Over a matter of days, TikTok has become the scariest social network in the world. On July 7th, US Secretary of State Mike Pompeo told Fox News that the White House was considering banning the app, a move so unprecedented that it’s hard to know what government action was even being threatened. India has already taken a similar measure, and on Friday, an email went out telling Amazon employees that they should uninstall the app from their company phones — although higher-ups later said it had been sent in error. Over the weekend, Wells Fargo issued a similar order and stuck with it, and both major political parties have told their operatives to steer clear of the app.
It’s the kind of avalanche of concerns you would expect from a privacy failure on the scale of Cambridge Analytica or the Yahoo breach — but it’s remarkably hard to pin down what TikTok has actually done to lose America’s trust. The most recent scandal came when TikTok was caught eavesdropping on users’ clipboard data, which was suddenly visible due to a new privacy feature in iOS 14. But more than 50 other apps were caught doing the same thing, including LinkedIn, PUBG Mobile, and the official reader app for The New York Times, a transgression that’s largely been ignored.
If TikTok is different, it’s because of China. Although TikTok is operated from within the US, it’s owned by the China-based ByteDance, and much of the anxiety comes from uncertainty over exactly how much control ByteDance has over TikTok’s daily operations. Like Huawei before it, TikTok has become an avatar of US anxieties over Chinese espionage, spurred on by decades of increasingly aggressive hacking and intellectual property theft. Those concerns mean that many users will simply never accept a China-backed social network on US phones. So while the last week’s defections might look like the standard privacy scandal, they’re part of something much thornier and harder to solve, with scarier implications for the internet at large.
In terms of individual data collection, it’s not clear TikTok is doing anything out of the ordinary. The app does collect a lot of data, and a lot of it for no clear purpose, whether that’s keystroke data, background location, or other apps installed on your phone. But that kind of data collection is depressingly common, and security researchers have struggled to show that TikTok is doing anything outside the norm. When CNET talked to security researchers about TikTok permissions in the wake of the scandal last week, they found mostly shrugs.
(For its part, TikTok emphasized its basis in the US when reached for comment. “TikTok is led by an American CEO, with hundreds of employees and key leaders across safety, security, product, and public policy here in the US,” the company said. “We have never provided user data to the Chinese government, nor would we do so if asked.”)
But even if TikTok isn’t doing anything different, it could be riskier simply because of its political ties to Beijing. The Chinese internet is heavily censored and surveilled, and any social network with Chinese ties carries the risk of exporting that censorship and surveillance into other countries. This happens quite tangibly with TikTok’s Chinese sister app Douyin, which regularly shuts down broadcasts in mid-stream if moderators detect an unauthorized foreign face or a violation of the platform’s modesty rules. Even if TikTok had a perfect privacy record, there are structural reasons to be worried about phones and user data, as Lawfare detailed in April.
For experts, the concern is less about mass data collection and more about targeted operations that are harder to detect. Because TikTok maintains the standard level of invasive app access, the Chinese intelligence services could potentially use it as a portal to surveil specific users or gather compromising information. The FBI has already raised the alarm about Chinese spies stealing US trade secrets, so that same access is even scarier for Amazon or Wells Fargo, which might plausibly have proprietary tech that China wants to steal. As long as the Chinese government can put pressure on TikTok through its ownership, there will be ways to snoop on users without raising alarms. That makes it hard for high-risk users to feel entirely safe, no matter what the app does.
Anxiety over foreign interference has reared its head before. As recently as April, Zoom was caught rerouting external video calls through China, a behavior far more serious than anything we’ve seen from TikTok. Equifax lost data from more than 100 million people (possibly working for Russia, depending on who you believe), which is certainly more information than TikTok has ever had access to. But there’s something about TikTok’s ownership entanglement that makes it harder to forgive. Even if Zoom was careless or Equifax was outmatched, there’s a belief that they’re still fighting on the right side. But political pressure can’t be fixed with security audits. If you believe TikTok is collaborating with Chinese intelligence services, there’s simply nothing the company can do to reassure you.
That leaves the US employees of TikTok in a difficult place. For years, the company has been insisting that it operates independently of its Chinese owners, and even now, there’s no public evidence that contradicts them. They can take on security audits and try to build up trust, but they can’t stop being owned by ByteDance, and every scandal scares off more users and advertisers.
The cleanest permanent fix would be severing the US-based TikTok from its Chinese parent ByteDance, and there’s an easy way for Washington to make that happen. Last week, my colleague Adi Robertson described the regulatory mechanism for this: the Committee on Foreign Investment in the United States, which could legally sever TikTok from its Chinese parent. (It forced a Chinese company to divest from Grindr last year on similar grounds.) It would be a heavy-handed remedy, but if you see Chinese ownership of a major US social network as a problem, it’s the only plausible answer. But short of that, it’s not clear how much independent groups like Amazon or the Democratic National Convention can accomplish by warning employees away from the app.
But if that kind of corporate amputation is really necessary, it would have implications much larger than TikTok. WeChat is mostly used in China, but it has more than a million users in the US, many of them immigrants hoping to communicate with relatives in China. WeChat regularly surveils users outside the US and censors sensitive topics, as detailed in a Citizen Lab report in May. PUBG Mobile is made by Tencent, the same Chinese software giant that makes WeChat. Should we crack down on the app, now that the PUBG Mobile app been caught snooping on users’ data? Solving the industry-wide problem would mean peeling American users away from Chinese apps one by one and cutting off companies from Chinese investment just as the US economy is faltering.
Beyond that, it’s not clear what the American tech industry looks like without China. One by one, every major internet platform has tried to reach Chinese users and failed, finding that there was simply no way to operate behind the Great Firewall without making compromises that would be unacceptable to American users. Instead of Twitter and WhatsApp, China has Weibo and WeChat. Every year, there is less space where the two overlap. This is how the global internet splinters, one program and system at a time, pulling different countries’ networks further and further apart. That splintering isn’t inevitable, but apps like TikTok show how hard it is to resist the basic logic of it — and how difficult it is for products that get caught in the middle.