TikTok: Hate the Game, Not the Player
How Strategic and Regulatory Confusion Around TikTok Prevent an Effective National Security Response
TikTok: Hate the Game, Not the Player
BANNER: Smartphone with the app from TikTok on the flags of the USA and China. (Source: Reuters)
Executive Summary
TikTok’s meteoric rise and Chinese ownership have raised alarms in Washington, with bipartisan fears that Beijing could leverage the app to undermine US national security. Focusing exclusively on TikTok, however, risks overlooking broader security vulnerabilities in the US information ecosystem, and thus undermining the most impactful policy solutions. Those with concerns about TikTok often focus primarily on its foreign—and specifically Chinese—ownership and related questions about data privacy, algorithmic manipulation, foreign interference or narrative influence, and child protection risks. This paper focuses on the national security angle—namely, the first three issues. At the heart of each is an additional question of transparency; or, put more simply, how would we even know if the Chinese state was using TikTok to engage systematically in these activities.
To weigh what kind of national security risk TikTok presents, this paper examines how unique the platform’s operations are as compared to other social media companies headquartered both in the United States and abroad. We also examine ways the Chinese government might achieve similar impact through means other than TikTok. This frame is particularly important as many of the concerns articulated about TikTok are indicative of broader security vulnerabilities in the US information ecosystem.
The report proceeds as follows. We (1) outline the risks that have been identified in the national security community with regard to TikTok; (2) assess these risks in the context of the broader information ecosystem; (3) outline and assess US government actions, both potential and already taken, targeting TikTok; and (4) highlight gaps in the US approach and tools available to address risks illuminated through the TikTok case.
Our study found that, while foreign ownership of a company is not a national security threat in and of itself, the Chinese government’s legal and extra-legal ability to compel China-headquartered companies to comply with government requests, including access to user data or changes to the platform’s product, is unique. The country’s 2017 National Intelligence Law gives the government broad remit to require companies and staff to “provid[e] assistance” to intelligence agencies and to punish those who do not comply.
The study also found that, while TikTok’s collection of data on Americans is on the higher end compared to other social media platforms, it is not outside of the bounds of common practice for the majority of them, including those headquartered in the United States. While this does mean that TikTok presents an attractive potential source of data on Americans, it is both legal and pales in comparison to the data the Chinese government already accesses through hacking and can legally purchase through US-based data brokers (which includes troves of information collected through social media and credit card companies, consumer loyalty programs, mobile phone providers, health tech services, and more). The lack of a federal privacy or data protection standard makes these practices lucrative and perfectly legal. They also present a serious national security vulnerability for the United States.
Some of the concerns articulated about TikTok’s collection of data pertain to the Chinese government’s ability to use that data to hone influence campaigns conducted on the platform.
Our study found that state-linked actors have conducted such campaigns on TikTok, and that the information gleaned from TikTok could be useful in crafting more effective campaigns on the platform and elsewhere. TikTok’s particularly young audience also presents unique risks. However, TikTok is not a singular vector for these kinds of efforts, nor an effective means for influence campaigns in isolation. Chinese President Xi Jinping has emphasized the need for China to gain “discourse power” by using multiple social media platforms to shape public opinion in the United States and around the world, including through Western social media platforms. The Digital Forensic Research Lab has seen documented cases of this strategy in action throughout the world, with both Facebook and X (formerly Twitter) used in far more and more widespread Chinese Communist Party (CCP) influence operations than on TikTok. While the ability of the Chinese state—or any foreign government—to conduct these operations is real and concerning, they would occur whether TikTok existed or not. Likewise, the most effective remedies for mitigating these risks lie beyond whether TikTok operates in the United States.
Our study found that part of what makes it difficult to assess the severity of risk posed by TikTok is the lack of ability to know whether the Chinese government is exerting any sort of unique control over the platform and its employees. The United States has very few, if any, transparency requirements for tech companies that operate or are headquartered in the country. This means no company is required to provide insight on how their algorithm drives what users see, what data is collected and then used to do, content moderation actions taken and why, and more. The lack of such standardized information to regulators, independent researchers, or the public means there is a significant asymmetry in what a platform knows about its operations and everyone else. Countries like China can leverage that asymmetry both to direct action through TikTok and to obfuscate its action on other platforms.
Our study also surveyed the US government responses to TikTok at the time of writing. Starting with the administration of previous US President Donald Trump and carried through that of current President Joe Biden, the US government has taken various steps against TikTok, including trying to outright ban it—with President Trump issuing executive orders that (1) prohibit the platform from operating in the United States, pursuant to the International Emergency Economic Powers Act (IEEPA); and (2) force TikTok’s parent, ByteDance, to reverse its 2017 acquisition of Musical.ly, which resulted in the creation of TikTok, based on the findings of a national security investigation by the Committee on Foreign Investment in the United States (CFIUS). Both Trump efforts were stymied in the courts, with the IEEPA order outright blocked by two federal district judges and the CFIUS divestment order held in abeyance pending negotiations between the government and ByteDance aiming to mitigate security concerns. The Biden Administration rescinded the IEEPA order but has continued to press both the CFIUS investigation and the negotiations with ByteDance. In the meantime, the US government and many individual state governments have also prohibited the use of TikTok on government devices, and the US Congress has floated a number of bills intended to do everything from restricting the use of TikTok specifically to creating new authorities for the executive branch to do so unilaterally. One state—Montana—has attempted to ban the app outright, but this action was blocked in November 2023 on constitutional grounds by a federal district court.
To date, TikTok is still operational and wildly popular in the United States and around the world. Our survey found that existing government tools are limited in their effectiveness and poorly matched to the digital age. The array of actions mentioned above met various roadblocks, ranging from the political and economic, to the legal, geopolitical, and practical.
Aside from its widespread use, TikTok provides a source of income for millions of Americans and small businesses. Banning the app would likely directly impact the livelihoods of those people and create political consequences for those seen as responsible for such an action. Legally, efforts to block TikTok have met challenges relating to the president’s statutory authority to ban an app without further authorization by the US Congress, broader First Amendment and other constitutional protections, and questions surrounding how far US states can go in regulating the internet. The Supreme Court will further rule in several cases during its 2023-2024 term on the constitutionality of government efforts to interfere with or otherwise influence content moderation decisions made by social media platforms, and what platforms can choose to moderate. Those decisions will impact US government responses to TikTok as well.
Practically speaking, a ban on TikTok would be difficult to implement and would require the US government to either criminalize the distribution or use of the app; each approach coming with its own complexity. Moreover, if President Biden was to ban TikTok pursuant to a CFIUS divestment order, the US government would not even be able to communicate publicly about all the evidence that led to such a determination, given the laws protecting the proprietary information ByteDance submitted to CFIUS from disclosure, as well as the president’s likely reliance on highly classified intelligence in reaching his decision. That means the rationale behind the decision would likely be opaque, and there would be no public precedent or legal opinion to refer to in future cases. No doubt, authoritarian countries would certainly point to such a decision to justify their own banning of apps like Facebook, X, or political opposition tools. Geopolitically, if not carefully managed, such a move could unintentionally feed into China’s overarching strategy of goading powerhouses like the United States and Europe into abandoning their longstanding commitments to a “free open, secure, and interoperable internet.”
Notably, even if all of these barriers and concerns were to be addressed, an outright ban on TikTok would not restrict the Chinese government’s (or other adversaries’) ability to access significant and sensitive data on Americans, including security personnel and elected officials. It would also not meaningfully prevent the Chinese government from carrying out its existing and future influence operations and efforts to interfere in US elections, for example.
In reality, many important concerns relating to social media in general have been conflated with the specific security concerns raised by TikTok and its suspected entanglement with the Chinese government. In this environment, it can be hard to parse fact from fiction and actionable policy from grandstanding and xenophobia.
The current difficulties surrounding the regulation of TikTok highlight two gaps undermining current US efforts to address national security risks related to data privacy, algorithmic manipulation, and foreign influence:
- Lack of strategic clarity regarding how the United States should protect its critical information infrastructure amid great power competition; and
- The paucity of federal legal authorities or frameworks—beyond the inherently limited jurisdictional reach of CFIUS—to protect Americans’ data privacy, ensure platform transparency, and combat foreign interference.
