TikTok Is Running out of Time: Understanding the CFIUS Decision and Its Implications

TikTok is a well-known social media platform that allows users to share short homemade videos. Its popularity in the United States grew rapidly in 2019, one year after its parent company ByteDance, a Chinese company, merged Musical.ly into its existing TikTok app. ByteDance’s 2017 purchase of Musical.ly has since faced scrutiny in the United States due to national security concerns. The Committee on Foreign Investment in the United States (CFIUS) opened an investigation in 2019 over the Musical.ly acquisition, and in August President Trump announced plans to ban TikTok if it is not bought by a U.S. company in the fall. TikTok subsequently filed suit against the U.S. government, alleging the ban violates its Fifth Amendment rights.

Q1: What’s going on with TikTok in the United States?

A1: When TikTok became the second-most downloaded app in the United States on Apple’s App Store in the fourth quarter of 2019, its widespread use elevated concerns about the possibility of user data being made available to the Chinese government. As the application’s popularity grew, it came under multiple U.S. national security investigations.

The rapid transition of users from a U.S. platform, Musical.ly, to a Chinese-owned platform, TikTok, raised concerns over Chinese access to U.S. user data. In July 2020, the Federal Trade Commission opened an investigation into whether TikTok violated U.S. privacy law by collecting information about children under the age of 13 without parental permission.

That same month, the Trump administration announced it was considering banning the use of TikTok in the United States. Vague explanations were originally given for the decision, such as the move being an effort to protect U.S. citizens’ personal data or retaliation over China’s handling of coronavirus. Then, in early August, the administration announced it would ban TikTok if the Chinese-owned platform was not sold to U.S. buyers by September 15, using the results of the CFIUS investigation as justification. Buyers quickly emerged. Microsoft has expressed interest in acquiring the platform to expand into social media networks and leverage opportunities to promote its other brands, such as LinkedIn and Xbox. This week, Microsoft and Walmart teamed up on a bid. Twitter is also rumored to have expressed interest in buying the platform, although it is unlikely that it could outbid Microsoft and Walmart. Oracle has joined up with General Atlantic and Sequoia Capital as an alternative to Microsoft.

Q2: What is the role of CFIUS?

A2: CFIUS is an interagency group that reviews proposed foreign investments in the United States—specifically mergers, acquisitions, or takeovers—to determine whether they threaten U.S. national security. If a CFIUS review finds a threat, the president has the authority to block investment or require mitigating measures, if (1) other U.S. laws are inadequate or inappropriate to protect national security; and (2) there is “credible evidence” of a threat. The presidential determination must occur within 15 days after receiving a report from CFIUS.

The 2018 Foreign Investment Risk Review Modernization Act (FIRRMA) legislation strengthened and modernized the CFIUS process. FIRRMA came into effect on February 13, 2020, broadening the scope of CFIUS to include transactions in which a foreign government has a direct or indirect substantial interest and non-controlling investment in U.S. businesses involved in critical technology, critical infrastructure, or sensitive U.S. personal data. Last, and most relevant to the TikTok case, it included a “sense of Congress” that provides additional factors for CFIUS and the president to consider when reviewing a transaction, including access to “personally identifiable information, genetic information, or other sensitive data on United States citizens . . . that may exploit that information in a manner that threatens national security.”

Q3: What does the TikTok investigation suggest about CFIUS’s approach to data?

A3: CFIUS’s decision to investigate ByteDance’s acquisition of Music.ly would have been unlikely five years ago, but over the last few years, CFIUS has been more willing to get involved in cases concerning potentially sensitive U.S. data. Nonetheless, when ByteDance purchased Musical.ly in 2019, it did not anticipate the purchase would have national security implications and did not submit the transaction to CFIUS. However, CFIUS began an inquiry and eventually a full investigation into the acquisition later that year after U.S. lawmakers called for the panel to look into the deal.

CFIUS’s decision on TikTok follows a pattern of investigations in which CFIUS has sought to protect U.S. personal information from foreign entities. In 2018, a $1.2 billion deal between MoneyGram and China’s Ant Financial was blocked despite a mitigation proposal to assuage concerns over Chinese access to data that could be used to identify U.S. citizens and their transactions. In March 2019, CFIUS ordered Kunlun Tech to divest Grindr over expected concerns about access to personal data such as location, sexual preferences, and HIV status. This trend continued in March when the Trump administration directed Beijing Shiji Information Technology to divest all interests in StayNTouch based on a CFIUS decision. While no official reasons were announced, StayNTouch’s handling of travel-related personal information and software tools that leverage ID scanning and facial recognition technology likely raised concerns.

One distinction in the TikTok case is the condition that it will not be banned if a sale can be made to a U.S. company by September 15. Previous CFIUS cases forced the termination of deals and divestments from companies despite proposed or adopted mitigating actions. 

Q4: What are the national security reasons to justify this decision?

A4: James Lewis, director of the CSIS Technology Policy Program, recently published a commentary titled “How Scary is TikTok?” in which he outlines the national security charges that the platform is facing. By his estimation, the main security risks with TikTok are (1) Chinese intelligence harvesting and exploiting U.S. personal information; and (2) Chinese influence operations. In his view, neither are serious.

