Three hundred billion dollars, three billion downloads, and at least 90 minutes of attention per user every day—TikTok and its China-based parent company have captured much of the world in more ways than one. Yet today’s most popular social media app poses a distinct threat to American citizens. From logging keystrokes to laundering pro–Chinese Communist Party (CCP) narratives to U.S. audiences, TikTok—via its Beijing-based parent company ByteDance—exposes Americans to a host of abuses by the Chinese government.
TikTok’s data-collection and exploitation practices, abuses of privacy, propagation of influence operations, and promotion of social contagions that rend America’s social fabric require immediate attention from policymakers. If America is to preserve her self-governing republic, especially in the psyches of the next generation, dealing with TikTok and successor platforms is both a strategic and moral imperative.
TikTok and the CCP
TikTok’s parent company, ByteDance, is subject to the People’s Republic of China’s (PRC) laws and policies that permit the CCP’s access to the data ByteDance collects. One such policy is China’s 2017 National Intelligence Law, which compels private entities and individuals to cooperate with “state intelligence work.” Specifically, Article 7 of this law declares that “any organization or citizen shall support, assist, and cooperate with state intelligence work according to the law.”
Beyond this, Chinese officials—former and current—are embedded in TikTok’s parent company and involved in the company’s inner workings. In April 2021, the Chinese government acquired a 1 percent stake in ByteDance’s main domestic subsidiary and the board seat that came along with it. This action makes at least one of the three board members, Wu Shugang, a card-carrying official of the Chinese government. Further, a U.S. Department of Justice filing against TikTok assessed in September 2020 that “ByteDance contains an internal corporate CCP committee through which the CCP exercises influence at the company.” At lower levels, an August 2022 Forbes review found more than 300 LinkedIn profiles of current TikTok and ByteDance employees with ties to the Chinese state media apparatus. Fifteen of these profiles indicate that these professionals are both employed by ByteDance and official Chinese propaganda arms at the same time.
In fact, TikTok’s ties to the CCP via ByteDance are so deep that TikTok’s public relations strategy, laid out in a leaked document titled “TikTok Master Messaging” and published by Gizmodo in July 2022, includes imperatives to “[d]ownplay the parent company ByteDance, downplay the China association” as two of the first four exhortations on the list.
TikTok’s Data Privacy and Collection Methods
While a number of private American platforms engage in controversial data-collection and tracking practices, TikTok’s CCP links intensify debates over privacy invasion. Given its influence over the app, the CCP would likely encourage more collection, not less. And while the commercial surveillance practices of many American companies are exploitative, direct comparisons do not account for the differences in corporate governance between American and Chinese companies as well as the stark contrasts between U.S. and Chinese political systems. America—though under internal pressure—retains a relatively open society, free press, engaged citizenry, and independent judiciary to hold both the U.S. government and private companies accountable for their data-collection practices. China does not have a remotely comparable approach.
In terms of comparative data-collection practices to other platforms, a February 2023 report by cybersecurity company Internet 2.0 alleges that TikTok’s data-collection behaviors are among the worst in the industry. For example, TikTok’s Malcore (malware analysis tool) score was 63.1 out of 100, the highest and worst score of the more than 20 digital applications it tested. The average application’s score was 28.8, with no other app ranking as poorly in terms of data privacy and security as TikTok. According to the report, TikTok’s performance was due, in part, to the security vulnerabilities in TikTok’s code and the abundance of data trackers riddling the platform.
Particularly troubling is the extent to which TikTok conceals atypical elements of its collection practices. In August 2020, The Wall Street Journal revealed that TikTok exploited a loophole in Google’s Android operating system that allowed it to track the media access control (MAC) addresses (the unique device identifiers) of its users for at least 15 months. When TikTok was first installed on a new device over that time period, the company reportedly bundled these identifiers and other device data to send to parent company ByteDance. During the 15-month period, TikTok reportedly took steps to cover its tracks and conceal its exploitation of this loophole via a layer of encryption. TikTok also reportedly accessed user clipboards on Apple’s mobile operating system for a time, reading the clipboard in every instance the app was opened, potentially exposing sensitive information, such as passwords and banking information, to TikTok.
Whose Data? Everyone’s Data
Hard security concerns, such as vulnerability to intrusion and hacking through lax security measures, backdoors, and even bugdoors (security flaws hidden in a programming vulnerability, wittingly or unwittingly), are present whenever a device connects to the Internet. Yet TikTok appears to have deliberately engineered access to non-public datasets for certain individuals. Leaked audio of 80 internal TikTok meetings obtained by BuzzFeed captured an external auditor as he mused: “I feel like with these tools, there’s some backdoor to access user data in almost all of them.” Even without backdoors, bugdoors can be introduced later via a software update that provides access to certain systems. Additionally, TikTok could serve as a potential entry point to access the data of other people using the same Wi-Fi network.
