How Scary Is TikTok?

After a long, untroubled slumber, the United States has awoken to the risks of China’s massive espionage campaign. China’s spies are inventive, tolerant of risk, and well resourced, making them formidable opponents. China has constructed the world’s largest surveillance state and does not hesitate to use information technology to spy on its citizens and others. Anything that is Chinese and connects to the internet can create risk.

So it is unsurprising that TikTok, the wildly popular entertainment app, has fallen under suspicion. If you have ever watched TikTok, you know it is a channel for short, homemade videos, usually young adults lip-syncing songs or copying some favorite meme, accompanied by the usual dog and cat videos that crowd the internet. This seems harmless. What are the charges against TikTok?

There are four: Chinese intelligence services harvest useful information from TikTok; the personal information TikTok collects when you open an account can be exploited by the Chinese state; downloading the app gives access to Chinese malware; and TikTok is a vehicle for Chinese influence operations. None of these charges hold up to scrutiny. 

It is good that Chinese espionage and cybersecurity have become major topics of concern in the public discussion, but sometimes that discussion seems more like a robotic repetition of charges irrespective of probability rather than a careful assessment. If you have watched TikTok, you may find it addictive, but it contains nothing of intelligence value. If the Chinese services have been driven to attempt to find intelligence value in 15-second videos of lip-syncing teenagers, they are in desperate shape. So charge one makes no sense.

Nor is the personal information (PII) supplied to TikTok useful. It is the kind of data collected by most apps—check out the permission you have given to some popular location apps. China does not need PII on young adults, since its 2015 hack of the Office of Personnel Management (OPM) supplied it with the federal form (SF-86) used to apply for classified positions. These forms contain a wealth of personal information—marital arrangements, mental health, employment history, arrests, or military service. OPM was the largest of a series of Chinese hacks against medial insurance companies and travel services associated with federal employees and provided the Chinese with a trove of invaluable information for counter-intelligence purposes used to identify U.S. intelligence officers and their Chinese agents. The OPM data appears to have never been used for blackmail (the dating app Grindr would have been much better for that, and even it was never used for blackmail). In any case, TikTok stores PII outside of China and says it does not share it with the Chinese government, a statement that is probably credible as TikTok knows sharing PPI with China would kill its business. Charge two makes no sense.

Getting a user to download a “poisoned” app is a good technique for surreptitiously installing malware, but it is also well known. With swarms of cybersecurity research scrutinizing TikTok for flaws, no malware has been discovered. Nor have there been outflows of information, which shows either admirable discretion from the Chinese as they perhaps wait for TikTok to reach one billion users or a complete lack of interest given the kind of information on TikTok and the nature of its users, neither of which could be considered prime targets for collection. Charge three is, at best, not proven, and it seems safe to reject it.

Charge four reflects the growing Chinese efforts to influence Western politics to adopt attitudes more favorable to China. This is a difficult task for a Leninist police state, and Chinese influence operations have not been persuasive. Here is a video of a Chinese rapper chanting about how Western media fabrications misrepresent China. It is dreadful. Here is another with a collection of Chinese pop stars crooning about the benefits of the social credit surveillance system. Even if it wasn’t in Chinese, it is hard to see U.S. teenagers hypnotized into rushing out to buy a copy of Xi Jinping Thought (a bestseller in China but a bit dry). TikTok as a Chinese influence engine is outlandish.

TikTok needs to do better on dealing with Chinese censorship. They, like many information technology companies, say they must respect the laws of the country in which they operate. This approach was not a problem when we did not recognize the worsening political conditions in China. It is not a problem unique to TikTok—Hollywood would never dare to make a film critical of China, given the importance of its market (the Chinese are under no such constraint, and films where Americans are the villains are not uncommon), and can at times pander to China. TikTok’s best course would be to copy the practice of others. If it chooses to have one set of content for China and another for everyone else, it can create what is essentially an internal Great Firewall. But if TikTok must respect the laws of the countries in which it operates, it must respect the laws of the United States, which do not permit censorship. Chinese government requests to remove content should not apply in the United States, and the process for administering them must be transparent. The model here might be Google’s reports on law enforcement requests or government requests to remove content.

These problems are not uncommon for social media companies, all of whom wrestle with content control, and if anything TikTok’s actions reflect a lack of maturity in company processes. This will improve over time. Beyond that, given official discomfort with TikTok, the company may need to change its ownership structure. TikTok is a U.S. company owned by a Chinese parent, ByteDance. ByteDance could accept being a passive investor in TikTok with no operational or management functions, or it could divest itself and sell TikTok the way that the Chinese company Kunlun was forced by the Committee on Foreign Investment to divest itself of Grindr.  

China continues to be hostile, meaning that there will be a messy and drawn out divorce between it and the United States. TikTok is caught in the middle, and some actions, while masked as security concerns, seem more intended simply to punish China. There are good reasons to be deeply concerned about China and espionage, but TikTok is probably not one of them. China’s troubling behavior and the politics of the relationship mean that TikTok will need to assuage the concerns of the United States and other countries, and this may include divestiture, but as the company works through this problem, don’t be afraid to let your teenager use one of their favorite apps. 

James Andrew Lewis is a senior vice president and director of the Technology Policy Program at the Center for Strategic and International Studies in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2020 by the Center for Strategic and International Studies. All rights reserved.

James Andrew Lewis
Senior Vice President; Pritzker Chair; and Director, Strategic Technologies Program