TikTok, the popular video app, has taken a series of steps to convince U.S. officials the company is dedicated to protecting Americans’ data, including hiring Kevin Mayer, previously the head of streaming at Disney, as its CEO. It has also pushed for and held meetings with U.S. lawmakers, pulled out of Hong Kong due to a severe new Chinese national security law and published a “privacy roadmap.”
That may not be enough to meet U.S. demands, however.
In recent weeks, U.S. government officials and members of Congress have placed the company in their crosshairs, warning that personal data collected by the social media giant could be secretly sent back to its Chinese parent company, ByteDance. Secretary of State Mike Pompeo told Fox News host Laura Ingraham on July 6 that the U.S. is considering following India’s lead and banning the app.
Pompeo didn’t say how the Trump administration would do this, but even beyond the question of whether the U.S. should ban it, policymakers will have to figure out how to ban it. Some in Congress, however, have already been thinking about it.
Sen. Josh Hawley, R-Mo., introduced a bill that would ban federal employees from using TikTok on their work phones, which may be up for a vote next week. The Pentagon has already advised its personnel not to download the app, and U.S. companies like Wells Fargo have told employees to uninstall it. (Amazon briefly made the same demands of its workforce but later backtracked.)
While light-hearted music videos might not seem that sensitive, TikTok admits it collects wide-ranging information, not all of which users need to share, including the user’s age, email, phone number, profile information, comments, private messages, payment information, network contacts and location data — not unlike U.S. social media giant Facebook.
“There are very few apps that have the ability to extract data to the extent that TikTok does,” wrote Ken Lloyd, VP of risk for mobile security research firm Zimperium. “TikTok collects data as soon as the app is downloaded, including how you type, down to keystroke rhythms and patterns.”
Lloyd wouldn’t speculate on what the company does with that information, but he noted it is a foreign company collecting large amounts of personal data.
“For some organizations, the risk associated with that combination is not worth the reward, and they have chosen to restrict its use on their employees’ devices,” he said.
The company, for its part, says it is safeguarding its customers’ data.
“TikTok collects much less U.S. user information than many of the companies in our space and stores it in the U.S. and Singapore, with strict controls on employee access,” wrote a TikTok spokesperson.
The spokesperson also said its parent company, ByteDance, “is evaluating changes to the corporate structure of its TikTok business” to satisfy U.S. privacy concerns.
One possible path for restricting TikTok may be through the Committee on Foreign Investment in the United States, or CFIUS, which reviews certain types of U.S. acquisitions made by other countries. As far back as October 2019, Sen. Marco Rubio, R-Fla., sent a letter to Treasury Secretary Steven Mnuchin requesting that the committee “launch a full review of the national security implications” of the Chinese purchase of Musical.ly, the U.S. company that created the software behind TikTok.
“It is no coincidence that every day more companies and organizations are asking employees to delete TikTok,” Rubio, now the acting chair of the Senate Intelligence Committee, wrote in a statement to Yahoo News. “TikTok has yet to provide a real explanation to Americans about how they protect their data and how much of it could be made available to the Chinese Communist Party.”
CFIUS, led by the Treasury Department, has the power to send recommendations to the president to block, modify or unwind foreign transactions that led to foreign control of a U.S. company.
CFIUS is reportedly already conducting a national security review of TikTok and its Chinese parent company, though the process itself is kept secret. In rare public examples, CFIUS investigations resulted in forcing a Chinese company to sell the gay dating app Grindr and blocking a potential acquisition of U.S. semiconductor company Qualcomm.
With TikTok, it could demand certain concessions from ByteDance to protect national security, or do something even more drastic. In 2018 lawmakers passed a reform to legislation that governs the CFIUS review process, providing the interagency body with additional powers as well as requiring the committee to pay special attention to certain areas, such as protection of personal information.
If the CFIUS review committee determines TikTok’s ties to China pose a real national security threat, it could force ByteDance to sell the U.S. assets belonging to Musical.ly, from software to office equipment. And if ByteDance doesn’t comply, it’s possible the U.S. government could try to force Google and Apple to remove the application from their popular app stores.
Another legal option might be to turn to the International Emergency Economic Powers Act, enacted in 1977, a broad law that allows the president to regulate commerce to confront a national security threat to the United States. Trump could use that authority to sanction or attempt to block TikTok from operating in the U.S.
