(CNN) As TikTok CEO Shou Zi Chew prepares for his first congressional grilling on Thursday, much of the focus will undoubtedly be on the short-form video app’s potential national security risks.
Concerns about TikTok’s connections to China have led governments worldwide to ban the app on official devices, and those fears have factored into the increasingly tense US-China relationship. The Biden administration has threatened TikTok with a nationwide ban unless its Chinese owners sell their stakes in the company.
But more than two years after the Trump administration first issued a similar threat to TikTok, security experts say the government’s fears, while serious, currently appear to reflect only the potential for TikTok to be used for foreign intelligence, not that it has been. There is still no public evidence the Chinese government has actually spied on people through TikTok.
TikTok doesn’t operate in China, but its parent company, ByteDance, is Chinese. Since the Chinese government enjoys significant leverage over businesses under its jurisdiction, the theory goes that ByteDance, and thus, indirectly, TikTok, could be forced to cooperate with a broad range of security activities, including possibly the transfer of TikTok data.
“It’s not that we know TikTok has done something, it’s that distrust of China and awareness of Chinese espionage has increased,” said James Lewis, an information security expert at the Center for Strategic and International Studies. “The context for TikTok is much worse as trust in China vanishes.”
When Rob Joyce, the National Security Agency’s director of cybersecurity, was asked by reporters in December to articulate his security concerns about TikTok, he offered a general warning rather than a specific allegation.
“People are always looking for the smoking gun in these technologies,” Joyce said. “I characterize it much more as a loaded gun.”
Technical experts also draw a distinction between the TikTok app — which appears to operate very similarly to American social media in the amount of user tracking and data collection it performs — and TikTok’s approach to governance and ownership. It’s the latter that’s been the biggest source of concern, not the former.
What is the concern?
The US government has said it’s worried China could use its national security laws to access the significant amount of personal information that TikTok, like most social media applications, collects from its US users.
The laws in question are extraordinarily broad, according to Western legal experts, requiring “any organization or citizen” in China to “support, assist and cooperate with state intelligence work,” without defining what “intelligence work” means.
Should Beijing gain access to TikTok’s user data, one concern is that the information could be used to identify intelligence opportunities — for example, by helping China uncover the vices, predilections or pressure points of a potential spy recruit or blackmail target, or by building a holistic profile of foreign visitors to the country by cross-referencing that data against other databases it holds. Even if many of TikTok’s users are young teens with seemingly nothing to hide, it’s possible some of those Americans may grow up to be government or industry officials whose social media history could prove useful to a foreign adversary.
Another concern is that if China has a view into TikTok’s algorithm or business operations, it could try to exert pressure on the company to shape what users see on the platform — either by removing content through censorship or by pushing preferred content and propaganda to users. This could have enormous repercussions for US elections, policymaking and other democratic discourse.
Are these concerns valid?
Security experts say these scenarios are a possibility based on what’s publicly known about China’s laws and TikTok’s ownership structure, but stress that they are hypothetical at best. To date, there is no public evidence that Beijing has actually harvested TikTok’s commercial data for intelligence or other purposes.
Chew, the TikTok CEO, has publicly said that the Chinese government has never asked TikTok for its data, and that the company would refuse any such request.
If there’s a risk, it’s primarily concentrated in the relationship between TikTok’s Chinese parent, ByteDance, and Beijing. The main issue is that the public has few ways of verifying whether or how that relationship, if it exists, might have been exploited.
TikTok has been erecting technical and organizational barriers that it says will keep US user data safe from unauthorized access. Under the plan, known as Project Texas, the US government and third-party companies such as Oracle would also have some degree of oversight of TikTok’s data practices. TikTok is working on a similar plan for the European Union known as Project Clover.
But that hasn’t assuaged the doubts of US officials, likely because no matter what TikTok does internally, China would still theoretically have leverage over TikTok’s Chinese owners. Exactly what that implies is ambiguous, and because it is ambiguous, it is unsettling.
In congressional testimony, TikTok has sought to assure US lawmakers it is free from Chinese government influence, but it has not spoken to the degree that ByteDance may be susceptible. TikTok has also acknowledged that some China-based employees have accessed US user data, though it’s unclear for what purpose, and it has disclosed to European users that China-based employees may access their data as part of doing their jobs.
What does TikTok actually know about its users?
Multiple privacy and security researchers who’ve examined TikTok’s app say there aren’t any glaring flaws suggesting the app itself is currently spying on people or leaking their information.
In 2020, The Washington Post worked with a privacy researcher to look under the hood at TikTok, concluding that the app does not appear to collect any more data than your typical mainstream social network. The following year, Pellaeon Lin, a Taiwan-based researcher at the University of Toronto’s Citizen Lab, performed another technical analysis that reached similar conclusions.
But even if TikTok collects about the same amount of information as Facebook or Twitter, that’s still quite a lot of data, including information about the videos you watch, comments you write, private messages you send, and — if you agree to grant this level of access — your exact geolocation and contact lists. TikTok’s privacy policy also says the company collects your email address, phone number, age, search and browsing history, information about what’s in the photos and videos you upload, and if you consent, the contents of your device’s clipboard so that you can copy and paste information into the app.
TikTok’s source code closely resembles that of its China-based analogue, Douyin, said Lin in an interview. That implies both apps are developed on the same code base and customized for their respective markets, he said. Theoretically, TikTok could have “privacy-violating hidden features” that can be turned on and off with a tweak to its server code and that the public might not know about, but the limitations of trying to reverse-engineer an app made it impossible for Lin to find out whether those configurations or features exist.
If TikTok used unencrypted communications protocols, or if it tried to access contact lists or precise geolocation data without permission, or if it moved to circumvent system-level privacy safeguards built into iOS or Android, then that would be evidence of a problem, Lin said. But he found none of those things.
“We did not find any overt vulnerabilities regarding their communication protocols, nor did we find any overt security problems within the app,” Lin said. “Regarding privacy, we also did not see the TikTok app exhibiting any behaviors similar to malware.”
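The three red flags Lin describes (plaintext network traffic, and contact-list or precise-location access the user never granted) are the kind of thing an app analyst checks mechanically against captured observations. The script below is an added illustration, not Citizen Lab’s tooling or anything from TikTok; the line-oriented log format, the permission names and the sample observations are all constructed for the example.

```python
"""Audit constructed app-behaviour observations for plaintext traffic and
for sensitive-resource access that was never authorised by the user.
The log format, permission names and sample lines are invented for this
example; they are not from any real capture of TikTok."""
import re
from dataclasses import dataclass

# Each sensitive resource must be preceded by a grant of this permission.
REQUIRED_PERMISSION = {
    "contacts": "CONTACTS",
    "precise_location": "LOCATION_PRECISE",
}

# Constructed observations, in the order they were captured.
SAMPLE_LOG = """\
net scheme=https host=api.example.test path=/v1/feed
perm name=LOCATION_PRECISE granted=true
access resource=precise_location
net scheme=http host=cdn.example.test path=/config.json
access resource=contacts
perm name=CONTACTS granted=true
access resource=contacts
"""

LINE_RE = re.compile(r"^(?P<kind>\w+)\s+(?P<fields>.*)$")


@dataclass
class Finding:
    line_no: int
    reason: str


def parse_fields(text: str) -> dict:
    """Turn 'k=v k2=v2' into a dict."""
    return dict(tok.split("=", 1) for tok in text.split())


def audit(log: str) -> list[Finding]:
    """Walk the log in order, tracking which permissions are currently
    granted, and report plaintext traffic and unauthorised access."""
    granted = set()
    findings = []
    for line_no, line in enumerate(log.splitlines(), start=1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        kind, fields = m.group("kind"), parse_fields(m.group("fields"))
        if kind == "perm":
            # A later 'granted=false' revokes the permission again.
            if fields.get("granted") == "true":
                granted.add(fields["name"])
            else:
                granted.discard(fields["name"])
        elif kind == "net":
            if fields.get("scheme") != "https":
                findings.append(Finding(
                    line_no,
                    f"plaintext {fields.get('scheme')} traffic to {fields.get('host')}"))
        elif kind == "access":
            resource = fields.get("resource")
            needed = REQUIRED_PERMISSION.get(resource)
            if needed and needed not in granted:
                findings.append(Finding(
                    line_no, f"{resource} accessed without {needed} permission"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}")
```

Run against the sample, the audit flags the plaintext config fetch on line 4 and the contact-list read on line 5, which happens before the CONTACTS grant; the later read on line 7 is clean because the permission is granted by then. Circumvention of OS-level safeguards, the third indicator Lin names, cannot be judged from a log like this and needs inspection of the app itself.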
Are there other security concerns?
TikTok has faced claims that its in-app browser tracks its users’ keyboard entries, and that this type of conduct, known as keylogging, could be a security risk. The privacy researcher who performed the analysis last year, Felix Krause, said that keylogging is not an inherently malicious activity, but it theoretically means TikTok could collect passwords, credit card information or other sensitive data that users may submit to websites when they visit them through TikTok’s in-app browser.
There is no public evidence TikTok has actually done that, however. TikTok has said the keylogging function is used for “debugging, troubleshooting, and performance monitoring,” as well as to detect bots and spam. Other research has shown that the use of keyloggers is extremely widespread in the technology industry. That does not necessarily excuse TikTok or its peers for using a keylogger in the first place, but neither is it proof positive that TikTok’s product, by itself, is any more of a national security threat than other websites.
There have also been a number of studies that report TikTok is tracking users around the internet even when they are not using the app. By embedding tracking pixels on third-party websites, TikTok can collect information about a website’s visitors, the studies have found. TikTok has said it uses the data to bolster its advertising business. And in this respect, TikTok is not unique: the same tool is used by US tech giants including Facebook-parent Meta and Google on a far larger scale, according to Malwarebytes, a leading cybersecurity firm.
As with the keylogging tech, the fact TikTok uses tracking pixels does not on its own transform the company into a national security threat; the risk is that the Chinese government could compel or influence TikTok, through ByteDance, to abuse its data collection capabilities.
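A tracking pixel only reaches its operator if the host page is allowed to load an image or send a beacon to the tracker’s domain, so the site operator’s Content-Security-Policy is the control that decides which third parties receive visitor data. The following is an added example, not code from TikTok, Malwarebytes or any pixel vendor: it evaluates constructed resource loads against two constructed policies. The CSP matching is a simplified subset ('self', 'none', '*', scheme sources, host and *.host sources; ports and paths are ignored), and the page origin, policies and URLs are all invented.

```python
"""Check which of a page's resource loads, tracking pixels included, a
Content-Security-Policy would block. Simplified CSP matching; the page
origin, policies and resource URLs are constructed for this example."""
from urllib.parse import urlparse

PAGE_ORIGIN = "https://shop.example.test"

# Constructed loads: first-party assets plus a third-party 1x1 image and
# a beacon request of the kind a tracking pixel uses to report a visitor.
SAMPLE_LOADS = [
    ("img", "https://shop.example.test/logo.png"),
    ("img", "https://analytics.example-tracker.test/pixel.gif?visitor=abc123"),
    ("connect", "https://events.example-tracker.test/collect"),
    ("connect", "https://api.shop.example.test/cart"),
    ("script", "https://cdn.example-tracker.test/tag.js"),
]

# Only first-party resources plus a dedicated API host.
STRICT_CSP = ("default-src 'self'; img-src 'self'; "
              "connect-src 'self' https://api.shop.example.test; script-src 'self'")
# A permissive policy that lets the tracker's image and beacon through.
LOOSE_CSP = ("default-src 'self'; img-src *; "
             "connect-src 'self' https://api.shop.example.test *.example-tracker.test")

DIRECTIVE_FOR = {"img": "img-src", "connect": "connect-src", "script": "script-src"}


def parse_csp(policy: str) -> dict:
    """Split 'dir src src; dir src' into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def source_matches(source: str, url: str) -> bool:
    """Does one CSP source expression permit this URL? (subset of CSP3)"""
    u = urlparse(url)
    origin = urlparse(PAGE_ORIGIN)
    if source == "'none'":
        return False
    if source == "'self'":
        return (u.scheme, u.hostname) == (origin.scheme, origin.hostname)
    if source == "*":
        return u.scheme in ("http", "https")
    if source.endswith(":"):  # scheme source such as https:
        return u.scheme == source[:-1]
    scheme, _, host = source.rpartition("://")  # [scheme://]host[:port][/path]
    if scheme and scheme != u.scheme:
        return False
    host = host.split("/")[0].split(":")[0]  # drop path and port
    if host.startswith("*."):
        # *.example.test matches subdomains only, not example.test itself
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.hostname == host


def allowed(policy: dict, kind: str, url: str) -> bool:
    """Apply the directive for this load kind, falling back to default-src."""
    sources = policy.get(DIRECTIVE_FOR[kind])
    if sources is None:
        sources = policy.get("default-src")
    if sources is None:
        return True  # no applicable directive: CSP does not restrict it
    return any(source_matches(s, url) for s in sources)


def blocked_loads(policy_text: str, loads=SAMPLE_LOADS) -> list:
    """Return the URLs from `loads` that the policy would refuse."""
    policy = parse_csp(policy_text)
    return [url for kind, url in loads if not allowed(policy, kind, url)]


if __name__ == "__main__":
    for name, csp in (("strict", STRICT_CSP), ("loose", LOOSE_CSP)):
        print(name, "blocks:", blocked_loads(csp))
```

Under the strict policy the pixel image, the beacon and the tracker’s script are all refused while the first-party API call still works; under the loose policy only the script is blocked (it falls through to default-src), so the pixel and beacon would still carry the visitor identifier to the tracker. Deploying a candidate policy with the Content-Security-Policy-Report-Only header first lets a site owner see what such a change would block before enforcing it.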
Separately, a report last year found TikTok was spying on journalists, snooping on their user data and IP addresses to find out when or if certain reporters were sharing the same location as company employees. TikTok later confirmed the incident and ByteDance fired several employees who had improperly accessed the TikTok data of two journalists.
The circumstances surrounding the incident suggest it was not the type of wide-scale, government-directed intelligence effort that US national security officials primarily fear. Instead, it appeared to be part of a specific internal effort by some ByteDance employees to hunt down leaks to the press, which may be deplorable but hardly uncommon for an organization under public scrutiny. (Nevertheless, the US government is reportedly investigating the incident.)
Joyce, the NSA’s top cyber official, told reporters in December that what he really worries about is “large-scale influence” campaigns leveraging TikTok’s data, not “individualized targeting through [TikTok] to do malicious things.”
To date, however, there’s no public evidence of that taking place.
Bottom line
TikTok may collect an extensive amount of data, much of it quietly, but as far as researchers can tell, it isn’t any more invasive or illegal than what other US tech companies do.
According to security experts, that’s more a reflection of the broad leeway we’ve given to tech companies in general to handle our data, not an issue that’s unique or specific to TikTok.
“We have to trust that those companies are doing the right thing with the information and access we’ve provided them,” said Peiter “Mudge” Zatko, a longtime ethical hacker and Twitter’s former head of security who turned whistleblower. “We probably shouldn’t. And this comes down to a concern about the ultimate governance of these companies.”
Lin told CNN that TikTok and other social media companies’ appetite for data highlights policy failures to pass strong privacy laws that regulate the tech industry writ large.
“TikTok is only a product of the entire surveillance capitalism economy,” Lin said. “And governments around the world are ignoring their duty to protect citizens’ private information, allowing big tech companies to exploit user information for gain. Governments should try to better protect user information, instead of focusing on one particular app without good evidence.”
Asked how he would advise policymakers to look at TikTok instead, Lin said: “What I would call for is more evidence-based policy.”