3 ways China’s access to TikTok data is a security risk

The short-video platform TikTok has come under fire in recent months. Both lawmakers and citizens in the U.S. have questioned its data collection practices and potential ties to the Chinese state. The concerns have deepened after Buzzfeed published a report saying that data of some American users had been repeatedly accessed from China.

TikTok’s parent company, Beijing-based ByteDance, denied that it shared information with the Chinese government and announced that it had migrated its U.S. user traffic to servers operated by Oracle. Still, it was not enough to clear the air, and security and privacy experts continued to be worried.

“Politics and business in China are inseparable,” said Joseph Williams, partner, cybersecurity, at Infosys Consulting. He argues that “the Chinese government could focus on specific users, specific keywords, or specific video sequences to identify whatever they might find interesting.”

Theoretically, TikTok could collect all kinds of data, including text, images, videos, location, metadata, draft messages, fingerprints, or browsing history. The platform, which has grown rapidly in the past few years, exceeds 1 billion monthly active users globally, 100 million of which were based in the U.S. According to a Pew Research Center survey, 67% of American teens have installed this app more than Instagram, Snapchat, Facebook or Twitter.

The issue of companies handing out information to governments goes far beyond TikTok or China. “China isn’t the only nation-state with an unquenchable appetite for data,” says Matt Chiodi, chief trust officer at Cerby. “Consider that the U.S. has been the biggest data requester for many of the most popular social media platforms.”

Once governments get access to data owned by companies, they could leverage this in three primary ways.

1. Learning more about citizens and foreigners

The most concerning thing governments could do is combine data from multiple sources to “better understand and target individuals, as well as understand relationships between people,” says Dakota Cary, a consultant at Krebs Stamos Group.

Possibilities for combining data are manifold. “Don’t think of TikTok’s data in isolation, but what could a nation-state do with it in conjunction with data from public and dark web sources,” Chiodi says. In China, in particular, the government is already experimenting with its Social Credit System, so accessing TikTok data might allow it to take its plans to a new level and create accurate profiles of users in both China and elsewhere.

“All of the data collected on foreign nationals by the People’s Republic of China eventually ends up in this kind of system and will likely only be used when they determine someone is of interest,” Cary adds. It would allow, for instance, the country to monitor Western business people traveling to China or Western students enrolled in its universities. In addition, it could also enable the government to gain more valuable information on Chinese nationals who work or study abroad.

2. Intellectual property theft

China has long been accused of stealing intellectual property from Western organizations. The economic costs of this kind of theft are difficult to quantify, but FBI director Christopher Wray said in 2020 that economic espionage from China is the “greatest long-term threat” to the American economy.

Over the years, security companies have caught several Chinese hacking groups engaged in cyberespionage operations. In May 2022, researchers at Cybereason published a report on Operation CuckooBees, saying that the Winnti/APT41 group targeted manufacturing companies in East Asia, Western Europe, and North America, aiming to steal intellectual property.

Suppose the Chinese government would be allowed to access TikTok data. In that case, it could develop “targeted campaigns to identify those with access to sensitive intellectual property and execute spear-phishing campaigns to gain access,” Chiodi says. “For example, if you work for a defense contractor or telecommunications company, you could be a prime target.”

3. Highly targeted influence campaigns

After the 2016 U.S. presidential election, when Russia was accused of boosting the candidacy of Donald Trump, the thought of a nation using social media platforms to influence what people think has gained popularity. It is possible to employ apps like TikTok to “sway the opinion of a group by promoting a certain point of view that is advantageous to the geopolitical fortunes of the nation-state and its allies,” says Chiodi.

One way to achieve that is through algorithms that recommend specific videos to users, and China could, for instance, promote content that “supports ‘core socialist values,'” as Cary puts it. “The desire to guide recommendation algorithms and adhere to Party ideology could be exported as part of the TikTok platform, once policymakers are confident in their capability to influence the application,” he adds.

For the time being, the technical details of ‘guiding’ a recommendation algorithm seem difficult to nail down. It is why he believes that China might soon focus on things like content moderation, which are easier to implement, rather than build a well-crafted influence operation.

Chiodi is a bit more pessimistic. Even without these algorithms, China could create a long-haul campaign “to uniquely identify individuals they predict will have the most future influence in industry or society,” he says. “Predictions can be based upon various degrees of separation, among other factors.” These individuals could, theoretically, be influenced over the course of many years and may eventually be approached for espionage purposes, he adds.

How companies should respond to China’s access to data 

Experts who manage risk should understand the dynamic geopolitical environment. “The issue that TikTok represents is a systemic issue with software of any kind from China,” Cary says. “Any PRC-based company can be compelled to collect and share data with the government, including TikTok.”

One piece of advice is to try to understand the rules that apply to Chinese companies. Another is to have an updated registry of the company’s assets, knowing where data is located and how it is processed.

“A full accounting of corporate operations within China, the nature and storage of data, and the types of access made available across corporate network environments to China-based employees is critical for firms that focus on high-value added goods and services,” Cary says.

Individuals should also limit their public persona as much as possible, realizing that anything they put on the internet could be accessed for national security purposes if it’s not encrypted properly. This includes the services that operate on U.S. soil.

“We are now at a point in the history of technology where pooling and making sense of massive amounts of data is possible,” Chiodi says. “The consumerization of IT has made it so that even those nation-states with limited resources can use the commercial services of cloud providers to conduct data scraping and analysis campaigns once only available to the G7.”

Change of perspective on technology platforms 

A list of recommendations can be helpful to experts who manage risks, but what might be needed is a change in perspective. The internet has changed profoundly in recent years, and no country controls all technology platforms. Today, more than half of all internet users come from Asia, and of the top 20 world’s most visited web addresses, 12 are already Chinese.

“The United States has become used to its unrivaled position in the online world, making it difficult to adjust to no longer controlling all technology platforms,” says Mikko Hyppönen, chief research officer for WithSecure (formerly F-Secure).

Europe, on the other hand, has been living in this reality for many years. “Our technology platforms and applications come from far away, and their authors have little interest in our wishes, culture, or rules,” Hyppönen says. “Going forward, this will be increasingly true for the United States.”

The European Union has come up with several rules to minimize the risk. For example, it asks companies to store data about European customers on European soil, and it funds anti-misinformation and anti-disinformation programs.

“Countries need to require that data for their consumers is stored locally, and service providers need independent attestation that data transfers outside of the country are not happening or possible – both technically and from a people and process perspective,” Chiodi says.

According to Hyppönen, the concerns regarding TikTok are only a preview of what’s about to come. “China is a rising power online, and this is only the beginning,” he says. “China’s gross domestic product is growing at a staggering rate. It will catch up with the United States in a few years, bypassing Europe shortly after. China is becoming king of the hill.”