The FBI has called it a national security threat. The US government has passed a law forcing officials to delete it from their phones. Texas senator Ted Cruz has denounced it as “a Trojan horse the Chinese Communist party can use to influence what Americans see, hear, and ultimately think”. And in March its CEO will defend its existence before the US Congress. For those unaware of the debate broiling on the other side of the Atlantic, the target of this strong rhetoric might prove surprising: an app best known for viral dances, launching generation Z media stars, and sucking teens down an hours-long content abyss.
But the rancorous debate over TikTok that began under the Trump administration has rolled on under President Biden. In addition to a ban of the app on all federal government devices, at least 27 states have blocked TikTok on devices they’ve issued, affecting a number of state schools and universities, too. A bipartisan bill, introduced in Congress last December, stipulates banning the app’s use by everyone in the United States.
TikTok scepticism is spreading to Europe too. Some politicians – echoing their Washington-based counterparts – contend that TikTok poses a security risk, warning it could potentially hand user data to Chinese authorities, and/or be wielded as a propaganda tool for the Chinese government – subtly influencing TikTok’s more than 1 billion monthly active users in a direction that dovetails with Chinese foreign policy goals.
It’s emblematic of ratcheting Sino-western tensions, where tussling over technology is as much about genuine paranoia over espionage as it is a useful arena for geopolitical grandstanding. In the age of the “splinternet” – which has seen the once-open web fracturing across different jurisdictions – anxieties over data sovereignty and information flows are on the rise. How western governments respond to TikTok could mark a decisive step in how technology is regulated in the decades to come.
While accusations that TikTok hands over user data to the Chinese government are so far unsubstantiated, the app’s claims over its trustworthiness took a blow in December with the revelation that employees at ByteDance (TikTok’s parent company) accessed TikTok data in an attempt to track the whereabouts of several western journalists in order to discover their sources within the company.
TikTok says the incident involved improper data access and that the employees responsible have been fired, but the transgression has nevertheless served as a lightning rod for apprehensions surrounding the company and the app’s data privacy protocols.
Alicia Kearns MP, the Conservative chair of both the Foreign Affairs Select Committee and of the China Research Group, has previously called upon TikTok to provide testimony about the data privacy of UK users. “In their evidence, they said something like ‘This could never happen’,” says Kearns. “Well, obviously that is not true, and it has happened.” (Last October, ByteDance tweeted that “TikTok has never been used to ‘target’ any members of the US government, activists, public figures or journalists.”)
TikTok met European commissioners last month to discuss data privacy and content moderation, in the context of how the company plans to comply with the EU’s new digital services regulation. “They’re starting to realise that TikTok is not just another app to communicate, or send videos to one another, or for amusement,” says Belgian MEP Tom Vandendriessche. “TikTok is gathering the data of our citizens.”
It’s worth noting TikTok is not the only company that has engaged in this practice: American businesses, including Microsoft and Uber, have also been found guilty of tracking individual users through their products in the past. But in the US, the news arrived at a highly sensitive time for the company. “This should be the final nail in the coffin for the idea that the US can trust TikTok,” tweeted Brendan Carr, a member of the US Federal Communications Commission.
The conversation in Europe is a little different. So far, the bloc has been less willing to single out TikTok on the basis of the location of its parent company. It is scrutinising the app over data privacy concerns: Ireland’s data protection commissioner opened two probes into the company in 2021 – one focusing on its handling of children’s data, the other to check that its data transfers to China complied with EU data legislation. (A draft decision has been submitted on the first inquiry.)
However, this is not unique to TikTok. The likes of Facebook and Google have also become ensnared in Europe’s data privacy laws, and the EU is currently wrangling with the US over whether EU data should be allowed to be sent there, for fears it could be hoovered up by US intelligence agencies.
“While some questions about TikTok and our Chinese heritage have become politicised, we take national security concerns very seriously,” says Theo Bertram, vice-president of public policy and government relations, Europe at TikTok.
Regardless of where you are, how seriously should you take the warnings? Some technology experts say the accusations are somewhat overblown. Both the data privacy and content manipulation threats cited by politicians currently lack convincing evidence, says Graham Webster, research scholar and editor in chief of the DigiChina Project at the Stanford University Cyber Policy Center in California.
