Foreign Relations & International Law

Reflections on TikTok and Data Privacy as National Security

Robert D. Williams
Friday, November 15, 2019, 3:54 PM

What is behind CFIUS's probe into Tik Tok?

Tik Tok in the App Store (Credit: Quinta Jurecic)

Published by The Lawfare Institute
in Cooperation With

What does the U.S. government want with a video-sharing app used primarily by tweens and teens?

News broke last week that the interagency Committee on Foreign Investment in the United States (CFIUS) has opened a national security investigation into the Chinese company that owns TikTok, a globally popular video-streaming and social media app boasting more than 100 million downloads in the United States. The CFIUS inquiry crystallizes several emerging issues in the law and politics of national security and in U.S.-China relations that have been overshadowed by the media’s focus on the trade war negotiations.

The TikTok drama is a useful reminder that our future is one in which the principal sources of prosperity and conflict alike will be informational in nature. In this world, privacy concerns often bleed into national security concerns; issues of free speech, data privacy and cybersecurity are inextricably intertwined; and even the most technically proficient experts are hard-pressed to calibrate the optimal balance of technological openness and interdependence.

First, why the fuss over TikTok? On Oct. 9, Sen. Marco Rubio appealed to Treasury Secretary Steven Mnuchin to launch a CFIUS investigation into TikTok’s acquisition of U.S. video-sharing platform, citing “ample and growing evidence” that TikTok removes content that is out of step with “Chinese Government and Communist Party directives,” such as information related to the protests in Hong Kong. On Oct. 24, Sens. Chuck Schumer and Tom Cotton sent a letter to Acting Director of National Intelligence Joseph Maguire stating concerns about the potential national security risks posed by TikTok’s collection of users’ personal data and about the app’s content censorship practices.

This would not be the first time that CFIUS had balked at the prospect of a Chinese company gaining access to U.S. citizen data. In January 2018, CFIUS blocked Chinese firm Ant Financial’s bid to acquire U.S. payments company MoneyGram over similar data access concerns. Months later, CFIUS ordered Beijing Kunlun Tech, a Chinese gaming company, to sell dating app Grindr over fears that the Chinese government might gain access to data that could be used to blackmail users of the app. In August 2018, when Congress passed legislation to expand and strengthen CFIUS, it emphasized the need to scrutinize foreign investment in companies that “maintain[] or collect[] sensitive personal data of United States citizens that may be exploited in a manner that threatens national security.”

Concerns about Beijing’s access to U.S. citizen data are not unfounded. The latest CFIUS intervention follows years of reports suggesting that China’s government is building a massive database on American citizens. Notable incidents include the Office of Personnel Management breach that exposed security-clearance records and sensitive information on 22 million Americans, the pilfering of data on nearly 80 million customers from health insurer Anthem, and the hack of Marriott that compromised data on 500 million guests of “the top hotel provider for American government and military personnel.” Experts fear U.S. citizen information can be used to develop a mosaic picture of users’ lives and habits, creating (among other things) opportunities to blackmail those with access to sensitive national security information. (According to statistics from the Office of the Director of National Intelligence, nearly 3 million Americans possess security clearances.)

The national security implications of U.S. citizen data collection are obvious enough, but what about TikTok’s alleged censoring of content that runs afoul of the Chinese government’s preferred narratives? What is the role of a national security committee in addressing gripes about online speech? At first blush, one might think that by including such allegations in their appeals to security officials, U.S. lawmakers are conflating national security imperatives with free speech values. The linkage made by the senators is instructive, however. Evidence that an ostensibly private company is censoring or manipulating content to serve the ends of the Chinese Communist Party (CCP) could help to reveal whether and how the company is subject to direction from the Chinese party-state. The extent of TikTok’s censorship is hotly contested, but the basic concern is valid: If an app is censoring for Beijing, it might also be handing over data to Beijing.

The censorship-as-national-security claim also operates at a higher level of abstraction. Following Russia’s interference in the 2016 U.S. presidential election, American officials are sensitized to the risk of foreign interference in the U.S. information environment, which is foundational to the functioning of American democracy. Few Americans are eager to import Chinese state media narratives and curated information flows. At what point does propaganda or lobbying activity become a sovereignty-violating “information operation”? When does influence cross the line into interference?

Yet, at the same time, Americans should not aspire to emulate China’s tightly controlled domestic media environment. When do government initiatives to counter foreign influence undermine the very constitutional values they aim to protect? As the members of a recent Asia Society task force put it:

Efforts to shape Americans’ views about China often involve constitutionally protected speech by citizens and foreign nationals. What is objectionable are Chinese-government coordinated actions that are covert, coercive, or corrupting, even if they involve “speech.” As we act to rebuff these wrongful efforts to shape Americans’ views about China, we must protect other efforts to influence people’s views that are protected by our country’s cherished system of free expression embodied in the First Amendment. In protecting our democratic freedoms from Chinese government pressure, we must not undermine our constitutional principles ourselves, such as free speech rights for citizens and non-citizens alike; the right to receive information and ideas, as well as to communicate them; the academic freedoms of universities, teachers, and students; and the robust and open “marketplace of ideas.”

