Hearings on TikTok ban in the US — why the app is dangerous
Anastasia Romaniuk, Civil Network OPORA
On March 24, 2023, the executive director of the TikTok platform testified before the US House Committee on Energy and Commerce about the social network's safety for American society and national security. Now, the US Congress must decide whether to ban the Chinese social network used by about 150 million Americans.
Svidomi and OPORA figure out whether TikTok is safe, whether its owner company, ByteDance, really works for the Beijing government, and whether it could use the data of American users in the interests of the Chinese Communist Party.
Does ByteDance work for the Chinese government?
The popularity of TikTok has long been a concern for the US government, as its owner is the Chinese company ByteDance. However, during the hearing, TikTok's CEO, Shou Zi Chew, insisted that ByteDance was a private business that did not work for any government, including the Chinese government, and that TikTok was doing everything possible to protect its users' data, freedom of speech and self-expression on the platform.
According to ByteDance themselves, they own 20% of the shares — international investors and employees around the world hold the rest. Shou Zi Chew says that TikTok positions itself as a global company with offices in Singapore and Los Angeles, and that is where user data is stored. However, the quarter of shares held by Beijing-based ByteDance has been a source of concern for the US government.
The Donald Trump administration first attempted to block TikTok in the US in 2020. The platform then responded with a lawsuit, arguing that it was a private company and such a decision was unlawful. The lawsuit ended with the cancellation of Trump's decision.
The issue of TikTok security and ByteDance's ties to the Chinese Communist Party was also investigated in Australia. In March 2023, a group of researchers submitted a report to the Senate Select Committee on Foreign Interference through Social Media. In the report, the researchers suggest that ByteDance is more of a hybrid private-public company.
Business "privatisation" in the Western sense contradicts the Constitution of the People's Republic of China. Members of the Communist Party of China (CPC) must establish a party branch inside all private companies in China, which must include 3-4 party members. Also, according to the law, employees of private companies must put the party's interests first and "protect its secrets at all costs".
ByteDance has a long history of conflicts with the ruling party. For example, since 2017, the CPC has complained about the news app Toutiao. As a result, the company was consistently accused of promoting "immoral" and "vulgar" content. In response, ByteDance stated it would prioritise CPC members when hiring content moderators. In 2021, this conflict ended with the resignation of the company's CEO at the time, Zhang Yiming.
Technically, the Chinese government owns 1% of the company. This is the so-called "golden share", which belongs to the State-owned property control and management committee under the State Council of China, the Chinese national broadcaster and the China Cyberspace Administration. This "golden share" is a prerequisite for media licensing in China.
Although ByteDance describes this stake as purely formal, it provides one seat on the company's board of directors for a government representative, giving the state access to inside information about the company's affairs and leverage in decision-making.
Due to the closed nature of the Chinese political system, it is difficult to say what real impact this instrument has. Still, recently the state has been increasingly buying stakes in various private companies. For example, at ByteDance, the government's delegated member of the Board of Directors is Wu Shugang, who in 2012 said: "I have only one wish — that one day I will be able to cut off the dog's head of the traitors [liberals in China]. Let the Chinese traitors who profess so-called 'civil rights and freedoms' go to hell!!!".
The Chinese cyberspace administration is known to push tech companies like ByteDance to build "public opinion research and evaluation groups" and an "online content safety committee". The party can control the company's auditing, editing, technology, products, and marketing through these structures.
In addition to recommendations, statements, and concerns, there are objective facts about the company's service to the CPC. At the same time, ByteDance publicly denies providing any services for the surveillance of citizens. In 2017, the news app Toutiao signed a cooperation agreement with the People's Armed Police of China. A year and a half later, law enforcement began working with another ByteDance product, the Chinese analogue of TikTok, Douyin, "to spread the positive energy of the People's Armed Police".
Later, ByteDance also worked with the Chinese Ministry of Public Security (MPS), providing consulting and extensive data analytics services to create and disseminate propaganda about the MPS.
In 2019, the company also signed a strategic memorandum of cooperation with the MPS Information and Propaganda Bureau. In addition, some of the company's top managers also work in state institutions. The company itself is a member of several state organisations, and about 300 employees of TikTok and ByteDance previously worked for Chinese state media.
Does TikTok depend on ByteDance's decisions in Beijing?
