TikTok users would still risk their personal data being exposed to hacking and espionage by China even if the Biden administration struck a security deal designed to save the video platform from a full U.S. ban.
That’s the conclusion of former national security officials and other experts as the Justice Department reconsiders a settlement that would keep the popular video streaming app, which is owned by China’s ByteDance Ltd., available to its millions of U.S. users.
For all the latest headlines, follow our Google News channel online or through the app.
TikTok has been under US surveillance since 2019 due to concerns that Chinese actors may be tapping into those users’ information for espionage or other harmful purposes.
“They built the whole system in China,” said Stuart Baker, a national security attorney at Steptoe & Johnson LLP. “Unless they rebuild the system in the United States at great expense, sooner or later when something goes wrong, there’s going to be only one engineer who knows how to fix it.” And he or she will probably be in China.
This analysis of the settlement is based on interviews with former national security officials, lawyers who have worked on similar deals and experts who have studied data security, social media platforms and telecommunications companies. There is no indication that a decision has been made.
Brooke Oberwetter, a spokesperson for TikTok, said that while the company would not comment on the specifics of its discussions with the US government, “we are confident that we are on track to fully satisfy all reasonable US national security concerns.”
She also pointed out that although some China-based employees will have access to public data posted by users, they will not have access to personal user information and their use of public data – including videos and comments – will be very limited and available under the supervision of the supervisory board established by the US government.
TikTok routes all of its user traffic in the U.S. through servers maintained by Oracle Corp., and the database giant checks the app’s algorithms.
Still, additional restrictions on how U.S. consumer data is stored and accessed would be needed — and may not resolve U.S. security concerns, no matter how strong the deal looks on paper, experts said.
That’s a view shared by Senator Mark Warner, Democrat of Virginia, who chairs the Senate Intelligence Committee.
He said he was aware of the conversations surrounding TikTok and could not elaborate. However, he said the company has “a big mountain to climb with me to prove that it really can be safe.”
Warner said China has a poor record of protecting consumer privacy. “They have repeatedly demonstrated their ability to create this surveillance state that should scare the crap out of us all.”
He added that it is much more difficult today to technically isolate TikTok data or ban it altogether than it was five or six years ago, as the app’s popularity has grown.
“The burden of proving that you can actually extract American data, especially if the code is still being written in China — that would be hard to do.”
While TikTok owner ByteDance has sought to distance itself from Chinese state influence, President Xi Jinping has launched a sweeping crackdown on private enterprise, particularly in the tech sector.
The video streaming app, which has about 1 billion users but is banned in China, has been under scrutiny by U.S. officials since 2019, when the Committee on Foreign Investment in the U.S. began looking into a merger between ByteDance and Musical.ly.
The Biden administration has renewed a national security review of TikTok after former President Donald Trump stopped short of banning the app in an attempt to broker a deal to sell the platform to an American buyer that never materialized.
ByteDance had sought U.S. approval to sell a stake in the app to Oracle and Walmart Inc., but the deal did not materialize.
A US court has blocked the Trump administration’s efforts to launch TikTok from app stores run by Apple Inc. and Alphabet Inc.’s Google.
Cfius, which is chaired by the Treasury Department but includes members from across the government, has the power to reject or modify transactions involving foreign companies buying American businesses.
The agency is “committed to taking all necessary actions within its authority to protect the national security of the United States,” Treasury Department spokesman Michael Kikukawa said, declining to comment further.
If the companies under review are able to make concessions to sell or freeze US assets that raise security concerns, including data, it is possible to reach an agreement with the security panel to allow the transaction to proceed .
These arrangements may include the creation of a new board of directors and a supervisory board that reports to Cfius.
“You’re going to get an agreement that obligates the company to behave responsibly and transparently,” said James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies. “And you’ll have the ability to pull the plug if something seems off.”
Lewis pointed to the purchase of T-Mobile USA Inc. from Germany’s Deutsche Telecom AG in 2001 and the sale of Sprint Corp. in 2013 to the Japanese investment firm Softbank Group Corp. In both deals, the U.S. introduced monitoring to ensure U.S. citizens’ data was not misused, Lewis said.
Nova Daley, senior public policy adviser for Wiley Rein LLP and a former Treasury Department official who worked on Cfius deals, said that in some cases it is better for the foreign company to retain ownership of the U.S. company because it allows more robust control of this data.
“Sometimes that kind of data is more securely protected by the enforcement powers of a mitigation agreement than an owner who is not required by law to protect it,” Daly said, noting that it would still be difficult to secure the data against determined efforts to be stolen or used for nefarious purposes.
If national security concerns cannot be resolved, Cfius can force companies to walk away from a deal or cancel a transaction.
Lawmakers pressed TikTok COO Vanessa Pappas during a Senate hearing last month on whether the company would cut off China’s access to all US data. Pappas said the company has strict controls over access to the data and where it is stored, and that the company will not provide that data to the Chinese government.
She said the company would continue to cooperate with U.S. federal data protection agencies and said the final settlement would “satisfy all national security concerns.”
Steptoe’s Baker said this argument suggests that while TikTok may believe it has satisfied reasonable national security concerns, “they shouldn’t sign off in blood that it will never have access.”
Displaced Syrian live streamers on TikTok receive less than 30 percent of the total donation
Russian court fines TikTok $50,000 over content
TikTok bans political accounts for fundraising, other money-making opportunities