Is TikTok A National Security Threat?

I have changed my mind several times about whether it is the right thing to do to ban TikTok. I think there are smart people on both sides offering their input. I haven't heard a coherent discussion of it that does it justice, so I had a few conversations, with my team at Jemurai and with some peer groups in tech. This post reflects my evolved thinking after these discussions.

TL;DR - I believe the banning of TikTok is:

  1. A political action taken to make leaders appear strong on a topic that in reality they actually don't understand and haven't delivered on
  2. A business level coup for Facebook, Google and Snap among others
  3. A direction that lacks principles and consistency
  4. A very minor, if any, impact on national security
  5. Unlikely to play out where the end game works out the way people think it does

Based on all of this, I guess I think banning TikTok is a bad idea but that there are better and important ideas behind it that should be explored and implemented.

What is the risk?

At a high level, the stated national security risk is that TikTok as an application provides China (PRC) with significant cybersecurity or information gathering or influence capabilities that they currently lack.

One capability is the ability to conduct quiet influence campaigns where public opinion is swayed by tweaking "the algorithm" to distribute content that pushes sentiments in a particular direction.

Another capability is the ability to gather data about US citizens, including location, interests, etc.

In an apocalyptic narrative, TikTok could become an instrument used by the PRC during a conflict or war to either limit information distribution or more actively spread false news and more actively influence public sentiment.

I suppose another theoretical risk is that TikTok modifies their application to more actively spy on certain people. In other words, you get in on the premise of being a great social company and your app focuses on that, but in the long run you modify the app to do much more nefarious things.

Since a significant number of people use the app (170 million US users per TikTok via NY Times) and a significant number of young people use TikTok as one of their primary sources of news, certainly the control of the content does seem to be a potential risk.

The Impact of Chinese Governance

Americans buy huge amounts of many different things from China. Why is it different with TikTok?

The graphic to the right was posted by Michael McLaughlin (who has a book on the topic) and emphasized by Casey Ellis, founder of Bugcrowd, in this LinkedIn post. McLaughlin points out that the leadership at ByteDance have direct ties to communist party roles.

On some level, there is validity to this observation. On the other hand, I would guess that many business leaders also take on party roles based on cultural norms in China. So is it really a very red flag that these folks have party roles?

Do I believe that the leaders of ByteDance could be asked by PRC to provide information out of the TikTok data? Of course. Do I believe that their party affiliation in some ways reinforces this? Maybe. I suppose the really important question is: do you think any company anywhere doesn't provide governments with information when they ask nicely?

Now, stepping back, do I believe one of McLaughlin's key points that there are coordinated and comprehensive PRC campaigns to obtain, use and benefit from information stolen from the US? Absolutely.

Foreign government campaigns to steal information and influence our country should absolutely be a critical concern to US citizens, government representatives, companies and allies. I work directly with companies that are targeted by PRC and we have seen surprisingly direct attempts to steal information. I believe we need to take stronger action around the digital landscape but we need a lot more principled clear thinking and regulation in this area to help people, companies and government agencies manage threats.

Principles

One thing that stood out to me about the ban of TikTok was that it named the company specifically. That seems crazy to me. How many laws have bans targeting particular companies by name!

To me, that belies the fact that we don't really know how to think about digital trust and information. We could have built legislation that bans selling of personal private information, but we didn't. We could have meaningful standards, laws or regulations around spying or stealing intellectual property, but we didn't do that either.

You might say that is very hard ... maybe even impossible. I guess I think that sooner or later we're going to need representatives in government that understand technology and can help represent the things common people need.

Here are some really simple examples:

  1. Phone calls should be strongly authenticated (i.e. it should be impossible to spoof phone numbers - hat tip to Jack from Darknet Diaries)
  2. SPAM calling and SMS should be illegal. I won't put email (or snail mail for that matter) on this list yet.
  3. It should be illegal for cell carriers to sell location data.
  4. Selling people's personal data without their permission and compensation should be illegal.

The Counterarguments

A lot of the media reports about the ban talk about free speech and content creators. I think these are valid concerns with banning platforms. I'm not sure I buy that the speech and content creators by themselves would represent a very significant reason not to regulate TikTok if there were true national security implications.

So let's dig deeper into the actual national security implications of people using TikTok. The premise is that TikTok's parent company ByteDance and by extension the PRC has new special access to data about Americans, probably including location, interests, names, etc.

I believe based on direct research and reporting by folks like Brian Krebs (several examples like this in references) that most of this data is currently available for purchase on the internet.

I also believe that PRC has operatives in all major US tech companies that have access to the types of data that TikTok has. If TikTok were a US based entity, there would still likely be PRC operatives involved that could expose data about Americans.

Thinking about an application that starts off benign and turns malicious, I think this is something the app stores and OS's need to be on top of for all applications. TikTok certainly isn't unique in this.

Who Stands To Benefit?

