Concerns about the Chinese government shouldn’t be dismissed, experts say. But banning TikTok would be a drastic measure.
OVER THE PAST few weeks, as relations between the US and China sank to even lower lows, the social media app TikTok has emerged as a new target for the Trump administration. Both secretary of state Mike Pompeo and White House adviser Peter Navarro warned on Fox News that the US was considering outlawing Chinese apps, of which TikTok is the most popular, over security concerns. Trump’s chief of staff Mark Meadows told reporters Wednesday that there are “a number of administration officials who are looking at the national security risk as it relates to TikTok and other apps,” adding that action may come within weeks, not months.
Concerns about TikTok have also spilled over into the corporate world. Last Friday, Wells Fargo said it had banned its workforce from using TikTok on company devices, an announcement that came after Amazon walked back a similar notice it sent to employees the same day. Meanwhile, on Twitter, venture capitalists, tech journalists, and China watchers have been intensely debating whether or not TikTok—one of several apps created by the Chinese tech giant ByteDance—poses as big a threat as government officials claim.
TikTok’s fiercest opponents argue that it should be viewed as a dangerous Trojan horse for Chinese Communist Party espionage. On the other side are those who frame that criticism as merely thinly-veiled xenophobia, a result of rising racism toward Chinese people and deteriorating relations between the US and Beijing. In between are plenty of people who aren’t quite sure what to believe. So far, like with Russian anti-virus firm Kaspersky a few years before, US officials have provided little evidence for their claims about TikTok aside from pointing to its country of origin. Absent hard proof, what’s left are more extrapolated dangers, like whether the Chinese government, which the US says was responsible for a notorious series of breaches at American institutions, would pilfer user data from TikTok, or censor content on the platform the way it tightly controls the internet within its own borders.
Experts on China say that while those possibilities can’t be dismissed, blocking TikTok is a drastic measure, and one that wouldn’t necessarily solve every issue that concerns the app’s detractors. Outlawing TikTok would also mean the US would be participating in the same Chinese-style internet sovereignty tactics it has long criticized, and it’s not clear where the line might be drawn. While TikTok is likely the biggest, many other Chinese-owned apps are also used in the US, including Tencent’s WeChat. And then there are the worrisome implications of shutting down a platform tens of millions of Americans use for free expression, especially just months before a presidential election.
TikTok, for its part, has repeatedly said that the Chinese Communist Party wields no influence over its operations. The app is not available in China, though ByteDance runs a similar platform called Douyin there. The company stresses that it stores data on Americans users in the US and that none of it is subject to Chinese law. (TikTok’s Privacy Policy states, however, that it may share user data with a “parent, subsidiary, or other affiliate of our corporate group.”)
TikTok has made efforts to be more transparent about its practices and to distance itself from Beijing, including pulling out of Hong Kong, where a sweeping national security law imposed by China went into effect last month. During the first three months of this year, ByteDance spent $300,000 on lobbying in Washington, according to the Center for Responsive Politics, where it hasn’t received a warm welcome from US lawmakers. Last fall, a number of senators raised security concerns about the app, and the Committee on Foreign Investment opened an investigation into ByteDance’s purchase of Musical.ly, a lip-syncing platform it later combined with TikTok. And in December, the Pentagon ordered military personnel to delete TikTok from their devices.
In an interview with WIRED Wednesday, Roland Cloutier, TikTok’s global head of security, declined to address questions about China directly, but stressed that TikTok was committed to maintaining robust security practices, including allowing outside firms to audit its technology. “What I can talk about is facts, and the facts are quite simple,” Cloutier said. “We use multiple external third parties [and] internal security teams to test and validate and beat on our product on a daily basis to look at potential vulnerabilities.” Cloutier joined TikTok earlier this year, after stints as head of security at the software firm ADP and after spending a decade in the US military and Department of Veteran Affairs.
Mobile security experts say TikTok’s data collection practices aren’t particularly unique for an advertising-based business, and largely resemble those of its US-owned competitors. “For the iOS app available to Western audiences, it appears to collect very standard analytics information,” says Will Strafach, an iOS security researcher and creator of the privacy-focused Guardian Firewall app. That includes things like a user’s device model, their screen resolution, the operating system they use, and the time zone they’re in. “Most data collection by apps concerns me, I don’t like any of it. However, in context, TikTok appears to be pretty tame compared to other apps,” he says.