In the short term, US policymakers should distinguish acute and specific national security concerns around TikTok (e.g., its potential exploitation by Beijing for the purposes of surveillance and cyber intelligence-gathering, specific device-level concerns related to vulnerable persons, etc.) from broader issues endemic to the US information ecosystem that affect US competitiveness and the future of the digital commons.
The first problem may be immediately addressable, but the second requires a more strategic, high-level, and integrated approach. In the long term, the United States requires a cohesive, forward-looking strategy built on defining critical information infrastructure, enacting baseline data protection and transparency regulations, and integrating policy approaches across domestic and foreign realms. The TikTok debate merely makes visible these bigger issues that Washington has long overlooked. If they are not addressed, there will be other “TikTok moments”—and the nation will be no closer to a solution.
Jump to:
Introduction
Over the last four years, the US government has struggled with what to do about TikTok, the short-form video hosting application owned by ByteDance, Ltd., a Chinese technology company based in Beijing. It has tried to force a sale through executive action, held congressional hearings, and targeted the app on numerous legislative fronts, including by implementing device bans. The debate has served as a flashpoint, combining specific geopolitical concerns with broader worries about the effect of social media on our society and children.
TikTok emerged in 2018 as the product of ByteDance’s 2017 acquisition of Shanghai-based Musical.ly. Since then, TikTok has exploded in popularity, growing from 11 million monthly active US users in 2018 to roughly 150 million today, with 1.4 billion globally. It also has become important economically, with nearly 5 million businesses using TikTok to market their brands. Meta’s Facebook is still the world’s most popular social media app, with 3 billion users, followed by YouTube with 2.5 billion, but TikTok continues to grow and many companies continue to mimic its product.
Although the app is extraordinarily popular, TikTok also has aroused serious concerns within the US national security community. Experts have raised concerns with the app’s Chinese origin, and more specifically, the Chinese Communist Party (CCP)’s jurisdiction over TikTok’s parent company and its products. These concerns tend to fall into three broad themes: (1) data privacy, or the risks associated with Chinese government access to private user data; (2) algorithmic transparency, or the risks associated with China’s willingness and ability to manipulate TikTok’s recommendation algorithm; and (3) the potential for foreign influence, or China using TikTok to push specific content to US audiences.
The national security community has in some instances made strong statements regarding these risks. In the words of US Central Intelligence Agency Director William Burns, Americans should have “genuine concern . . . because the parent company of TikTok is a Chinese company, the Chinese government is able to insist upon extracting the private data of a lot of TikTok users in this country, and also to shape the content of what goes on TikTok as well to suit the interests of the Chinese leadership.” Expressing similar sentiments, Director of National Intelligence (DNI) Avril Haines said TikTok is a threat because China has been “developing . . . frameworks for collecting foreign data and pulling it in,” in order to “turn that around and use it to target audiences for information campaigns or for other things.” US Federal Bureau of Investigation Director Christopher Wray has said that TikTok “screams” of national security concerns.
In a rare example of bipartisan unity, Democrats and Republicans on Capitol Hill seem to share these concerns, with Democratic Senator Mark Warner, Chair of the Senate Intelligence Committee, saying TikTok “has the stamp of approval of the Chinese Communist Party and it poses a serious national security threat due to its data collection practices and its ability to reach and manipulate Americans.” While the Senate Intelligence Committee Vice Chair, Republican Senator Marco Rubio, has similarly accused China of using TikTok to “collect our data, manipulate our information, and to poison and feed garbage into the minds [of Americans].”
Concerns over the app are not limited to the United States. The Indian government banned TikTok in 2020, saying it was “prejudicial to the sovereignty and integrity of India, defence of India, security of state, and public order.” The European Union has prohibited the app from being loaded onto official EU-issued devices, as have individual countries across Europe, the Americas, and the Asia-Pacific region. Australian Attorney General Mark Dreyfus warned that TikTok puts Australians at risk from “extensive collection of user data and exposure to extrajudicial directions from a foreign government.” Canada also prohibited the app from government-issued devices, citing an “unacceptable risk to privacy and security” for Canadians. Though the United States and others have clearly stated their concerns, action to address them has been disjointed, with significant debate over how real the risks presented are.
To help ground the debate, the Atlantic Council’s Digital Forensic Research Lab (DFRLab) and Scowcroft Center for Strategy and Security brought together experts in investment security, technology, geopolitics, business, China, comparative regulation, law, disinformation, foreign interference, and national security for a series of “roundtable” discussions. Those discussions explored the potential national security risks raised by TikTok; how they compare to other vulnerabilities related to the broader information ecosystem, as well as the policies of the Chinese government; what tools the US government has to deal with the identified risks; what actions have already been taken and their potential effectiveness; and what new tools or capacities the US government might need to better address the risks illuminated by the TikTok example. This report draws from these discussions, as well as additional research and interviews.
National Security Risks Posed by TikTok
The national security conversation related to TikTok tends to focus primarily on concerns over its foreign—and specifically Chinese—ownership and related questions about data privacy, algorithmic manipulation, and foreign interference or narrative influence. At the heart of each of these issues is the additional question of transparency; or, put more simply, how would we even know if the Chinese state was using its access to the app to conduct such activities.
Additionally, to weigh how serious a risk TikTok actually presents, it is also necessary to examine how unique the platform’s operations are as compared to other social media companies headquartered or operating in the United States. This includes an examination of how the Chinese government might achieve its goals through means other than through TikTok.
This section first addresses the issue of foreign ownership of TikTok, then it assesses each of the three previously identified risk areas (data privacy, algorithmic manipulation, and foreign influence).
TikTok’s Foreign Ownership and Chinese Government Control
Takeaway: Chinese ownership of TikTok does present a unique risk to the United States and its citizens as compared to other foreign-owned or US companies. There is no evidence of the Chinese government making systematic use of TikTok for antagonistic purposes, but there is little preventing it from doing so.
Foreign ownership of a company operating in the United States is not a unique or concerning feature in and of itself. Concerns related specifically to Chinese ownership, then, have more to do with the intentions and actions of the Chinese government and its potential to compel an ostensibly private company to take certain actions on its behalf. In the eyes of the US government, the United States outlined in its 2022 National Security Strategy China’s status as “the only competitor [to the US] with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to advance that objective,” which also makes TikTok unique among other potential foreign-owned apps given its Chinese provenance.
Indeed, China’s authoritarian government has instituted a robust system for compelling assistance, information, and cooperation from nearly any company or individual operating within its borders. Its 2017 National Intelligence Law, for example, gives the government sweeping powers to demand assistance in performing “national intelligence efforts” and to detain or criminally prosecute individuals within a company who refuse, including those at its head. If TikTok’s owner ByteDance refused such an order, for example, its executives could face these consequences on a personal level.
Specifically, Article 7 of this law states: “All organizations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with law[.]” Article 14 further gives intelligence agencies the authority to “require relevant organs, organizations and citizens to provide necessary support, assistance, and cooperation.” And, under Article 28, those who refuse to cooperate may be “detained” and/or criminally prosecuted for violating the law. So, if ByteDance or TikTok executives were to refuse an order directing them to allow Chinese intelligence agencies to use TikTok for “national intelligence efforts,” these executives would likely face punishment.
Article 10 of this same law also gives Chinese intelligence agencies extraterritorial powers, meaning they can compel those bound by this law to collect and provide certain information on targets outside of China. It states: “As necessary for their work, national intelligence work institutions are to use the necessary means, tactics, and channels to carry out intelligence efforts, domestically and abroad.” Article 11 reinforces this extraterritorial application by emphasizing that intelligence work institutions “shall collect and handle the acts or acts of foreign institutions, organizations, and individuals that are implemented or instructed or funded by others, or colluded by domestic and foreign institutions, organizations and individuals to endanger the national security and interests of the People’s Republic of China.”
These laws are not hypothetical. The CCP is well known for harshly dealing with those who challenge its authority, including the leaders of China’s largest technology companies. Alibaba founder Jack Ma disappeared for several months in 2020 after criticizing Chinese authorities, and has since stayed largely out of the public eye after previously being the prolific face of the company. ByteDance’s own co-founder, Zhang Yiming, was forced to give a public apology for violating “socialist core values” because Toutiao, a ByteDance platform for content creation and aggregation, had failed to properly crack down on CCP-delineated content violations, including political opinions the CCP considers adversarial.
