A former TikTok recruiter remembers that her hours were supposed to be from 10 a.m. to 7 p.m., but more often than not, she found herself working double shifts. That’s because the company’s Beijing-based ByteDance executives were heavily involved in TikTok’s decision-making, she said, and expected the company’s California employees to be available at all hours of the day. TikTok employees, she said, were expected to restart their day and work during Chinese business hours to answer their ByteDance counterparts’ questions.
This recruiter, along with four other former employees, told CNBC they’re concerned about the popular social media app’s Chinese parent company, which they say has access to American user data and is actively involved in the Los Angeles company’s decision-making and product development. These people asked to remain anonymous for fear of retribution from the company.
TikTok launched internationally in September 2017. Its parent company, ByteDance, purchased Musical.ly, a social app that was growing in popularity in the U.S., for $1 billion in November 2017, and the two were merged in August 2018. In just a few years, it has quickly amassed a user base of nearly 92 million in the U.S. In particular, the app has found a niche among teens and young adults — TikTok has surpassed Instagram as U.S. teenagers’ second-favorite social media app, after Snapchat, according to an October 2020 report by Piper Sandler.
Last year, then-President Donald Trump sought to ban TikTok in the U.S. or force a merger with a U.S. company. The Trump administration, including Secretary of State Mike Pompeo, expressed national security concerns over the popular social media app’s Chinese ownership, with Pompeo saying at one point that TikTok might be “feeding data directly to the Chinese Communist Party.” TikTok has consistently denied those claims, telling CNBC, “We have never provided user data to the Chinese government, nor would we do so if asked.” In the company’s last four semi-annual transparency reports, it does not report a single request from the Chinese government for user data.
Earlier in June, TikTok caught a break when President Joe Biden signed an executive order that revoked Trump’s order to ban the app unless it found a U.S. buyer. Biden’s order, however, sets criteria for the government to evaluate the risk of apps connected to foreign adversaries.
ByteDance’s control
The former employees who spoke to CNBC said the boundaries between TikTok and ByteDance were so blurry as to be almost non-existent.
Most notably, one employee said that ByteDance employees are able to access U.S. user data. This was highlighted in a situation where an American employee working on TikTok needed to get a list of global users, including Americans, who searched for or interacted with a specific type of content — that means users who searched for a specific term or hashtag or liked a particular category of videos. This employee had to reach out to a data team in China in order to access that information. The data the employee received included users’ specific IDs, and they could pull up whatever information TikTok had about those users. This type of situation was confirmed as a common occurrence by a second employee.
TikTok’s privacy policy states that the company can share the data it collects with its corporate group, which includes ByteDance.
“We may share all of the information we collect with a parent, subsidiary, or other affiliate of our corporate group,” the privacy policy reads.
TikTok downplayed the importance of this access. “We employ rigorous access controls and a strict approval process overseen by our U.S.-based leadership team, including technologies like encryption and security monitoring to safeguard sensitive user data,” a TikTok spokeswoman said in a statement.
But one cybersecurity expert said it could expose users to information requests by the Chinese government. “If the legal authorities in China or their parent company demands the data, users have already given them the legal right to turn it over,” said Bryan Cunningham, executive director of the Cybersecurity Policy & Research Institute at the University of California, Irvine.
As CNBC reported in 2019, China’s National Intelligence Law requires Chinese organizations and citizens to “support, assist and cooperate with the state intelligence work.” Another rule in China, the 2014 Counter-Espionage law, has similar mandates.
The close ties between TikTok and its parent company go far beyond user data, the former employees said.
Direction and approvals for all kinds of decision-making, whether it be minor contracts or key strategies, come from ByteDance’s leadership, which is based in China. This results in employees working late hours after long days so they can join meetings with their Beijing counterparts.
TikTok’s dependence on ByteDance extends to its technology. Former employees said that nearly 100% of TikTok’s product development is led by Chinese ByteDance employees.
The lines are so indistinct that multiple employees described having email addresses for both companies. One employee said that recruiters often find themselves looking for candidates for roles at both companies.
