Cybersecurity & Tech Foreign Relations & International Law

U.S. Launches National Security Probe Into Chinese-Owned App TikTok

Richard Altieri, Benjamin Della Rocca
Friday, November 8, 2019, 3:04 PM

Lawfare’s biweekly roundup of U.S.-China technology policy news.

Tik Tok in use on a mobile phone (Source: Flickr/Aaron Yoo)

Published by The Lawfare Institute
in Cooperation With

U.S. Launches National Security Probe Into Chinese-Owned App TikTok

The Treasury Department’s Committee on Foreign Investment in the United States (CFIUS) has reportedly launched a national security investigation into TikTok, a rapidly growing video-streaming and social media app owned by Chinese social media company ByteDance. TikTok, which has more than 110 million downloads in the U.S. and is especially popular with teens, has come under heightened scrutiny in recent weeks from American lawmakers. Last week, Sens. Chuck Schumer and Tom Cotton penned a letter asking Acting Director of National Intelligence Joseph Maguire to determine whether TikTok’s data collection practices pose a national security risk. In early October, Sen. Marco Rubio asked Treasury Secretary Steven Mnuchin to investigate TikTok, saying in a letter that “ample evidence” had emerged that TikTok removes content that runs counter to “Chinese Government and Communist Party directives,” such as material related to the protests in Hong Kong.

The CFIUS investigation will center on ByteDance’s 2017 $1 billion acquisition of Shanghai-based, a forerunner to TikTok that had established a foothold in the United States and Europe. Following the purchase of the app, ByteDance, which has grown to become one of the world’s most valuable startups, combined with its own social media streaming service, Douyin, and rebranded the app outside of China as “TikTok.” In the past year, TikTok has been downloaded more than 750 million times globally—more than Facebook, Instagram, YouTube or Snapchat.

ByteDance did not seek CFIUS approval for the deal, and the investigative body has the authority to review completed transactions. Although the acquisition involved two Chinese-parented companies, CFIUS’s broad mandate allows it to “suspend or block” any deal with the approval of the president when “no other laws apply” and “credible evidence” suggests that the transaction poses a “national security risk.” CFIUS also has broad discretion over remedies. It may limit ByteDance’s capacity to access certain information, require it to observe restrictive protocols, or force it to divest entirely to remain in compliance with U.S. law.

Sources with knowledge of CFIUS’s confidential proceedings say that the committee is in talks with ByteDance about measures the firm might take to avoid running afoul of U.S. law. A TikTok spokesperson said the company could not comment on “ongoing regulatory processes” but added that “TikTok has made clear that we have no higher priority than earning the trust of users and regulators in the U.S.”

TikTok has previously said that concerns about its data collection and censorship practices are unwarranted. In a blog post from late October, the company said it stores U.S. user data inside the United States and that it is not “subject to Chinese law.” The post claimed that TikTok has “never been asked by the Chinese government to remove any content and we would not do so if asked.”

The TikTok investigation is the latest example of increasing scrutiny of Chinese technology firms from U.S. regulators. In March, CFIUS required Beijing Kunlun Tech, a Chinese gaming company, to sell gay-dating app Grindr, over concerns that the Chinese government might gain access to the data and blackmail users. In March 2018, President Trump quashed Broadcom’s attempted takeover of U.S. chipmaker Qualcomm, reportedly for fear that the deal would help China jump ahead in the race to develop 5G technology. In January 2018, motivated by data security concerns, CFIUS scuttled Alibaba’s attempts to take over U.S. payments company MoneyGram International.

The trend toward stricter review of Chinese investment is likely to continue. In September, the Treasury Department issued new regulations granting CFIUS greater latitude to review transactions involving sensitive technologies or personal data. The new regulations, widely seen as targeted at Chinese firms investing in American technology, are set to go into effect in 2020.

China Passes Cryptography Law, Heightening Security Standards

On Oct. 26, China’s legislature passed the Cryptography Law, which imposes new regulations on encryption technology—computer language that protects information by rendering it unreadable to unauthorized users. The law’s provisions, which will take effect in 2020, apply to companies that produce encryption technology and restrict how government entities, corporations and individuals may use encryption tools. The Cryptography Law divides cryptographic technology into two tiers: “core” cryptography, used to encrypt state secrets; and “commercial” cryptography, which is used to encrypt other information. The former category will receive heightened supervision, while citizens and corporations can lawfully use the latter category of encryption for their own network and information security, provided they meet certain baseline certification requirements.

Some Cryptography Law provisions may have negative consequences for foreign companies operating in China. Most notably, certification requirements for certain types of commercial cryptography may prevent firms from using their preferred encryption methods—an arrangement that foreign companies have found objectionable in the past. Compliance with new security standards and protocols may also prove costly for firms. But the law’s full financial implications remain uncertain because, as legal experts have observed, the text defines the highly regulated “core” encryption categories only in broad strokes. Until further regulations are released, companies may not know whether their technologies will fall into the “core” classification.

At the same time, the Cryptography Law appears to provide important protections for private companies that rely on encryption—including foreign companies. The law stipulates that, within China’s encryption space, all measures will apply equally to foreign and domestic firms. This provision, along with the law’s ban on forced encryption technology transfers, seems to break from past Chinese regulations that did not include such protections.

The Cryptography Law emerges from a long-term government push to overhaul the nation’s encryption regulation, which has been scheduled for revision since 2009. China’s State Cryptography Association (SCA) released a first draft of the latest legislation in April 2017 and a second draft this past July. After each release, the SCA solicited extensive comments from domestic stakeholders, which produced significant amendments to the draft legislation. The Cryptography Law also follows other recent Chinese data-security reforms, including the expansive 2016 Cybersecurity Law, which tightened controls on network activity and data management.

