The video-sharing social network is a danger to personal privacy and national security.

If you know anyone under the age of 30 (or are in that group yourself), you may have heard of the most popular app in America’s youth culture – TikTok. The short-video creation and sharing app has rapidly become one of the most downloaded apps in the world, surpassing 2 billion downloads as of April 2020. Its growth has accelerated since the beginning of the year, especially taking off among teens stuck at home during the lockdowns due to the coronavirus pandemic. The app’s users are predominately young, with over 63% of users falling between the ages of 10 and 29 and 37% of the app’s US user base being categorized as ‘adolescent’. If you’ve heard about TikTok recently, it is likely either because you have seen some of the viral challenges or dances that have been going around the internet or you have read the breathless coverage surrounding the possibility that the Trump administration may ban the app in the US. I am no fan of the Trump administration, but in this case, I believe that they are fully justified in banning TikTok outright.

What reason could anyone have for banning a simple video sharing app loved by millions of American kids? There are quite a few actually, including the fact that the app has been a haven for child pornographers and sexual predators over the past few years. In its current iteration and during its previous life as the app Musical.ly, TikTok has dealt with continual complaints of sexual harassment, grooming, and stalking targeting underage girls. The app’s interface incentivizes much of this behavior by learning what a user likes and pushing more of these videos to their feed; in this case, an older man looking for videos of underage girls and ‘liking’ or interacting with them would be algorithmically pushed more of these videos over time. Other apps and online services have similar algorithms, but have been far more effective at limiting or eliminating the specific problem mentioned. More recently, a variety of cases have resulted in child pornographers and other sexual predators being convicted for actions taken on TikTok. The app has also had serious issues with respect to child privacy, as it was fined a record $5.7 million by the US government in 2019 for willful violations of the Children’s Online Privacy Protection Act (COPPA). The federal government found that:

User accounts were public by default, which meant that a child’s profile bio, username, picture, and videos could be seen by other users. While the site allowed users to change their default setting from public to private so that only approved users could follow them, users’ profile pictures and bios remained public, and users could still send them direct messages, according to the complaint. In fact, as the complaint notes, there have been public reports of adults trying to contact children via the Musical.ly app.

This is obviously a major concern for parents and their children or teens who are using the app regularly for both video sharing and social networking. But as awful as this issue is, it pales in comparison to the enormous amount of personal data which TikTok collects on its users of all ages. Most apps collect significant user data and monetize it so as to allow the ‘free’ download of its product to users, but TikTok collects a far larger – and more sensitive – amount of data than do its competitors. According to a report by the American cybersecurity firm Penetrum, “data harvesting, tracking, fingerprinting, and user information occurs throughout the entire application,” and the app vacuums up such private data as the phone’s IMEI number (a phone-specific serial number), the current operating system version, and even SMS text message logs. Penetrum states that the app “creates an extremely realistic and graphic fingerprint of your phone which can be used to determine everything you have installed.” A Reddit user in the app security field reverse-engineered the app and found similar evidence as did Penetrum; the user called TikTok “a data collection service that is thinly-veiled as a social network,” and claimed that the app harvested a colossal amount of location data on its users (location pings every 30 seconds). The app itself purposefully obfuscates its data collection by using a custom coding language, allows for remote configurations of the app (changes can be pushed to users rapidly without confirmation), and even includes some code which could surreptitiously open and execute files on a user’s device.

Besides these serious issues with data collection and privacy, TikTok is, in the words of Penetrum, “a massive security flaw waiting to happen”. The app uses insecure cryptographic practices, may allow users to execute commands within the app that are normally reserved for developers, and unsafely stores user tokens and private information. All of this makes the app very susceptible to hacking and data theft – and the nature of its access to all of a user’s phone data increases the damage that could be done through any hack. Earlier this year, cybersecurity firm Check Point found a number of significant security flaws in the app, including one that would allow hackers to send – purportedly on behalf of TikTok – messages to any user with links which could allow the hacker to take control of the user’s phone. Another example of the company’s inability to properly secure its product is the fact that the app was, for quite some time, not using HTTPS to secure user data – this is basic-level cybersecurity that every app developer understands. The poor security allowed leaks of user email addresses, birthdays, and other personal information. Some counter this information about data privacy and security by bringing up the data collection of other popular apps, from Facebook to Snapchat, but this argument both ignores the serious, documented issues with TikTok’s cybersecurity and completely misses the biggest issue with respect to TikTok – its Chinese ownership.

---

The screenshot above (since deleted) was posted in defense of TikTok by the New York Times’s full-time internet culture reporter, Taylor Lorenz. [Sidebar: Lorenz writes almost entirely about TikTok, yet somehow completely misses the major story with the app – its security and privacy concerns as they relate to its Chinese connections. But I guess memes and influencers are more fun to cover for my fellow millennial than Chinese internet censorship and personal data mining. C’est la vie.] This argument, echoed by numerous publications including the Washington Post, has a number of defects, including the creation of numerous false equivalencies and the incuriousness with which it treats the app’s relation to China.

