TikTok security deal likely to leave US data vulnerable to hacks, espionage by China

Published: Updated:
Read Mode
100% Font Size
8 min read

TikTok users would still risk having personal data exposed to hacking and espionage by China even if the Biden administration forges a security agreement designed to spare the video platform from a total US ban.

That’s the conclusion of former national security officials and other experts as the Justice Department reviews an accord that would keep the popular video-streaming app, which is owned by China’s ByteDance Ltd., accessible to its millions of US users.

For all the latest headlines follow our Google News channel online or via the app.

TikTok has been under US scrutiny since 2019 over concerns that Chinese actors might tap those users’ information for espionage or other harmful purposes.

“They built the whole system in China,” said Stewart Baker, a national security lawyer at Steptoe & Johnson LLP. “Unless they’re going to rebuild the system in the United States at great expense, sooner or later, when something goes wrong, there’s going to turn out to be only one engineer who knows how to fix it. And he or she is likely to be in China.”

This analysis of the agreement is based on interviews with former national security officials, lawyers who have worked on similar deals and experts who have studied data security, social media platforms and telecommunications companies. There’s no indication a decision has been made.

Brooke Oberwetter, a spokesperson for TikTok, said that while the company would not comment on the specifics of its discussions with the US government, “We are confident that we are on a path to fully satisfy all reasonable US national security concerns.”

She also pointed out that while some employees based in China would have access to public data posted by users, they would not have access to private user information, and their use of the public data — including videos and comments — would be very limited and accessed under the supervision of the oversight board set up by the US government.

TikTok is routing all its US user traffic through servers maintained by Oracle Corp. and the database giant is auditing the app’s algorithms.

Still, additional restrictions on how US user data is stored and accessed will be necessary -- and might not resolve US security concerns no matter how strong a deal looks on paper, the experts said.

That’s a view shared by Senator Mark Warner, the Virginia Democrat who chairs the Senate Intelligence Committee.

He said he’s aware of the conversations around TikTok and couldn’t give details. Nonetheless, he said the company has “a big mountain to climb with me to prove the case that it can really be safe.”

Warner said China has a bad track record on protecting users’ privacy. “They’ve shown repeatedly the ability to create this surveillance state that ought to scare the dickens out of all of us.”

He added that it’s much harder today to wall off TikTok’s data technically or ban it outright than it was five or six years ago as the popularity of the app has surged.

“The burden of proof that you can really segregate American data, particularly if the code is still being written in China -- that would be a tough case to make.”

While TikTok’s owner ByteDance has tried to distance itself from Chinese state influence, President Xi Jinping has launched a sweeping crackdown on private enterprises, particularly in the tech sector.

The video-streaming app, which has about 1 billion users but is banned in China, has been under scrutiny by US officials since 2019, when the Committee on Foreign Investment in the US began reviewing a merger between ByteDance and Musical.ly.

The Biden administration re-opened a national security review of TikTok after former President Donald Trump stopped short of banning the app in an effort to broker a deal to sell the platform to a US buyer, which never came to fruition.

ByteDance had sought US approval to sell a stake in the app to Oracle and Walmart Inc., but the transaction didn’t materialize.

A US court blocked efforts by the Trump administration to boot TikTok from app stores operated by Apple Inc. and Alphabet Inc.’s Google.

Cfius, which is chaired by the Treasury Department but includes members from across the government, has the power to reject or modify transactions involving foreign companies that purchase US entities.

The agency is “committed to taking all necessary actions within its authority to safeguard US national security,” said Treasury spokesperson Michael Kikukawa, declining to comment further.

If the companies that come under review are able to make concessions to sell or cordon off US assets that raise security concerns, including data, it’s possible to work out an agreement with the security panel to allow the transaction to proceed.

These arrangements can include establishing a new board of directors and an oversight board that reports to Cfius.

“You’ll get an agreement that commits the company to behave responsibly and transparently,” said James Lewis, the director of the Strategic Technologies Program at the Center for Strategic and International Studies. “And you’ll have the ability to pull the plug if it looks like anything’s not being honored.”

Lewis pointed to the purchase of T-Mobile USA Inc. by Germany’s Deutsche Telecom AG in 2001 and Sprint Corp.’s 2013 sale to Japanese investment firm Softbank Group Corp. In both those deals, the US put in place monitoring to ensure the data of US citizens wasn’t being misused, Lewis said.

Nova Daly, a senior public policy adviser for Wiley Rein LLP, and a former Treasury official who worked on Cfius deals, said in some instances, it’s better to have the foreign company retain ownership of the US company because it allows for more robust scrutiny of that data.

“Sometimes this kind of data is more securely protected by the enforcement powers of a mitigation agreement, rather than an owner that isn’t compelled by law to protect it,” said Daly, pointing out that it will still be hard to secure the data against determined efforts to steal it or use it for nefarious purposes.
If national security concerns can’t be resolved, Cfius can force the companies to walk away from a deal or unwind a transaction.

Lawmakers pressed TikTok Chief Operating Officer Vanessa Pappas during a Senate hearing last month about whether the company would seal off Chinese access to all US data. Pappas said the company has strict controls over access to data and where it’s stored, and that the company wouldn’t give that data to the Chinese government.

She said that the company will continue cooperating with federal agencies to secure US data and said a final agreement “will satisfy all national security concerns.”

Steptoe’s Baker said that argument suggests that while TikTok may believe it’s satisfied reasonable national-security concerns, “they shouldn’t have to sign in blood that there will never be access.

Read more:

Displaced Syrian live streamers on TikTok receive less than 30 pct of total donation

Russian court fines TikTok $50,000 over content

TikTok bans political accounts from fundraising, other moneymaking opportunities

Top Content Trending