Australian Outlook

Banning TikTok is a Distraction From Broader Threats of Chinese Digital Espionage

31 Dec 2020
By Alexander Ratcliffe
An iPhone with the TikTok app open in front of the Chinese flag. Source: Max Pixel https://bit.ly/2FhSXkt

Donald Trump’s recent executive order calling for a ban of social video broadcasting app TikTok in the United States has sparked outrage and ignited a debate about digital media security. Antagonism toward TikTok is more reflective of Trump’s anti-China rhetoric than a genuine security concern.

On August 6, Donald Trump signed executive orders banning TikTok and WeChat, two Chinese-owned social media platforms, from operating in the US if they do not agree to a buyout by a non-Chinese firm. While this move follows the general trend of the Trump administration’s promotion of anti-China messaging, there are logical economic and strategic arguments to be made for the ban being in the US’s best interest. Certainly, Trump’s motivation is given legitimacy by what is hard not to see as a political overstretch by the Communist Party of China (CCP). However, the declaration of TikTok as a national emergency primarily serves the interests of the Trump administration and major US tech firms. Other, less prominent software and social platforms pose a much greater risk for potential Chinese espionage campaigns.

TikTok is a social media platform used by more than one billion people worldwide to share short-form video content.  The app is owned by ByteDance, a Beijing-based technology firm. It was first launched in China, where it operates as Douyin, in 2016 and then made available to international markets as TikTok in 2017. It did not have a presence in the US until 2018, after ByteDance had acquired its Shanghai-owned rival Musical.ly for a reported $1 billion.  TikTok and Douyin are functionally identical, but they operate on different servers with no access to each other’s content.  This separation allows Douyin to comply with Chinese censorship restrictions and, until recently, has been sufficient for mitigating other countries’ national security concerns. In June, Kevin Mayer, the former head of Disney Plus, became the chief operating officer of ByteDance.  Mayer remains based in Southern California.

The primary focus of concerns about TikTok has been the risks associated with the collection and storage of personal data on Chinese-based servers. The collection of personal data is a widespread practice of companies offering social platforms and online services. The platforms and services are generally free to use, but the hosting, maintenance, and improvement of the platforms cost a significant amount of money. To cover costs and make a profit, technology companies will either sell their users’ information or use it for targeted advertisements. While there are some privacy concerns surrounding this practice in general, the fact that TikTok engages in this practice should come as no surprise. Like any company, its primary objective is to turn a profit.

That being said, privacy issues involving the sale of user data for profit are not the critical issue here. The action against TikTok comes as part of the US State Department’s Clean Network initiative to protect the privacy of US citizens and companies from “aggressive intrusion by malign actions, such as the Chinese Communist Party.” Any company that stores data on a server in China or develops software in China is subject to a critical piece of legislation which ensures that the CCP has access to data and software backdoors when it pertains to “national security.” The legislation allows the Chinese government to access any data collected and stored in China in the course of an investigation into compliance with China’s cybersecurity regulations. This does raise some serious concerns, as there is no law that allows users, data maintainers, developers, or anyone from the government to deny the request. Without any refusal mechanism and with no laws preventing the government from placing malicious code into Chinese-developed software, the government can do exactly that – and has.

In contrast, in the US, while pathways do exist for accessing personal information, there are protections in place to prevent the broad use of these powers. There is a strong corporate culture of not acquiescing to government requests for backdoor access to American programs and technologies, and it is in no way in a company’s legal or financial interest to provide this data in an accessible format covertly to government agencies. In the case of TikTok, the threat of Chinese malware is of little concern as TikTok does not store its US-based users’ data in China.

There are many people who hold the view that their personal information being in the hands of the CCP is of little consequence. However, this apathy is ill-advised as there still exist means by which data could be used maliciously for espionage. Under the hypothetical situation in which users’ data was collected by the CCP, it is a clear failure of imagination to underestimate one’s own relevance or access to relevant assets. It is certainly conceivable that the personal information collected by TikTok could be used to produce highly targeted espionage campaigns, or that potentially unflattering content shared on TikTok could be used as a means of coercion. These are certainly significant worries for any state currently feeling the pressure of a Chinese espionage campaign.

While TikTok is one of the most high-profile Chinese-owned companies to receive media and government attention for broad security concerns, there are other applications and hardware developed and hosted in China and used globally that present considerably greater risks. Though it has an immense user base, the code upon which TikTok is built is relatively simple, which makes hiding malicious payloads difficult. Due to TikTok’s relatively small application size, high visibility, and limited permissions, its risk of delivering malicious code to users is low. Computer games, on the other hand, offer a large software package to hide in and generally receive little scrutiny. These conditions present a far greater opportunity to deliver or mask malicious software. This is exacerbated by the anti-cheating tools associated with competitive online games, which acquire masses of data from users’ computers and require sweeping permissions to operate. It is not hard to imagine these tools being used in espionage campaigns, and some recent examples of this activity in commercial software should cause great concern. Of course, the CCP denies any involvement.

An often-overlooked component of the discourse on TikTok is the clear advantage that such a ban would offer American developers looking to fill the void left by the video app. Since the debut of Vine in 2013, short video-based social media apps have been immensely popular, particularly among teenage users. With an estimated 85 million monthly active users, many of whom have turned to the app to curb their boredom and engage in social interactions while in lockdown, the opportunity to replace or acquire TikTok would be immensely valuable. Donald Trump’s vitriol toward TikTok could serve to substantially reduce its potential value should a US buyout go ahead. It is hard, given Trump’s often erratic policy reasoning, to know whether this factored into the recent announcements, but it certainly seems, at face value, to be economically beneficial to the US.

China’s current ability to insert malicious content and lack of legal protections is a political overreach, and the consequence is the increasing legitimacy of the US’s desires to stymie Chinese technology firms. The major beneficiary of the executive order against TikTok is clearly Microsoft, which is currently in negotiations to acquire the app, rather than the average US citizen. And of course, in the midst of an economic crisis, banning TikTok would hit the company’s 5000 US-based employees hardest.

Alexander Ratcliffe is a PhD candidate in the Department of Quantum Science at the Australian National University.  Alexander has a background in computer science and software development.  His current research focuses on developing control schemes for scalable quantum information processing architectures.  

This article is published under a Creative Commons Licence and may be republished with attribution.