This matters because China-based engineers employed by ByteDance reportedly accessed U.S. user data multiple times over the course of at least four months from 2021 to 2022. In June 2022, the same BuzzFeed-obtained leaked audio from TikTok’s internal company meetings confirmed that China-based engineers accessed U.S. user information that was not public, including birthdays and phone numbers. Before that, TikTok’s former chief information security officer tacitly admitted in a 2020 blog post that employees in China had access to U.S. user data.
Separate whistleblower leaks point to access of U.S. user data by China-based employees as a pervasive practice among ByteDance employees. In a March 2023 letter to Committee on Foreign Investment in the United States (CFIUS) chair Janet Yellen, Senator Josh Hawley (R–MO) wrote that a former ByteDance employee with direct knowledge of TikTok’s operations admitted that his colleagues could “switch between Chinese and U.S. data with nothing more than the click of a button using a proprietary tool…just like a light switch.” In this case, extensive safeguards to shield U.S. user data likely did not exist, and it was not difficult for ByteDance employees to access the data of Americans at will. In 2022, ByteDance conceded that it built an entire initiative centered around using TikTok to monitor the locations of at least two U.S. journalists. Known internally as Project Raven, this effort to track the physical locations of Americans was approved by ByteDance employees in China, likely as an attempt to ferret out the employees who leaked to BuzzFeed in the summer of 2022.
Beyond access to data, the CCP’s likely control over TikTok’s algorithm—originally designed using ByteDance’s algorithms and artificial intelligence (AI) models—raises questions about the app’s potential to be actively manipulated by CCP-linked actors. During divestment talks with Oracle in 2020, ByteDance representatives reportedly indicated that they would not surrender TikTok’s source code to the U.S. company and would instead retain it in China. After all, the CCP would have much to lose if ByteDance transferred the algorithm to an American company. FBI Director Christopher Wray appeared to explain why in a public speech more than two years later, asserting that the Chinese government both controls ByteDance and has the “ability to control the recommendation algorithm.” In a later hearing in front of the Senate Intelligence Committee in 2023, Director Wray testified that the Chinese government could control the software and data of millions of users who have TikTok on their devices, as well as spread propaganda within America. Given the CCP’s authoritarian track record, it is naive to believe that it has not taken advantage of these capabilities.
Manipulating the Information Environment
Concerns over data security barely scratch the surface of TikTok’s ability to manipulate the information environment. ByteDance and TikTok have already pushed pro-CCP narratives to the U.S. public, censored content of which the party-state disapproves, and gathered the necessary information to conduct tailored influence campaigns. In two years, the percentage of American adults who regularly get their news from TikTok rose from only 3 percent in 2020 to 10 percent in 2022, roughly tripling this audience. Now, nearly a quarter of adults in the United States under the age of 30 claim to regularly get their news from TikTok, according to the same survey. This creates yet another vector through which the CCP can expand its influence over the cognitive landscape of the American body politic.
In one example of these soft influence operations against U.S. users, former ByteDance employees alleged in 2022 that TikTok’s parent company deliberately served pro-China content to a U.S. audience through its old news app, TopBuzz, in addition to censoring stories unfavorable to the Chinese government. In 2020, TikTok confirmed that the Chinese government asked its employees to set up an account, under the radar, that “[showcases] the best side of China (some sort of propaganda),” according to a TikTok employee. Leaked documents revealed that TikTok censors content that exposes the CCP’s genocide against its Uyghur community in the Xinjiang region and videos about Tiananmen Square, Tibetan independence, and Hong Kong protests. Concurrently, TikTok accounts linked to Chinese state media pushed divisive content to users during the 2022 U.S. midterm elections focusing on cultural flashpoints, such as the abortion debate, and mostly criticizing Republican candidates while favoring Democrats.
TikTok’s algorithm and unique technical features, such as “heating” (artificially picking stories to go viral), also facilitate its manipulation of the information environment. Because the algorithm trains on data drawn from individual user preferences and engagement rather than on connections and “friend” networks, it amounts to a more bespoke vector for propaganda delivery. When information is tailored to individuals based on their unique digital profiles, it could supercharge, at scale, custom CCP influence operations against U.S. citizens. It is not hard to envision how these techniques could be deployed for the next U.S. presidential election in 2024.
