Everyone in Washington is talking about a TikTok ban. But is it really a national security threat?

CNN

One thing was clear after Shou Chew, TikTok CEO, testified before a Congressional committee for over five hours. It was clear that the US lawmakers still believe that TikTok poses a threat to national security.

Chew made his first appearance before Congress. Many lawmakers were skeptical about TikTok’s efforts to protect US user data and to ease concerns about China’s ties to it. Nothing Chew said seemed to have any effect on the matter.

Both inside and outside of the hearing room, the rhetoric highlighted the bipartisan momentum to crack down on the app in America. House Speaker Kevin McCarthy stated that he supported legislation to ban TikTok. Secretary of State Antony Blinken stated that TikTok should also be banned. The Treasury Department released a statement pledging to "safeguard national security," but did not mention TikTok.

Governments around the world have banned TikTok from official devices due to concerns about TikTok's links to China. These fears are now part of the growing tension between the US and China. However, the comments made by the federal government Thursday and a threat from the Biden administration that it would impose a nationwide ban on TikTok unless its Chinese owners sell their stakes show that there is still a possibility of a total ban of this immensely popular app.

Two years ago, the Trump administration issued a similar threat about TikTok. However, there is still no evidence that the app poses a national security risk. Security experts believe that the government's concerns, although serious, only reflect the possibility of TikTok being used for foreign intelligence. The evidence that the Chinese government actually spy on people via TikTok is not yet available.

However, because the Chinese government has significant influence over the businesses it controls, TikTok and indirectly ByteDance could be forced into cooperation with a wide range of security activities including the possible transfer of TikTok data.

James Lewis, an expert in information security at the Center for Strategic and International Studies, stated that it is not that TikTok knows something. He said that instead, distrust of China and awareness about Chinese espionage have increased. "The situation for TikTok has become much worse since trust in China disappears."

In December, Rob Joyce, the director of cybersecurity at the National Security Agency, was asked by reporters to explain his concerns about TikTok. He offered a general warning instead of making specific allegations.

Joyce stated that people are always searching for the smoking gun within these technologies. It's more like a loaded gun to me.

Experts also make a distinction between TikTok's app, which seems to be operating very similar to American social media in terms of the amount and type of data collection and user tracking it does, and TikTok’s governance and ownership approach. The latter is the most concerning, not the former.

What's the problem?

The US government expressed concern that China could use its national security laws in order to gain access to the large amount of personal data TikTok collects from US users.

According to western legal experts the laws are extremely broad and require 'any organization, citizen or citizen' to'support, help, and cooperate with state intelligence works'.

Beijing could have access to TikTok user data. This information could be used to help identify intelligence opportunities. For example, China could uncover the vices and predilections of potential spy recruits or blackmail targets. Or, it could build a comprehensive profile of foreign visitors to the country through cross-referencing this data with other databases. It's possible that some of the TikTok users may become government or industry officials, even though they are mostly young teenagers with little to hide.

A second concern is that China could have a view of TikTok's algorithms and business operations. This could allow it to try to pressure the company to change what users see on the platform. It could do this by either censoring content or pushing propaganda to users. This could have huge implications for US elections and policymaking, as well as other democratic discourse.

These concerns are valid?

These scenarios, according to security experts, are possible based on the public information available about China's laws. However they stress that they are only hypothetical. There is currently no evidence to suggest that Beijing has ever harvested TikTok’s commercial data for intelligence purposes or any other purpose.

Chew, TikTok's CEO, stated publicly that the Chinese government had never requested TikTok's data and that the company would not comply with any request. Chew claimed that the US officials are imagining a scenario and that it has not been proved.

Chew stated that a lot of the risks being pointed out are theoretical and hypothetical. "I haven't seen any evidence." I look forward to having discussions about evidence, so that we can address any concerns.

There is a risk in TikTok's relationship with Beijing's Chinese parent, ByteDance. There are few ways for the public to verify whether or not this relationship exists.

TikTok has been building organizational and technical barriers to protect US user data from unauthorised access. Project Texas would give the US government and third parties such as Oracle some oversight over TikTok data practices. TikTok is currently working on Project Clover, a similar plan for Europe.

However, this has not dispelled the doubts expressed by US officials. Multiple legislators at the hearing stated that they weren't convinced by Project Texas. This is likely because, no matter how TikTok operates internally, China theoretically has more leverage than TikTok's Chinese owners. It is unclear what exactly that means, which is why it is so disturbing.

TikTok tried to assure US lawmakers that it was free from Chinese government influence in congressional testimony. However, it has not said to the extent that ByteDance might be vulnerable. TikTok also admitted that some China-based employees had accessed US user data. However, it is not clear for what purpose. It has also disclosed to European users the possibility that China-based employees could have access to their data in order to do their jobs.

What do TikTok really know about its users' habits?

Multiple security and privacy experts who have examined TikTok's application say that there are no obvious flaws that suggest the app is spying on users or leaking their data.

