There’s a serious risk looming for President Trump in his fiery battle with TikTok—it hasn’t had much of a mention yet, but it will. If the next 44 days progress as planned, if Microsoft or an alternative U.S. suitor finds itself with the keys to TikTok, then overnight everything will change. And that could result in a seriously difficult problem for the administration.
As I’ve said repeatedly since the U.S. signalled its intention to censure this video-sharing app, TikTok is not spying on you. There is no evidence that suggests otherwise. Yes, TikTok does collect plenty of data—but so do all social media platforms. That data is fairly transparent and would be of little interest to a national security agency across millions of users.
How do we know this? Security experts have reverse engineered the app, captured its data flows, analysed its activity. How those reports are nuanced is critical. You can attack as intrusive all social media apps for tagging locations, phone IDs and activity on their platforms. It’s a grey area. But it’s a world away from apps that exfiltrate other data without permission—credentials, contacts, browser history, files, photos, feeds from cameras and microphones. When we speak of spyware, that’s what we mean.
Trump and his team have been very specific in the allegations levelled at TikTok—these are not nuanced suggestions. TikTok and others “feed data directly to the Chinese Communist Party—their national security apparatus,” Secretary of State Mike Pompeo told Fox News on August 2. “It could be facial recognition… their residence, their phone numbers, their friends, who they’re connected to.”
The interesting twist in Microsoft potentially buying TikTok is its security expertise—the Redmond giant has one of the foremost cyber threat assessment and analysis capabilities in the world, and it’s called out nation state exploitation of consumer and enterprise hardware and software on numerous occasions. The gatekeeper will potentially capture an alleged poacher. This is very different from Facebook or a collection of tech investors buying TikTok.
And so here’s the issue for the administration—if and when Microsoft does get its hands on TikTok, it will know for a fact the extent of any data exfiltration to Beijing and any capture and collection of user data above and beyond what’s known. It is inconceivable that TikTok would be able to bury such activity so deeply as to keep it hidden from the tech- and security-savvy new owners of the business.
The administration can say it qualified its statements, that the threat is hypothetical rather than proven. White House trade adviser Peter Navarro, for example, warned last week that “every time you sign up for TikTok, all your information is potentially going right back to the Chinese Communist Party, the Chinese military and the Chinese government… They can use these social media apps to steal your personal information… to track you and surveil you and monitor your movements.”
But those whispered qualifiers have been lost in all the shouting. And a hypothetical risk is easily mitigated. It would be simple to mandate independent monitoring of TikTok’s activity, access to information, data flows from the device. The moment TikTok stepped outside its bounds, it could be blocked and shut down immediately.
What we have instead are these hypothetical threats. And, worse, we focus on these rather than the very real TikTok threats: The potential for directed disinformation, for a China-friendly narrative to be favored, or for the expansion of TikTok’s services to its user base, including areas of more strategic interest to China.
But, still, TikTok is not actually spying on you. Don’t take my word for it—the CIA has just said exactly the same. Yes, China could intercept and capture all that data if it felt there was some use for it. But it’s not strategic, it’s of passing interest to them at best.
The U.S. clampdown on Huawei was a much more serious issue. This is the network equipment over which all data flows. Critical infrastructure, security, law enforcement, even intel in some places. Huawei is at the heart of China’s technology strategy. TikTok is not.
Beijing will retaliate against the precedent of U.S. commercial aggression, but as for the specifics of TikTok, ByteDance and the wealth of its founder, Beijing is indifferent. Ironically, WeChat is of much more value to China from a data perspective, but its install base in the U.S. pales compared to TikTok’s, it remains rooted in the Chinese expat community, and it will not generate the same U.S. headlines.
The Huawei case study is extremely important when looking at the TikTok situation. Throughout the U.S. campaign against the Chinese telco equipment giant, there was never a serious allegation that smartphone users were at risk. Yes, Huawei phones are rare in the U.S. But so is Huawei’s network equipment. The truth is that Huawei would have been quickly caught if it was using its phones to monitor users. And a smartphone has access to all user data—it’s of exponentially more value than a single social media app.
There is a strong case to regulate TikTok, to monitor the app, to mandate independent security reviews and assessments—exactly as the U.K. deployed to monitor Huawei. There is a strong case to access TikTok’s algorithm and to assess any oddities in the narrative being promoted, where it’s suspected this may have been influenced. But to allege spyware and threaten a ban unless a business changes from Chinese to U.S. ownership, given the lack of any smoking gun, I think we all know how dangerous a precedent that sets.
When Huawei has been technically assessed, the reports usually disclose a wide range of potential security vulnerabilities. These, say Huawei and industry analysts, are fairly typical of the industry and can be exploited by any bad actor—not just China. Huawei’s current replacement of American technology with Chinese equivalents, driven by the blacklist, actually increases those risks.
TikTok has been rightly criticised and censured for poor data handling and code vulnerabilities—the most recent being the clipboard access outed by iOS 14. But all its U.S.-based competitors’ platforms have to some degree seen the same kind of reports. TikTok is now widely installed. Just as with Facebook, Instagram and WhatsApp, this presents an ideal opening for a bad actor to create an exploit to target individual phones. This is simply offensive cyber 101. Successful exploits for hyper-scale apps are highly prized.
And this takes us to the crux of the spyware allegations against TikTok. We have seen Chinese apps that are genuinely found to be stealing data, spying on users, sending that information back to China. We have seen nation state hacks that target elements of China’s population through their smartphones. But to compromise an app of this scale would be too obvious, too easily found.
Right now, there are almost certainly Chinese apps available to both Android and iPhone users that represent a genuine, here and now threat. TikTok is not one of them. What TikTok is, though, is a theoretical disinformation and influencing platform, controlled by a company subject to the laws of China—an adversarial state to the U.S., that needs to be dealt with. But not like this.
Fast forward 44 days from now. In the event Microsoft buys some or all of TikTok, there will be immense pressure for disclosure of what was found behind the scenes, under the covers. Especially if the result of the U.S. election does not return Trump for a second term. If the U.S. government finds itself having successfully forced a shotgun change in ownership under threat of a ban, with no security issues subsequently found, then the administration could have a serious problem on its hands.