TikTok: Influence Ops, Data Practices Threaten U.S. Security

By: The Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center
Published March 9, 2023

We assess that TikTok, a video-sharing app we initially discussed in a 2021 blog post, poses a risk to users and U.S. security more broadly due to the Chinese Communist Party’s (CCP) ability to leverage the app for influence operations and as a data harvesting clearinghouse. As reported by CNBC in February 2023, the app faces regulatory pressure from officials across various levels of government calling to regulate and even ban the app in the United States. In response, TikTok announced plans for a transparency project called “Project Texas” in July 2022. Despite this, any solution that still enables CCP oversight and allows data to flow through Chinese servers via TikTok’s parent company, ByteDance, leaves the risk that the CCP will leverage the app to serve its geostrategic goals of harvesting data and manipulating the U.S. populace through censorship and influence operations.

TikTok as a Vehicle for Influence Operations

TikTok has become a substantial source for U.S. media and news consumption. According to the Pew Research Center, 10% of Americans reported that they regularly consume news on TikTok. That is more than triple the 3% reported in 2020. Additionally, 26% of U.S. adults under 30 said that they get news through the app.

These figures are concerning given TikTok’s legal obligation to support CCP security and intelligence initiatives. China's intelligence agencies also lack the checks and balances that apply to U.S. entities, meaning they can potentially harvest and exploit data from TikTok without the oversight and accountability governing their U.S. equivalents. In a December 2022 address to the University of Michigan’s Gerald R. Ford School of Public Policy, FBI Director Christopher Wray highlighted concerns that TikTok could be used to manipulate the American public, per Axios. Given the Chinese security law obliging Chinese companies and individuals to cooperate with a wide array of intelligence work, the CCP holds the authority to drive the app’s recommendation algorithm to “manipulate content” and even use it to subtly conduct “influence operations.” An app’s recommendation algorithm precisely determines the content a user sees. This means TikTok’s engineers can direct the app to serve content friendly to CCP interests, such as by prioritizing videos in users’ feeds which support the CCP’s claim over Taiwan. 

TikTok has already shown a willingness to push narratives aligned with CCP interests within the platform. Forbes notes that TikTok features several accounts run by the CCP’s propaganda arms who have amassed millions of followers and tens of millions of views by posting divisive content about U.S. politics. This has included criticizing candidates in both major parties leading up to the 2022 elections. As of this writing, the accounts lack clear markers indicating they are China-affiliated. TikTok claimed it would add labels at some point in 2023 to change this.

China arguably stands as one of the United States' greatest geopolitical rivals, and the Chinese government has explicit goals of undermining the United States' strategic power and influence, explained Newsweek. It has attempted to do so by aiming to gain global economic and strategic footholds, including through data collection and aggregation. The potential to influence a large collection of U.S. users to gravitate towards China-friendly views and sow social discord presents a substantial opportunity for China to pursue those objectives.

TikTok’s user base includes roughly one third of Americans who spend an average of 82 minutes daily on the app, wrote Reuters. As a social media platform, TikTok is designed to maximize engagement, but what separates it from other social media apps is the short duration of videos, which were originally limited to 15 seconds. This drives what is known as a “return on attention span” (ROAS), Forbes explained in a 2022 article. By maximizing ROAS, TikTok offers users heightened satisfaction in a shortened period of time, thereby incentivizing diminished patience and attention spans.

This stands in contrast to China’s domestic version of the app, “Douyin.” Unlike its U.S. counterpart, Douyin prohibits user uploads, personalizes feeds with content ranging from science to literature and art, and limits time on the app for kids to 40 minutes each day. While there is no direct evidence demonstrating the CCP is attempting to erode the cognitive faculties of U.S. users, the differences between the two apps reveal a divide between the app’s designed user experience for the respective countries’ youth.

Censorship as Influence

TikTok also exerts influence through what the platform deliberately excludes in the form of censorship, thereby distorting users’ perceptions. A TikTok executive disclosed to U.K. lawmakers in 2020 that the app censored videos, revealed Foreign Policy. This included content about China’s repression of the Xinjiang region’s Uyghur population. Earlier this year, TikTok suspended Russian nationals’ access to the app, demonstrating TikTok’s willingness to censor materials even outside of China-focused content. TikTok claimed the decision was driven by its commitment to adhere to Russia’s so-called “fake news” law designed to control the narrative about the war in Ukraine, but as written in VICE, researchers found that international content about the war was blocked, while pro-Putin narratives remained available on the platform.

Foreign Policy categorizes TikTok content manipulation as “censorship,” “demotion,” and “promotion.” Collectively, TikTok uses these tools to distort users’ perceptions by serving content within the app that is directly in line with values driven by the interests of the CCP and its allies.

Concerning Data Collection Practices

Beyond influence operations and censorship, TikTok and its parent company ByteDance have the ability to harvest significant user data. In the words of Foreign Policy, the app can reportedly access:

[U]sers’ names, ages, phone numbers, email addresses, details about the devices and mobile networks they’re using, keystrokes, messages on the app, and even biometric information such as “faceprints and voiceprints,” according to the app’s privacy policy. TikTok’s algorithm also tracks what users watch and how much time they spend on each video so it can better tailor the content it serves them, giving the app key insights into behavior patterns, likes, and dislikes.

