The US government warns that TikTok is a security and privacy concern for millions of Americans, but when it comes to specifics on how the Chinese government could get its hands on data from the social video app, the Justice Department is keeping the information classified.
In court filings from the Justice Department on Sept. 25, the agency on multiple occasions redacted specific information on how the Chinese government could take your data.
“For example, although TikTok claimed to store U.S. user data within the United States, the Commerce Decision Memo then explained why the PRC may still be able to gain access to that data through [REDACTED],” the Justice Department said in its court filing.
Details from the Commerce Department’s memo are also redacted.
TikTok faces a ban in the US by November unless its parent company sells off its assets to an American company, and a deal involving tech heavyweight Oracle is pending. While the app was supposed to be removed from app stores earlier in September, TikTok won a delay on Sunday after a federal judge ruled in the company’s favor.
Redactions in government documents often keep crucial information hidden from public knowledge. For example, while the Commerce Decision Memo redacted information on TikTok’s backup servers in Singapore, a later court filing on Sunday revealed that the server is owned by the Chinese tech giant Alibaba.
“The Secretary also concluded that the TikTok data of US users is especially vulnerable because TikTok keeps a backup of all its US data in Singapore with a China-based company called Alibaba,” the unredacted court opinion said.
The US government has long argued that TikTok’s parent company, ByteDance, has ties to the Chinese government and serves as an espionage tool. It’s pointed to the app’s sweeping data collection and to the Chinese government’s national security laws, which allow the government to force companies to provide information for investigations.
In court documents, TikTok has argued that it wouldn’t comply with demands by the Chinese government for American data, because the data is stored on US and Singapore servers, not in China.
While the Commerce Department argues that the Singapore server data is at risk because it’s hosted by Alibaba, a TikTok spokeswoman said it’s secured from the Chinese government.
“The cloud storage that we rent in Singapore is protected by our own encryption and technology, which is implemented by our US-led security team. In addition, our proposal that the Administration has publicly agreed to in principle would move 100% of US user data to the Oracle storage system,” the company said in a statement.
In August, President Trump issued an executive order threatening a ban of TikTok, arguing that the app would allow China to “track the locations of Federal employees and contractors, build dossiers of personal information for blackmail, and conduct corporate espionage,” but the administration has yet to provide specific details on how the government would do so.
When the, a senior Commerce Department official declined to give any examples of China using TikTok to spy on Americans.
“Whether we have any evidence, domestically, of these particular apps taking data is missing the point,” the official said at a press briefing on Sept. 18. “We know what they’re using these apps for overseas. We know what the Chinese government’s intent is here in the United States.”
The US government has also suggested several ways in which Chinese espionage would be possible — though these scenarios aren’t unique to Chinese companies.
The Commerce Department’s memo described a situation whereTikTok and ByteDance would be defenseless against cyberattacks from the Chinese government stealing data from the company. Similar attacks have happened to Equifax, the Marriott hotel chain and the US Office of Personnel Management, but those American companies aren’t designated as a national security threat.
A New York Times report in August also found that the CIA ran a security check on TikTok and noted that the Chinese government has never requested data from the app on American users.
Multiple independent security researchers have analyzed TikTok’s data traffic flow and found that while the app takes a large amount of data, it hasn’t gone beyond what data-centric companies like Google and Facebook request from your devices.
Privacy advocates have argued that the best way to protect US data isn’t banning foreign apps from the country, it’s improving the nation’s privacy laws to make sure it’s no longer an industry standard for apps to siphon vast amounts of data from millions of people.
The Justice Department argued that even if Trump doesn’t have evidence of the Chinese government spying on Americans through TikTok, he doesn’t need it.
“There is no requirement that the Executive must wait for specific harm to occur before responding — the Executive is free to act prospectively based on a risk of harm,” the agency argued in its court filing.