The Long Game: Integrating TikTok Data with Stolen Datasets to Map U.S. Networks and Life Patterns
Americans should be concerned about the integration of TikTok data with China’s growing trove of stolen datasets from hacks conducted at least as far back as 2014. Seemingly disparate datasets, once integrated, can help foreign adversaries to create profiles of American citizens that are ripe for blackmail, espionage, and more.
TikTok data, if fused with other information, could paint comprehensive intelligence pictures of American users. This type of data integration involves bringing together distinct data sources and synthesizing them into something new and more useful than the constituent sources. Such integration can also be as simple as cross-referencing data to make inferences and assessments.
Relatedly, China’s strides in AI development indicate that the Chinese party-state can and will apply emerging technologies to such datasets to expeditiously exploit its collection. Leveraging applications of AI, such as machine learning, and analytics can transform data into insights. These technologies can parse through raw data at machine speed and make it useful, such as by identifying patterns and anomalies or predicting and mapping trends. Big data analytics can help to process and analyze large volumes of data and extract meaning or flag items of interest. With the advent of these technologies, data that was previously discarded or ignored now has value. What TikTok collects is thus even more useful to the PRC.
China is no stranger to employing these techniques. In fact, CCP officials are already using analytics and data integration to enforce internal control in places like the Xinjiang Uyghur Autonomous Region using an “Integrated Joint Operations Platform.” Through this and other systems, Chinese authorities aggregate behavioral and biometric data, such as whether inhabitants use an abnormal amount of electricity, display religious enthusiasm, or fail to show up to the local CCP activity of the day. Authorities collect iris scans, cheek swabs, eyelash and voice samples, and even 360-degree captures of an individual’s gait, all with the intent of integrating these pieces of data to create a multimodal profile of individuals and identify potential threats to the regime. TikTok, given the depth and scope of data it collects, could be used by the Chinese government to build digital profiles, determine patterns of life, and even map out the social networks of Americans.
The CCP can easily construct digital profiles of Americans using the surveillance footholds it has already gained in the United States and other parts of the West. China reportedly created dossiers on prominent Americans and those hailing from allied countries like Australia, Canada, and Great Britain as recently as 2020 with both stolen and publicly available datasets. This is just the tip of the iceberg. The CCP could add TikTok and other “open-source” data to cross-reference data from the Chinese hack of the Office of Personnel Management detected in 2014, which exposed the Social Security numbers, addresses, and family contacts of thousands of U.S. government employees, among other sensitive information. This data can be added to that from other hacks linked to the Chinese state, such as the hack of the Marriott hotel system in 2018, the Anthem health care system hack from 2015, and the Equifax financial services hack in 2017, to enable the CCP to track where U.S. citizens stay, who they travel with, and any vulnerabilities in their health, medical, or financial lives. Patterns of life from digital platforms like TikTok, with real-time GPS and biometric data-collection capabilities, can fill in many gaps. As former Google CEO Eric Schmidt warns in a 2023 Foreign Affairs essay:
[T]he warfare of the future will target individuals in completely new ways: authoritarian states such as China and Russia may be able to collect individual data on Americans’ shopping habits, location, and even DNA profiles, allowing for tailor-made disinformation campaigns and even targeted biological attacks and assassinations.
The Chinese party-state has already unleashed an advanced surveillance state on its own people. All efforts by the CCP to apply its surveillance apparatus to Americans must be actively repudiated.
Recommendations for the United States
Given the current threat environment, The Heritage Foundation recommends a wholesale ban of TikTok’s operations in the United States (and, eventually, all U.S. allied countries). After implementing a U.S. ban, the federal government should craft, publicize, and enforce a risk framework for foreign-owned platforms and applications seeking entry into the U.S. market. A systemic approach is required to prevent another TikTok from infiltrating America in the future.
To achieve this outcome, Congress, along with the executive branch and relevant agencies, should:
Ban TikTok from Operating in the U.S. Market. Congress should eliminate the loophole that prevents the President from enforcing sanctions against TikTok. To do so, U.S. legislators should update the International Emergency Economic Powers Act’s (IEEPA’s) Berman Amendment. IEEPA generally grants the President broad authority to contend with unusual or extraordinary foreign threats through measures like economic sanctions or embargoes. A 2020 executive order by President Trump attempted to use IEEPA authorities to ban TikTok as a national security threat. TikTok sued the Trump Administration that same year, and a federal judge sided with TikTok by relying in part on a loophole for “informational materials” in the Berman Amendment, a set of amendments to IEEPA originally meant to protect the free flow of legitimate communication, such as films and photographs, to the United States from hostile nations like Cuba.