Before delving into the details of China’s malign influence over TikTok, I need to address the bad-faith accusations of xenophobia hurled at anyone who pushes against the Chinese government, companies, or system. It is not at all xenophobic to be concerned about the actions of our biggest geopolitical enemy, especially when it relates to American security. It is naïve and ignorant to believe that anti-Chinese Communist Party (CCP) sentiment is xenophobic and irrational. The vast majority of us who are deeply antagonistic to the Chinese government have no problem with the Chinese people and fervently hope that they will one day have a more democratic and liberal government that safeguards their natural rights. (Personally, I’m gung-ho about the idea of enticing as many Hong Kong residents as possible to immigrate to the US, where they could continue their anti-CCP activism and contribute greatly to our economy and civil society.) But we are in a new Cold War, whether we like it or not, and we should treat all activity of the CCP as suspicious by default given their long history with data theft, human rights violations, systematic repression, and cultural genocide. It is no longer possible, intelligent, or reasonable to give the Chinese government and its proxies the benefit of the doubt. This piece is not meant to advocate for a new strategy towards China (more on that in a few weeks), only to showcase the problems inherent in TikTok and other apps of its ilk. Still, all Americans must understand that we are engaged in a geopolitical and civilizational struggle the likes of which we have not seen since at least the fall of the Soviet Union (and I feel that the CCP is likely going to be a much larger and more dangerous rival than was the USSR).

Now for the more specific arguments. Let’s start with one of the most commonplace contentions made by TikTok defenders: that it does not collect more information or treat that data any differently than do Facebook or other American tech companies. This is fairly easily disproven by the studies that I discussed above; TikTok does indeed collect a vast amount of data on its users and has had exceptionally poor safeguards surrounding that data. The app’s target audience of young people makes this data collection and arrogation far more concerning. TikTok has, as mentioned above, paid record fines for data privacy issues and has had frequent problems with enforcing the age limits on its app. But as the argument goes, who cares about this information given all of the private data that is already circulating the internet? What makes TikTok worse than Facebook?

The answer, dear reader, is the Chinese connection. TikTok is a wholly owned subsidiary of China’s biggest start-up tech success, ByteDance, a company which has received significant loans and funding from the Bank of China (itself having deep government ties). Although TikTok is not available in China, its sister app Douyin is a clone limited to the Chinese market. So why does this matter, particularly when TikTok management has said that none of its data is stored in or transmitted to China? Well, it matters because they are lying. A lawsuit filed in California by a college student alleges that TikTok has secretly “vacuumed up and transferred to servers in China vast quantities of private and personally-identifiable user data,” as well as creating a data dossier on the student, who downloaded the TikTok app but never created an account. This clandestine monitoring, along with the allegation that the app transfers data to China, is very troubling. In fact, ByteDance is currently under investigation by the Committee on Foreign Investment in the United States (CFIUS), a governmental organization that reviews foreign business transactions in the US for security issues regarding these sorts of charges. Independent inquiries by cybersecurity firms, including one by the aforementioned Penetrum, found evidence of significant Chinese ties with respect to data management. Penetrum claims that over 37% of IP addresses linked to TikTok are stationed inside of China and under the auspices of the mega-conglomerate Alibaba Group (recall that TikTok supposedly does not operate in China). Not only does this bring up huge data concerns, as Alibaba was recently the victim of an immense hacking scandal, but it brings up the major issue tied to Chinese data security: the ‘legal’ regime and state control of the economy.

Those who equate the privacy concerns surrounding Facebook and TikTok lack understanding of the Chinese economic and governmental systems. Although many commentators claim that China is a capitalist or free market system, it most decidedly is not. China has myriad state-owned enterprises and many sectors are entirely controlled by the government. It does not have what we in the West take for granted – the rule of law. Chinese government decisions are often arbitrary, capricious, and outrageous; thousands of dissidents have been disappeared and millions of Uighur Muslims are currently languishing in concentration camps in the far northwest of China. Even for companies which it does not own a stake in, Chinese government interference is commonplace. The screenshot shown above quotes a statistic saying that Facebook “fulfilled more than 51,000 law enforcement requests for data in 2019”; this does not prove the point that its author claims. In effect, it proves almost exactly the opposite. The statistic was included to show how American companies give data to the government all of the time, but really it shows that there is a choice in the matter for American businesses that does not exist for those located in China. You may recall the example of Apple denying US government subpoenas to unlock the iPhone of the terrorist who murdered over a dozen people in San Bernardino, California in 2015. Apple refused to unlock this phone, fought the order in court, and eventually was let off as the FBI found another way into the phone. In China, government data access is considered the norm and not the exception; indeed, a Chinese firm resisting government pressure to hand over data is almost unheard of. The Chinese government has promulgated a variety of national security and cybersecurity laws which give them unfettered access to “the massive amounts of raw data transmitted across Chinese networks and housed on servers in China.” But what about foreign companies or those, like TikTok, that claim independence from the CCP? A passage from the China Law Blog is worth quoting in full here:

This system will apply to foreign owned companies in China on the same basis as to all Chinese persons, entities or individuals. No information contained on any server located within China will be exempted from this full coverage program. No communication from or to China will be exempted. There will be no secrets. No VPNs. No private or encrypted messages. No anonymous online accounts. No trade secrets. No confidential data. Any and all data will be available and open to the Chinese government. Since the Chinese government is the shareholder in all SOEs and is now exercising de facto control over China’s major private companies as well, all of this information will then be available to those SOEs and Chinese companies. See e.g. China to place government officials inside 100 private companies, including Alibaba. All this information will be available to the Chinese military and military research institutes.