These issues were elaborated recently in an important essay by Jonathan Hillman, who argues that an overly paranoid and defensive reaction to Chinese tech companies risks undermining both the United States’s values and its economic competitiveness. “The risk of getting this wrong,” Hillman writes, “is not merely that the United States becomes less competitive, but that it also becomes less American.” Similarly, Jennifer Daskal and Samm Sacks make a compelling case that Washington should “spend less time trying to clip the wings of rising entrants to the market and more time working on legislation and the development of standards to better protect privacy, secure data, and manage online content.” Even as these analysts warn against paranoia and overreaction, however, they all seem to acknowledge the basic validity of the questions swirling around TikTok. As Hillman explains, “Some concerns are legitimate: Washington should want to know whether the Chinese government is using companies to steal its secrets or gather data to blackmail federal employees.”

Therein lies the conundrum: Just as it is wrongheaded to paint all Chinese tech companies as agents of a Leninist party-state, it is equally overly simplistic to chalk up the agitation over TikTok to McCarthyist fear-mongering by Congress and the Trump administration. It’s descriptively incorrect and analytically unhelpful to think of the U.S.-China tech relationship in categorical terms. The American foreign policy community is in the midst of a major debate over the future direction of China policy writ large. There should be space in that discussion for those who worry with equal sincerity about the risks of espionage and sabotage, on the one hand, and about the economic, strategic and constitutional costs of technological “decoupling” on the other. The future of U.S. national security depends on a textured approach that strikes the right balance between protecting U.S. strategic interests and safeguarding American constitutional values.

This is why the CFIUS probe into TikTok should be (tentatively) applauded, not derided: It is a nuanced response to a multidimensional challenge. Daskal and Sacks argue that it reflects a “whack-a-mole” and insufficiently strategic approach to competition with Chinese technological influence. Perhaps so. But perhaps a different analogy is more apt. The CFIUS review process reflects the use of a scalpel instead of a sledgehammer. This is not to dismiss the importance of the United States’s adopting new affirmative measures to bolster U.S. competitiveness and the attractiveness of U.S. tech policies and norms. But when it comes time to play defense, it is far better to do so using CFIUS’s approach of case-by-case risk analysis than to wall off the U.S. economy to Chinese technology and capital. Reuters’s report that “CFIUS is in talks with TikTok about measures it could take to avoid divesting the assets it acquired” suggests that, behind the scenes, CFIUS may be taking a delicate touch to safeguard U.S. interests without foreclosing the U.S. market to an enormous player in the tech space.

There is another, less obvious benefit to the discrete approach embodied in the CFIUS inquiry into TikTok. The message it sends is that the United States is not closed for business, but evidence that a Chinese company is following orders from Beijing that threaten U.S. security will impair that company’s access to the U.S. market. Chinese leaders are not immune to incentives. In its drive to support the outward expansion of China’s tech sector, the Chinese regime must consider the costs of Chinese companies appearing to be too beholden to the Chinese state. As the Huawei 5G episode has made clear, that perception is a looming threat to China’s global ambitions.

Similar competing incentives are already evident in the rollout of China’s domestic data localization regime. The impulse toward greater government control of data cuts against the need for open data flows to support the development of China’s tech sector—both of which are important to China’s broad vision of national security.

If the TikTok drama illustrates the fluid connections between individual privacy and national security, China’s 2017 Cybersecurity Law and implementing regulations all but merge the two concepts. Beijing aspires to protect both privacy and national security through measures to keep “personal information” and “important data” within China’s borders. (An important caveat: Privacy in the Chinese context largely describes an information relationship between individuals and companies, not between citizens and the government. Consumer privacy protections thus coexist alongside a repressive surveillance state that employs widespread facial recognition and personal data collection to monitor and control Chinese citizens.) There are numerous lingering ambiguities, however, in the letter and implementation of China’s data governance framework. In addition to bureaucratic resistance and complexity, the murkiness of enforcement of these data protections may reflect Chinese officials’ ambivalence about the openness required to reach the “commanding heights” of technological development and their deep insecurity about the consequences of openness for maintaining a “secure and controllable” online environment.

As the CFIUS inquiry into TikTok illustrates, U.S. officials are confronting their own distinct set of tensions between economic openness and data control. In navigating this terrain, CFIUS should be one element of a broader strategy that seeks to ensure national security considerations relating to data protection are as targeted and narrowly construed as possible. Washington’s approach must account for the strategic value of data protection but also the strategic costs of U.S.-China technological decoupling. Those costs were highlighted recently in the interim report of the U.S. National Security Commission on Artificial Intelligence. “The choice,” the commission wrote, “need not be a binary one between cooperating and disentangling.” Despite the unfortunate optics of politicization in the tone and publicity around Congress’s TikTok anxiety, perhaps in the end the TikTok episode will demonstrate a path forward that transcends this false choice.

Robert Williams is a senior research scholar, lecturer, and executive director of the Paul Tsai China Center at Yale Law School. He is also a nonresident senior fellow at the Brookings Institution.

Subscribe to Lawfare