Without question, TikTok’s Chinese ownership presents a potential threat. While there is no evidence this is happening in any systematic way, under China’s National Intelligence Law, China’s intelligence agencies could commandeer TikTok and require it to turn over data drawn from its US user base and also require it to assist in influence operations and disinformation campaigns targeting the United States.
Data Privacy and Use Concerns
Takeaway: TikTok’s data collection practices are concerning, and the app does provide a powerful potential source of information to the Chinese government. This has particular ramifications for those directly targeted by Chinese security services. But the data generated through TikTok is not significantly different from that generated and collected by other tech companies, nor the most concerning source of data on Americans that the Chinese state currently has access to through legal means.
Another concern raised about TikTok in the context of US national security deals with the platform’s collection of user data and device information, and the potential for Chinese government authorities, including intelligence services, to access and potentially weaponize it. TikTok, like many other apps, collects a wide range of data about its users and the devices on which they access it. This includes data on what a user is doing on TikTok, what a user is doing on other sites it accesses through TikTok, what a user is doing on external websites, and some information on how, where, and when the user is making use of their device more broadly.
Distinctively, there are risks associated with TikTok’s device-level collection or, in other words, what can potentially be accessed via the microphone, location services, and other device-generated data. These risks should be considered in the context of the larger system of data collection in the United States, as below, especially risks based on if and in what ways TikTok in particular may present a unique opportunity for China to gather sensitive information on Americans.
Risks Associated with TikTok’s Data Collection Practices
Critiques of TikTok’s data collection tend to focus on the scale and scope of collection related to information generated through its own app and platform; information it collects on other platforms or websites; and information it makes available to others.
Research studies suggest that TikTok is relatively expansive in the amount of data that it collects. A study from cybersecurity firm Internet 2.0 assessed that TikTok collects more data on its users than almost any other platform, with the exception of Russian site VKontakte. But an investigation from CitizenLab found no evidence that the TikTok app collects excess information without user permission. CitizenLab also noted that, though the TikTok app does collect a great deal of data, the app “still fall[s] within general industry norms for user data collection.” Indeed, most apps collect a huge amount of data on their users. According to Meta’s privacy policy (covering Facebook, Instagram, Messenger, and other Meta products), its platforms collect almost the same set of information as TikTok, including personally identifiable information, location information (both precise and general), purchase history, and financial information. And various studies comparing the privacy disclosures of apps (including social media and other types of apps) operating on the Apple app store show that most platforms similarly gather a significant amount of similar data on their users.
TikTok’s Use of Pixels and Web Beacons
A second concern focuses on the potential for TikTok to gather data from sources other than that generated in the app itself, using tracking pixels (sometimes called “web beacons”) on other websites and platforms. Security experts warn that this opens up a number of risks of data leakage, particularly on websites where users provide sensitive or legally protected data. If a pixel captures some of this sensitive information, it could be leaked back to the social media company.
A report from Faroot Security, a Canadian cybersecurity firm, alleged that TikTok tracking pixels can be found on a number of US federal and state government websites, leading to concerns that the company, and by extension the Chinese state, could have access to sensitive information on government employees. Again, however, while the risks of data exfiltration are real, the practice of website owners knowingly or unknowingly embedding data-hungry web-tracking technologies on their website is not limited to TikTok. Website owners often embed tracking pixels as parts of widgets that allow users to easily share content from that site to individual social media platforms, such as to share an article found on a news site to X, Meta, or TikTok. In return the linked social media company is able to receive information about the actions of users on the original website and others the user visits through the same browser.
In fact, an October 2022 survey of over 170,000 websites by data security firm Lokker found that 93.7 percent of third-party tracking cookies came from just three companies: Google, Meta, and Microsoft. The same study found that Meta’s trackers, for example, were present on 42 percent of education-related websites and 36 percent of financial-services related websites. Meta tracking pixels attracted controversy in the past often used to submit highly sensitive personal information, including those for the Free Application for Federal Student Aid (FAFSA) website, hospitals, tax preparation services, and government websites for members of the US Congress, and, in some of these cases, they were found leaking legally protected information back to Meta. That TikTok has a web-tracking pixel that is found across websites is not unusual, but it may create additional risks if the data from this web tracking is stored or used by entities associated with or accountable to China.
TikTok’s In-app Browser
A third vector of concerns relates to TikTok’s in-app browser, which enables a user to open external links clicked within the app. TikTok is able to then use this browser to collect information on user activity on websites and apps outside of the TikTok ecosystem, including potentially capturing passwords, credit card details, and other sensitive information entered on those websites when visited through the TikTok app. While concerning, this too is not unique. A September 2022 study found that the iOS apps (i.e., those used on devices running Apple’s operating system) owned by Meta and the TikTok app inject JavaScript commands into their browsers that can act as a keystroke logger, recording all taps and keyboard inputs, including sensitive information like passwords and credit card information. Both TikTok and Meta denied that they use the code to engage in these kinds of activities, but there is no way to verify these claims.
Risks Associated with TikTok’s Device-level Collection
Finally, TikTok has access to a particular kind of information through what is called device-level collection that brings with it unique risks. When the TikTok app is loaded onto a smartphone, the company can track a user’s location and potentially create avenues for surreptitious access to information stored on the smartphone or to features such as the microphone. In other cases, experts have warned that Chinese intelligence operatives could use TikTok to embed spyware into software updates to collect information on a target’s smartphone or iPad.
It is worth noting that TikTok, as a video recording app, is not out of the norm in requesting microphone access from its users. Some Meta platforms (Instagram, for example) and Snapchat request the same access. To address the vulnerability this presents, most smartphone operating systems take measures to prevent apps from activating camera or microphone access while in the background and have added visual indicators to let a user know whenever an app is actively using the microphone. This means that, for anyone to use TikTok to surreptitiously activate a user’s phone to record something, it would require them to circumvent the device’s operating system controls. The forementioned 2021 technical analysis from CitizenLab found that the version of the TikTok app they studied was not collecting excess information without user permission or bypassing user consent for access to features such as the microphone.
The Internet 2.0 report, however, did suggest that TikTok may be more aggressive at harvesting other types of information, such as information about other apps running on the phone than some platforms. Other cybersecurity experts, including some in our roundtables, noted that Chinese security officials might see TikTok as a means to embed spyware into software updates. CitizenLab’s investigation, however, found no evidence of features, such as those found in TikTok’s Chinese sister app Douyin, that allow for dynamic code loading, which enables an app operator to surreptitiously load malicious code onto a device without a proper software update.
It is undeniable that TikTok collects potentially sensitive data, from location data to information about user devices to potential credentials for other services. If, under China’s National Intelligence Law, Chinese intelligence agencies chose to obtain access to all of the data collected by TikTok, this data could be used to track or surveil Chinese dissidents living abroad, US service-members, public officials, and the general public more broadly.
There is no publicly available evidence that China has used TikTok to do this in any systematic way, and, in his congressional testimony, TikTok CEO Shou Chew stated unequivocally that “TikTok has never shared, or received a request to share, US user data with the Chinese government. Nor would TikTok honor such a request if one were ever made.”
However, there is sufficient open source reporting in contexts outside the United States to raise significant concerns over the possibility that Chinese security services could use such device-level access to monitor persons of interest. Yintau Yu, a former senior ByteDance executive, said recently that, in 2018, CCP officials accessed data on TikTok users in Hong Kong, specifically targeting civil rights and pro-democracy protesters. Yu has also claimed that a committee of CCP members were given a so-called “superuser” credential that enabled them to access and view all data collected by ByteDance, including through TikTok. He further shared that CCP officials used this credential to access data on Hong Kong protesters’ network information, SIM cards, and IP addresses, all in an effort to identify and locate them, presumably in an effort to help Chinese security forces arrest them. Yu also has alleged that TikTok allowed this CCP committee to review TikTok users’ communications on the app. Most disturbingly, he stated that ByteDance maintained a “backdoor channel” for CCP officials to access not only information on users in Hong Kong but also data from US-based TikTok users.
