TikTok is Using American Data for Espionage, and the U.S. Needs to Act Fast

May 7, 2023, 4:03 p.m.


Though TikTok is widely considered the most addictive social media app, it is lesser known as the most intelligent. Since its launch, the United States government as well as independent security researchers and officials have raised concerns about the ethics of ByteDance, the company that owns TikTok, and its connection to the Chinese Communist Party. 

More recently, however, U.S. authorities have become increasingly concerned as investigations reveal TikTok’s breach of security: unbeknownst to users, the company has access to private information through features of the application that allow it to collect data when users are logged out and entering confidential information into other websites. The question of how aggressively the U.S. should approach or limit ByteDance has created conflict, however, and efforts to pass legislation on the issue have stalled; some believe the threat to civilians is low and there is little that can be done, while others advocate for a complete ban of the app in the U.S. Despite this, it is considered by many to be a bipartisan issue, as officials on both sides of the political spectrum acknowledge the dangers of the app and the malintentions of its leadership. 

First released in China under the name Douyin, what is now known in the United States as TikTok was launched in 2016 and advertised as a video-sharing app. It quickly gained popularity, as it was and continues to be one of the only permitted forms of social media in China following the ban of Facebook in 2009 and Instagram in 2014 by the Chinese Communist Party (CCP). Douyin was created by ByteDance, a global technology company owned and operated by Yiming Zhang. ByteDance owns various internet platforms founded by Zhang including Kuxun, a travel and transportation search engine purchased by Trip Advisor, and 99fang, a real estate search portal.

What separated Douyin from other video sharing apps was its variety of content: no app had combined longer tutorials, educational videos, and vlogs, with shorter, 15-60 second lip syncing, comedic, and other miscellaneous videos. Douyin was able to retain users like never before, and, in August 2018, it expanded globally, taking on the name TikTok in English-speaking countries. Despite being an international organization, TikTok marked ByteDance’s first financial endeavor in the Western world, and its unique and unusual approval by the CCP suggests its interest in the U.S. to be greater than just financial. 

The CCP’s approval of TikTok implied that the app includes methods of censorship or espionage, making the Trump administration skeptical of its ethics immediately after TikTok’s launch in the U.S. In August 2020, after learning TikTok was collecting the cell phone location addresses of certain users, the Trump administration issued an executive order forcing ByteDance to either sell TikTok or separate it from ByteDance and turn the U.S. branch into a separate company within 90 days. In those intervening three months, however, ByteDance struck a deal with Oracle, a computer software company based in Silicon Valley, for the use of its servers to process American user data and prevent Chinese servers from having access to U.S. information. TikTok refused to surrender full ownership of its American data, however, saying it would maintain its use of Chinese servers for backup. TikTok maintained that it would eventually convert all U.S. storage to Oracle servers yet did not specify when the transfer would occur, suggesting TikTok wanted to maintain its access for surveillance purposes. 

After realizing that negotiating a transfer of ownership with TikTok’s U.S. base was nearly impossible, Ken Glueck, the Executive Vice President of Oracle, attempted to increase American presence in TikTok’s leadership as much as possible without requesting full control. He stated that Americans would hold four of the five seats on the board of TikTok Global, a U.S.-based company, and just over half of its shares would be held by Walmart, Oracle, and American investors and venture capital firms. While this deal seemed productive, the final seat unoccupied by an American would belong to Zhang. Since he is somewhat beholden to the CCP, his presence would likely undermine the purpose behind creating a majority American board. Although ByteDance as a company would no longer have ownership over TikTok Global, its independent investors, including Zhang, would maintain their shares and the control that comes with such an investment. And, while the deal allowed Oracle to survey TikTok’s updates and veto those it deemed dangerous, it did not give permission to alter or veto the app’s recommendation algorithm, one of its most intelligent yet invasive features.