The Washington Post teamed up with a privacy researcher in 2020 to examine TikTok's inner workings. They concluded that the app doesn't seem to collect more data than any other mainstream social network. Pellaeon Lin (a Taiwanese researcher at the University of Toronto Citizen Lab) performed a similar technical analysis in the following year.

TikTok does not collect the same amount information as Facebook and Twitter. However, it still collects a lot of data. This includes information about your videos, comments, messages, and -- if granted this access -- your exact location and contact lists. TikTok's privacy policies also state that the company may collect your email address and phone number as well as your search and browsing history. It will also collect information about the content of the videos and photos you upload and, if you consent to this level of access, the contents your clipboard so you can copy and paste information into its app.

Lin said in an interview that TikTok's source codes closely match those of Douyin, its China-based counterpart. Lin said that both apps were developed using the same code base and tailored for their respective markets. TikTok might have privacy-violating hidden functions that could be turned on or off using a tweak to its code. Lin couldn't find these configurations and features because of the limitations of trying reverse-engineering an app.

Lin stated that TikTok could have used unencrypted communication protocols to access contacts lists and precise geolocation data without permission or to bypass system-level privacy safeguards built in iOS or Android. Lin found nothing.

Lin stated that Lin did not discover any vulnerabilities in their communication protocols or security issues within the app. Lin said that the TikTok app did not display any malware-like behavior in privacy.

TikTok has used Lin's research in its defense. Citizen Lab reacted strongly to the company's criticisms of the paper this week, stating that TikTok had presented the research as "somehow exculpatory". However, a key finding was Lin's inability to see what happens after user data is collected.

In a rare moment, Chew said that TikTok was saying the same thing as Citizen Lab. "Citizen Lab says they can't prove a negative. This is what I've been trying for the past four hours," he stated.

Do you have other security concerns?

TikTok was accused of tracking its users' keyboard inputs using its in-app browser. This is known as keylogging and could pose a security threat. Felix Krause, a privacy researcher, conducted the analysis last year. While keylogging isn't inherently malicious, it could theoretically mean that TikTok could gather passwords, credit cards information, or any other sensitive data users submit to websites through TikTok.

However, there is no evidence that TikTok actually did this. TikTok claims that the keylogging function is used to 'debug, troubleshoot, and performance monitor', as well as detect spam and bots. Research has also shown that keyloggers are very common in the technology industry. This does not excuse TikTok and its peers from using keyloggers in the first instance, but it isn't proof that TikTok is a greater national security threat than other websites.

Numerous studies have shown that TikTok can track users on the internet, even when they're not using it. Studies have shown that TikTok can track visitors to websites by embedding tracking pixels. TikTok claims it uses the data in order to boost its advertising business. TikTok's claim is not unusual in this regard. According to Malwarebytes (a leading cybersecurity firm), the same tool is also used by US tech giants like Facebook-parent Meta, Google, and others on a much larger scale.

Chew stated that keystroke logging is done by the company to 'identify bots' and not to record what users say. Chew also repeated the fact that TikTok doesn't collect more user data than its peers in this industry.

Like the keylogging tech, TikTok's use of tracking pixels doesn't make it a national security risk. However, the Chinese government might influence TikTok through ByteDance to misuse its data collection capabilities.

Separately, last year's report revealed that TikTok was spying upon journalists. It was snooping their user data, IP addresses, and other information to determine when or if certain reporters were in the same place as employees of the company. TikTok confirmed the incident, and ByteDance fired several employees for improperly accessing the TikTok data from two journalists.

It was not the kind of large-scale, government-directed intelligence operation that US national security officers fear most. It was a part of an internal operation by ByteDance employees to find leaks to press. This may have been a deplorable, but not unusual for an organization under public scrutiny. The incident is being investigated by the US government.

Joyce, the top cyber official at NSA, stated to reporters that he is more concerned about 'large-scale influence campaigns' using TikTok's data than 'individualized targeting through TikTok to do malicious acts.

However, no evidence has been found to support this.

Bottom line

TikTok might collect a lot of data, some of it in secret, but researchers have found that it isn’t more intrusive or illegal than other US tech companies.

Security experts say that this is more an indication of the flexibility we have given tech companies to manage our data than it is a TikTok issue.

"We need to believe that these companies are doing the right things with the information and access they've given them," said Peiter "Mudge" Zatko, an ethical hacker who was also the former head of security at Twitter and whistleblower. "We probably shouldn’t. This is because of concerns about the ultimate governance and management of these companies.

Lin stated to CNN that TikTok's appetite for data is a result of policy failures to adopt strong privacy laws that regulate large tech companies.

Lin stated that TikTok was only one product of the entire surveillance capitalism economic system. And governments all over the globe are failing to fulfill their responsibility to protect citizens' privacy, allowing large tech companies to profit from user data. Instead of focusing solely on one app, governments should work to protect all user data.