TikTok acknowledged that employees might have multiple aliases, but said it relies on Google’s enterprise-level Gmail service for its corporate email and their emails are stored on Google servers, where they are logged and monitored for unauthorized access.
In comments to CNBC, TikTok downplayed the importance of its transnational structure. “Like many global technology companies, we have product development and engineering teams all over the world collaborating cross-functionally to build the best product experience for our community, including in the U.S., U.K. and Singapore,” a TikTok spokeswoman said in a statement.
On the personnel side, ByteDance in April appointed Singaporean national Shouzi Chew to the role of TikTok CEO. Prior to Chew’s appointment, TikTok was led on an interim basis by former YouTube executive Vanessa Pappas, who was vaulted into the role after former Disney streaming executive Kevin Mayer resigned in August 2020, just three months into the job.
Chew already served as ByteDance’s chief financial officer and will continue to hold that position in addition to his new role as TikTok CEO.
Again, TikTok downplayed the connection. “Since May 2020, TikTok management has reported into the CEO based in the U.S., and now Singapore, who is responsible for all long-term and strategic day-to-day decisions for the business,” a TikTok spokeswoman said in a statement.
The risks of Chinese ties
Cybersecurity experts who spoke with CNBC said there are a number of risks that come with TikTok being so interwoven with its parent company.
One set of risks is how the Chinese government could spread propaganda or influence the thinking of the Americans who use TikTok each month. This could be done through short-length videos that the Chinese government may want to show to Americans, whether it be factual content or misinformation. The company could also choose to censor certain types of content.
This has already happened in a few instances. For example, the company instructed moderators to censor videos that mentioned Tiananmen Square, Tibetan independence or the religious group Falun Gong, according to a September 2019 report by The Guardian. Following the report, TikTok said it no longer practiced that censorship and said it recognized that it was wrong.
“Today we take localized approaches, including local moderators, local content and moderation policies, local refinement of global policies, and more,” the company said in a statement at the time.
In November 2020, TikTok’s U.K. Director of Public Policy Elizabeth Kanter admitted during a parliamentary committee hearing that the app had previously censored content that was critical of the Chinese government in regard to forced labor of Uyghur Muslims in China. Afterward, Kanter said she misspoke during the hearing.
“Anytime [the Chinese government has] control over a platform like TikTok that has billions of users and is only getting more popular, it gives them power to feed our mind what we should think about, what we consider truth and what is false,” said Ambuj Kumar, CEO of Fortanix, an encryption-based cybersecurity company. Kumar is an expert on end-to-end encryption, including dealing with China’s special conditions for data encryption.
A bigger and much less discussed concern is the data TikTok collects from its users and how that data could be exploited by the Chinese government.
TikTok’s privacy policy explains that the app collects all kinds of data. This includes profile data, such as users’ names and profile images, as well as any data users might add through surveys, sweepstakes and contests, such as their gender, age and preferences.
The app also collects users’ locations, messages sent within the app and information about how people use the app, including their likes, what content they view and how often they use the app. Notably, the app also collects data on users’ interests inferred by the app based on the content that users view.
Most importantly, TikTok also collects data in the form of the content that users generate on the app or upload to it. This would include the videos that users make.
Some experts said they’re concerned that content created by a teenager now and uploaded to TikTok, even as an unpublished draft, could come back to haunt that same person if they later land a high-level job at a notable American company or start working within the U.S. government.
“I’d be shocked if they are not storing all the videos being posted by teenagers,” Kumar said. “Twenty years from now, 30 years from now, 50 years from now when we want to nominate our next justice to the U.S. Supreme Court, at that time they will go back and find everything they can and then they’ll decide what to do with it.”
TikTok is not unique in collecting American user data. American consumer tech companies such as Facebook, Google and Twitter also possess vast troves of information they’ve collected on their users. The difference, according to experts on Sino-U.S. relations and Chinese espionage, is that American companies have many tools at their disposal to protect their users when the U.S. government seeks data, while Chinese companies have to comply with the Chinese government.
