The Risks TikTok Poses Are Not at All Unique to TikTok

This article originally appeared in Future Tense, a collaboration among Arizona State University, New America, and Slate.

TikTok, the latest social media giant serving up distraction for the masses, has lately become a political tool for mass distraction. The White House has threatened to ban the Chinese-owned app in the United States or at least broker a possible acquisition by Microsoft (perhaps with a finder’s fee of sorts going to the U.S. Treasury, as President Trump proposed for some reason). Behind that drama, however, lie a series of crucial technology policy challenges the political class is largely ignoring.

U.S. government scrutiny of TikTok is based in the assumption that being owned by the Beijing-based social media company ByteDance makes it a likely avenue for Chinese government malfeasance targeting the United States. From this point of view, the fact that the app reportedly has 100 million U.S. users leads to three main kinds of risks: user data falling into Chinese government or other hostile hands, Chinese propaganda and censorship efforts penetrating U.S. society, and threats to national security as U.S.–China grow ever more fraught.

Each of these risks is real, but each is in fact larger than anything specific to TikTok. A focus on TikTok alone will do little to solve the broader problems of which these risks are only the most prominent example, and no one should feel their tech security work is done if a single Chinese-owned app is all that gets addressed.

Take the risk of the Chinese government or other bad actors gaining access to user data. The possibility captures the imagination, because mobile apps like TikTok collect so much data about their users. Not only do they record a person’s posts, but they track what posts a user looks at and for how long. They track location data, system configuration information, and other details that can make users identifiable across different services. Though TikTok says it stores all U.S. user data outside China, its privacy policy states that data may be shared with its parent company in Beijing. And even though the company says it is taking measures to limit data access, it is possible the Chinese government could lean on executives or engineers in China to gain access. And they could do so through legal requirements to help the government with national security matters, through extralegal pressure, or even through infiltration.

Honest people can differ over how likely it is that huge volumes of TikTok data would end up in Chinese government hands, but the risk of some amount of data transmission cannot be completely dismissed. The question becomes what kind of risk this poses. If you’re a Chinese dissident using TikTok to circulate content critical of Chinese leader Xi Jinping, there might be more risk; if your cats, dogs, or playground antics are contributing light to the world, it’s not entirely clear why China’s government would want your data or what they would do with it. In either case, however, a determined Chinese intelligence agency would likely have other ways to snoop, not least through trackers and data brokers that have long operated across a wide variety of apps and websites. At root, the problem is data collection and a lack of any real accountability as to how it’s handled. What if, then, as a condition of doing business in the United States, all social media companies were required to cut down on unnecessary data collection and held to account for how it is stored and used?

Next, consider the risk that China’s government could pressure TikTok to censor ideas critical of the Communist Party, or even try to affect how people vote. Most social media platforms deliver content to users based on notoriously opaque algorithms, and despite serious scholarly and corporate efforts, accountability is hard to find for what kinds of content get delivered to whom. Russia’s government, of course, has a history of manipulating platforms through coordinated posting by inauthentic accounts, or simply by placing ads, to try to affect election outcomes. It is possible China’s government could try something similar in the United States, or even more likely in a place like Taiwan. But as demonstrated by Russian actions in the 2016 U.S. election and elsewhere, politically-driven platform manipulation is hard to assess in terms of effect. It also does not require behind-the-scenes control of a platform. What if, as a condition of doing business in the United States, social media companies were required to meet stringent standards of transparency and accountability when it comes to activity affecting the sanctity of the democratic process or censoring political content?

At root, the problem is data collection and a lack of any real accountability as to how it’s handled.

Finally, consider the risk that TikTok might pose to national security. While privacy and political content risks are relatively concrete, the idea that widespread use of TikTok could threaten U.S. national security requires some imagination. Thinking creatively, it might be possible to leverage an app update or some other feature to gain unauthorized access to a user’s device.

TikTok and many other apps were recently shown to be accessing information stored in iOS users’ clipboards—a practice the company said was designed to detect spam and that it has since corrected. If you happen to be a top U.S. national security official, accidental or intentional leaks of information like this could yield important intelligence. The U.S. military addressed this category of risks, including both the everyday collection of data about service members and the risk of specific leaks, by instructing staff to remove the app from government and personal devices. TikTok data could theoretically be used in conjunction with troves like the Office of Personnel Management database, thought to have been stolen by Chinese government hackers, to build profiles of national security officials for blackmail or recruitment.

Yet this kind of hypothetical intelligence collection would be even more effective and much less likely to become an international headline if it were pursued through trackers working across many apps in advertising networks, or through hacking into phones or other systems with the kind of bespoke malware top intelligence agencies spend so much time developing and obtaining. To address national security risks from widespread data collection and cybersecurity vulnerabilities, what if, as a condition of doing business in the United States, apps and app stores were required to meet universal security standards to protect user data whether or not you handle state secrets?

The security and trust challenges receiving so much attention when it comes to TikTok are real, and having deep connections to China intensifies them in certain ways. But banning TikTok or coercing its sale would only address a tiny portion of the problem, not to mention the questionable legality of various potential moves and the chilling implications of a U.S. president unilaterally forbidding a venue where people gather online, access information, and exercise freedom of speech. It wouldn’t even address a major portion of the very China-specific threats getting so much attention today, since there are other avenues in all cases. Only a universal set of enforced rules for platforms—and the companies behind them that trade in data and interpolated insights about their users—can address legitimate government security concerns and give users confidence that their online lives are free from harmful snooping or manipulation through opaque algorithms. Today’s focus on TikTok is an opportunity for U.S. activists and policymakers to begin taking on the broader challenges that have been ignored for too long.