This data, which TikTok explicitly lists in its U.S. privacy policy, allows the platform and vested parties behind the platform to access a "one-stop-shop" for preferential psychometric data, which includes attitudes, behaviors, and preferences of a given user. For context, tech firm Cambridge Analytica used psychometric data leading up to the U.S. 2016 presidential election to enhance targeted manipulation as part of efforts to “nudge” the opinions of a large userbase and influence their votes, noted Intelligencer. TikTok’s psychometric collections and history of engaging in influence operations present the risk that the platform will aim to nudge the U.S. user base in directions favoring CCP interests.

While many apps, including U.S. ones, harvest and sell user data, it’s important to contextualize TikTok’s data collection practices within the CCP’s overall strategic objectives. In 2015, China announced its “Digital Silk Road” (DSR) plan. The DSR’s focus on data gathering represents a key feature of the CCP’s overall Belt and Road Initiative (BRI) designed to develop economic and strategic influence globally, explained the Carnegie Endowment for International Peace. The CCP sees data as a critical means to integrate market advantage, national power, and strategic influence as well as to develop machine learning models. In 2019, the CCP declared data a “national resource,” reported Newsweek, with the Party prioritizing it on par with land, labor, capital, and technology.

The collection efforts beyond TikTok are vast and include data breaches and purchasing information through data brokers, who legally collect and aggregate large data sets to license to third parties. Per Newsweek, former director of the United States National Counterintelligence and Security Center Bill Evanina testified to the Senate Select Committee on Intelligence in 2021 that an estimated 80% of American adults had expansive personally identifiable data (PII) stolen by the CCP. China’s collection pursuits have also been used to steal economic trade secrets valued between $200-$600 billion and military secrets such as the plans for the F-35 fighter jet. What's more, the CCP leveraged data to target individuals vulnerable to espionage and to store broad datasets for future applications as China’s big data analysis capabilities mature.

Additionally, TikTok has shown a willingness to take unethical action by leveraging internal app data. In a December 2022 incident covered by CNN, TikTok admitted to accessing the locations of several journalists as part of an investigation into whether they had leaked internal documents to the broader press. Another risk is that TikTok's operators could alter the app via a patch or update, effectively infecting users' devices for other malicious purposes and granting the operators even greater surveillance and control of real-time user data in the event of heightened tensions or a national conflict. Given TikTok’s deference to the CCP and recent history of exploiting sensitive user data for targeting purposes, this poses a real risk that the CCP will use this data to target journalists and Chinese nationals abroad as well as pursue intelligence-related goals.

Growing Pressure for Accountability

TikTok is facing substantial pressure from U.S. officials to take accountability for data practices and censorship, with some officials calling for outright bans. The federal government and over half of the states have already banned the use of the app on government devices, wrote Forbes in another article. After the Trump administration’s efforts to ban the app were rejected in court, the Biden administration decided to tackle the issue through an investigation by the Committee on Foreign Investment in the United States (CFIUS). The CFIUS is actively investigating TikTok and negotiating with executives to mitigate risk by requiring increased transparency through a review of TikTok’s algorithm, restricting CCP access to platform data, storing PII within U.S. cloud servers, and requiring oversight of the app’s data flows.

TikTok announced plans in July 2022 to implement an initiative called “Project Texas” that it claims will place the CFIUS’s concerns under a single entity that will report directly to the CFIUS and feature data oversight by cloud-hosting company Oracle. It’s too early to assess how the CFIUS will rule and whether “Project Texas” will adequately meet U.S. officials’ concerns about the app. Even if the app were outright banned, largely unrestricted data regulations enabling companies to sell extensive user data still offer a wide set of options for Chinese agencies to collect U.S. PII. This includes data brokers as well as China’s efforts to steal sensitive information through targeted cyber intrusions. Under current conditions, China will remain steadfast in its effort to collect massive data sets both in the United States and globally to serve its strategic objectives driven by the DSR and BRI.

Exercising Data Safety in the TikTok Era

Both individuals and organizations should perform a risk assessment before downloading and using the TikTok app. Anyone considering or currently using TikTok would be best served by reviewing the app’s data sharing policies and evaluating the impact of having that data made available to third parties, including the CCP. Concerned parties should also continue to monitor updates in the CFIUS investigation and analysis of policy shifts impacting TikTok policies. Lastly, all parties would be well served by ensuring that any risk-based assessment accounts for their overall digital footprint and the downstream risks of having PII and other sensitive data available more broadly.

As a function of the MS-ISAC, we publish content focused on informing state, local, territorial, and tribal (SLTT) entities about the threat environment, including from a state-sponsored angle. Ready to strengthen your awareness of the threat landscape? Evaluate the strength of your cyber defenses against the risks posed by TikTok and other threats.

About the Author

The Cyber Threat Intelligence (CTI) team at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC and EI-ISAC) functions as the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices. With decades of combined experience in all types of industries, the CTI team pushes out curated SLTT-centric threat intelligence reporting as well as malicious indicators via near real-time threat feeds. This information helps SLTTs anticipate and proactively defend against emerging cyber threats and shifts in adversarial tactics, techniques, and procedures. Additional information: team tradecraft and indicator feeds.