TikTok Is the Tip of the Iceberg
National Security Implications of PRC-Based Platforms
Hello, I’m Ylli Bajraktari, CEO of the Special Competitive Studies Project. In this edition of 2-2-2, Meaghan Waff of SCSP’s Intelligence panel discusses the national security implications of foreign based platforms from countries of concern.
The era of digital geopolitical competition has arrived. The war in Ukraine – “the first networked war” – continues to demonstrate the critical role of data and technology, and the power of open source information and social media, in modern war. Outside of Ukraine and war, the rapid proliferation of personal electronic devices, digital platforms, and communication infrastructure continues to create opportunities for citizens and countries alike to reach large segments of populations, often in a matter of seconds.
But this kind of reach is not necessarily benign, in practice or potential. Since 2018, TikTok has provided the People’s Republic of China (PRC) with an unprecedented opportunity for access into the United States and our allies and partners. With 1.5 billion users worldwide – 113 million of those in the United States – TikTok possesses a direct line of access to an increasingly large segment of the U.S. population. With this access, the Chinese Communist Party (CCP) controls a powerful platform from which it can freely collect personal and private data and exert targeted and impactful influence – as it has done with other platforms.
However, TikTok, in many ways, is the tip of the iceberg. A number of other digital platforms from China, platforms that could give rise to the same national security concerns as TikTok, are finding quick access U.S.-based users and consumers. This unprecedented, rapidly growing, and unrestricted access is moving us towards a scenario that SCSP’s Defense Panel warned about last year – where our shopping habits, dating preferences, social networking, career links, and even DNA is easily available and has the potential to be repurposed for nefarious activities.
Why is TikTok concerning?
Compared to other social networking apps, TikTok presents a unique challenge for policymakers due to TikTok’s origin in the PRC, its complex corporate governance leadership and oversight, and its ties to the CCP. The central issue at hand is about trust and control.
For a number of years now, policymakers and technology experts have sounded the alarm on TikTok’s privacy, societal, and national security concerns:
CCP Control and Corporate Governance. TikTok’s corporate relationship to its China-based parent company, Bytedance, remains murky. As a PRC-based firm, Bytedance is ultimately subject to the rules and regulations of the CCP. In August 2021, Beijing acquired a one percent stake and one board seat in the Bytedance-subsidiary “Douyin,” which operates the domestic version of TikTok inside China. Bytedance, itself, has a CCP party committee inside the company and myriad connections to the party-state.
Data Security & Privacy. TikTok’s opaque corporate governance structure and the fact that much of its underlying code and technical infrastructure was developed and is closely guarded in China calls into question the degree it can adequately partition its user data from CCP access. In fact, the 2020 Chinese Export Control Law that limits the export of sensitive technologies for national security allows the CCP to control the export of TikTok’s algorithm. TikTok collects a trove of user data, which in turn allows the CCP access to such data under the PRC’s 2019 Data Security Law, Article 36. Despite fervent denials that TikTok’s PRC-based developers can access TikTok’s U.S. user data, several instances have been reported of non-public U.S.-based user data being accessed by PRC-based engineers between September 2021 and January 2022.
Malign Influence. The Federal Bureau of Investigation (FBI) has warned that the platform could be used by CCP authorities to execute influence operations, including the ability to influence potentially high-impact and senior U.S. Government officials. During the 2022 general election, 30 percent of Senate candidates and 20 percent of House candidates used TikTok for campaign purposes. The potential for influence operations on TikTok is closely linked to algorithmic transparency as researchers have noted difficulties in understanding TikTok’s “black box algorithm.”
While the above national security issues are unique to TikTok, there are also societal and health concerns that deserve further attention. (Ed. Note: This newsletter is focused on these issues in relation to TikTok and PRC-based platforms. It does not address similar concerns in relation to U.S. and other non-PRC platforms).
Polarization. TikTok tracks user engagement to increasingly send bias-enhancing content, with one experiment showing TikTok provided exclusively far-right content on its “For You” page after the user engaged with conservative videos on the platform.
Addiction. TikTok’s content reportedly uses random reinforcement to induce user dopamine release and create an addictive phenomenon called “TikTok Brain” that lowers attention spans and the ability to focus on sustained tasks. Of note, the domestic PRC version of TikTok pushes educational content via its Youth Mode and has 40-minute long anti-addiction locks (in part due to PRC regulations) – something the U.S. version does not.
Psychological well-being. TikTok Brain reportedly correlates with increased anxiety, depression, and memory loss in users. Similarly, the platform is reportedly linked to increases in disordered eating and suicide rates from content like the “blackout challenge.”
What’s the bigger picture?
TikTok, however, is just the first PRC-tied platform to make a big splash - both in popularity and controversy. Other PRC platforms have entered the U.S. and international market and are growing in popularity that could pose similar challenges, particularly with respect to data harvesting, data exploitation, and - possibly - covert influence.
WeChat (social media). The all-in–one platform has 1.26 billion monthly users globally and 2.3 million weekly users in the United States, predominantly among Chinese speakers in the PRC and diaspora. WeChat has been criticized for censorship, surveillance, and control over users via the platform.
Shein (e-commerce). Shein surpassed Amazon as the most downloaded platform in the United States in the second quarter of 2022 and became the globally most downloaded shopping platform in 2022. The fast fashion platform is known for their steep discounts that promote abundance in purchasing.