Additionally, data collected within the TikTok app may also flow to third parties through embedded third-party trackers, which could be another vector by which user information might flow from the app to the Chinese government. Though this practice is common within the industry: a 2017 study reported that 70 percent of apps share data with at least one third party, while 15 percent share with five or more. Another study suggested that TikTok allows an unusually high number of third-party trackers to collect user data from its app, especially for a social media service. It may be challenging for policymakers to know where user data flows once it is in the hands of third parties, making this another potential concern when it comes to access by entities such as Chinese intelligence services. Here, as above, the practice of using third-party trackers is not inherently out-of-sync with the behavior of the rest of the industry, but it represents another important area of concern with respect to the practices TikTok upholds when it comes to protecting users’ data against improper access and use, especially for a social media service.
Adding to these concerns, Forbes reported in 2022 that ByteDance employees had mounted a surveillance operation on several US-based Forbes journalists who had written pieces critical of the company and its TikTok subsidiary. The employees had accessed journalists’ TikTok user information, including IP addresses, to uncover whether they had been in close proximity to ByteDance employees who might have been the source of leaks to the press. An earlier 2022 report by Buzzfeed, which gained access to leaked audio from over eighty internal meetings at TikTok, outlined employee discussions about how China-based ByteDance employees had regularly accessed US user data. A report from CNBC earlier in 2021 also quoted former ByteDance employees as confirming the Beijing-based company’s access to US user data, including search history, engagement metrics, and other personally identifiable information.
In sum, the risks associated with TikTok’s device-level collection may present more serious concerns with regard to potential targets of interest to Chinese security services. However, the risks associated with TikTok’s data collection practices are in many ways not distinct among social media platforms, highlighting instead a larger problem in the US information ecosystem.
Data Brokers and the Bigger Picture
The vulnerability of Americans’ personal data to espionage or exfiltration by foreign adversaries or criminals is a major concern. The Chinese government in particular has a track record of using illicit means to collect such information, including repeated cyber hacks that have stolen millions of data records from the US Office of Personnel Management (OPM), Anthem, Equifax, Marriott, and many others. In July 2023, Chinese hackers exploited a security gap in Microsoft’s cloud to hack into the email accounts of Commerce Secretary Gina Raimondo, as well as those of personnel at the Departments of State and Commerce and US think tanks, a congressional staffer, and a US human rights activist.
However, China could already access vast amounts of data on Americans through perfectly legal channels. In the United States, there is an extremely profitable intermediary market consisting of thousands of data broker companies like Acxiom, Experian, CoreLogic, and even Oracle, which has been proposed as a potential US-based holder for TikTok data. These companies buy, clean, repackage, aggregate, and label user data from social media and credit card companies, consumer loyalty programs, mobile phone providers, health tech services, and public sources like voter rolls, campaign finance filings, property records, and more. These brokers then sell this combined data on individual Americans.
To give a sense of scale, Acxiom asserts that it has information about 2.5 billion people in the world, with 11,000 data points per consumer. Oracle has been sued in a federal class action, with plaintiffs alleging that the company runs a “worldwide surveillance machine,” collecting dossiers on 5 billion people around the world and selling them. The case has not yet been settled. Investigations by outlets such as the New York Times have documented the availability of immense datasets of location information available for purchase through data brokers, including one composed of 50 million location pings from the phones of 12 million Americans.
This largely unregulated market currently poses genuine national security threats to the United States and its citizens, as well as countless activists around the world. TikTok is potentially a direct data source for Chinese intelligence agencies, and that represents a real risk. However, such data pales in comparison to that which China already illicitly steals through hacks or that which it could potentially procure legally through data brokers. This is an area in which efforts to address a genuine security threat will require action beyond that targeting TikTok exclusively.
The Risk of TikTok as a Tool for Chinese Influence Operations
Takeaway: While TikTok presents a potentially useful tool for Chinese influence operations, its utility is in its connection to existing operations on a wide array of social media platforms primarily headquartered in the United States.
Another core concern regarding TikTok focuses on the potential for China to wield it as a tool of influence or information control. These concerns relate the potential for the CCP to control what content is allowed, surfaced, or promoted on the platform; to promote its own content and narratives on the platform; or to use the platform to glean insights making its influence operations elsewhere more effective.
TikTok has a large and growing US user base of over 150 million Americans and millions more around the world. This makes it a tempting vehicle for CCP influence operations and a potentially powerful bullhorn for pro-Beijing propaganda and messaging. The potential power of the platform can be seen in a recent Pew Research Center study of social media and the news that found the share of US adults who say they regularly get news from TikTok more than tripled between 2020 and 2022 (from 3 percent to 10 percent). Americans under 30 are particularly reliant on TikTok, with 26 percent saying they regularly get their news from the app. So, TikTok could be an effective channel for influencing younger Americans, in particular.
In terms of shaping narratives, TikTok has a history of censoring content displeasing to the Chinese government, including suppressing videos about the 1989 Tiananmen Square massacre, pro-democracy protests in Hong Kong, the persecution of Falon Gong members, and human rights abuses against the Uyghur population in Xinjiang, among other examples. Recent reports outlined the presence of state-aligned or affiliated accounts on TikTok that push pro-Beijing narratives and uncovered a coordinated campaign on TikTok by Chinese state media outlets attacking specific US politicians before the 2022 midterm elections. Beyond China, TikTok has also been implicated in disinformation campaigns conducted by Russia; for example, a December 2023 report by the BBC outlined how a Russian propaganda campaign of thousands of fake accounts on TikTok spread disinformation about the war in Ukraine on the platform. Another December 2023 report from Rutgers University’s Network Contagion Institute alleges that hashtags relating to topics that are censored in China (including, for example, “#Uyghur,” “#Tibet,” “#TiananmenSquare,”” and #HongKongProtest”) and are disproportionately underrepresented on TikTok as compared to Instagram. TikTok refuted these findings, stating that the hashtag analysis was flawed due to the fact that around one-third of videos viewed on TikTok do not have any hashtags and that Instagram has existed for longer.
This focus on Chinese government influence operations is not without merit; however, TikTok is not a unique vector for these kinds of influence campaigns. There are a wide variety of other platforms and nodes within the broader information and communications ecosystem at China’s disposal. For example, both Facebook and X (formerly Twitter) have been implicated in orders of magnitude more influence operations, including CCP adjacent ones, than TikTok has.
Indeed, such tactics are part of China’s stated strategy to spread China’s influence and preferred narratives abroad. Chinese President Xi Jinping has publicly and repeatedly emphasized the need for China to gain “discourse power” by using multiple social media platforms to shape public opinion in the United States and around the world. A series of reports from 2015 to 2017 revealed an uptick in suspected Chinese state-sponsored activity on social media platforms. These include reports that state media accounts purchased a large number of Twitter followers (thereby boosting their potential to be algorithmically boosted), that Chinese operatives used LinkedIn to conduct espionage operations, and that China-linked actors had conducted disinformation campaigns against Taiwanese President Tsai Ing-wen.
A June 2022 investigation by intelligence firm Mandiant showed that a network of thousands of inauthentic pro-CCP social media accounts across multiple social media platforms promoted negative stories about Australian, Canadian, and US rare earths companies as a strategy to help protect China’s market dominance in the sector. Additionally, in May 2023, Meta announced it had taken down a network of China-based accounts that was targeting the United States and Europe by posing falsely as a think tank and news organization and pushing official Chinese talking points. Later, in August 2023, Meta announced it had taken down another network of Chinese accounts across its platforms, describing it as “the largest covert campaign that we know of today.”
Those who study state-sponsored disinformation note that a Chinese influence operation solely using TikTok would not likely be particularly effective when compared to current methods leveraging multiple platforms simultaneously. While the CCP could ostensibly leverage TikTok’s recommendation algorithm to spread pro-Beijing messages and try to undermine US democracy, the reality is that the CCP is already engaged in these activities on US-based platforms and will continue to do so even if TikTok was banned or otherwise restricted in the United States.
Risks Associated with Lack of Transparency
Takeaway: We really do not know what the Chinese government is and is not doing on TikTok and other platforms, which makes it difficult to accurately assess the risk.
