For more than a billion users around the world, TikTok is just a mobile video-sharing app that they scroll through to watch people dancing and cats falling off furniture (or cats dancing and people falling off furniture). For the US Congress, however, TikTok has become a political football that has yet to be spiked. It’s been four years since national-security concerns over the app, which is owned by the Chinese company ByteDance, first hit the news in a big way. The story crescendoed in 2020, when then-President Donald Trump signed an order that would have banned the app (as well as the popular Chinese messaging app WeChat) from the US unless ByteDance sold its operations to an American entity. This, in turn, triggered frantic maneuvering among potential buyers, including Microsoft, the cloud-computing firm Oracle, and a group of investment banks. Ultimately, Trump’s order was blocked by the courts. In the summer of 2021, President Biden revoked it.
That didn’t end the debate over what to do about TikTok, however; indeed, in announcing the revocation of Trump’s order, Biden announced a wider review of foreign-owned apps. Over the past year, everyone from the administrative arm of the US House of Representatives to state colleges have banned the app on their devices or networks, while members of Congress have asked Apple and Google to remove TikTok from their app stores. In November, Brendan Carr, a member of the Federal Communications Commission, told Axios: “I don’t believe there is a path forward for anything other than a ban” of TikTok in the US. In December, the Wall Street Journal reported that officials at the Pentagon and the Justice Department want to force ByteDance to sell off TikTok, because of what they see as a risk that Beijing will be able to access Americans’ TikTok data and use the app’s algorithms to influence what American users see. In January, Josh Hawley, a Republican US senator, introduced a bill that, echoing Trump’s old order, would ban the app for all American users.
Recently, the shooting down of a Chinese surveillance balloon—and China’s warnings of reprisals against the US—have pushed tension levels over TikTok even higher. Chuck Schumer, the Senate majority leader, said earlier this week that a complete ban on TikTok “should be looked at.” Marco Rubio, a Republican senator from Florida, and Angus King, an independent from Maine, have also reintroduced a bill aimed at banning TikTok from operating in the United States unless it severs its ties to China. TikTok, Mario Díaz-Balart, a Republican Congressman from Florida, said, is “basically a Chinese Communist Party balloon in everybody’s home.” After the balloon was shot down, his colleague Matt Gaetz added: “Now blow up TikTok.”
Reporting from a number of news outlets has shown that concerns over TikTok’s handling of user data are far from theoretical. In December, ByteDance acknowledged that staffers accessed data on journalists from Forbes and the Financial Times as part of an attempt to identify the sources of leaks from inside the company. (TikTok says that the employees responsible for this conduct have been fired). One of the journalists targeted was Emily Baker-White, who was at BuzzFeed News at the time and now works at Forbes. Last June, Baker-White reported, based on leaked audio from more than eighty internal TikTok meetings, that China-based staffers at ByteDance routinely accessed data on US TikTok users, despite the company’s repeated assurances that data pertaining to US user stays in the US. As I noted last year, Michael Beckerman, TikTok’s head of public policy for the Americas, told senators in a 2021 hearing that only a US-based board of advisors determined where data on American users should go and who should see it. The Senate Intelligence Committee has asked the Federal Trade Commission to investigate whether TikTok misled officials.
These kinds of revelations help explain why TikTok has been trying, for more than two years, to convince the Committee on Foreign Investment in the US—the agency which reviews foreign investment for national security purposes—to agree to a deal that the company says would assuage concerns about its access to data on American users and its influence over the platform’s algorithm. (As the Journal noted this week, the Chinese government would also have to approve any deal). TikTok has recently launched a full-court media press, including taking journalists on a tour of its “Transparency and Accountability Center,” a new facility inside the company’s offices in Los Angeles. Shou Zi Chew, TikTok’s CEO, has agreed to appear before the House Energy and Commerce Committee next month. Per the Journal, this will be the first time that such a senior TikTok staffer has testified before Congress.
The plan that TikTok wants the CFIUS to approve is code-named Project Texas, and involves storing data related to US users on US servers—it is already doing this, with the help of Oracle, but CFIUS hasn’t approved it as an official solution to the problem of access by the Chinese government. TikTok is also proposing to empower a board of US advisors to oversee its algorithms. As Lawfare described it, at the core of Project Texas is a new American subsidiary, TikTok US Data Security, which was formally created last July. This entity “houses the functions of TikTok’s business that are most likely to give rise to national security concerns, such as access to US citizen data and decisions on content moderation,” Lawfare reported.
The new entity will have an independent board of directors, which TikTok will nominate and CFIUS will review, and the board will report directly to CFIUS and not to ByteDance or TikTok, according to the briefing that Lawfare and other journalists received from the company. Oracle will oversee all the data entering or leaving the entity, and ensure that it does not pose a security risk. Oracle will also be in charge of oversight of TikTok’s moderation system, recommendation engine, and promoted content—and, if it identifies a potential risk, it will flag that risk for the government. TikTok told journalists that creating the US subsidiary will cost one and a half billion dollars, and that operating the new unit will cost between seven hundred million and one billion dollars per year.
In a recent edition of his Platformer newsletter, Casey Newton noted that some researchers don’t believe that the kind of oversight TikTok is promising will accomplish anything. Klon Kitchen, a security researcher at the American Enterprise Institute, a right-of-center think tank, said on Twitter that TikTok is adopting a “catch me if you can” strategy, where “it strikes the pose of transparency but places the burden on outside reviewers of identifying and pursuing threats.” Even if every line of TikTok’s code were validated, “there is simply no way to maintain reliable, real-time situational awareness on a code base this large,” Kitchen wrote.
Regardless of the effectiveness, or lack thereof, of Project Texas, not everyone sees TikTok as the national-security risk that many members of Congress believe it to be. Writing for Techdirt late last year, the journalist Karl Bode argued that most of the outrage about the app and its use of data is “of the manufactured moral panic variety.” Bode points out that even phones without TikTok tend to be filled with “dodgy domestic and foreign apps collecting everything from their daily location habits to detailed online behavior metrics.” That data is then theoretically anonymized and sold to “a laundry list of dodgy international adtech companies and data brokers.” Bode notes that it would be trivial for China—or any other government, for that matter—to acquire this data and build profiles about Americans’ online habits, if it so chose. (And that’s before we get started on the balloons.) “Fixating on a single app doesn’t make any coherent sense,” Bode writes. “You’ve either got to fix the broader problem with actual policies and solutions, or you’re just making noise.”
Unfortunately for anyone eager to see an end to the TikTok discussion, Congress finds it easier to make noise than to solve complex problems. And this problem is very complex. Bode makes a good point: if we are supposed to be concerned about the security of personal data on smartphone apps, surely we shouldn’t be focusing on a single app simply because it is Chinese-owned. The problem is much wider than that.
Note: This was originally published as the daily newsletter for the Columbia Journalism Review, where I am the chief digital writer