Temu (e-commerce). Temu entered the market in August 2022 and replaced Shein, Walmart, and Amazon as the most downloaded shopping platform in the United States by October. Its popularity rests on heavily discounted goods and its incentives for group buying goods (Temu stands for “Team Up, Price Down”). It even had three ads run during the Super Bowl.
Capcut (video editor). CapCut is ByteDance’s video editing platform. Easy-to-use green screen functions and stickers contribute to its popularity, ranking among the U.S. top downloads for free platforms since May of 2022.
Tencent (gaming). The PRC-based firm Tencent is predominant in the online gaming industry. It is connected to the popular game Fortnite through its 48% stake in Epic Games and developed PUBG Mobile and Apex legend in its LightSpeed & Quantum Studio.
As of February 11, 2023, the top downloaded platforms in the United States per the free category on the App Store and Google Play. Source: Sensor Tower
What are governments doing about it?
Even with increased awareness of the risks, government efforts towards these platforms vary. For the most immediate concern – TikTok – there are a number of efforts, somewhat disjointed, to address the risks in the United States.
Executive Branch. Both the Trump and Biden Administrations have issued executive orders to deal with the risks posed by TikTok. In addition, the Committee on Foreign Investments in the United States (CFIUS) is currently reviewing the TikTok case.
Legislative Branch. Within Congress, Senator Josh Hawley’s (R-MO) No TikTok on Government Devices Act was included in the FY 2023 National Defense Authorization Act. Last year, legislation in the House and Senate was introduced by Representatives Mike Gallagher (R-WI) and Raja Krishnamoorthi (D-IL) and Senator Marco Rubio (R-FL), respectively, to ban TikTok and Bytedance alongside future subsidiaries. Furthermore, as of January 2023, Senator Mark Warner (D-VA) is also considering proposing a bill that would expand beyond current efforts to ban TikTok by including a broader “category of applications.”
State Governments. More than 30 states have enacted bans or restrictions to TikTok’s usage since November. The restrictions primarily limit access to TikTok on state-owned devices and networks. Several of these bans capture state university systems, though individual universities, notably Auburn University in Alabama and the University of Oklahoma, have enacted their own restrictions, limiting access to TikTok on their networks. Uniquely, New Jersey and Maryland banned platforms and devices from multiple foreign entities, including Huawei and Kaspersky Labs.
Growing Awareness Outside the United States.
There seems to be growing awareness about the risks from PRC-tied platforms, predominantly TikTok, in the European Union, United Kingdom, India, and Australia.
Some of these countries have also taken action. In 2020, India cut off all access to its market with the banning of TikTok alongside 58 other platforms. In the UK, the British Parliament shut down its TikTok account over data concerns. In the EU, the General Data Protection Regulation (GDPR) provides a threshold for data privacy and protection to all users within the EU. The Irish Data Protection Commission’s ongoing investigation into the exportation of children’s data to the PRC on the TikTok platform tests the company’s compliance with GDPR protections.
As the United States deliberates on further actions towards TikTok, allies and partners provide both models for action and force multipliers for prospective actions. Shared standards, mutual understanding of threats, and joint efforts to protect against vulnerabilities are much more likely to be effective in ensuring the safety of citizens, rather than individual, national-level actions.
So, what do we do now?
There are a number of options that the United States could consider to mitigate the risks in the near-term.
The most comprehensive solution to TikTok, and similar challenges for that matter, would be federal legislation.
If the central concern over PRC-tied platforms is the CCP’s ability to influence, control, and access the platform’s operations and data, the next strongest option would be a forced divestiture where CFIUS recommends the President order a divestiture, where ByteDance would sell its share of TikTok to a U.S. company. (However, Beijing could refuse to comply with the order and set conditions for a stalemate).
A lesser measure would be the continuation of state-level bans, which could decrease the platform’s user base among state employees and contractors. Given enforcement mechanisms available and the possibility of governors overturning prior state executive orders, these actions remain largely symbolic.
The final option includes CFIUS recommending mitigation measures. Project Texas is reportedly ByteDance’s proposed mitigation plan in the event of a CFIUS mitigation order. The plan is reported to involve housing systems related to serving content on Oracle servers for monitoring and creates a new subsidiary called TikTok U.S. Data Security (USDS) aimed at increasing transparency around data use, TikTok’s code and back-end systems, and content moderation.
A long-term and sustainable solution is a systemic approach to all foreign digital platforms from countries of concern. Such a solution will need to be wide-reaching and flexible in order to address the varied concerns stemming from both current challenges in the e-commerce and social media domains, as well as prospective risks that are yet to fully manifest themselves.
Beyond specific steps to address the threat of platforms from countries of concern, the United States should also adopt comprehensive federal data privacy laws and a data strategy. This is one domestic policy option that will contribute to addressing the threats above.
No matter how the United States deals with TikTok in the near-term, there needs to be a recognition that the risks are likely bigger than TikTok and so must be the prescription.
Excellent article. Of course all of these risks and concerns apply to US-based social media platforms as well, but I think the US government has full access to those, and is able to use them freely for all the nefarious activities you describe so well above. I'd guess that's why they aren't raising the alarms as much about Facebook and Twitter lol.