Much of the debate around TikTok is driven by concerns over the potential uses of the platform, rather than the proven instances of Chinese government action. This is because there is a great deal that we simply do not know about how TikTok—or any other platform operating in the United States—functions. In addition to the United States requiring very little, if any, data protection standards, there are also few, if any, requirements for companies to share information or data on what is happening on their platforms. There are no standards or reporting requirements on the uses and impact of algorithms, design choices, or other product approaches; few rules related to political or business advertising; and no standards or requirements for how a platform communicates its policies to users or anyone else. A May 2023 report issued by the Partnership for Countering Information Operations at the Carnegie Endowment for International Peace (CEIP) provided a sense of the scope of information at play.
In the void of such regulations and requirements, many US companies, at the prodding of civil society, have spent the past decade voluntarily experimenting with different kinds of research partnerships, data access tools, transparency reporting, and industry standards. Through this voluntary experimentation, independent researchers like those working with the DFRLab have been able to piece together some understanding of how the broader information ecosystem works and gets manipulated, including by state actors like the CCP.
Until recently, TikTok was one of the least cooperative, transparent, and accessible of the major social media platforms. Aside from it being newer, until February 2023, TikTok provided no data access or election-related information. Even in 2023, when it launched a researcher API access program, it included access requirements to which many researchers did not feel comfortable agreeing. Cumulatively, this means that there has been less independent research on TikTok, and those who have studied the platform have been hindered by a lack of access.
Our inability to know exactly what TikTok is collecting, what it is doing with the information it is collecting, the details and use of its algorithm, its content rules and take down decisions, and other aspects hinders any ability to know whether it is being leveraged by the Chinese government. However, this is also true about our ability to know whether and how US platforms are being used by the Chinese government, while noting that some platforms have invested heavily in partnerships to track this information. As with the lack of privacy protections, the lack of data access, transparency, or other tech regulations in the United States makes it difficult to fully ground our understanding and ensure the security of our information ecosystem.
Notably, the European Union recently passed a landmark suite of tech regulations—the Digital Services and Digital Markets Acts (DSA and DMA, respectively)—that mandate disclosure on some of these information and transparency questions for the first time. The new laws will apply both to US platforms like Meta and Google as well as China’s TikTok. The specific implementation details are still being hashed out, but the resulting information could provide a window into many of these questions.
US Government Responses to TikTok
Takeaway: Piecemeal actions like device bans have done little to address core concerns, and executive branch, congressional, and state-level actions have yet to clear First Amendment and other legal challenges. Even an outright ban on TikTok, however, would not restrict the Chinese government’s ability to access significant and sensitive data on Americans, including security personnel and elected officials. It would also not meaningfully prevent the Chinese government from carrying out its existing and future influence operations and efforts to interfere in US elections, institutions, or other democratic processes.
In reality, many important concerns relating to social media in general have been conflated with the specific security concerns raised by TikTok and its alleged entanglement with the Chinese government. In this environment, it can be hard to parse fact from fiction, and actionable policy from grandstanding and xenophobia.
The previous sections outlined the contours of the most prominent security risks raised regarding TikTok and provided an initial assessment of them. The following section describes the actions the US government has taken to date to address these concerns, beginning with the Trump Administration and continuing through the current Biden Administration.
Executive Branch Actions
TikTok first hit the US marketplace in 2018, and in the years since, the US government has taken various steps to assess and address the potential security risks related to the app. In 2019, during the Trump Administration, the Committee on Foreign Investment in the United States (CFIUS)[1] launched an investigation into the 2017 ByteDance acquisition of Musical.ly that gave birth to TikTok and whether it adversely impacted national security. CFIUS commenced the investigation on its own initiative, as neither ByteDance nor Musical.ly had voluntarily given CFIUS notice of the transaction. On August 14, 2020, President Trump issued an order, based on the CFIUS investigation, prohibiting the ByteDance-Musical.ly transaction and requiring ByteDance to divest all of its interests and rights in the US operations of TikTok (the “Divestment Order”). While technically still in effect, the Divestment Order has never been enforced. Between a pending legal challenge by TikTok and CFIUS repeatedly extending the deadline for divestment, in deference to negotiations between the government and ByteDance, the order is, at the time of writing, essentially held in abeyance.
On August 6, 2020, President Trump also issued Executive Order 13942, which—pursuant to the International Emergency Economic Powers Act (IEEPA) and the National Emergencies Act (NEA) —gave the Secretary of Commerce authority to ban the platform. Then-Secretary Wilbur Ross did so by regulation in September 2020. In doing this, President Trump cited the potential for TikTok to be used in support of Chinese data espionage and influence operations. Two federal district courts,[2] however, blocked the Trump Administration’s attempted ban, with both holding that the action, among other things, violated the Berman Amendments to IEEPA. These amendments, enacted in the 1990s, were sponsored by then-Congressman Howard Berman, whose district included parts of Los Angeles and its movie industry. Congressman Berman wanted to ensure that, even if a President deemed a foreign country to be a threat under IEEPA, such a designation would not restrict the free flow of information (including books and movies) between the United States and consumers in those countries. Accordingly, the Berman Amendments preclude the president from using IEEPA to “regulate or prohibit, directly or indirectly” the importation or exportation of “information or informational materials,” “whether commercial or otherwise,” and “regardless of format or medium of transmission.” The free and open internet is certainly an outgrowth of this policy approach.
On June 9, 2021, several months after taking office, President Biden issued Executive Order 14304, which rescinded Executive Order 13942, thereby nullifying his predecessor’s attempted ban. Shortly thereafter, President Biden also withdrew the Department of Justice’s appeals of the district court rulings.
Despite these actions, the Biden Administration has maintained the government’s focus on TikTok. Executive Order 14304 directed the Department of Commerce to develop recommendations on how to prevent foreign adversaries, including “the People’s Republic of China,” from gaining access to “United States persons’ sensitive data” and how to protect the United States from “connected software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.” Given the provisions of China’s National Intelligence Law requiring China-based businesses to assist the Chinese government’s intelligence efforts, Executive Order 14304 should be understood as focused on TikTok.
President Biden also continued the CFIUS investigation initiated under Trump and maintained the Divestment Order, albeit keeping it held in abeyance. CFIUS and ByteDance/TikTok have been engaged in lengthy negotiations over the terms of a potential mitigation agreement, which would preclude a presidential order banning the app and establish the conditions under which TikTok could continue to operate in the United States. TikTok has asserted that such a mitigation agreement could rest upon what it calls “Project Texas,” the company’s effort to address US national security concerns.
According to TikTok, and as revealed by a leaked draft agreement between CFIUS and TikTok laying out the proposed plan, “Project Texas” is built on five “pillars,” all communicated as focusing on keeping US data secure from Chinese intelligence agencies.
First, TikTok has created a new special purpose subsidiary solely in charge of US user data called “TikTok US Data Security” (USDS) that is overseen by an independent board of directors and led by executives reporting to that Board, and not to ByteDance.
Second, TikTok has created a “stand-alone version of the TikTok platform for the US” that is “isolated inside servers in Oracle’s US cloud environment.”
Third, to address concerns over “backdoors or data leakage,” TikTok has committed to tasking a US-based, third-party technology provider and a third-party source code inspector to inspect and test “every single line of source code that goes into the protected environment.”
Fourth, TikTok has proposed making its “content moderation systems and processes” transparent to the US-based, third-party technology provider, to ensure that they are “free from any foreign or outside influence.”
Finally, TikTok asserts that, in addition to the US-based technology provider, “a host of third-party monitors, auditors, and inspectors will be focused on ensuring that we are complying with all of our commitments.”
Despite these efforts, the Biden Administration does not appear to be convinced that Project Texas would fully address its national security concerns. In March 2023, the Biden Administration indicated that it might shortly, in effect, seek to enforce the Divestment Order, which would mean that TikTok will potentially be prohibited from operating in the United States unless ByteDance sells the app to another company not based in China.
At the time of writing, the Biden Administration has taken no public actions against TikTok since floating a ban. This may be due to the concern that a TikTok ban, even one founded on CFIUS findings, might still fall to a legal challenge.