The first concern is that Chinese intelligence can exploit users' personal information collected by the platform. TikTok does collect data, but the extent to which that information is passed on to Chinese intelligence is not clear. TikTok obtains information on users from social media, third-party services, and other users of the platform. It also automatically collects usage and device information, location data, messages, metadata, and cookies, as many other apps do. TikTok also previously sought clipboard access to users' phones, which could have exposed passwords. However, this feature is not exclusive to TikTok and is now disabled from the app. Even though there is no evidence of Chinese authorities acquiring the data collected by TikTok, the possibility of it being harvested creates a potential national security risk. However, the Chinese government can request information from all companies operating in China under its Cybersecurity Law of 2017, which creates a risk that sensitive U.S. data held by TikTok could be transferred to Chinese authorities. Chinese corporate actors say there is leeway to negotiate the scope of such requests, although it’s not clear how accurate that claim is. Regardless, given that the platform is predominately used by young adults, the majority of TikTok users' data is likely to be of limited value to the Chinese government.

TikTok has taken steps to create separation from China. In a bid to avoid Chinese censorship, the app is not available in China (a separate version called Douyin is available to Chinese users). TikTok stores user data in Virginia and Singapore. And TikTok ceased operations in Hong Kong following the adoption of the national security law that led the United States to determine the city lacked the autonomy from China it once had. Despite these moves, CFIUS still found that TikTok presented a risk to U.S. data security and sought action to prevent ByteDance from accessing U.S. users’ data.

Fears about Chinese access to U.S. data are not unfounded. China has shown a clear interest in collecting U.S. data, proven by the 2015 OPM hack, the 2017 Equifax hack, and the Marriot hack from 2014 to 2018. While data obtained from TikTok would not be as targeted as the information collected in these hacks, it would still have potential utility for Chinese intelligence. TikTok data could be exploited in the future for U.S. citizens that become government employees or private sector employees working on sensitive topics. Collected data also could be used to develop profiles on Americans for microtargeting information, as seen in the Cambridge Analytica scandal.

The second reason TikTok is being scrutinized is its potential to be used in Chinese influence operations, either through propaganda or censorship. TikTok’s parent company ByteDance has previously collaborated with the Chinese government. The Australian Strategic Policy Institute found that Douyin, ByteDance’s TikTok equivalent for Chinese users, is used to disseminate state propaganda. However, there currently are no accusations of non-domestic applications, like TikTok, being used to spread Chinese state messaging. These techniques are also unlikely to be effective among U.S. teens given the missteps of previous Chinese influence operations.

The charge against Chinese censorship has more evidence. Like other digital platforms, TikTok must abide by the free speech or censorship laws in the country of operation. The United States has restrictions on limitation of free speech; however, private social media companies can police content on their sites. There is concern that TikTok is blocking politically sensitive content because of influence from the Chinese government rather than violations of its terms of service, which would be illegal under U.S. law. TikTok claims it "does not remove content based on sensitivities related to China." Recently, however, an American account that condemned the detention of Uyghur Muslims in China was suspended. TikTok claimed the account was suspended because of a prior post. Still, there are other examples of content moderation that warrant scrutiny of TikTok's content removal policy, such as the lack of videos on the platform showing the Hong Kong protests.

Q5: What are the larger implications for this ban on the U.S.-China technology relationship?

A5: Historically, the United States has acted as a foil to the Chinese government’s heavy-handed control of its citizens’ speech. However, by walling off data transfers to a single country on national security grounds, the United States risks setting a precedent that could be adopted by other countries to limit data flows from the United States or require data localization. For example, India is debating a data protection bill that would require local storage and processing of Indian data. In justifying the legislation, Indian officials have cited Senator Josh Hawley’s (R-MO) declarations supporting data security to prove the need for data localization. This is despite the fact that data localization undermines security and creates an expensive obstacle for businesses to overcome.

Furthermore, with the United States tightening restrictions on Chinese companies, tech giants like Tencent and Alibaba will be less likely to target U.S. markets when expanding overseas. Chinese companies operating in the United States are already being forced to adopt strategies such as divesting assets, adjusting government data storage, and limiting themselves to minority stakes in investments. These tactics are also being used by U.S. companies operating in China. This trend suggests that two separate technology spheres are developing as both the United States and China seek to spread influence but must deal with increasing regulation. The European Union’s evolving approach to data regulation may create a third sphere. Three separate data spheres, all with different rules, prohibitions, exceptions, and frameworks, will also be costly for global innovation and business.

William Reinsch holds the Scholl Chair in International Business at the Center for Strategic and International Studies (CSIS) in Washington, D.C. Jack Caporal is an associate fellow with the CSIS Scholl Chair in International Business. Patrick Saumell and Isabella Frymoyer were interns with the CSIS Scholl Chair in International Business.

Critical Questions is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2020 by the Center for Strategic and International Studies. All rights reserved.

Patrick Saumell

Former Intern, Scholl Chair in International Business

Isabella Frymoyer

Former Intern, Scholl Chair in International Business

Jack Caporal