Australian researchers have managed to reconstruct the management and accountability system at ByteDance. TikTok's executive director Shou Zi Chew reports to ByteDance Board member Kelly Zhang. Similarly, TikTok's department heads report not to (or not only to) local managers in Los Angeles or Singapore but also to the Beijing office.
In September 2022, Forbes spoke to former TikTok employees. Three people who previously held senior positions said they had virtually no influence on decision-making, with instructions coming from the ByteDance office in Beijing. Forbes also has evidence that at least one of TikTok's department heads resigned because he had to report directly to the parent company.
In mid-2022, BuzzFeed journalists received the TikTok tapes and audio recordings of 80 internal company meetings. According to them, the company's American employees "don't know how to access user data" and turn to their Chinese colleagues for help. The company's employees also claim that Chinese employees repeatedly viewed the personal data of American users, such as phone numbers.
ByteDance confirmed this data leak. In addition, they admitted to using confidential data of American journalists (including geolocation) to track their sources within the company. During the hearing, Shou Zi Chew also confirmed this fact. Still, he noted that the employees who used this data for an internal investigation of the leak were guided by their own considerations, not instructions from ‘above’, and lost their jobs as a result.
Although TikTok and ByteDance's public communications emphasise the global nature of the social network, which does not operate in China, this is contradicted by the data on lower-level employees. Having studied LinkedIn data, Australian researchers found that many people simultaneously work or have worked for ByteDance and TikTok.
In addition, Forbes journalists testified that TikTok employees' tax documents and pay cheques listed ByteDance as the source of their financial income.
TikTok and ByteDance often present the location of the platform abroad and the hiring of foreigners for management positions as a trump card in security issues. The authors of the study call this technique "Singapore-washing".
Is the data of TikTok users safe?
Concerns arise about the lack of transparency in what data the social network de facto collects and stores about users and who has access to it. In July 2022, the Australian-American cybersecurity company Internet 2.0 examined the TikTok code to assess data security risks.
The researchers concluded that the network collected much more data than was necessary. For example, the application checked the user's current, accurate geolocation every hour, mapped the device (collecting data on all active applications) and had constant access to the calendar. In addition, the researchers found that at least some of this data was sent to servers in China.
TikTok refuted these findings, calling them unfounded. Earlier, URL Genius also found that TikTok collected much more data about its users than other social networks, and it was not known for sure where this data went next.
To reassure the US members of Congress, TikTok presented Project Texas. TikTok has established a US subsidiary, TikTok U.S. Data Security Inc. The company will be managed by an independent board of directors appointed by TikTok and approved by the Committee on Foreign Investment in the United States. Also, the Board of Directors will report to the Committee rather than ByteDance. Furthermore, all data of US users will be stored exclusively in the US, and an independent party, the US company Oracle, will be responsible for monitoring data entering and leaving the company.
Oracle should also audit TikTok's code for hidden risks and security gaps. This audit should put an end to the debate over whether TikTok is capable of spying on its users in China's interests.
The social network is preparing a similar project called Project Clover for EU countries.
Australian researchers have summarised the risks that a breach of privacy for TikTok users may pose:
- privacy breach: theoretically, TikTok can be used to access sensitive user data, such as phone book, geolocation, or correspondence data;
- data collection: vast amounts of user data can be used for the benefit of the Chinese government, intelligence and military;
- espionage and intelligence: this data can be used for spying, manipulation, recruitment, repression;
- censorship by the CPC;
- control over the narrative: using the methods of propaganda, censorship and disinformation, social media can be used to manage the public debate at the level of society;
- political interference: organisation of massive influence campaigns to spread ideas favourable to specific political goals.
However, banning a particular social network will not solve the problem of data security or even national security. According to TikTok's CEO, the root of the problem is not in who owns the company, as American tech giants have also repeatedly used users' data.
American legislation lacks a fundamental framework for regulating citizens' personal data security for all companies, similar to the European GDPR (General Data Protection Regulation).
All the threats that concern US officials pose even more significant risks to Ukraine at war. All the vulnerabilities we have listed are equally relevant to Ukrainian TikTok users, who now number more than a million.
According to its legislation, the Chinese government has all the leverage it needs to get detailed data on Ukrainian users, and the company has no chance of refusing them.