The relentless pressure on TikTok ramped up further this week, with U.S. Secretary of State Mike Pompeo again claiming user data is sent to China. “It’s not possible to have your personal information flow across a Chinese server,” he warned during a British media interview, without that data “ending up in the hands of the Chinese Communist Party,” which he characterized as an “evil empire.” TikTok is firmly in the sights of the Trump administration, and they’re not letting up.
But now, as TikTok continues to deny U.S. accusations of data mishandling, of it bowing to pressure from Beijing, a new report from the cyber experts at ProtonMail has called those denials into question. “Beware,” it warns, “the social media giant not only collects troves of personal data on you, but also cooperates with the CCP, extending China’s surveillance and censorship reach beyond its borders.”
TikTok’s world is now dominated by speculation as to whether the U.S. will find some way to ban the app, cutting access to tens of millions of American users and calling a halt to TikTok’s soaraway growth. The week had started with confirmation of a ban on federal employees installing the app on government-issued devices, seen by many as a precursor to some form of wider action by the Trump administration. We also now know how such a ban would operate—TikTok would be added to a Commerce Department entity list, in the same way Huawei has been sanctioned.
With every week that goes by, it is becoming ever more critical to remind ourselves of what we know and what we don’t know. Yes, TikTok is a potential threat to the west, in as much as it is a Chinese-owned app now installed on hundreds of millions of devices. In a world where Facebook data has allegedly facilitated so much damage to political processes, so much manipulation and disinformation, to assume that TikTok doesn’t carry any serious threat is woefully naive.
But, that said, allegations of data exfiltration and “spying” are technical, they are binary, they can be proven one way or the other. And this is where the rhetoric meets a reality test. For all the talk, there is no solid proof that TikTok sends any data to China, there is no solid proof that any information is pulled from users’ devices over and above the prying data grabs typical of all social media platforms.
When TikTok is asked about claims to the contrary, it stands by the lack of proof, the missing smoking gun. There’s no evidence, it says, it’s a political campaign steeped in the standoff between Washington and Beijing. “There’s a lot of misinformation about TikTok out there,” the company tells me, pointing to its U.S. CEO and its CISO “with decades of U.S. military and law enforcement experience, and a U.S. team that works diligently to develop a best-in-class security infrastructure.” The company also reassures that U.S. data never travels to China.
But the warning this week from the cyber security analysts at ProtonMail isn’t political point scoring—these are ex-CERN security engineers. TikTok’s “zealous data collection,” the company warns, “its use of Chinese infrastructure, and its parent company’s close ties to the Chinese Communist Party make it a perfect tool for massive surveillance and data collection by the Chinese government.”
ProtonMail also cites a white paper published by Penetrum earlier this year, which warned that “37.70% of the known IP addresses linked to TikTok are Chinese,” and which described the “excessive amount of data harvesting, vulnerabilities in TikTok’s code, as well as a few things that may make you feel pretty uncomfortable.”
TikTok stands by its defense, telling me “millions of American families use TikTok for entertainment and creative expression, which we recognize is not what federal government devices are for. Our American CEO, our CISO… our entire and growing U.S. team—which has tripled since the start of the year—have no higher priority than promoting a safe app experience that protects our users’ privacy. That’s our focus.”
ProtonMail’s conclusion on TikTok is pretty stark: “The fact that TikTok is owned by a Chinese company, one that has explicitly said it would deepen its cooperation with the Chinese Communist Party, makes this excessive data collection even more concerning. The Chinese government has a history of strong-arming and co-opting Chinese tech companies into sharing their data and then using this data to intimidate, threaten, censor, or engage in human rights abuses.”
The Swiss-based company goes on to warn TikTok users that “from a security and privacy standpoint, TikTok is an extremely dangerous social media platform. Its potential for mass collection of data from hundreds of millions of adults, teenagers, and children poses a grave risk to privacy.” And its advice to those users is to proceed “with great caution… and and if this concerns you, you should strongly consider deleting TikTok and its associated data.”
And so another week ends, and TikTok remains caught in this maelstrom of security controversy and Sino-American politics. A ban or sanctions of some sort seem ever more likely with each passing week, and the U.S. rhetoric has found an audience with other hawkish politicians around the world. As things stand, TikTok owner ByeDance has gone from topping the social media world to contemplating a sale of its prize asset to U.S. investors in just a few short weeks.
The real issue for TikTok, though, is that there doesn’t need to be a smoking security gun for the U.S. and its allies to have a credible excuse to sanction and restrict the platform. China is an adversarial state to the U.S., the U.K. and their allies. There are reasons to believe Beijing could exert influence over TikTok parent ByteDance. That should be reason enough to act—and it’s looking ever more likely it will be.