Congressional and State-level Efforts
In the meantime, multiple efforts at regulating the app have appeared in the US Congress and a number of US states. In December 2022, President Biden signed bipartisan legislation banning TikTok from most federal government-issued phones, expanding an earlier, narrower ban. In addition, thirty-four state governments have taken similar actions, most recently Arizona in April 2023. In May 2023, Montana enacted more extreme legislation (SB 419), completely banning TikTok from operating in the state. The Montana law was immediately challenged and, on November 30, 2023, Federal District Judge Donald Malloy issued a preliminary injunction temporarily blocking the law, holding that it likely violated the First Amendment and unconstitutionally interfered both with interstate commerce and with the federal government’s primary role in regulating commerce with foreign nations. The litigation concerning the law is ongoing.
Back on Capitol Hill, while some senators and representatives have introduced federal legislation that would ban the app nationwide (such as the “No TikTok on United States Devices Act,” introduced in January 2023 by Senator Josh Hawley), the leading bill—the “RESTRICT” Act—is more nuanced. Jointly introduced by Democratic Senator Mark Warner and Republican Senator John Thune on March 7, 2023, with the support of President Biden, the RESTRICT Act would establish a risk-based process to address threats posed by information and communications technology (ICT) products connected to foreign adversaries and give the Secretary of Commerce authority to “review, block, and mitigate” a wide range of transactions “involving foreign information and communications technology that pose undue risk” to national security. Thus, if the RESTRICT Act were to become law, Commerce Secretary Raimondo could use this authority to ban TikTok, if she wanted.
Under increasing pressure, TikTok has tried to assuage concerns on Capitol Hill and elsewhere, mounting a “charm offensive” of sorts as well as spending over $4 million on lobbying efforts during the first half of 2023. In addition to investing $1.5 billion to implement Project Texas, TikTok expanded access to its API to academics and US-based universities and also invited reporters to tour its newly opened Transparency and Accountability Center in Los Angeles alongside an announcement that it plans to open up further centers in multiple locations across the globe. The announcements were accompanied by a public relations blitz, culminating in Chief Executive Officer Shou Zi Chew’s March 23, 2023, testimony before the House Energy and Commerce Committee.
The initial reviews of his testimony were negative, with both Democrats and Republicans harshly attacking him and TikTok. In the months since, however, nothing has happened, and the RESTRICT Act appears stuck, with the bill criticized from both the left and right as a “Patriot Act on steroids.” Some Republicans, such as Senator Rand Paul, oppose it because it could lead to censorship, asking “do we really want to emulate China’s speech bans?”
Ultimately, the biggest obstacle to the RESTRICT Act or any congressional or executive effort to ban TikTok might end up being the First Amendment. Judge Malloy’s November 30, 2023, order temporarily blocking the attempted Montana TikTok ban aptly demonstrates the constitutional issues involved. And no matter what ultimately happens in the Montana case or in any litigation concerning a potential federal ban, it would take years to resolve, as these cases wind their way through the courts, potentially culminating in a US Supreme Court ruling.
Assessing the Effectiveness of Government Actions on TikTok
With so much churn and high-level attention to TikTok, it is important to consider whether the various policies and approaches proposed by the US government would achieve their stated objectives. The following section examines each proposal against the national security risks described in the first two sections of this paper and assesses their potential impacts more broadly.
Requiring the Sale of TikTok
The demand by the Biden Administration for ByteDance to sell TikTok to a US company may be a non-starter, given China’s vocal opposition. Hours before Shou Zi Chew’s House testimony on March 23, 2023, the Chinese Commerce Ministry stated that any forced divestment by ByteDance would require the export of sensitive technology (i.e., the TikTok recommendation algorithm), and such an export would need to be approved by the Chinese government. Ministry spokesperson Shu Jueting said that “China will oppose” such a sale. Accordingly, absent a diplomatic breakthrough between the United States and China, a forced sale or initial public offering (IPO) of TikTok by ByteDance seems unlikely. Even if China was to allow such a sale to move forward, divestment would not measurably limit the Chinese government’s broader ability to collect and leverage data on Americans, conduct influence operations, or otherwise advance its interests, as discussed in detail above.
Prohibiting TikTok on Government Devices
The most significant action the US government has taken to date has been its ban on the use of TikTok on government-issued phones and devices. This action has done nothing to address the potential generation and collection of sensitive information on US citizens using TikTok, however, or the much more substantial data collection the Chinese government undertakes through other means, as described in prior sections.
However, it does potentially mitigate the risk of Chinese intelligence officials using device access to gather passwords and sensitive government information through malware, misuse of device permissions, or the other concerns highlighted in the first section, at least with regard to government officials on official devices. During our roundtable series, some participants suggested expanding this policy to private companies involved with critical infrastructure, emerging technologies, or other sectors likely to be a target of Chinese espionage. Doing so could be a productive step in mitigating the more targeted risk of access to sensitive information through the app itself. However, it would not measurably impact the broader actions of the CCP.
A Negotiated Agreement and Project Texas
In some ways, the Project Texas proposal is a slimmed down response to the “sell or get out” threat, given the access TikTok seems to be promising to the US government. Given the extraordinary power a mitigation agreement based on “Project Texas” would give the government in overseeing TikTok’s operations, including its algorithm, one then has to ask why the Chinese government would permit it to move forward, while so aggressively quashing talk of outright divestment.
The answer may lie in the enforceability of such an agreement. With a code base now ten times that from when Microsoft was going to take ownership, the likelihood that a third-party auditor repeatedly reviewing millions of lines of code could find a backdoor entry point surreptitiously slipped in by the Chinese government seems low. The Chinese government may be banking on such odds to move forward an agreement.
Aside from questions around malicious code, Project Texas does little to address concerns that TikTok could be commandeered by China to mount an influence operation. Project Texas offers transparency into TikTok’s content moderation systems, but it is unclear if a third-party monitor or the US government would be able to determine whether TikTok is being used to shape public opinion in a pro-Beijing direction, and the implications of such a determination for monitoring conversations on other, non-Chinese apps.
This would also seem to raise substantial First Amendment, let alone practicality concerns. As noted by the American Civil Liberties Union’s Patrick Toomey, “if this agreement would give the US government the power to dictate what content TikTok can or cannot carry, or how it makes its decisions, that would raise serious concerns about the government’s ability to censor or distort what people are saying or watching on TikTok.” For digital and human rights activists the world over, such permissions would also set a concerning precedent legitimizing government control over expression when justified by “national security.”
Banning TikTok
This brings us to the most sweeping potential course of action: banning TikTok outright. Banning TikTok would not restrict the Chinese government’s ability to access significant and sensitive data on Americans, including security personnel and elected officials. It would also not meaningfully prevent the Chinese government from carrying out its existing and future influence operations and efforts to interfere in US elections, for example.
It would mitigate potential Chinese government access to a rich source of data on Americans using TikTok and limit the potential for the government to have a popular app at its disposal through which to augment, test, and otherwise support its narrative agenda and influence operations.
Despite this nuance, whether to ban TikTok continues to be the primary focal point of the national security conversation. Even so, TikTok continues to operate within the United States and the efforts to ban it through executive order, CFIUS investigation, and legislation appear to have stalled, at least for now.
Barriers to Banning TikTok
There are several reasons why efforts to date to ban TikTok have been unsuccessful. These include political and economic considerations, significant legal barriers, the practicality of actually implementing a ban, and geopolitical considerations regarding how a ban on TikTok would play out at the same time as the United States is trying to reinvigorate institutions and processes that champion a free and open internet.
Political and Economic Issues
Any conversation about TikTok has to acknowledge the political incentives at play. The app is popular; as noted by Commerce Secretary Raimondo, “the politician in me thinks you’re going to literally lose every voter under thirty-five, forever.” Economic issues also play into the politics as well, particularly as the 2024 election cycle gears up. For the 5 million or so Americans who use TikTok for business, a ban would have direct monetary impact. At a larger scale, removing a major social media platform from an already-consolidated social media market could impact the US tech industry in a number of ways yet unexamined.