The danger that TikTok’s U.S. data could pose, if in the wrong hands, is substantial. While many apps like Facebook and Instagram use in-app browsers to gather data that can generate auto-fill suggestions or prevent users from visiting sites that transfer malware, TikTok’s code is equipped with a feature able to track keystrokes, noting every character entered by the user. Unlike most apps, TikTok does not redirect users to Safari or Chrome when they visit external links advertised or included within an app. Instead, if a user clicks the link of a website from a clothes ad featured on TikTok, for example, all inputs, including the entry of any passwords for the site, billing information, and shipping information, occur within the app itself. Additionally, it can track the products a user browses to be able to better target the advertisements that appear on one’s feed. If TikTok wanted to, it could use the keystroke tracking feature to gather this information, seen as a “problematic” breach of privacy by Jane Manchun Wong, a security researcher and software developer based out of Hong Kong. Michael Beckerman, a TikTok official, denied this, of course, commenting that the app does not use the feature to track keystrokes but rather monitors typing patterns and frequency for user safety, protecting users from potential bugs or from visiting malicious websites. 

In addition to these tracking concerns, TikTok’s recommendation algorithm contains an advanced equation that notes the likes and comments left on a video, its soundtrack, caption, and hashtag and compares that with the user’s likes, comments, playtime, and number of plays to score each video and show more or fewer similar videos based on its score. Ben Smith, a journalist for the New York Times, noted that “Another screenshot shared with me indicates that its content moderators have access not just to videos posted publicly, but also to content sent to friends or uploaded to the system but not shared, a difference from apps like WhatsApp and Signal that provide end-to-end encryption.” 

The use of such a powerful algorithm can be malicious if used to shape users’ exposure to certain information, and TikTok has shown itself to consciously promote CCP ideals. The company has censored videos regarding working conditions in Xinjiang and the 1989 Tiananmen Square protests, an American user who posted a video critical of the treatment of Uyghurs in China, and German users who posted similar videos regarding the treatment of Uyghurs yet used phrases including “reeducation camp” and “labor camp” to describe their living conditions. TikTok replaced these phrases with asterisks to reduce audience concern and awareness of the crisis. The use of conscious censorship on subjects considered sensitive to the CCP implies a willingness to use more subtle methods to shape American users’ perceptions of domestic and international events in ways that benefit the CCP.

Chinese national security laws allow the CCP to secretly request data from both domestic and foreign firms operating in China, making it impossible to guarantee the security or privacy of American user information. The CCP abuses these laws to collect “sensitive intellectual property, proprietary commercial secrets, and personal data.” While TikTok has long claimed that user data collected within the U.S. is not shared with foreign parties, BuzzFeed reported in June of 2022 that ByteDance employees have access to private data including phone numbers and birthdays of U.S. users, which TikTok admitted a month later. Finally, in October, Forbes revealed that ByteDance plans to use the app to track the location of certain U.S. citizens. Lawmakers predicted this, for they previously stated TikTok can track the location of its users and gather browsing history from users visiting websites with which it has no affiliation. They caution that the Beijing government may be able to develop profiles on American citizens and use these to launch personalized blackmail or spying initiatives in the future. They also caution that such tracking technology could be used to gather national security information from U.S. government employees.

Oracle is not the only organization that has attempted to limit ByteDance’s influence. In 2020, the Committee on Foreign Investment in the U.S. (CFIUS), ordered ByteDance to divest from TikTok and, shortly after, the Trump administration attempted to enforce a complete ban of the app in the U.S. These orders faced challenges in court, however, and were dropped when Biden entered office. The Biden administration promised to monitor the situation, but felt that a ban was implausible and an overreaction to the seriousness of the threat. Currently, the FBI Foreign Investment Unit has become involved in CFIUS investigations to address “not only data security, but also governance, content moderation, [and] algorithmic transparency.” In October 2022, the Senate Intelligence Committee Chairman, Democrat Mark Warner, publicly agreed with Trump’s approach, saying he has been waiting for President Biden to take action on the issue but is growing increasingly fearful and impatient with his passivity. 

Over the past two months, however, the Biden administration’s sense of urgency regarding the seriousness of the threat has increased dramatically. On March 1, a House committee voted to advance legislation that permits the federal government to ban TikTok from all U.S. devices, not only federal government devices. On March 23, Shou Chew, TikTok’s chief executive, was questioned by the House Energy and Commerce Committee for five hours concerning the extent of TikTok’s communication and transfer of information with ByteDance. Since this action on the federal level, Montana has become the first state to ban TikTok altogether, though how strictly the law can and will be enforced is yet to be determined. 

