TikTok dodges the hard questions about its China connections
By Mike Wacker
The Burner Files
October 11, 2022
The following is a guest post from Mike Wacker, a software engineer and technologist who has served as a TechCongress fellow in the House of Representatives.
n a line from the cartoon Futurama that later became a viral meme, Hermes won a promotion to a grade 37 bureaucrat for uncovering a form that had been incorrectly stamped only four times. The head bureaucrat said, “You are technically correct, the best kind of correct.”
When it comes to TikTok, though, being technically correct is often the opposite: the worst kind of correct.
Many people think that TikTok is just a social media app where people post dancing videos. TikTok uses that marketing strategy to portray themselves as a benign app and deflect criticism, but as a former software engineer from Google, I’m not the type to be easily fooled by savvy marketing. If you look below the surface, you will find that TikTok’s parent company, ByteDance, is a Chinese company with strong ties to the Chinese Communist Party. And the deeper you dig, the worse it gets.
Geoffrey Cain, who wrote the book on China’s “Perfect Police State,” recently testified before the Senate Homeland Security Committee on how “ByteDance’s leaders have extolled communist party virtues, pledging their absolute loyalty to a totalitarian government,” and how ByteDance “has censored Uyghur refugees who have suffered under a genocide” that the Chinese government has carried out.
TikTok is bleeding American executives who left because ByteDance was calling the shots. TikTok’s master messaging document, which was leaked to the press, says, “Downplay the parent company ByteDance, downplay the China association, downplay AI.” As part of that strategy, TikTok specializes in making statements that are technically correct, except that it’s the worst kind of correct.
Technically Correct, the Worst Kind of Correct: TikTok Doesn’t Share Data with the Chinese Government
Imagine that Anna entrusts Theresa with a deeply embarrassing secret. Nobody must know this secret, especially Cindy.
One day, however, Theresa shares Anna’s secret with Betsy, knowing full well that Betsy will then share it with Cindy. Cindy then shares that secret with everyone.
Embarrassed, Anna asks Theresa if she divulged her secret to Cindy.
“I didn’t share your secret with Cindy,” Theresa responds. Theresa is technically correct, the worst kind of correct.
Imagine that Theresa is TikTok, Betsy is ByteDance, and Cindy is China, and that’s exactly the type of obfuscation that TikTok uses. TikTok has frequently said that they don’t share American user with the Chinese government. They can, however, share that data with ByteDance—which can then share it with Chinese government.
TikTok’s American privacy policy explicitly says, “We may share all of the information we collect with a parent, subsidiary, or other affiliate of our corporate group.” Obviously, that corporate group includes ByteDance, but when Sen. Ted Cruz asked TikTok if ByteDance is part of its corporate group, TikTok dodged this question three times, before conceding that ByteDance is part of its corporate group.
TikTok frequently claims that it operates outside of China’s legal jurisdiction, but that answer only applies to TikTok; it does not apply to the rest of TikTok’s corporate group. What happens when TikTok shares data with a member of its corporate group who does fall under China’s legal jurisdiction?
Under the 2015 National Security Law, all Chinese citizens and organizations have “the responsibility and obligation to maintain national security.” Under the 2017 National Intelligence Law, they are also obligated to “support, assist and cooperate with the state intelligence work.”
China operates under a one-party system; the Chinese Communist Party and the Chinese government are essentially one and the same. The Chinese Communist Party is not a political party in the same sense that Republicans and Democrats are political parties.
In a one-party system, vague laws that promote “national security” and “intelligence” give the Chinese government unfettered power to force Chinese companies—including ByteDance—to share information with the Chinese government.
Big Tech executives, including TikTok Chief Operating Officer Vanessa Pappas, second from the right, testify at a Senate hearing on September 14, 2022. Courtesy of Getty. Used under a license.
Technically Correct, the Worst Kind of Correct: TikTok Stores American User Data in America
Imagine you’re a billionaire who’s looking to move some of your diamonds from your mansion in New York to your mansion in Massachusetts. At the New York mansion, your diamonds are stored in a secure vault—the best that money can buy.
However, you decide to transport the diamonds in the back seat an open-air convertible. As for the diamonds you left behind, you also left a key to the vault with a shady servant.
When your diamonds get stolen from that convertible, and you arrive back at your New York mansion only to find an empty vault, you incredulously say, “But I purchased a secure vault!”
TikTok has repeatedly said in the past that American user data is stored in America, putting it outside of China’s legal jurisdiction. Again, that answer is technically correct, the worst kind of correct.
First, even if the data is stored in America, you still need to ask who has the key to the vault. If Chinese employees—who are required by Chinese law to cooperate with Chinese intelligence work—have access to that vault, then that data is not secure.