One obvious beneficiary of a TikTok ban is Facebook. According to the Washington Post, even in 2022 Facebook was paying lobbying firms to malign TikTok. One interesting quote in the article is from a whistleblower report that stated:

Facebook researchers said teens were spending “2-3X more time” on TikTok than Instagram, and that Facebook’s popularity among young people had plummeted.

Washington Post, 2022

Of course, other key TikTok competitors also stand to benefit, including Google (YouTube) and Snap. It will be interesting to see if news emerges about further lobbying campaigns from Facebook, Google, Snap and others.

The presence of a lobbying campaign on one side doesn't invalidate the potential truth that TikTok could be a risk, but it certainly suggests that there is more to this than initially meets the eye.

Divestment and A Global Context

A key part of the proposed solution is divestment of TikTok by ByteDance, with a presumed acquisition by another entity.

This turns out to be a pretty complicated situation for a bunch of reasons. For one, TikTok might be worth $300B, which is a larger transaction than PE typically does and much bigger than published M&A. For another, what happens if PRC just says "no" and doesn't make it logistically possible? Yet another is that TikTok is sure to challenge the ban in court which might take years to play out.

But let's consider some of the theoretical alternatives. A comment that came up in one of our conversations that I'm just going to repeat verbatim because it was so on point was the following:

So I think the most likely divestment looks like the package that was presented recently where Steve Mnuchin ties up with Saudi money and it becomes Saudi-controlled. Because Saudi, despite having executed the only attack on US soil in generations, is not formally an adversarial nation.

Comment from Internal Conversation

A similarly amazingly on point comment was the following about Russia and Yandex:

Just to give you an idea how insane this is...we are in a proxy shooting war with Russia. China manufactures most of the goods that run our most productive industries. Congress banned TikTok by name, but Yandex (HQ: Moscow) is not affected.

Comment from Internal Conversation

A final comment that I thought was pretty funny, was:

Influence operation? Come on. The largest news source in the country right now is Fox News, which was literally created by Roger Ailes (a Nixon advisor) with Rupert Murdoch's money, with the express purpose of being a partisan news outlet.

Comment from Conversation

I include these points because for me, this is what really made me realize how specifically targeted and limited this ban actually is. If we decide we're going to do something for national security, I would like to see us do something that has the correct outcomes across our global risk profile.

Are there things wrong with TikTok?

I believe that it is fairly well proven that firms building apps like TikTok (and Facebook, Instagram, YouTube, Snap, etc.) have devoted significant resources to making their applications addictive. I don't think it serves the general public to have companies investing millions (billions?) of dollars into research and using brain science to figure out how to keep eyeballs on screen.

So yes, I think there is something wrong with TikTok and that we need better rules to help govern all applications.

I also think that the potential privacy implications are real and that there are whole ecosystems that need to be modernized to rethink privacy and what data applications may access. Or maybe what users need to be told about how their data is used.

Conclusion and References

I titled this post "Is TikTok a national security threat?". I think the answer I have come to is, yes, just like a lot of other things that we haven't bothered to think about. Furthermore, our clumsy approach is likely more political than substantive.

In my ideal world, we would have a very well educated and technology savvy population and we would have institutions that promote a shared understanding of facts and then we wouldn't need to regulate this technology this way. Influence operations would be difficult because people would have trusted institutions. Gaining access to personal information like location data for dissidents would be difficult because privacy regulations would force organizations to limit (and maybe punish) the selling of personal information.

Given that we don't have those nice things, I would like to see concrete steps to define more general regulations around privacy, data sharing and influence that actually address the key concerns.

I would also like to see a much deeper investment in education that makes those realistically possible.

The core references for this post are the following:

  • https://www.nytimes.com/2024/04/24/technology/tiktok-ban-congress.html
  • https://www.nytimes.com/2024/04/23/technology/tiktok-ban-bill-congress.html
  • https://arstechnica.com/tech-policy/2024/04/biden-signs-bill-to-ban-tiktok-if-chinese-owner-bytedance-doesnt-sell/
  • https://www.linkedin.com/posts/caseyjohnellis_nationalsecurity-activity-7177820432211824640-xwwp
  • https://www.washingtonpost.com/technology/2022/03/30/facebook-tiktok-targeted-victory/
  • https://www.washingtonpost.com/technology/2021/10/25/what-are-the-facebook-papers/
  • https://krebsonsecurity.com/2024/03/mozilla-drops-onerep-after-ceo-admits-to-running-people-search-networks/
  • https://krebsonsecurity.com/2024/03/the-not-so-true-people-search-network-from-china/
  • https://krebsonsecurity.com/2024/03/a-close-up-look-at-the-consumer-data-broker-radaris/

Thanks again to Runako, Reuben, Joe, Caitlin, Brian, Malcolm and others for weighing in and sharing their ideas about this complicated topic.

Matt Konda

Founder and CEO of Jemurai
