotion or demotion of content that is even targeted to individual users, based on where they are geographically, who they might vote for, what political leanings they would have,” said Lindsay Gorman, a senior fellow at the Alliance for Securing Democracy at the German Marshall Fund and a former Biden administration adviser. “TikTok has all that data about U.S. voters and then could target information left and right, literally, to individual citizens based on its control over the algorithm. And so the really big concern, I think, is from the propaganda and information manipulation side of things.”

How has TikTok tried to ease concerns about the security of its data?

TikTok has spent millions of dollars working to separate its U.S. data operations from its Chinese owners after President Donald Trump famously pushed the idea of banning the app. More recently, the company had been negotiating with the Biden administration on potential data safeguards that would satisfy U.S. security concerns without requiring a change of ownership. Even so, the Biden administration is now advocating for ByteDance‘s Chinese owners to sell their stakes.

Right now, that means U.S. users’ data is stored on servers in the U.S. and Singapore. TikTok is also pursuing a $1.5 billion corporate restructuring plan called “Project Texas,” which would mean the U.S. cloud data company Oracle would be able to oversee what was going on with data, along with the U.S. government, and make sure it didn’t pass through mainland China, where ByteDance is headquartered. But this has done little to dissuade U.S. lawmakers, from President Biden and members of Congress to state and local officials, from continuing to single out the app as a unique threat to national security.

This month, a bipartisan group of Senators introduced a bill that would expand the scope of the executive branch to allow the Commerce Department to review software updates or data transfers by tech platforms in which a foreign adversary has an interest. It comes just before the CEO of TikTok is set to testify before Congress, an eagerly awaited hearing that is likely to get contentious. The fate of that Senate bill, and the outcomes of the hearing, could plot the fate of the app, for better or worse.

Any banning of an app wholesale will have free expression and free speech implications for the U.S. — one that is sure to come under scrutiny by the courts along with young adults who are TikTok’s dominant user base.

Some privacy researchers don’t see TikTok as the problem but rather the lack of commitment in the U.S. to digital privacy more generally. Rather than dealing with problems piecemeal, as they arise, observers argue that the U.S. needs to enact some form of national privacy legislation, which China and the European Union have both done.

“Overall, we need federal privacy legislation, we need an end to these massive data brokers, and we need to realize that this isn’t just a problem when China does it,” said Quintin. “It’s a problem when anybody does it.”

However, addressing perceived national security threats from China has been more appealing for lawmakers than addressing these overarching tech regulation issues.

“The U.S. is at a level of political dysfunction where the only thing that can make Congress move is to be able to show that you’re tough on China,” said Creemers.

Thanks to Brett Zach for copy editing this article.