Chinese employees have that key. In June 2022, a BuzzFeed report, based on leaked audio from 80 internal meetings, revealed that Chinese employees of ByteDance have repeatedly accessed nonpublic American user data.
Second, data must be secured both when it’s at rest, and when it’s in motion. Data may be stored in America when it’s at rest and the user is logged out, but what happens to all that data that the user generates when they’re logged in and using TikTok?
The most damning thing is what TikTok didn’t say what happens when data is in motion. When TikTok testified before Congress, they repeatedly declined to commit to cutting off all US data flows to China. Sen. Portman asked this question four times, and each time, TikTok declined to make that commitment through various forms of deflection. While the fourth time was a charm for Sen. Cruz, Sen. Portman was not so lucky.
TikTok’s privacy policy, however, does have an answer to that question. “TikTok may transmit your data to its servers or data centers outside of the United States for storage and/or processing,” reads the privacy policy. “Third parties with whom TikTok may share your data as described herein may be located outside of the United States.”
The privacy policy doesn’t put any limits on what types of data could leave the United States, or to which countries it could go to.
Chinese President Xi Jinping. Courtesy of Getty.
TikTok as a Surveillance Tool
But why would China care about a bunch of dancing videos? While I could imagine another scenario here, it wouldn’t top former CIA officer Klon Kitchen’s explanation for 60 Minutes:
Imagine you wake up tomorrow morning and you see a news report that China had distributed 100 million sensors around the United States, and that any time an American walked past one of these sensors, this sensor automatically collected from your phone your name, your home address, your personal network, who you’re friends with, your online viewing habits and a whole host of other pieces of information. Well, that’s precisely what TikTok is.
The data that TikTok collects would certainly reinforce that concern. If you have ever opened a link in the Twitter or Facebook app, you may notice that the web page will open in Twitter’s own in-app browser, instead of the device’s normal browser, such as Safari for iPhones, or Chrome for Android devices.
TikTok also has its own in-app browser, and in August 2022, security researcher Felix Krause discovered that TikTok’s in-app browser injects code that can monitor your keystrokes and taps.
Moreover, the fact that TikTok has an in-app browser suggests something is going on. An in-app browser requires a significant engineering investment, especially when you could just reuse the device’s browser to open any links. Companies will not make that investment unless they have something to gain from it—including the additional data they can collect using that browser.
In short, if you just want to let people share dancing videos, you don’t need to build an in-app browser. So why does TikTok have an in-app browser?
Other aspects of TikTok’s practices are equally alarming. TikTok collects biometric data without asking for your permission first; it will only ask for permission when it’s legally required to. “We may collect biometric identifiers and biometric information as defined under US laws, such as faceprints and voiceprints, from your User Content,” reads the privacy policy. “Where required by law, we will seek any required permissions from you prior to any such collection.”
TikTok as Part of China’s AI Strategy
If you will recall, Twitter’s master messaging document said, “Downplay the parent company ByteDance, downplay the China association, downplay AI.” That last part deserves more attention.
AI, including facial recognition, is an essential tool in China’s attempt to build the perfect police state—a police state which has helped China carry out the genocide of the Uyghur population. Additionally, the battle for AI supremacy between the US and China is one with huge implications for national security. China’s AI strategy notes that “AI has become a new focus of international competition,” adding later that they will use AI to “elevate national defense strength and assure and protect national security.”
Training an AI system requires tons of data. ImageNet, an open-source dataset that is frequently used to train AI systems, contains over 14 million images. OpenAI’s DALL-E, a popular tool that generates images from text captions, was trained with 250 million images. Companies like Scale AI have been created for the purpose of acquiring high-quality data that can be used to train AI systems. TikTok isn’t just a huge source of dancing videos; it’s also a huge source of training data for AI systems.
Imagine that you wanted to build AI that can do facial recognition for videos. To train that AI, you would need lots of data; specifically, you would need lots of videos with faces. Now if only you owned a social media app with that type of data.
Moreover, once you build the AI, you might not just use it for the TikTok app. You might also use that AI to monitor surveillance feeds in your perfect police state. China’s AI strategy also says that they will “promote two-way conversion and application for military and civilian scientific and technological achievements and co-construction and sharing of military and civilian innovation resources.”
And thanks to developments such as transfer learning, you can take an AI that was trained to do one task—even if you don’t have access to the original training data—and use that AI as a starting point to build an AI system that can perform other tasks.
If you wanted to describe TikTok as a social media app where people post dancing videos, your answer would be technically correct, but it would also be the worst type of correct. Simply put, the solution is to delete TikTok from your phone, or even better, for the US government to ban TikTok.
The original article can be found on The Burner Files substack.