This legislation also comes amid state media reports that China is preparing to launch a new digital currency. Some analysts argue that the Cryptography Law will pave the way for China to release the new currency. Recently, President Xi Jinping stressed the importance of developing blockchain technology with practical applications

In Other News

On Oct. 24, Vice President Mike Pence sharply criticized China for its foreign and domestic policy in a high-profile speech. But Pence was careful to note the U.S. would not seek to decouple from the Chinese economy. In his remarks, Pence offered explicit American support for the protests in Hong Kong: “We are inspired by you,” he said of the protesters. “Know that you have the prayers and the admiration of millions of Americans.” Pence accused U.S. companies of siding with China in a recent controversy set off when a Houston Rockets executive published a tweet supporting the Hong Kong protesters, saying that American firms had “left their conscience at the door” to maintain access to China’s market. Pence went on to rebuke China for its human rights record, its actions in the South China Sea and its economic practices. In response, China said the Vice President’s speech “exuded sheer arrogance” and was “packed … with lies.” The sharp rhetoric from both governments highlights entrenched geopolitical tensions that may persist even if the two sides reach an agreement on trade.

Commerce Secretary Wilbur Ross said earlier this week that licenses for American companies seeking to sell to Huawei would be issued “very shortly,” and he expressed optimism that the United States and China would reach a trade deal within the month. Despite this, U.S. officials have been pushing Taiwan President Tsai Ing-wen to prohibit Taiwanese semiconductor manufacturers from selling to Huawei, arguing that the Chinese telecom firm might provide technologies with Taiwanese components to the People’s Liberation Army. Taiwan Semiconductor Manufacturing Company and other Taiwanese technology firms may have benefited from Washington’s decision to bar American companies from selling to Huawei, as they have been able to fill gaps in the American market. Meanwhile, the head of Germany’s foreign intelligence service, Bruno Kahl, told German legislators that Huawei should not be allowed to build any infrastructure related to the country’s “core interests.” Earlier this year, German Chancellor Angela Merkel had ruled out an outright ban for Huawei in building Germany’s 5G networks. Kahl’s recent remarks underscore the competing pressures Germany faces, as it weighs security concerns against the economic benefits Huawei could bring. In Russia, that debate has largely been decided in Huawei’s favor: The telecom titan has become a leader in Russian mobile device sales and 5G development, and has received praise from the Russian government.

In Hong Kong, officials have sought greater legal authority to combat “doxxing,” a practice whereby social media users publicize personal details about private individuals. The problem has affected both police and protesters. In late October, a Hong Kong court issued an injunction prohibiting social media users from posting personal details about police officers and their families. The broad language of the prohibition has prompted concerns that Hong Kong will use the measure to restrict free speech and press reporting. Meanwhile, Hong Kong’s privacy commissioner, Stephen Wong Kai-yi, has requested an amendment to Hong Kong’s Personal Data (Privacy) Ordinance that would grant his watchdog agency greater authority to cut Hongkongers’ access to websites that post personal details about protesters. The recent government actions have called additional attention to social media’s prominent role in the protests.


Sen. Marco Rubio argues in the Guardian that the U.S. must stand up to China’s Uighur internment policies, and the editorial board of Foreign Policy writes that conditions for Uighur Muslims in China are growing even worse. For the Brookings Institution, Ryan Hass evaluates Taiwan’s security prospects in light of President Trump’s foreign policy priorities. David Sacks discusses in the National Interest how China’s efforts to isolate Taiwan could backfire.

For the Council on Foreign Relations, Benn Steil and Benjamin Della Rocca examine Trump’s “phase one” trade deal with China and its effect on U.S. farm exports, while Justin Sherman analyzes China’s and Russia’s conceptions of cyber sovereignty. For the Mercator Institute, Noah Barkin examines how Europe can respond to U.S.-China technological competition, and Lavender Au and Mats Kuuskema analyze China’s social credit system.

Joshua Eisenman and Devin T. Stewart explain in Foreign Policy how China is responding well to countries’ feedback on its Belt and Road projects. For Time magazine, Christine Loh and Robert Gottlieb contend that the U.S. and China must put aside their geopolitical rivalry to tackle climate change. Yuwa Hedrick-Wong discusses in Forbes how China’s rise clashes with the existing global liberal order.

For Lawfare, Susan Landau writes that the White House has failed to address the threat of state-sponsored cyberattacks. Jim Baker explores how the U.S. can use encryption to protect against Chinese cybersecurity threats. Lawfare released a new e-book, “Huawei, 5G and National Security,” on the security implications of 5G technology.

Richard (Ricky) Altieri is a third-year student at Yale Law School. He holds a Bachelor’s degree in Philosophy from Amherst College and a Master’s in Global Affairs from Tsinghua University, where he studied as a Schwarzman Scholar. From 2015-2016, as part of a Watson Fellowship, Richard performed stand-up comedy in English, Spanish and Chinese in various countries. From 2017 to 2019, Richard served as a Business Advisory Services Manager at the US-China Business Council in Beijing, where his work focused principally on Chinese technology policy and intellectual property law.
Benjamin Della Rocca is a third-year student at Yale Law School. Before law school, he researched global macroeconomics at the Council on Foreign Relations and at Bridgewater Associates. He holds a bachelor’s degree from Yale in Ethics, Politics and Economics. His writing has appeared in Foreign Affairs, the Wall Street Journal and the Washington Post.

Subscribe to Lawfare