TikTok is a globally popular video-sharing smartphone application (app) owned by ByteDance Ltd., a privately held company headquartered in Beijing, China. It is under increasing scrutiny by the U.S. government as a potential privacy and security risk to U.S. citizens. This is because ByteDance, like all technology companies doing business in China, is subject to Chinese laws that require companies operating in the country to turn over user data when asked to by the government. Researchers differ over how TikTok’s collection of user data compares with other social media apps and whether TikTok poses a unique threat to the privacy and security of its U.S. users.
TikTok launched in the United States in August 2018. The app is available in over 155 countries in 39 languages and has approximately 800 million monthly active users. In the United States, the app has approximately 49 million monthly active users. TikTok’s appeal lies heavily on what has been called its “addictive” video feed, For You. The app builds this feed through a “recommendation engine” algorithm built on artificial intelligence (AI) technologies and data mining practices. According to the company, the recommendation engine relies on a complex set of weighted factors to recommend content, including hashtags and videos watched previously, as well as the kind of device a person is using. TikTok critics cite problems with how much data TikTok collects from and about its users and with how that data is stored—and could be shared.
On August 6, 2020, President Trump signed an Executive Order aimed at stopping TikTok from doing business in the United States. Once in effect on September 27, 2020 (an extension from the original date of September 20), the order will prohibit any U.S. company or person from “transacting” with ByteDance. On August 14, 2020, the President issued a second Executive Order stating that ByteDance, its subsidiaries, and partners must divest from all assets that support TikTok’s operations in the United States and destroy all previously collected U.S. user data. Divestiture may be accomplished by finding a U.S. buyer for TikTok. The requirements are designed to limit the Chinese government’s access to current and future data from U.S. TikTok users. ByteDance does not want to divest from TikTok and has sued the Trump Administration.
On September 14, 2020, Oracle announced that it had reached an agreement with ByteDance to “serve as [the company’s] trusted technology provider” in the United States. Treasury Secretary Steven Mnuchin announced that he had received the proposal. From the terminology used, it appears that the deal may involve a partnership between the two companies rather than a sale. This arrangement would keep the source code of the For You recommendation engine in the hands of ByteDance. It is unclear if this deal satisfies the conditions in President Trump’s Executive Orders. Secretary Mnuchin said that the Committee on Foreign Investment in the United States will review the proposal and present President Trump with its opinion. On September 19, 2020, Oracle announced that Walmart would be joining the TikTok acquisition.
On September 27, 2020, Judge Carl J. Nichols of the United States District Court for the District of Columbia granted a preliminary injunction against the Trump administration order. He stated that while President Trump has broad authority to prohibit business transactions with foreign entities that are deemed to pose a national security risk, TikTok appears to be exempt from such a prohibition because it is a personal communication service, which is protected by the International Emergency Economic Powers Act. The ruling does not affect the November 12, 2020, deadline that ByteDance divest from TikTok in the United States.
Some believe TikTok and other Chinese-owned apps pose a serious security risk to the United States because Chinese companies are subject to China’s laws that require compliance with government requests for data. Others believe that TikTok has fallen into “the crosshairs of a global technology battle” based on technology trade protectionism (this concept, also called “techno-nationalism,” refers to a country’s refusal or reluctance to import other countries’ advanced technology, as well as to export, or to allow other nations to benefit from, its own advanced technology).
Similar situations may arise in the future with other apps created by foreign companies. Options that Congress may consider include (1) developing an overarching legal and regulatory framework to protect the security and privacy of U.S. citizens’ data and communications, and (2) developing a uniform, transparent process to assess and mediate risks posed by foreign apps.R46543
Patricia Moloney Figliola is a Specialist in Internet and Telecommunications Policy at the Congressional Research Service.
To download the full report, please click here.