Banning the app on personal devices has raised First Amendment concerns, however, as some consider it an abuse of the government’s right to regulate media consumption and personal possessions. It opens the door to a slippery slope of what the government should have access to with respect to citizens’ digital footprints, especially because many use the app for leisure and harmless entertainment. Whether enforcing this vote is akin to unwarranted search and seizure or arbitrary restrictions on speech and expression is debated. Many public universities have banned the app, too, and students are unable to access the application when using school Wi-Fi. This is easy to get around, however, for students can switch to cellular data if they wish to continue accessing the app on campus. TikTok has commented on such recent restrictions, stating that American lawmakers are censoring citizens and the attention the app has received in recent American news is unnecessary.

Now that TikTok security concerns have grown and been recognized as a bipartisan issue, many fear that divestment alone is not an aggressive enough approach. Because TikTok is worth hundreds of billions of dollars, it would be extremely unlikely that any company or individual would have the means to purchase the app. The Treasury Department fears divestment because the order could face antitrust challenges similar to those the Trump administration encountered when attempting to mandate the U.S. version of TikTok be sold. For these reasons, the Department suggested the issue’s management be left to the Biden administration. Brendan Carr, the Federal Communications Commissioner, encouraged a full ban of the app. In November, this was introduced into legislation by Marco Rubio and Mike Gallagher, who proposed a ban not only on TikTok, but also on other social media companies owned by the CCP and used in the U.S. 

Though the Department of Treasury is against divestment, it supports initiating a compromise with TikTok. ByteDance would maintain nominal ownership of the app, as the Treasury recognizes the impracticality of requesting ByteDance give up all access to U.S. operations, yet TikTok would be led under a new subsidiary free of affiliation with the CCP, and it would establish an independent board of national security professionals. While this approach may seem productive, FBI Director Christopher Wray feels it is not aggressive enough: even with nominal influence, the CCP can continue to gather American data and influence U.S. users. He believes the only way to protect U.S. information is through complete separation of TikTok from ByteDance. 

As of December, five states banned TikTok from government phones and the Senate passed unanimous legislation prohibiting TikTok on federal devices. The intelligence community as well as multiple national security agencies including the Department of Defense and Department of Justice have encouraged CFIUS to order ByteDance sell its U.S. TikTok operations. They suggest it be sold to either a domestic company, a company located in a U.S.-allied country, or an individual. The CFIUS review stated that if there continues to be disagreement over which course of action to pursue, the most likely outcome would be an order forcing ByteDance to divest from the app in the U.S. The Biden administration has the ability to override this, however, and veto the order. Brooke Oberwetter, the Head of Policy and Communications for TikTok, agrees that such aggressive approaches should be avoided, claiming they are unnecessary: “The solution under consideration by CFIUS is a comprehensive package of measures with layers of government and independent oversight to address concerns about TikTok content recommendation and access to U.S. user data — measures well beyond what any peer company is doing today” and that “[f]urther measures are unnecessary and punitive; they send a chilling message to foreign tech companies wishing to do business in the U.S. and deliver globally interoperable experiences to compete alongside other global platforms.”

Either divestment or new, domestic or U.S.-allied ownership of the TikTok branch is both the most plausible and effective approach the U.S. could pursue to protect its users. This is true for two reasons: the lack of national security laws under the CCP, and ByteDance’s ability to gather information about American users even after Oracle restricted their access to servers. It has been proven by multiple investigations and reports by American journalists that as long as ByteDance has any amount of access to the servers through which user information is processed, TikTok’s advanced code can detect location and personal information, even when users have restricted location settings or are logged out of the app. A complete ban of the app is implausible: U.S. antitrust law would never permit such a harsh, monopolizing action and, aside from that, Americans are simply too invested in both the app’s entertainment and lucrative potential. TikTok’s threat is increasingly pressing, and simply monitoring the situation as practiced by the Biden administration is irresponsible, as users are interacting with the app, unaware of its breach of their privacy. Officials must realize that any progress is better than no progress. If leaders continue to stall passing domestic security legislation due to an inability to agree on the level of aggressiveness with which to treat the matter, users will continue to remain vulnerable.

The image used in this article is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported license. The original image was authored by Solen Feyissa and can be found here.

Ally Alvarez

