Dancing in the Dark: Examining TikTok's National Security Risks
About the Author: Kosha Doshi is a fourth-year B.A LL.B (Hons.) student at Symbiosis Law School in Pune, India. Her primary areas of interest include Cyber Security, Artificial Intelligence, Data Infrastructure, Fintech, and TMT.
TikTok, the popular social media video app owned by Chinese tech company ByteDance, has recently come under scrutiny for its privacy policies and potential ties to the Chinese government. With close to 95 million users in the United States alone, and an expected audience of 103 million by 2025, TikTok’s widespread popularity is undeniable. However, the app’s vast data collection practices and potential for national security risks have become concerning for many. In August 2020, the Trump administration attempted to ban TikTok by an executive order, but this was shut down by the federal courts. The Biden administration is currently evaluating the risk posed by apps connected to foreign adversaries, including TikTok. Meanwhile, members of Congress, including Senator Marco Rubio and Representatives Mike Gallagher and Raja Krishnamoorthi, have introduced a new bill to ban TikTok and ByteDance from operating in the United States. The bill, entitled the ANTI-SOCIAL CCP Act, aims to protect Americans from the threat posed by certain foreign adversaries using social media companies for surveillance, data collection, and censorship. This blog will delve into the ongoing controversy surrounding TikTok and its potential impact on privacy and national security. It explores the risks and benefits of this popular social media app and considers the potential consequences of its continued operation in the United States.
NAVIGATING THE LEGAL LANDSCAPE
A new bill has been introduced in the United States that has the potential to drastically impact foreign social media companies’ operations in the country. At its core, the bill directs the President of the United States to effectively ban certain foreign social media companies, specifically ByteDance and TikTok, from operating in the country. The legislation is written in such a way that the call for a ban could theoretically be expanded in the future to cover other foreign social media platforms that are deemed risky to U.S. national security. The bill outlines that 30 days after it is enacted, the President will use their powers under the International Emergency Economic Powers Act (IEEPA) to “block and prohibit all transactions in all property and interests of property of a social media company”. It indicates that the President would not have to declare a national emergency before invoking IEEPA and would not be limited by the IEEPA’s regulation regarding the import or export of information or informational materials. For a social media company to be blocked and prohibited, it must satisfy at least one of the following criteria:
- The company is domiciled, headquartered, or has its principal place of business in, or is organized under the laws of a “country of concern”.
- A country or entity of concern directly or indirectly owns, “controls with the ability to decide important matters,” or holds 10% or more of the company’s voting shares or stocks.
- The company uses software or algorithms that are controlled, or whose export is controlled, by a country or entity of concern.
- A country or entity of concern can substantially, directly or indirectly, influence the company to share data on U.S. citizens or modify its content moderation practices.
ByteDance and TikTok satisfy these criteria, and the bill also defines a “country of concern” and an “entity of concern” in a way that enables additional, future applications of this IEEPA social media platform ban. The bill refers to the term “foreign adversary” in the Secure and Trusted Communications Networks Act of 2019 to define a “country of concern”. From a national security perspective, it is reasonable to consider the risk posed by entities that are part of a foreign political party, government, or military, and especially if that entity is a security agency. The reference to individuals subject to “substantial influence, directly or indirectly, from a country of concern” also appears reasonable, as there are certainly foreign countries where law enforcement agencies or intelligence services are known to place intense, coercive pressure on individuals at technology companies to compel them to cooperate with the state. This bill has far-reaching implications for foreign social media companies operating in the United States and could result in a ban on their operations if they are deemed to be a risk to U.S. national security.
TIKTOK AND THE NEW FRONTIER OF CYBERSECURITY
The concern surrounding TikTok has centered on the possibility that it may provide the Chinese government with data that poses a significant threat to cybersecurity. The threat scenario is based on two key assumptions: first, that the data generated by TikTok provides the Chinese state with valuable insights into systemic US vulnerabilities, and second, that the Chinese government can access this data due to TikTok’s parent company, ByteDance, being based in China. However, the Trump administration’s approach to addressing these concerns through an executive order and other proposals has been criticized for failing to differentiate between the various security risks posed by TikTok. These risks include data collection on US government employees and individuals, censorship of information in and outside of China at Beijing’s request, and the spread of disinformation on the platform.
The ANTI-SOCIAL CCP Act offers a clearer articulation of these risks by breaking them down into two main categories: a company sharing or being compelled to share data with a government or entity of concern, and a company having its content moderation practices substantially influenced by a government or entity of concern. It is important to clearly distinguish between these risks as they require different mitigation actions and their likelihood and severity vary. The bill’s list of four prohibition criteria does a better job than the Trump administration’s executive order in separating these risks, but the bill could benefit from linking specific mitigation actions to specific risks. TikTok does collect a large amount of data on its users, like other social media platforms, but the lack of privacy and security regulations in the US makes a significant amount of information on Americans, from political preferences and demographic information to real-time GPS data and data on military personnel, widely available for purchase. The bill’s proposed complete ban on TikTok may not be the most appropriate or sustainable solution to the security risks posed by foreign platforms. This raises the issue of whether a blanket solution for various risks related to content moderation, data privacy, and others is the most suitable and sustainable approach in the long run. A more effective policy framework could be one that offers a range of possible responses to the security risks posed by foreign platforms, such as a complete ban in cases where risk mitigation measures are deemed insufficient, or a more moderate approach that imposes specific content or security requirements on the company.
The Biden administration has made significant efforts to address the concerns surrounding the use of foreign mobile applications, particularly TikTok and WeChat. The revocation of the Trump-era executive orders, which aimed to ban these platforms, was a positive move. The new executive order signed by President Biden, entitled “Protecting Americans’ Sensitive Data From Foreign Adversaries,” highlights the importance of evaluating potential threats to national security through rigorous and evidence-based analysis. Furthermore, the increasing involvement of security review bodies, such as CFIUS, in cross-border investment reviews highlights the concerns over national security creep. CFIUS’s reported discussions with TikTok suggest that the interagency committee is looking for ways to mitigate security risks by requiring companies to address these risks rather than undoing transactions. The need for a federal consumer data privacy law is pressing, given the fears that foreign governments may obtain personal information of US citizens through foreign mobile applications. This law must provide a balanced approach to cross-border data transfers that takes into account both national security interests and the potential harmful effects of data localization. Without such a law, the US will continue to face challenges in regulating the growing number of foreign technology companies. In conclusion, the Biden administration’s approach to TikTok and other foreign mobile applications is a step in the right direction. The need for a nuanced and balanced approach to addressing national security and privacy concerns remains crucial for maintaining a democratic society.