Legal Issues
It is unclear whether a TikTok ban would stand up in court. On the one hand, a ban by authority of the president would probably rest on somewhat firmer legal ground, because it would be based on the findings of a CFIUS investigation and rest on the president’s express statutory authority under 50 USC. § 4565(d) to “suspend or prohibit any covered transaction that threatens to impair the national security of the United States.” The specific statutory roadblock that defeated President Trump’s effort—the Berman Amendment to IEEPA—would not apply to a divestment order issued pursuant to a CFIUS investigation. TikTok would likely challenge such an order in court, possibly by questioning CFIUS’s jurisdiction over a transaction between two China-based companies or asserting that the 2024 enforcement of a divestment order unraveling a 2017 transaction would violate due process, given settled expectations. TikTok likely would raise First Amendment concerns as well.
The US Congress could also, of course, bolster President Biden’s statutory authorities through legislation like the RESTRICT Act or a repeal of the Berman Amendments to IEEPA, but this would not protect a TikTok ban from a First Amendment challenge, including one founded in part on CFIUS findings. This is especially true, given the seemingly theoretical nature of the threat presented by TikTok (at least based on the information that has been released publicly). Indeed, if there was ample factual evidence of Chinese intelligence officials systematically using TikTok to gather data on Americans or to deploy influence operations, the government’s legal argument in support of a ban would be much stronger. Such a ban could be analogized to the one upheld against a First Amendment challenge by the Supreme Court in Arcara v. Cloud Books, 478 US 697 (1986), where New York authorities shut down a bookstore that had actually been used as a hub for illegal prostitution.
However, unlike in the Arcara case, there is no publicly available evidence supporting the notion that Chinese intelligence services have systematically used TikTok to commit espionage or to mount influence operations. The argument is that TikTok could theoretically be used in this way. But just as an order shuttering a bookstore because it might someday be used as a hub for criminal activity would not likely survive a First Amendment challenge, it seems unlikely that a TikTok ban based on a merely theoretical possibility of it being used for Chinese espionage would withstand First Amendment scrutiny.
Practicality of Implementing a Ban
There is also the question of how a ban would be enforced as a practical matter. Some ban proposals would criminalize usage of the app, focusing enforcement on individuals, which would amount to roughly 150 million TikTok users in the United States. Other proposals would criminalize the distribution, focusing enforcement on app stores such as those maintained by Apple and Google. Either way, enforcement might require a fairly draconian and far-reaching set of actions that could impact the global tech sector in ways worthy of careful examination.
If a national ban were imposed, some current US users of TikTok might try to use circumvention technology such as Virtual Private Networks (VPN) to get around the ban. Many VPNs were created to help those in repressive societies access the open internet. They work by encrypting a person’s online identity and location, rerouting it through a server someplace else in the world, thus making it difficult for those monitoring usage and networks to know where a user is actually located. This raises the question of whether the US government would be prepared to criminalize the use of VPNs to access TikTok or otherwise restrict and track VPN usage, despite the potential impact on global human rights and open internet access.
In addition, there might be other adverse and unintended consequences of a ban. For example, devoted TikTok users might be incentivized to “sideload” TikTok, which would further undermine cybersecurity and expose American users to heightened risk of malware.
Geopolitical Impact
A further concern is geopolitical. The internet is global and systemic, and the United States has a vested interest in ensuring its national security, economic, and geopolitical interests are protected and advanced in a domain that has become an increasingly important sector of global competition. Ironically, China’s core geopolitical strategy relies on its ability to goad powerhouses like the United States and Europe into abandoning their longstanding commitment to a “free open, secure, and interoperable internet.”
An outright ban of TikTok as currently proposed—particularly absent clearer standards for all platforms—could risk undermining this global consensus exactly at the moment China has succeeded in generating debate in a number of global decision-making bodies as to whether this system should be sustained. It would represent the first time the United States has banned a major social media platform and would almost certainly be referenced in bad faith by countries like China and Russia to justify their own repressive, and aggressive, actions while advancing their narrative and propaganda goals.
Chinese President Xi and Russian President Vladimir Putin make similar arguments about national security when justifying their bans on Facebook and then Twitter. Those countries have traditionally argued that their national security requires such “cyber sovereignty” measures to protect their populations against US espionage and “the corrosive influences of the West.” While US action against TikTok is not the same thing as China banning Facebook, the actions required to implement such a ban would mirror deeply problematic laws and actions countries have taken in recent years.
Gaps in the Government Toolkit for Addressing Information-based National Security Risks
Takeaway: The current difficulties surrounding the regulation of TikTok highlights two challenges undermining current US efforts to address national security risks related to data privacy, algorithmic manipulation, and foreign influence: (1) the lack of strategic clarity regarding how the United States should protect its critical information infrastructure amid great power competition; and (2) an overreliance on CFIUS and the absence of domestic regulations for data privacy, platform transparency, and combating foreign interference.
None of the options listed above would significantly degrade the Chinese government’s ability to collect sensitive data on US officials or Americans generally, conduct influence operations in the United States, or otherwise advance its espionage and intelligence interests through other social media platforms.
Ultimately, in analyzing TikTok and its operations in the United States, it becomes clear there are gaps in the US government’s toolkit to address a range of national security vulnerabilities related to technology.
Lack of a Concept of Critical Information Infrastructure
The TikTok conversation is hampered by a lack of clarity around critical information infrastructure. The information infrastructure through which elected officials communicate with constituents, governments conduct emergency response, businesses run, and Americans exercise their rights is critical to the functioning of the country. However, unlike the electric grid, which is run by private companies operating within carefully crafted rules and transparency requirements, or the global financial system, which is closely (albeit imperfectly) regulated by central banks and subject to various legal rules), the information space is made up largely of private companies governed by very few rules or transparency requirements in the United States, and many rules in other countries.
Admittedly, this is not a simple concept, given the First Amendment implications of anything involving the expression of Americans, and the subjectivity of information itself. But the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has identified the communication and information technology sectors as two of the government’s recognized sixteen critical infrastructure sectors. The United States would be well served by a serious conversation about what comprises “critical” information infrastructure, as doing so would allow it to explore evidence-based policy responses that build resilience and advance US interests at home and abroad.
The Need for Legal Tools Beyond CFIUS and IEEPA
CFIUS is an important tool for US national security, but, by its design, it is jurisdictionally limited to reviewing foreign investments in US businesses or operations. If Shanghai-based Musical.ly had not had a sufficiently substantial US presence (with an office in Santa Monica and millions of US users), CFIUS would likely not have had jurisdiction to review ByteDance’s acquisition that gave birth to TikTok in the first place. As mentioned earlier, even if President Biden were to act to ban TikTok based on CFIUS findings, it is unclear it would survive a First Amendment challenge.
It is also unclear what the public or diplomatic messaging would be concerning an order based on CFIUS authority, given that its investigations are classified and the proprietary information provided by ByteDance and Musical.ly during that investigation is statutorily protected from public disclosure. All CFIUS investigations involve not only classified intelligence but also trade secrets provided to the government by the parties, typically making them a somewhat shrouded process. This means there might not be a clear rationale, even if there is actual evidence of Chinese espionage activity, communicated to the US public or the world for a decision banning an application regularly used by millions of Americans. While there are a variety of statutory factors (listed in 50 USC. § 4565(f)) that the president must consider in determining whether there is credible evidence that a transaction impairs national security, presidential determinations based on CFIUS investigations are inherently based on subjective judgment calls, at least to some degree.
President Biden might try to provide a clearer picture by declassifying certain findings, so as to make a more persuasive public case for a ban. It would, however, still likely be difficult to provide proof of a clearly articulated “why” for such a momentous decision. Given that Russia and China would be certain to leverage such a decision for their own narrative goals (after all, Russia and China also ban TikTok or other social media platforms based on their own opaque threat assessments), it is worth assessing whether there are other mechanisms to take similar actions that would allow the United States to more directly communicate as an understandable standard. Given the huge impact a decision involving an application currently used by millions of Americans would have, the decision should be grounded on articulable standards or precedents that could be convincingly and fulsomely communicated to the US public and globally.
