TikTok and National Security

Recent legislation in the House of Representatives highlights the discussion of national security risks from the use of TikTok have identified three potential sources of danger. The first is that TikTok is part of a nefarious Chinese government influence operation designed to sway U.S. politics. The second is that TikTok can be used to collect personal data on Americans. The third is that voluntarily downloading TikTok onto phones or devices allows for the injection of malicious software by China. Only the third source creates serious risk.

Influence operations are generally overrated. If American democracy is at risk, survey data suggests this has little to do with external actors. The problem is domestic. This is not confined to the United States—a wave of right-wing populism is sweeping across democracies from India to the Netherlands and the United States, as a reaction to perceived injustices. Some analysts blame this on the arrival of a new gilded age, where disparities in wealth create deep political tensions, but even Russia, which is usually best at influence operations, is struggling with exploiting these tensions, and China is not as good as Russia in influence operations aimed at foreign audiences.

One topic where TikTok has been used in an effort to shape political views and to distort facts is in regard to the conflict in Gaza, but this is not the result of China’s activities. It reflects the spontaneous efforts of users. This kind of problem is a feature of social media, where uncurated and unverified information is the norm.

China does collect personal data on Americans and have been doing so for at least a decade, but there is no evidence that it has found a way to benefit from this. China takes advantage of the loophole created by the congressional failure to pass privacy legislation. The new Executive Order (EO) on data may make this more difficult but will not stop foreign access to American data as the EO strictures can be circumvented. Possible explanations for China’s data collection effort include to guide influence operations, but as noted above, these are ineffectual. It could be used for espionage purposes, to identify targets for recruitment, but again, there is no evidence that China has done this. Finally, this data could be useful for counterintelligence purposes to identify U.S. agents by correlating it with other data. It is likely that China (like other major intelligence agencies) runs analytical programs to identify persons of interest, but TikTok users may not be the best subject population for finding intelligence agents.

One area of real risk is in installing and updating the TikTok app. In effect, TikTok users are voluntarily downloading Chinese software into which they have minimal or no insight, onto their devices. Even if the app has been screened and declared clean by an app store (a protection the European Union is inadvertently undermining with its Digital Market Act), there is no guarantee that future updates and patches will include malware.

Several solutions to this problem have been proposed, but not all are feasible. Forcing ByteDance, TikTok’s parent company, to divest itself of the valuable and highly profitable assets and sell to a U.S. owner could reduce risk but is impossible. China would object—it has already placed export controls on TikTok’s software—and it could retaliate against U.S. companies by forcing them to divest. Even if Beijing did not object to divestiture, TikTok is exceptionally valuable—some estimate it is worth more than $200 billion—and there are few or no buyers capable of finding this kind of money. Forcing ByteDance to sell at a reduced price reinforces the possibility of China retaliating. TikTok could avoid divestiture and set up shop in a third country (in the past, TikTok considered doing this in Ireland), storing its data and conducting operations there to circumvent U.S. restrictions. Finally, forced “fire sales” of valuable assets is a common tactic of the Putin regime (Russian social media network VKontakte is a good example) and not a precedent the United States should adopt.

Banning TikTok faces significant likely insurmountable obstacles and relation to free speech, which is protected by the First Amendment. The Berman Amendment also limits the ability to use sanction laws to restrict speech. Previous efforts to ban TikTok have all failed because of these obstacles, and while his administration is cognizant both need for any action against TikTok to withstand judicial scrutiny, a ban would face lengthy litigation and would likely fail.

A more feasible approach would take advantage of TikTok’s desire to use an initial public offering (IPO) to offer shares of the company to the market. An IPO would allow TikTok’s current owners to legitimately profit from the company’s success. TikTok would like to do this on Wall Street; Beijing may insist that its IPO be offered in Shanghai. TikTok’s investors would like to use an IPO to “cash out,” and an IPO on Wall Street would provide a vehicle for the Committee on Foreign Investment (CFIUS) to intervene and impose conditions on the IPO to mitigate risk.

The most important of these would be to establish external oversight of TikTok software and updates, using a third-party review. One approach would be to create an oversight board of U.S. citizens with security clearances (a common CFIUS practice). Monitoring data flows and conditions on where personal data could be stored by the new entity, who could access it and how it could be used could be part of a CFIUS agreement. CFIUS could require increased transparency into the operations of the new entity to reduce risk. These measures resemble those proposed by TikTok in its “Project Texas” plan, but Project Texas suffered the fatal flaw of having TikTok police itself, and CFIUS could require that oversight and compliance be conducted by an external third party.

There is a larger and more complicated problem of Chinese software use in U.S. apps and networks (and Chinese software modules are present in some leading apps used in the United States). A first step to addressing this would be to have the Department of Commerce’s Office of Information and Communications Technology and Services responsible for the Information and Communication Technology and Services (ICTS) program to use its survey authorities to determine the scope of the problem and to identify what additional authorities it would need (it now relies largely on the International Emergency Economic Powers Act, IEEPA) to compel the removal of Chinese software that poses national security risks.

Whether TikTok is complicit or not, the United States should manage the risk created by deep technological connections to a hostile and untrustworthy nation that is undertaking the largest espionage campaign in history. Legislation and executive branch authorities can minimize risk while allowing TikTok to continue to operate. Broader solutions could include finally passing a national privacy law, expanding transparency into software supply networks, and restricting cases where the use of Chinese technology creates risk. Not all Chinese technology creates risk, but real risks can be mitigated, including those attributed to TikTok.

James A. Lewis is a senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.