Recent news reports indicate that Washington is shelving a proposed deal to let Oracle and Walmart purchase the U.S. operations of Chinese social media giant TikTok, while President Joe Biden decides how to deal with China more broadly on technology competition and cybersecurity.
This is a positive development, indicating that the new administration understands this decision is about more than dance videos or even misguided economic protectionism.
TikTok had been banned from operating in the United States because of American data security concerns. The Trump administration worried that the data gleaned from U.S. users would be made available to the Chinese Communist Party (CCP), allowing them to track or otherwise threaten U.S. citizens and interests.
Most importantly, because the CCP exercises decisive influence over Chinese businesses and often employs them as an extension of the state’s law enforcement and intelligence apparatus, underlying concerns about TikTok’s relationship with the CCP apply to virtually every other Chinese company—of which there are more than 280 on the U.S. Stock Exchange. The implications of this decision, therefore, will be wide-ranging if the United States intends to be consistent. For a viable, coherent policy, decision-makers need to understand how the CCP—and those under its control—manipulate language to hide their intentions, capabilities, and actions.
Like other Chinese businesses, such as telecommunications companies ZTE and Huawei and drone maker DJI, TikTok has defended its data security practices and asserted the independence of its operations from the CCP.
Their first assurance is some version of, “Why would anyone want our data?” or “There are much better sources of critical data than our platform.”
This is not a denial or a rebuttal of data security concerns. It is a dodge, predicated on the notion that every source of data must be comprehensive to be valuable. That is not true.
For two decades, at least, Beijing’s general posture on digital espionage has been to gather any and all data it can with the understanding that it will figure out how it wants to use that data later. At one point this approach was known as the “thousand grains of sand” strategy—a method that collects and arranges large volumes of disparate information into a comprehensive mosaic of intelligence and insight.
TikTok’s assurance also downplays the vast troves of data collected by mobile applications. For example, TikTok does not just collect the user-generated content posted to its platform. Its Terms of Service explain that the company gathers its users’ online history, contacts, and even “keystroke patterns and rhythms.”
The combination of your online viewing history and your “keystroke patterns,” for example, could potentially allow others to discern passwords or even reconstruct the content of emails or texts.
Assurance number two is “Any U.S. data we collect stay in the United States with backups in X country (often Singapore).” This assurance hides two key realities.
First, it employs a narrow definition of “U.S. data” that often only includes explicitly personally identifiable information like a user’s name, address, phone number, or date of birth. It ignores the troves of so-called “anonymized data” that are shared and that can be easily used to reconstruct a person’s identity.
For example, a threat actor will not need your personally identifiable information to learn your name, address, place of work, etc. if they have your “anonymized” locational history. They can know all of these things, and more, by observing your online behavior: where you regularly visit, at what times, and for how long—correlating the information with widely available open-source information.
The second reality this assurance hides is how Chinese connectivity to your data—regardless of where the data are stored—is hardwired into the operation of these services.
The vast majority of development and maintenance of apps like TikTok is handled by engineers in China who require a steady stream of user data to keep apps running, build new experiences, and monetize content. This stream of data is predicated on some sort of digital “connection” between the platform, its U.S. users, and China-based engineers—otherwise security vulnerabilities could not be patched and new features could not be deployed.
This means that, even if U.S. user data were not formally transmitted to China, they could still be available to the Chinese. At the very least, this type of “digital doorway” would allow data to be accessed if the Chinese were so inclined.
The third and final assurance goes something like this: “The Chinese government has never asked us for U.S. user information and, if they did, we would say, ‘no.’”
This is another dodge.
China’s 2015 National Security Law requires all networks within the country’s borders—including those of TikTok’s parent company, ByteDance—to be “secure and controllable.” Subsequent legislation and government enforcement make clear that means these networks must be completely available to the CCP and its state intelligence and law enforcement entities. Early last year, Beijing enacted further requirements that made it illegal for any company in China to use encryption or other data security technologies that would deny the state access to information.
The CCP also understands all of these laws to apply extraterritorially to all Chinese companies and their subsidiaries, no matter their locations. Put simply, the Chinese government may not have to “ask” for this data because it already has access to it by law. TikTok and other companies may protest the government’s acquisition of this information, but there is no reason to believe such protests would actually prevent it.
In sum, the various data security assurances from TikTok and other Chinese companies are demonstrably suspect. To find a safe path forward, Americans need a clear-eyed understanding of them.
Klon Kitchen (@klonkitchen) is a resident fellow at the American Enterprise Institute. He is also the former national security adviser to Senator Ben Sasse and a 15-year veteran of the U.S. intelligence community.