Indeed, the question of an articulable standard to guide decision-making and communicate such decisions to the public is not theoretical. There has been a significant increase in foreign investment in US-based information infrastructure, including by authoritarian regimes, but it is unclear why some investments trigger CFIUS action more than others. As an example, Saudi Arabia is the largest government investor in Twitter (now “X”), owning 27 percent of outside equity with combined funds associated with Saudi Arabia, the United Arab Emirates, China, and Qatar outweighing private US ownership. The Saudi sovereign wealth fund invested close to a billion dollars just in the second quarter of 2022 in Zoom and Meta, adding to its investments in Microsoft Corp., Alphabet, and Salesforce. But CFIUS apparently saw no security threat and, therefore, took no public action.
Additionally, the gaming sector, which is a $300 billion market reaching 3 billion people around the world, is an increasingly important node of our information ecosystem. Aside from its massive scale, many gaming companies are building the next wave of technology the world will be using, and many games collect user data and provide communication interfaces for players all over the globe. Chinese company Tencent and other Chinese government-backed investors have spent the last decade buying up majority shares or outright ownership of many US and European gaming companies. Tencent’s investments in more than 800 companies include outright ownership of FunCom, Riot Games, and Sumo (among others), and a 40 percent stake in Epic Games, along with shares in Activision Blizzard, Ubisoft, and many more of the world’s leading and most profitable companies.
CFIUS has cleared a number of these investments, including Tencent’s acquisition of Sumo, and it has not forced Tencent to divest its holdings in Riot Games and Epic Games. Given the massive reach of such companies (with Epic Games’ Fortnite boasting more than 80 million active users as the most popular game in the world) and the data they collect, there does not seem to be an articulable and publicly available reason why CFIUS would have a problem with ByteDance-owned TikTok but not with Tencent-owned Riot Games or partially owned Epic, for example.
Separately, while IEEPA certainly is a relevant tool, the federal courts that blocked President Trump’s attempt to ban TikTok demonstrated the limitations of seeking to apply it to security concerns arising out of the information ecosystem. Thus, it stands to reason that CFIUS and IEEPA cannot be the only tools for considering the national security implications of a foreign-owned application or other technology like TikTok.
Lack of Domestic Regulations Imposing Privacy Protections and Transparency Standards
Aside from liability and copyright protections, the United States has almost no national-level regulation of the tech industry and the information ecosystem it underpins. In addition to the United States imposing few, if any, data protection standards,[3] there are also few if any requirements for companies to share information on what is happening on their platforms, and few reporting requirements or rules governing advertising, communication of platform policies or design choices, or publishing of algorithm impacts and uses.
This means that many of TikTok’s practices, including those presenting real risk to its users, are unfortunately both legal and fairly standard. And CCP actions that many have highlighted as concerning do not occur solely on TikTok. Indeed, the concerns highlighted about TikTok in particular serve to underscore just how vulnerable the US digital landscape is as a whole. While the vulnerabilities are not unique to the United States, the lack of action is. For example, while there is a great deal of variance in national approaches to these challenges globally, the United States stands as the only developed democracy without a federal privacy or data protection standard.
Other countries have addressed these issues by considering more comprehensive approaches, including the EU’s General Data Protection Regulation (GDPR), DMA, and DSA. While certainly not perfect—parts of the DSA would likely violate the First Amendment if a similar law was enacted in the United States—the combination allows a systemic approach enshrining the rights of users, addressing the market power of platforms, setting standards for responsible platform behavior, and decreasing the variance in knowledge between platforms, regulators, and the public.
Though some states, like Illinois and California, have tried to fill the gap by passing comprehensive privacy laws of their own, the growing patchwork of sometimes contradictory laws presents more challenges than opportunities for addressing the issues discussed in this paper.[4]
In this way, the absence of federal rules also ironically cedes this essential area of policymaking and national security to foreign actors, allowing every other country in the world to set the standards for US citizens and its companies. One of the single most impactful ways to address the risk of the Chinese government leveraging TikTok to spy on Americans and influence public discourse would be to pass federal privacy laws and transparency standards for all companies. TikTok will not be the last social media company with popularity around the world, nor will it be the last non-US company to gain prominence in the United States.
Conclusion
TikTok presents a potential, though as yet unproven, threat. Under China’s National Intelligence Law, its intelligence agencies could commandeer TikTok, requiring it to turn over data drawn from its US user base and also requiring it to assist in influence operations and disinformation campaigns against the United States. While there is no evidence this is happening in any systematic way, it is theoretically possible.
While official Washington seeks to address this as an individual potential threat, it is missing the bigger picture. The risks identified in the debate over TikTok’s operations in the United States, are entry points to the systemic risks of a largely ungoverned social media ecosystem. The United States could ban TikTok, but banning this one platform would not make Americans any safer. China or other foreign adversaries can still obtain—and are currently obtaining—vast amounts of data on Americans from other sources, including by purchasing it legally from data brokers who buy, package, and sell this data. In addition, banning TikTok would not significantly thwart Chinese influence operations, because, as the Russian intelligence agencies have repeatedly demonstrated, US-based social media platforms and their recommendation algorithms are easy to exploit and have already been repeatedly manipulated to shape US public opinion and divide Americans amongst themselves.
More fundamentally, and separate and apart from the president’s legal authority to take action, experts and policymakers have raised constitutional concerns regarding any attempt at a total ban of TikTok, as seen in the recent federal court decision temporarily blocking the state of Montana’s attempted comprehensive ban, holding that it likely violated the First Amendment and other constitutional protections.
Similar First Amendment concerns also overshadow any renewed federal effort to ban the app, whether founded on CFIUS’s still-ongoing investigation of TikTok, or even one authorized by new legislation from the US Congress. Even less comprehensive federal actions against TikTok, such as a potential CFIUS mitigation agreement requiring close government monitoring of TikTok postings to police for CCP influence operations, might run into difficult First Amendment territory, depending on how the Supreme Court rules in several cases in its 2023-2024 term that directly relate to the constitutionality of government efforts to interfere with or otherwise influence content moderation decisions made by social media platforms.
In the short term, US policymakers should distinguish acute and specific national security concerns around TikTok (e.g., its potential exploitation by Beijing for the purposes of surveillance and cyber intelligence-gathering, specific device-level concerns related to vulnerable persons, etc.) from broader issues endemic to the US information ecosystem that affect US competitiveness and the future of the digital commons.
In the long term, the United States requires a cohesive, forward-looking strategy built on defining critical information infrastructure and enacting baseline data and algorithmic transparency regulations. The TikTok debate merely makes visible these bigger issues that Washington has long overlooked. If they are not addressed, there will be other “TikTok moments”—and the nation will be no closer to a solution.
[1] As set forth in 50 USC. § 4565(k), CFIUS is an interagency committee chaired by the Treasury Department, tasked with reviewing certain foreign investments or other transactions involving US businesses or real estate to address potential national security concerns.
[2] See Marland v. Trump, 498 F. Supp. 3d 624 (E.D. Pa. Oct. 30, 2020) and TikTok, Inc. v. Trump, 507 F. Supp. 3d 92 (D.D.C. Dec. 7, 2020).
[3] There are individual federal laws governing discrete aspects of privacy, such as the Gramm Leach Bliley Act (protecting the privacy of financial information) and the Health Insurance Portability and Accountability Act (HIPAA) (protecting the privacy of medical information, though not digitally gathered biometric information).
[4] The US Supreme Court may have an opportunity during the 2023-2024 term to clarify some of the rules governing state efforts here, with its decision to grant review of two cases involving efforts by Florida and Texas to restrict social media companies’ ability to moderate certain content (Moody v. NetChoice, LLC (Florida) and NetChoice v. Paxton (Texas)) and its decision to grant review (Murthy v. Missouri) of a Fifth Circuit ruling limiting the ability of certain Biden Administration officials from talking to social media companies about content moderation decisions. Decisions in these cases will come sometime before the end of June 2024, but they potentially could impact the ability of the US government, states, and US platforms to address the risk posed by foreign influence campaigns, including by China.
Authors
Editors
Contributors
Cite this report:
Rose Jackson, Seth Stoddard, and Kenton Thibaut, “Hate the Game, Not the Player: How Strategic and Regulatory Confusion Around TikTok Prevent an Effective National Security Response,” Digital Forensic Research Lab (DFRLab), February 13, 2024, https://dfrlab.org/2024/02/13/tiktok-hate-the-game-not-the-player-how-strategic-and-regulatory-confusion-around-tiktok-prevent-an-effective-national-security-response/.