“ByteDance is a Chinese company, and they’re subject to Chinese national law, which says that whenever the government asks for the data a company is holding for whatever reason, the company must turn it over. They have no right to appeal,” said Jim Lewis, senior vice president and director, strategic technologies program at the Center for Strategic & International Studies, a foreign affairs think tank. Lewis previously worked for various agencies in the U.S. government, including on Chinese espionage.
“If the Chinese government wants to look at the data that ByteDance is collecting, they can do so, and no one can say anything about it,” Lewis said.
The Chinese government’s track record when it comes to human rights and widespread surveillance is reason for concern.
“Given the Chinese government’s authoritarian bent and attitudes, that’s where people are really concerned with what they might do,” said Daniel Castro, vice president at the Information Technology and Innovation Foundation, a nonprofit, nonpartisan think tank.
In particular, these experts cite the 2015 hack of the Office of Personnel Management, in which intruders stole more than 22 million records of U.S. government employees and their friends and family. The hackers behind the breach were believed to have been working for the Chinese government.
“They’ve collected tens of millions of pieces of data on Americans,” said Lewis. “This is big data. In the U.S. they use it for advertising … in China, the state uses it for intelligence purposes.”
Americans who decide to use TikTok should do so with the understanding that they are likely handing their data over to a Chinese company subject to the Chinese government, said Bill Evanina, CEO of Evanina Group, which provides companies with consultation for risk-based decisions regarding complex geopolitics.
“When you’re going to download TikTok … and you click on that ‘I agree to terms’ — what’s in that is critical,” Evanina said.
Not all experts, however, are concerned that TikTok is a threat.
Graham Webster, editor in chief of the Stanford-New America DigiChina Project at the Stanford University Cyber Policy Center, notes that most of the data that TikTok collects could just as easily be gathered by the Chinese government through other services. China doesn’t need its own consumer app to exploit Americans’ data, he said.
“I find it to be a very low-probability threat model for actual national security concerns,” Webster said.
What TikTok could do to calm fears
As TikTok waits to see how the Biden administration decides to proceed, the company could take a number of steps to provide the new president and the American public with assurances that their data won’t be misused.
A first step would be for TikTok to be more transparent about its data collection process. For cybersecurity experts, specific details would go a long way toward establishing the company’s credibility.
Jason Crabtree, CEO of cybersecurity company Qomplex, formerly served as a senior advisor to the U.S. Army Cyber Command during the Obama administration. He said TikTok should be clear on what it collects, where it is stored, how long it is stored for, and which employees of which companies have access to the data.
A TikTok information sheet states that the company stores U.S. user data in Virginia with a backup in Singapore and strict controls on employee access. The company does not specify which user data it collects, saying “the TikTok app is not unique in the amount of information it collects, compared to other mobile apps.” The company says it stores data “for as long as it is necessary to provide you with the service” or “as long as we have a legitimate business purpose in keeping such data or where we are subject to a legal obligation to retain the data.” The company also says any user may submit a request to access or delete their information and TikTok will respond to the request consistent with applicable law.
“If all those things are documented and attested to, you have a much better shot at explaining to the U.S. public, to regulators and other interested parties why this is no issue to consumers,” Crabtree said. “If you don’t or are unwilling to provide real clarity then that’s something people should rightfully be really concerned about.”
Another tactic would be for ByteDance to proceed with the plan it had outlined toward the end of the Trump presidency and sell TikTok to a U.S. company that Americans already trust. After Trump signed the order that could have potentially banned TikTok, the company entered talks with Microsoft but didn’t reach a deal. At one point, there was an agreement in place to sell minority stakes to Walmart and Oracle, although the sale was never finalized. For some cybersecurity experts, anything short of this would not be enough to evoke trust in TikTok’s handling of American data.
“As long as TikTok is a subsidiary of ByteDance, I certainly will not be satisfied with any purported technological fixes,” Cunningham said.
Rather than focusing specifically on TikTok or Chinese apps, the U.S. should make stronger privacy regulations to protect Americans from all tech companies, including those with ties to adversary nations, Webster said.
“The solution ought to be comprehensive privacy protection for everyone, protecting you from American companies and Chinese companies,” Webster said.