Why TikTok’s security risks keep raising fears

The battle between the U.S. and China over TikTok came into full view on Thursday when the social media platform’s CEO testified before Congressional lawmakers.

Shou Zi Chew’s hearing in front of the House Committee on Energy and Commerce is happening at what he’s called a “pivotal moment” for the hugely popular short video sharing app. TikTok is owned by parent company ByteDance, which has offices in Beijing. The platform has 150 million American users but it’s been dogged by persistent claims that it threatens national security and user privacy, or could be used to promote pro-Beijing propaganda and misinformation.

Chew attempted to persuade lawmakers not to pursue a ban on the app or force its sale to new owners.

So are the data security risks real? And should users be worried that the TikTok app will be wiped off their phones?

Here’s what to know:

WHAT ARE THE CONCERNS ABOUT TIKTOK?

Both the FBI and officials at the Federal Communications Commission have warned that ByteDance could share TikTok user data — such as browsing history, location and biometric identifiers — with China’s authoritarian government.

Officials fear that TikTok, which like many other social media platforms collects vast amounts of data on its users, would be forced to give it to Beijing under a 2017 law that compels companies to turn over any personal data relevant to China’s national security.

Concerns around TikTok were heightened in December when ByteDance said it fired four employees who accessed data on journalists from Buzzfeed News and The Financial Times while attempting to track down the source of a leaked report about the company.

HOW IS THE U.S. RESPONDING?

In a rare, bipartisan effort to reign in the power and influence of a major social media platform, Republican and Democratic lawmakers pressed Chew during Thursday’s hearing on a host of topics, ranging from TikTok’s content moderation practices, how the company plans to secure American data from Beijing, and that it admits spying on journalists.

The Committee on Foreign Investment in the U.S. — known as CFIUS and part of the Treasury Department — is also carrying out a review, and has reportedly threatened a U.S. ban on the app unless its Chinese owners divest their stake. China’s Foreign Ministry in turn accused the United States itself of spreading disinformation about TikTok’s potential security risks.

White House officials have said there are “legitimate national security concerns with respect to data integrity.”

Some U.S. senators urged CFIUS last year to quickly wrap up its investigation and “impose strict structural restrictions” between TikTok’s American operations and ByteDance, including potentially separating the companies.

At the same time, lawmakers have introduced measures that would expand the Biden administration’s authority to enact a national ban on TikTok. The White House has already backed a Senate proposal that has bipartisan support.

HOW HAS TIKTOK ALREADY BEEN RESTRICTED?

Authorities in North America, Europe and Asia-Pacific New Zealand restricted lawmakers and other workers in its Parliament from having it on their phones.

The European Union’s three main institutions, the executive Commission, Parliament and Council, have ordered staffers to remove it from their work phones. So has Canadian government said its ban includes blocking civil servants from downloading the app in the future. Norway and Netherlands warned this week against installing TikTok on government devices.

The White House ordered U.S. federal agencies to delete TikTok from all government-issued mobile devices. Congress, the U.S. armed forces and more than half of U.S. states had already banned the app.

WHAT DOES TIKTOK SAY?

Chew, a 40-year-old Singapore native, told the House Committee on Energy and Commerce that TikTok prioritizes the safety of its young users and denied allegations that the app is a national security risk. He reiterated the company’s plan to protect U.S. user data by storing all such information on servers maintained and owned by the software giant Oracle.

Under a $1.5 billion project dubbed Project Texas that’s underway, data from U.S. users is being routed through servers controlled by Oracle, the Silicon Valley company it partnered with in an effort to avoid a nationwide ban.

Older U.S. user data stored on non-Oracle servers will be deleted this year. Under this arrangement, there’s no way for Beijing to access the data, Chew said in prepared remarks released ahead of the hearing.

TikTok has also sought to portray ByteDance as a global company, not a Chinese one. Executives have been pointing out that ByteDance’s ownership consists of 60% big global investors, 20% employees and 20% Chinese entrepreneurs who founded the company. TikTok itself is headquartered in Singapore.

ARE THE SECURITY RISKS LEGITIMATE?

It depends on who you ask.

Some tech privacy advocates say while the potential abuse of privacy by the Chinese government is concerning, other tech companies have data-harvesting business practices that also exploit user information.

“If policy makers want to protect Americans from surveillance, they should advocate for a basic privacy law that bans all companies from collecting so much sensitive data about us in the first place, rather than engaging in what amounts to xenophobic showboating that does exactly nothing to protect anyone,” said Evan Greer, director of the nonprofit advocacy group Fight for the Future.

Karim Farhat, a researcher with the Internet Governance Project at Georgia Tech, said a TikTok sale would be “completely irrelevant to any of the alleged ‘national security’ threats” and go against “every free market principle and norm” of the state department’s internet freedom principles.

Others say there is legitimate reason for concern.

People who use TikTok might think they’re not doing anything that would be of interest to a foreign government, but that’s not always the case, said Anton Dahbura, executive director of the Johns Hopkins University Information Security Institute. Important information about the United States is not strictly limited to nuclear power plants or military facilities; it extends to other sectors, such as food processing, the finance industry and universities, Dahbura said.

IS THERE PRECEDENCE FOR BANNING TECH COMPANIES?

The U.S. has banned the communications equipment sold by Chinese companies Huawei and ZTE, citing national security risks. But banning the sale of items is easier than banning a free app.

Such a move might also wind up in courts on grounds that it could violate the First Amendment, as some civil liberties groups have argued.

Another possibility, albeit remote, is forcing a sale. That’s what happened in 2020 when Beijing Kunlun, a Chinese mobile video game company, agreed to sell gay dating app Grindr after an order from CFIUS.

Beijing Kunlun said it signed a “national security agreement” with CFIUS to sell Grindr to San Vicente Acquisition for $608.5 million, promising not to send sensitive user data to China, cease its operations there and maintain its headquarters in the U.S.