Congress should update the statute to account for today’s information environment and data exploitation practices by foreign-owned digital platforms and their proxies. Specifically, the informational materials exemption could be qualified with language to indicate that these materials should be reasonably free from malign state actor links and influence. TikTok, by virtue of its parent company ByteDance, would not meet this criterion for exemption.
- Congress can make clear, for example, that under such an update to the Berman Amendment, the President can deem these foreign-owned digital platforms (1) a national security threat, and (2) under the influence of a malign state actor. Alternatively, Congress can find that TikTok already qualifies as a national security threat under malign state actor influence.
- Legislators can also engineer a ban through other avenues that eliminate the Berman Amendment loophole or otherwise allow the use of IEEPA authorities to ban TikTok. Such efforts include Senator Marco Rubio’s (R–FL) draft bill Averting the National Threat of Internet Surveillance, Oppressive Censorship and Influence, and Algorithmic Learning by the Chinese Communist Party (ANTI-SOCIAL CCP) Act, a bipartisan companion bill in the House sponsored by Representatives Mike Gallagher (R–WI) and Raja Krishnamoorthi (D–IL), and Representative Mike McCaul’s (R–TX) Deterring America’s Technological Adversaries (DATA) Act.
Institute a Risk-Based Framework that Triggers Specific Policies for Foreign-Owned Digital Platforms that Want to Operate in the United States. A solution to the next TikTok exists in a country-neutral risk framework applied to foreign-owned platforms. When met, these criteria would trigger an if–then ruleset for more focused policy prescriptions. If a particular criterion or set of criteria is met, then a particular policy action should be enacted. The Treasury Department, Commerce Department, State Department, and the National Institute of Standards and Technology can contribute to the development of this framework. Essential elements of risk-based criteria that, when met, should trigger specific policy action include:
- The digital platform’s target audience and monthly active users (such as the size of the digital platform’s American userbase and scale of growth). Meeting high-risk criteria under this description would not trigger a specific policy action but would help to inform the next three criteria.
- The platform’s overall security (such as vulnerability to hard security problems like hacking and intrusion). Meeting high-risk criteria under this description would likely trigger a CFIUS review.
- The platform’s collection and information-control practices (such as features of its algorithms, content moderation, and censorship policies). Meeting high-risk criteria under this description would likely trigger the use of IEEPA sanctions.
- The platform’s home jurisdiction. This last element should encompass a foreign government’s data practices (that is, asking: Does the foreign government use AI-driven systems for surveillance that data collection from a U.S. market will help to improve?), the foreign government’s human rights record, and the foreign government’s governance atmosphere. Platforms emanating from adversary nations like Iran, North Korea, or Russia would effectively trigger specific policy action. Meeting specific high-risk criteria in this description would likely trigger a combination of CFIUS review and Leahy Law restrictions.
Pass a National Data-Protection Framework to Address Third-Party Data Collection and Sharing Mechanisms for U.S. Users. Congress should prohibit digital applications from sending U.S. user data to TikTok/ByteDance and similar foreign-owned digital platforms that represent legitimate national security threats to the United States.
- A TikTok ban is not sufficient to protect U.S. data because myriad apps and trackers can send U.S. data to TikTok even if a user has not downloaded the TikTok app. In the future, if a company like TikTok/ByteDance meets specific high-risk criteria under the risk-based framework proposed in this Backgrounder, then these apps should be prevented from sending U.S. data to these designated companies.
- Congress can take steps to prevent applications from providing TikTok, and therefore ByteDance, with U.S. data via a data-protection framework with appropriate standards and oversight for how commercial entities collect, store, and share U.S. user data.
Private companies should:
Remove TikTok from Their App Stores While Congress Negotiates a Solution to the TikTok Problem. Pending congressional action on TikTok, U.S. tech companies, including Google and Apple, should remove TikTok from their app stores due to its relationship to the CCP and legitimate threat to national security.
Every day that TikTok is allowed to operate in the United States is another day that China can collect information about U.S. citizens and sharpen its ability to exploit Americans—especially the young. The more that TikTok becomes embedded in the United States, the harder it will be to uproot.
Even so, there will be another TikTok. Without implementing a systemic, risk-based framework to proactively address the next TikTok now, the U.S. will have ceded yet another critical digital battlespace to its adversaries. More so, U.S. policymakers have a duty to safeguard America’s social fabric and protect young citizens from the whims of an adversary nation. Failing to deliver means that the next generation of Americans will pay the price for Washington’s lassitude.
Kara Frederick is Director of the Technology Policy Center at The Heritage Foundation.