TikTok is a popular app on iOS and Android platforms, known for its catchy and viral-ready short-form videos.
But to Democratic and Republican lawmakers, as well as the Trump administration, the social media platform could also be a new tool in the Chinese government’s arsenal.
Owned by Beijing-based ByteDance, TikTok is the latest tech company to land on the radar of the Committee on Foreign Investment in the United States, an interagency body tasked with reviewing foreign investments in American companies to determine their national security implications.
Currently chaired by Treasury Secretary Steven Mnuchin, CFIUS historically examined investments in U.S. ports and other physical infrastructure. But experts say the panel is expanding its focus toward foreign investment in U.S. technology, indicating the growing risks of hostile foreign governments gaining access to troves of sensitive personal data.
“There’s sort of the realization that this data can be very powerful, particularly if it fell into the wrong hands,” Geoffrey Gertz, a fellow at the Brookings Institution, said. “In the last two to three years, really, we’ve seen a shift toward tech and data concerns and really in the last year accelerating.”
Although CFIUS doesn’t comment on its investigations, it’s believed that the panel is reviewing ByteDance’s 2017 acquisition of Musical.ly, an app rebranded as TikTok. And the investigation of the tech company is only the latest undertaken by CFIUS.
Earlier this year, the committee ordered the majority owner of PatientsLikeMe, a U.S.-based health tech startup, to divest its stake in the company. The majority owner, iCarbonX, is based in Shenzhen, China, and backed by Tencent, the Chinese conglomerate.
CFIUS also ordered the owner of Grindr, Beijing Kunlun Tech, to sell the gay dating app and blocked the sale of MoneyGram to Ant Financial, a Chinese tech company.
“CFIUS is increasingly focusing on the potential links between personal data and national security,” said Robert Williams, executive director of the Paul Tsai China Center at Yale Law School.
The Grindr and MoneyGram episodes, he added, “may be instructive for TikTok because in both cases, CFIUS apparently perceived significant risks in Chinese companies’ access to data on U.S. citizens.”
Grindr, for example, shared users’ HIV statuses with third-party vendors and was collecting location data, raising concerns about data privacy for users in the military or intelligence community.
Concerns over China’s competition with the U.S. are driving the increase in activity for the committee, particularly as China takes a more active role in the global economy.
In its most recent report, CFIUS told Congress that from 2013 to 2015, China accounted for 19% of all foreign investment transactions and was the top country of origin for investors that provided notifications to CFIUS, followed by Canada and the United Kingdom.
But more broadly, the boost can also be attributed to a shifting view of national security.
“There’s a recognition that economic security and national security are much more closely intertwined than we’re used to thinking,” Gertz said. “National security threats aren’t just about weapons and hard security threats, but the data, high-tech companies, social media. There are national security interests involved there.”
Several lawmakers have sounded the alarm about the possible national security risks posed by TikTok, which has more than 110 million downloads in the U.S., and urged the Trump administration to review the potential counterintelligence threat.
Democratic Senate Minority Leader Chuck Schumer of New York and Republican Sen. Tom Cotton of Arkansas warned Joseph Maguire, acting director of national intelligence, about TikTok’s data-collection practices and suggested the company could be compelled to support intelligence work by the Chinese Communist Party. They also questioned whether TikTok videos could be censored if deemed politically sensitive to the Chinese government, particularly if the content is related to the Hong Kong protest movement and China’s treatment of Uighur Muslims, more than 1 million of whom have been detained in internment and “reeducation” camps.
Republican Sen. Marco Rubio of Florida, meanwhile, asked last month for a national security review of ByteDance’s purchase of Musical.ly, which had roughly 60 million U.S. users before it was rebranded as TikTok.
GOP Rep. Jim Banks of Indiana also warned TikTok could be used to harvest user data and said he would be “disturbed, but not shocked, to learn that TikTok shares secrets with the Chinese government.”
In addition to concerns of censorship, the data collected by widely used apps such as TikTok is “another feed of information that is getting added to a mosaic of awareness, which goes straight to a strategic capability,” said Klon Kitchen, a senior fellow for technology, national security, and science policy at the Heritage Foundation, a conservative think tank.
“There are the nefarious uses that the state might employ,” he said of China. “They could use it to crack down on political dissidence within their borders or crack down on dissidence outside their borders.”
TikTok certainly is not the only tech company to come under scrutiny for sweeping up users’ personal information, as many U.S.-based companies, particularly Facebook, have found themselves ensnared in scandals stemming from their mishandling of data.
But only recently have Chinese companies begun to offer applications that are gaining in popularity among U.S. consumers.
“For a long time, they weren’t innovating. They were stealing our intellectual property,” Kitchen said. “But they’ve done that long enough to where they’re genuinely innovating enough on their own and providing application offerings that are really attractive.”
In the coming months, CFIUS’s reach into high-tech companies will significantly expand because of legislation passed by Congress last year.
Called the Foreign Investment Risk Review Modernization Act, the measure expands the committee’s jurisdiction to new investments. The law calls for CFIUS to consider numerous new factors when considering national security risks posed by foreign investments, including the extent to which a transaction is likely to expose U.S. users’ sensitive information.
The new law also gives CFIUS the power to review noncontrolling, nonpassive investments involving a U.S. company that “maintains or collects sensitive personal data of United States citizens that may be exploited in a manner that threatens national security.”
The regulations won’t take effect until next year, but the enhanced scrutiny on foreign investment in U.S. technology is a “leading edge indicator that this is our future,” Kitchen said.
“The reality,” he said, “is securing nations means securing networks, and securing networks means securing supply chains, both hardware- and software-supply chains.”
