Former employees that worked for TikTok, the app widely popular with American teens and young adults, expressed concerns to CNBC over the Chinese parent company ByteDance, and how they gather and handle American users’ data.
Over concerns about national security risks associated with the app and its parent company, former President Donald Trump moved to either ban the app, or force the company to merge with a US based one.
Former Secretary of State Mike Pompeo warned that the app may be "feeding data directly to the Chinese Communist Party," although the app has denied these claims, telling CNBC that "we have never provided user data to the Chinese government, nor would we do so if asked."
President Joe Biden revoked Trump’s ban on the app in June, but issued criteria for the government to evaluate the risk of apps connected to foreign adversaries.
One former employee of TikTok told CNBC that lines between TikTok and ByteDance have become so blurred, that they are almost non-existent.
An employee expressed concerns over ByteDance’s ability to access US user data, highlighting an incident in which they needed a list of global users, including Americans, who searched for specific content. A data team in China sent over copious amounts of information containing all information the app had on said users.
While TikTok has downplayed the importance of this data access, with a spokeswoman telling CNBC "we employ rigorous access controls and a strict approval process overseen by our U.S.-based leadership team, including technologies like encryption and security monitoring to safeguard sensitive user data," cybersecurity experts are concerned that users could be exposed to information requests by the Chinese government.
"If the legal authorities in China or their parent company demands the data, users have already given them the legal right to turn it over,” Bryan Cunningham, executive director of the Cybersecurity Policy & Research Institute at the University of California, Irvine, told CNBC.
China’s National Intelligence Law required Chinese organizations and citizens to "support, assist and cooperate with the state intelligence work."
Concerns were also expressed over the choice of executives in both companies.
ByteDance announced in April that it appointed Shouzi Chew as TikTok’s new CEO. Chew had also served as ByteDance’s chief financial officer, and will reportedly continue to hold this position as well as his new CEO spot.
Downplaying the choice in CEO, a TikTok spokeswoman said in a statement, "since May 2020, TikTok management has reported into the CEO based in the U.S., and now Singapore, who is responsible for all long-term and strategic day-to-day decisions for the business."
Cybersecurity experts expressed their concerns to CNBC about the two companies growing interweaving.
Propaganda could be spread by the Chinese government on the platform, or chose to censure certain content, as seen in previous instances.
In the past, the company had instructed moderators to censor videos that mentioned Tiananmen Square, Tibetan independence or the religious group Falun Gong, according to a September 2019 report by The Guardian. TikTok said it no longer practiced that censorship and said it recognized that it was wrong following the report.
"Today we take localized approaches, including local moderators, local content and moderation policies, local refinement of global policies, and more," the company stated at the time.
"Anytime [the Chinese government has] control over a platform like TikTok that has billions of users and is only getting more popular, it gives them power to feed our mind what we should think about, what we consider truth and what is false," said Ambuj Kumar, CEO of Fortanix, an encryption-based cybersecurity company. According to CNBC, "Kumar is an expert on end-to-end encryption, including dealing with China’s special conditions for data encryption."
Another concern expressed is the collection of data TikTok has gathered and how the data could potentially be exploited by the Chinese government.
The app collects copious amounts of data on its users, including profile data, locations, messages sent within the app, what content they view, content they create, and how frequently they use the app.
While TikTok is not unique in collecting data, what is concerning is the connection to a Chinese company, who has to abide by all requests the government has to see data.
"ByteDance is a Chinese company, and they’re subject to Chinese national law, which says that whenever the government asks for the data a company is holding for whatever reason, the company must turn it over. They have no right to appeal," said Jim Lewis, senior vice president and director, strategic technologies program at the Center for Strategic & International Studies. CNBC states that "Lewis previously worked for various agencies in the U.S. government, including on Chinese espionage."
“If the Chinese government wants to look at the data that ByteDance is collecting, they can do so, and no one can say anything about it,” Lewis continued.
Amidst these concerns, cybersecurity experts weighed in on options to assure the American public as well as Biden that data won’t be issued.
"Jason Crabtree, CEO of cybersecurity company Qomplex, formerly served as a senior advisor to the U.S. Army Cyber Command during the Obama administration. He said TikTok should be clear on what it collects, where it is stored, how long it is stored for, and which employees of which companies have access to the data," writes CNBC.
TikTok states "the TikTok app is not unique in the amount of information it collects, compared to other mobile apps." The company says it stores data "for as long as it is necessary to provide you with the service" or "as long as we have a legitimate business purpose in keeping such data or where we are subject to a legal obligation to retain the data." The company said users may submit a request to access or delete their information and TikTok will respond to the request consistent with laws.
"As long as TikTok is a subsidiary of ByteDance, I certainly will not be satisfied with any purported technological fixes," Cunningham added, suggesting that a similar plan trump had proposed for the company to sell to an American company be followed.