The laws show clearly that the Chinese government is not interested in asking for data it requires; it is instead relying on its total control of Chinese networks and communications to simply take whatever data it deems necessary without even notifying the user or business from which the data was harvested. US Senators Tom Cotton (R – AR) and Chuck Schumer (D – NY) wrote a letter to the US Director of National Intelligence claiming that it does not matter whether TikTok “does not operate in China and stores U.S. user data in the U.S., [as] ByteDance is still required to adhere to the laws of China.” The Chinese legal regime is also important when it comes to that nation’s history of vast internet censorship. China (in)famously has the so-called ‘Great Firewall’, which separates its internal internet from the general internet which we all browse freely and take for granted. China plainly does not have a free and open internet, which is entirely by design. According to a report by the nonprofit Freedom House, China is “the worst abuser of internet freedom in the world,” and has been credibly accused of censoring content on TikTok itself. Investigations by journalists and governmental organizations have found that TikTok censored “videos that mentioned topics such as the Tiananmen Square protests, the Tibetan independence, the religious group Falun Gong, and many others—in short, any topic considered sensitive by the Chinese government.” Control of data and information is a large part of the CCP’s global strategy and can be weaponized against its enemies. According to an analyst at the Australian Strategic Policy Institute, “the [Communist] Party of China collects bulk data overseas and then uses it to help with things that relate to state security like propaganda and identifying public sentiment to understand how people feel about a particular issue… It’s about controlling the media environment globally. Once you have control, you can use it to influence and shape the conversation.” Anyone who was concerned about Russian election manipulation through social media carried out during the 2016 election should be markedly more worried about the real, documented uses of Chinese-owned social media and technology to forward CCP ideology and propaganda, influence Western politics, and silence dissenting voices.

Not only does the Chinese government abuse communications technology to forward its global censorship regime, it has a mammoth appetite for private data, especially that of Westerners and Americans in particular, and surveillance on TikTok and other Chinese platforms satiates only part of this hunger. The Chinese government, military, or government-linked nationals have been responsible for significant hacking attacks meant to steal the sensitive personal data of millions of Americans. These state-based actors were responsible for the Obama-era hack of the government Office of Personnel Management which gained them access to private and restricted information on millions of federal employees, the hack of Marriott and Starwood Hotels which stole the information of over 500 million customers, and the recent hack of Equifax, the US credit-monitoring agency which collects detailed personal financial information on American citizens. This stolen information, which includes social security numbers, financial data, addresses, and US government security clearance forms, is being used to create detailed and accurate psychographic profiles on Americans who are in places of power in government, military, academia, technology, and business. These profiles have allowed the CCP to target Americans who may be vulnerable to offers of money for stolen technology, intellectual property, or national secrets. This is happening right now and several Chinese nationals and American citizens have been arrested and charged with theft of important secrets, including a recent arrest of a prominent Harvard scientist and some of his Chinese-national graduate students. This data theft is obviously a major threat to American national security, but what does it have to do with a video-sharing social network predominately populated by teenagers?

---

When all of the evidence provided to this point is aggregated and examined as a whole, the picture becomes much clearer. TikTok collects an abnormal amount of personal user data and receives several phone permissions which allow it to scrape nearly all of a user’s non-app data as well as execute commands on the phone itself (like recording video or audio). This data is stored in Chinese servers which are accessible on demand by the Chinese security services. The Chinese government has an extremely long-term view of global politics compared to Westerners, especially us Americans who are infamously impatient. The collection of sensitive data on America’s youth via TikTok, combined with the previous (and ongoing) theft of personal information from their families, will allow the CCP to create an infinitely detailed personal record on nearly every future US CEO, government employee, military officer, scientist, professor, and journalist. After all, America’s youth will one day become our leaders; indeed, the Chinese government is relying on that. More subtly, the Chinese censorship regime and government control over data and internal processes at many of China’s most prominent businesses allows the CCP to exert undue control over the political discussions of foreign countries. It can shape the conversation, disallow certain perspectives, and push blatant misinformation designed to prop up Chinese interests. If a few hundred thousand dollars’ worth of Facebook ads were enough to launch a multiyear investigation into Russian electoral influence, what should Chinese Communist Party control over America’s most newly popular social network launch?