Dave Choffnes, a computer science professor and mobile networking researcher at Northeastern University, wasn’t able to assess the Android version of TikTok firsthand, but relied on an analysis posted to Reddit, which many of TikTok’s critics have cited. Based on that, Choffnes says TikTok appears to be “in the same league” as other social media apps, which often collect extensive data about their users, including their precise location. Just because these practices are common, Choffnes says, doesn’t mean TikTok is totally benign. “Users should be questioning whether installing and using the app is worth handing over extensive data over to yet another company,” he says.
Like other apps, security researchers have found bugs inside TikTok, which were later patched. More recently, some users were alarmed when they learned TikTok was requesting access to their clipboards, which could potentially expose sensitive data like passwords. TikTok says the functionality was part of an anti-spam feature that detected when users tried to post the same comment on different videos over and over again, and that it never retained data from anyone’s clipboard. The feature has since been disabled.
The main thing distinguishing TikTok from other apps is its ownership. Unlike in other parts of the world, China experts say the Communist Party could easily pressure ByteDance to hand over data from TikTok. But it’s not clear that it has any good reason to do so. “Xi Jinping leadership has said, ‘We want tech companies that can be global brands that can compete in markets outside of China,’” says Samm Sacks, a cybersecurity policy and China digital economy fellow at the think tank New America. TikTok is one of China’s few truly global tech companies, and any suspicious behavior from Beijing, if uncovered, would jeopardize that.
“I think the incentives are lined up for them not to just ride roughshod over privacy,” says Kaiser Kuo, co-founder of the China affairs podcast Sinica and a former communications executive at the Chinese tech giant Baidu. It’s also unclear how valuable the personal data of TikTok’s overwhelmingly teenage user base would be to a government that has, according to US intelligence agencies, obtained highly sensitive information about millions of Americans through hacking the Office of Personnel Management, Anthem health insurance, and more.
In addition to user data it automatically collects, TikTok also has a vast trove of information about what videos millions of Americans are watching, and what topics they may be searching for on the platform. It’s become an important venue for political speech and activism, and some researchers worry the Chinese government could use it to sway public opinion or censor topics it doesn’t want discussed. “The average user, if they’re concerned about TikTok, should be far more worried about potential censorship than they should be about espionage,” says Justin Sherman, a fellow at the Atlantic Council’s cyber statecraft initiative.
A spokesperson for TikTok said in an email that its “content and moderation policies are led by our US-based team and are not influenced by any foreign government.” But guidelines from TikTok obtained by both The Guardian and The Intercept last year show the company instructed staff at one point to censor topics sensitive to Beijing, as well as people it deemed unattractive. TikTok said the rules were outdated when the reports were published. Since then, the company has released more information about its policies and algorithms, and announced a new transparency center, where outside experts can observe its moderation practices in person.
Blocking TikTok would quickly put an end to all of these concerns, but it would also raise a number of new issues as well. India outlawed dozens of Chinese apps last month including TikTok, which represented one of the company’s largest markets. Sherman says the move immediately raised questions in the country about censorship and the extent of the government’s legal authority to take such actions. The same could happen in the US.
Blocking apps based on where they’re from would also make the United States considerably more like China, which has for years prevented foreign tech companies from gaining a foothold in the country. The problem is that TikTok is far from the only tech firm in the US with ties to China. Tencent, the company behind WeChat, is a large investor in Reddit, for example. “The slippery slope is exactly the reason we should be very skeptical of this, because it just sends us down into this spiral of distrust,” says Kuo. “If we do this, then what else is fair game?”
A better solution, some experts say, would be to institute robust rules for protecting people’s privacy and preventing data misuse by companies, regardless of which country they happen to be from. “I think the way to get at this is let’s create legislation and standards that are trusted criteria for the way that TikTok and all companies collect, share, and retain data,” says Sacks. After Facebook’s Cambridge Analytica scandal, there was a new push for a federal data privacy law, but two years later any momentum on Capitol Hill appears to have stalled. Except for a few state laws, Americans’ privacy is largely in the hands of companies.
US officials have been vocal about not trusting China, and as a result they don’t trust TikTok. And when the biggest concerns are geopolitical, an app security audit or transparency report is unlikely to stop worried speculation. “The Communist Party itself doesn’t even know what they are going to do about TikTok in the future,” says Jeremy Goldkorn, editor-in-chief of SupChina and cofounder of the Sinica podcast. “We’re guessing.”
1 comment