TikTok National Security Concerns Resurface: What You Need to Know

A key regulator and lawmakers in DC are sounding the alarm again over allegations that TikTok shares data with China.
Popular video app TikTok is once again in the crosshairs of the US government, as a high-ranking regulator and a group of lawmakers re-surface national security concerns that the China-based service may pose.

On Friday, the company responded to a letter signed by nine Republican US senators, including Roy Blunt of Missouri and Marsha Blackburn of Tennessee. The letter expresses concern over a report that the company gives officials in Beijing "backdoor access" to data on its users.

In a response to the senators, TikTok CEO Shou Zi Chew laid out details about how the company is working with the Biden administration on an agreement that would "fully safeguard user data and US national security interests."

The eight-page letter, which was seen and reported by The New York Times, acknowledged that China-based employees "can have access to TikTok US user data subject to a series of robust cybersecurity controls and authorization approval protocols overseen by our US-based security team."

However, TikTok said that as it continues to work on data issues, it expects "to delete US users protected data from our own systems and fully pivot to Oracle cloud servers located in the U.S."

"We know we are among the most scrutinized platforms from a security standpoint, and we aim to remove any doubt about the security of U.S. user data," Chew said in the letter.

Earlier this week, Federal Communications Commissioner Brendan Carr, a Republican appointed during former President Donald Trump's administration, revealed that he had asked Apple and Google to remove TikTok from their app stores. His reason: The app collects data from users that poses risk to America's national security.

"It is not just an app for sharing funny videos or memes," read Carr's letter to Apple CEO Tim Cook and Google CEO Sundar Pichai. "That's the sheep's clothing."

Google declined to comment. Apple didn't respond to a request for comment.

The letters were prompted by a BuzzFeed News report in mid-June that China-based employees of TikTok's parent company "have repeatedly accessed nonpublic data about US TikTok users." The report cited leaked audio of internal company meetings, during which engineers in China discussed that they reportedly had access to US data between September 2021 and January 2022.

The recent concerns mark the latest round of turbulence for TikTok, which is owned by Beijing-based ByteDance. Here are some of the key issues TikTok raises in the US:

What are the concerns about the TikTok app?
Some US officials are concerned TikTok threatens national security because parent company ByteDance could share data about Americans collected through the app with the Chinese government. That data, they worry, could be weaponized against Americans. In theory, China could use the data to build profiles and spy on individual users, monitor their activity and target them directly. Another worry is the data could be used in aggregate to attack the US, such as using data to craft misinformation campaigns that could be used to destabilize the US government.

TikTok has repeatedly said it would never do this.

What has the US government done to address concerns?
In 2020, the app caught the attention of the Trump administration, which ordered ByteDance to divest TikTok though that sale hasn't actually happened. The app is banned on many US government-issued devices and among the military.

The Biden administration has been looking into security concerns related to TikTok. The Committee on Foreign Investment in the United States, a group of government agencies that vets foreign purchases of American companies, is reviewing these concerns. According to TikTok's letter, the company is already taking steps to mitigate US government concerns.

Is the threat real?
Probably not. The CIA concluded that Chinese intelligence authorities could potentially intercept TikTok data, according to a 2020 New York Times report, but that there was no evidence they had done so. But like all social media companies that collect information about what users' like, what they view and how they consume media, the data could be manipulated by any third party to create misinformation campaigns, as we've seen with other platforms, such as on Facebook during the 2016 and 2020 election cycles.

National security agencies and lawmakers have long cautioned about the potential danger of allowing technology companies with ties to China to operate in the US, since by law companies operating within China could be forced to share information with the communist government. The US government has already banned the use of telecommunications gear made by Huawei and ZTE, both Chinese giants. It has also blocked Chinese telecommunications service providers from operating in the US because of concerns they could be used by Beijing to conduct surveillance on American citizens or wage cyberwarfare against the US.

What data does TikTok collect?
Like Facebook, Instagram and other social media platforms, TikTok collects data about your location, IP address, search history, messages and what you look at and for how long. It also collects device identifiers to track your interactions with advertisers. If you provide access, it can also collect your phone and social network contacts. It also has access to all your user-generated content through the app, which includes all those videos and pictures you post.

Like other social media services, TikTok uses this information to serve up content that keeps your attention on the app. Like other social media companies, TikTok depends on displaying advertising to make money so it uses the data to fine tune ads, which makes them more valuable.

In its privacy policy, TikTok says it doesn't sell user data. But the company indicates it "may transmit your data to its servers or data centers outside of the United States for storage and/or processing." The company also states that third parties with whom it shares data could also be outside the US.

Has TikTok tried to reassure Americans?
In a June 17 blog post, TikTok said it's storing all of its US-based user data in Oracle's cloud service. Previously, TikTok stored US user data in the US but kept a backup in Singapore. The company added that it plans to eventually delete US users' private data from its own data centers.

"We know we are among the most scrutinized platforms from a security standpoint," Albert Calamug, who works on US security public policy for TikTok, wrote in the blog post. "We aim to remove any doubt about the security of US user data."

His statement apparently reflects a focused message from the company. It is the exact language that the company CEO later used in a June 30 letter to nine US senators.

In May, TikTok also said it had created a new department with US-based leadership to provide a "greater level of focus and governance" on US data security.

Will ByteDance employees still have access to US users' data?
In the letter to the senators, TikTok's Chew said that ByteDance employees in China still have access to TikTok data but with "robust cybersecurity controls and authorization approval" overseen by a US-based security team. He also said that even though the company is in the process of deleting US data from its servers in China as it moves them to Oracle's cloud service, ByteDance employees in China will still be working with TikTok.

These employees will continue to develop the algorithm used to deliver video recommendations to TikTok users. And he said that all public videos and comments will remain available to ByteDance employees under conditions that the US government approves to ensure "interoperability" among is worldwide creators and users.

What authority does the FCC have over apps and app stores?
None. The FCC regulates communications networks, which includes wired networks using telecommunications and cable infrastructure, as well as networks that use wireless spectrum. This includes radio, television, satellite and cellular service.

The agency doesn't regulate the internet or any companies that operate on the internet, which means it has no authority to force companies like Apple or Google to do anything, such as ban an app from their platforms.

FCC Commissioner Carr acknowledged this fact during an interview Thursday with Yahoo!Finance.

"We don't necessarily have direct regulatory authority at the FCC, unlike what we do with Huawei, ZTE, and China Mobile, where we've taken action," he said. "So it's possible they could tell me to pound sand."

But he added that pressure from others in Washington, such as lawmakers, and a review by President Joe Biden's Commerce Department could put pressure on the companies to remove the app from their platforms.

"This is just one piece of a broader federal government effort that's bringing … much-deserved scrutiny to TikTok, its data practices, and the national security threat," he said.