The Trump administration’s continued insistence that TikTok is a security threat to American consumers has finally produced action. Late on August 6, the White House announced that the president had signed an executive order which essentially prohibited US entities, beginning forty-five days after the order’s signing, from “transactions” (not defined) with TikTok’s owner ByteDance or any of its subsidiaries. The US president also signed a similarly definition-lacking executive order saying the same for WeChat, a Chinese-based app that goes far beyond video-sharing and encompasses messaging, payments, and much more.
Until just a couple weeks ago, TikTok was best known for viral dance videos and political activism. Policymakers had raised security and privacy concerns about the app back in the fall of last year, but those qualms weren’t in the mainstream in nearly the same way as the recent rhetoric. After the Indian government announced on June 29 it was banning fifty-nine Chinese apps from the country, including popular video-sharing app TikTok, in retaliation for ongoing India-China border violence, the Trump administration was quick to take notice. Secretary of State Mike Pompeo said the United States was “certainly looking at” banning TikTok, among other unnamed Chinese social media apps. “I don’t want to get out in front of the president,” he said, “but it’s something we’re looking at.” While the security and privacy risks posed by these apps are real and complex, the United States needs a long-term strategy for tackling them. This executive order to prohibit US entities from engaging in “transactions” with ByteDance and its subsidiaries (e.g., TikTok) is a bad idea and driven by politics more than anything else.
The risks from these mobile apps arise from the data they collect and how they transmit and store it, as well as potential Chinese government influence over the internet and technology companies within China that control the apps. There are real questions to be asked on the issue of TikTok, mobile apps, and national security risks alone, separating out and unpacking policymakers’ purported, yet sometimes ill-elaborated or conflated, concerns. There are also real and broader questions that can and should be asked by the United States and its allies about risks like Chinese government censorship, espionage, and data access through technology companies.
Yet policy process matters—not just policy outcomes. The reality is that these digital supply chain risks are incredibly complicated, and substantive analyses of these issues don’t often lend themselves to soundbites. The global technology supply chain is deeply interdependent and interconnected; if you cracked open your smartphone, you’d see components sourced from numerous countries on the inside. Devices designed and sold by a company incorporated in one country, in other words, may have numerous subcomponents manufactured in others. Software, too, comes from all over the place—and research into technologies like artificial intelligence depends on heavy cross-border collaboration, such as between China and the United States. If you fly out of the country, you can, from many places, still access your email or your online banking. All the while, the United States benefits from internet freedom and openness, and has long been a staunch global defender of those principles, even in light of cyber and information threats posed through that interconnection.
Prohibiting federal employees from using TikTok would be a narrowly targeted way to deal with espionage concerns. Providing evidence that the Chinese government actively orders, encourages, or causes worldwide political censorship on TikTok or actively manipulates its political messages, to give another example, would be a way to demonstrate to the US public reason for concern. Communicating that many of these issues of data collection and security—including data collection on minors—apply to many more apps than TikTok would be a smart approach as well.
But that is not what’s happening here. Even in the presence of real data policy questions, the Trump administration is pursuing a dangerously broad and unproductive whack-a-mole policy that’s not about security.
The current administration’s policy on US-China technology issues has been remarkably zero-sum and politically driven. The Huawei saga is a prime example: 5G technology supplied by the Chinese telecommunications company raises numerous, real national security risks, but the Trump administration’s diplomatic messaging left many other countries (and many analysts in the United States) feeling that national security was used as a political prop in a trade war. Perhaps the most striking demonstration of this fact occurred in December 2018, when President Trump suggested he might stop efforts to prosecute a Huawei executive if it would help secure trade concessions from Beijing.
The Trump administration has not presented any substantive evidence why TikTok is a national security threat to the average American consumer—which at this stage remains a hypothetical, and far less clear than a risk of espionage through software installed on government devices. White House trade adviser Peter Navarro’s comment that a TikTok spinoff into a US firm would do nothing to change the risks betrays the very notion that current rhetoric has anything to do with real data policy questions. Despite real risks, this discussion is visibly about politics, plain and simple.
The notion of a broad ban on TikTok is a bad idea. As mentioned, there is no clear government-presented evidence that TikTok poses a national security threat to the average US consumer (again, federal employees are a different case). Some in Washington, this administration included, may love the idea of expelling all technology from the country that has any connection to China. But that approach simplifies complex supply chain security decisions—about data localization, about encryption, about trusting an app’s software updates—and boils it all down to a single country-of-origin data point with seemingly little appreciation for the repercussions.It also raises urgent questions about unilateral decisions to prohibit Americans from using foreign software.
All the while, it’s again worth stressing that companies move data all around the world, all the time, to deliver services and content quickly and reliably to customers. A company incorporated in the United States, for example, may regularly send its data through internet infrastructure located in other countries even if most of its servers are in the United States. Focusing too much on country of origin, while undoubtedly an important factor, can lead to overlooking these other kinds of considerations.
If the US government wants to build a long-term strategy for digital supply chain security, there are ways to do so: Enact strong federal privacy laws to restrict data collection, sale, and analysis by corporations—an issue which goes far beyond TikTok and includes many American companies that profit from surveillance. Work with device manufacturers to develop a software “bill of materials” label to understandably explain a tech product’s privacy and security practices to consumers. Develop objective criteria for the US government to assess and communicate why one hardware or software manufacturer is more trustworthy than another, which is especially valuable in cases where a Chinese firm could be handing data to the Chinese government.
This is a pivotal time for the global internet. Many governments around the world—in authoritarian countries like Russia and China, but even, in some ways, in democracies like India—are pushing for varying degrees of technological isolationism and state control over the internet within their borders. Just recently, an EU court ruled that transfers of European citizen data to the United States don’t satisfy EU privacy requirements.
The United States is hardly the only country dealing with these supply chain security questions. As the recent EU decision exemplifies, many governments are figuring out how to trust information sent to a country with law enforcement and intelligence agencies who might access that information. Domestic data privacy regulation is also slowly but surely getting more discussion around the world.
So, yes, there are real security questions to ask about Chinese government influence over technology companies; but the idea of broadly banning TikTok is a bad one that steps in the wrong direction on protecting a free and open internet.
Justin Sherman (@jshermcyber) is a fellow at the Atlantic Council’s Cyber Statecraft Initiative.
In-Depth Research & Reports Aug 4, 2020
Alliance power for cybersecurity
By Kenneth Geers
There is only one internet, and cybersecurity is therefore an inherently international challenge that countries cannot tackle alone. Alliances like NATO and the EU give democratic countries a cyber edge over their authoritarian challengers.
New Atlanticist Jul 28, 2020
Singapore’s prime minister has a message for the US: Don’t choose China confrontation or Asia withdrawal
By David A. Wemer
Lee Hsien Loong, the prime minister of Singapore, worries that Washington’s increasingly tense relationship with Beijing and domestic pressures to reduce its commitments abroad will force US policymakers to choose either a path of “colliding with China” or “deciding that you have no stake in the region and leave us to our own defenses.”
New Atlanticist Jun 26, 2020
What’s behind Russia’s decision to ditch its ban on Telegram?
By Justin Sherman
For years, the Kremlin was involved in cat-and-mouse efforts to block the use of Telegram, the encrypted messaging app, within Russia. Concerns about Telegram stem from the Kremlin’s concerns about the internet in general. The app enables the free flow of information, and especially when that information is encrypted, as Telegram’s is, the Kremlin sees the state’s narratives, its law enforcement surveillance capabilities, and Russia’s culture and public sphere as under threat. On June 18, however, Russia’s internet and media regulator Roskomnadzor said that it’s ending requirements to restrict Telegram access.