“I think both of these theories are possible, but at this point they both require a significant amount of imagination to actually constitute a US national security threat,” says Webster. He doesn’t think it’s unreasonable at this stage to think that Chinese officials might have unauthorised access to TikTok user data. “But you would have to make an argument for why that access can be used in such a way that constitutes a national security threat,” he says.
This is because the data held by TikTok isn’t unique. The app can collect location data, but must ask users before tracking detailed GPS data. If the user declines, only their rough whereabouts can be gathered. (In fact, a TikTok spokesperson claims its employees didn’t succeed in the attempted tracking of journalists precisely for this reason.) What’s more, the same data is gathered by any number of apps – and is routinely sold on to third-party data brokers who make it available to prospective buyers.
“There are lots of ways that foreign governments can access data in the United States,” says Anupam Chander, professor of law and technology at Georgetown University Law Center, Washington DC. “TikTok seems to be an unlikely target of data gathering by the Chinese government, because of the largely public nature of the activity on the app.”
Data privacy issues aside, what about the “Trojan horse” argument advanced by the likes of Cruz? Is TikTok secretly inculcating in generation Z a taste for Chinese Communist party talking points? In 2019 the Guardian revealed that the app’s content guidelines for moderators on how to deal with inflammatory content yielded the serendipitous by-product of stifling any mention of Tiananmen Square, Tibetan independence or Falun Gong – all topics that are suppressed by Beijing. At the time, the company insisted the documents didn’t reflect its current policy and that it had since embraced a localised content moderation strategy tailored to each region.
A 2021/22 study by Nato’s Strategic Communications Centre of Excellence found that TikTok compared favourably to other platforms on combating inauthentic manipulation (coming second to Twitter, and ahead of Facebook, Instagram and YouTube). The report recommended more cooperation with external researchers to make it easier to study content moderation on the platform, something a TikTok spokesperson says the app is aiming to grow.
Although TikTok has repeatedly said that western user data is not stored in China, that it has never, and would never, share user data with Chinese officials, and that its global content moderation strategy is not beholden to Beijing, over the past six years, TikTok and Washington’s committee on foreign investment in the United States (CFIUS) have been negotiating a deal aimed at finally allaying the concerns of US politicians.
The $1.5bn Project Texas involves the establishment of a data centre that will store US user data in Texas, under the watchful eye of Oracle, the American software giant headed up by billionaire GOP funder and Trump ally Larry Ellison. To address fears about content manipulation that serves the Chinese government, Oracle will also inspect the app’s source code and content algorithms.
TikTok is now making similar arrangements for Europe. The company is setting up a data centre in Ireland that will store the data of users in the UK and EU.
These measures would place the app’s data practices under far more scrutiny than its Silicon Valley competitors, according to Webster. “Based on the reporting of what [Project Texas] would look like,” he says, “it sounds like they’re talking about measures that should basically mitigate these potential security threats – as much as is reasonable, in my opinion.” Whether it will be enough to satisfy regulators is another issue.
One party eyeing the negotiations with interest is Facebook, which views TikTok as an existential threat. Last year, the Washington Post revealed a Facebook-backed lobbying campaign targeting TikTok that specifically played on data privacy fears. This could prove money well spent, given that TikTok users say in the event of the app being banned they would probably pivot to (the Facebook-owned) Instagram or other social media apps.
More bans raise the prospect of legal challenges on the basis of freedom of speech or expression. The obvious parallels between banning apps and the Chinese government’s strict internet controls have been widely noted – a phenomenon that’s particularly ironic for Republicans, who have spent the past few years pounding the drum for supposed freedom of speech.
But there is agreement on one thing – that this should serve as a catalyst for the US to finally start thinking about data privacy more generally. “The idea of foreign ownership as being the critical basis for intervention [on TikTok] seems unwise,” says Chander. “We should have a broader approach that examines the national security risks posed by data flows more generally.”
He’s not alone in hoping the TikTok debate might spur progress on the establishment of national data privacy legislation that would protect American consumers on all apps, not just TikTok.