Export control regulations, which allow the government to block the export of software, could be another lever to prevent the use of Musical.ly’s technology.
Additionally, a May 2019 executive order on “securing information and communications technology and services supply chain” could allow Trump to block “any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service” dealing with communications technology and involving a foreign country or foreign person.
The Trump administration could also issue a new executive order specifically targeted at TikTok. And it’s possible the government could utilize the National Institute of Standards and Technology’s national encryption standards to require that encryption be used to protect U.S. user data.
Congress could also legislate a solution that would restrict its use at minimum for federal agencies, the military and cleared contractors. Hawley, chairman of the Senate Judiciary Subcommittee on Crime and Terrorism, has crafted a bill aimed specifically at this purpose.
“This legislation is a necessary step to protect the security of the United States and the data security of every American,” he said earlier this year.
On March 5, the House passed Rep. Abigail Spanberger’s amendment to ban TikTok for employees of the Transportation Security Administration, following the agency’s own guidance against its use in late February. Sen. Kirsten Gillibrand in February proposed creating an “independent federal agency that would protect Americans’ data,” including from the tech companies that collect it.
Despite these myriad potential measures, experts still disagree on the extent to which TikTok even poses a legitimate national security threat.
First, experts debated what Chinese officials would do with the U.S. data if they accessed it.
The Chinese already have large amounts of sensitive U.S. data, according to Jim Lewis, a senior vice president at the Washington, D.C.-based Center for Strategic and International Studies. And unlike telecommunications networks that could be tapped by companies like Huawei, with “a long history of connections to the Chinese intelligence services and a willingness to spy,” the personal information gathered on TikTok “doesn’t provide any intelligence advantage,” he said.
Courtney Hulse, an analyst at RWR Advisory Group, a D.C.-based firm that tracks risk and foreign threats, suggested that the personal data collected in bulk remains a serious risk when combined with all the other data Chinese officials have access to — particularly when training its artificial intelligence algorithms.
“While it is unknown to what degree, if at all, Chinese companies like TikTok are being tapped to help fuel these efforts with user data, it is possibilities such as this, exacerbated by China’s track record in the cyber domain, that make foreign governments rightfully queasy about permitting unhindered access to its users,” she wrote in an email to Yahoo News.
Additionally, the platform could be the next major host of foreign disinformation, reaching millions of young people around the world, argued David Hanke, a former staff member on the Senate Intelligence Committee and the primary author of the 2018 Senate legislation that expanded the powers of CFIUS.
“While Russia did not own or control the U.S. platforms it exploited, its trolls were still able to create and leverage fake accounts to spread disinformation and sow chaos,” he wrote in an op-ed for The Hill, referring to Russian efforts to meddle in the 2016 U.S. presidential election. “It’s not difficult to imagine what another foreign adversary, China, could do with a massive social media platform under its thumb. With TikTok, that is the situation the U.S. now faces.”
For counterintelligence experts, the platform serves as an untapped goldmine of personal information on young people — the sons and daughters of attractive targets like U.S. national security officials and potentially future U.S. government employees.
“It’s all about leverage,” said one former intelligence officer.
While TikTok has promised it would never turn over information to the government in Beijing, and would resist any efforts to compel the company to do so, it may not be able to fight back against information requests. Chinese companies are required to help the government if officials demand access, and though some have pushed back, it’s unclear how successful efforts to put off Beijing’s requests have been, according to congressional testimony by Samm Sacks, a senior fellow at Yale Law School’s Paul Tsai China Center.
One big question is whether any attempt at restricting TikTok really addresses the core concern about Chinese data collection.
Clark Fonda, a former congressional chief of staff who was also directly involved in CFIUS reform legislation, said that if the government wants to more thoroughly address China’s data practices, there are other options, like making the committee into an independent government agency.
“We wanted a government-led Chinese investment tracking system,” Fonda said. “Then, if you really wanted to go after the app makers, you could investigate and get more done than just harassing TikTok in the news.”
That option, however, wasn’t ultimately included in the legislation that passed, and Fonda said the problem goes well beyond TikTok.
“Everyone knows what TikTok is because it’s in the news, but I can guarantee there are other apps in the app store that are even more brazenly tied to a Chinese government-affiliated company,” Fonda said. “This is more of a systemic issue than just TikTok alone.”
By Jenna McLaughlin