WASHINGTON – U.S. Senators Jerry Moran (R-Kan.) and Richard Blumenthal (D-Conn.) raised concerns over the risks TikTok poses to U.S. national security and consumer privacy, and called for structural restrictions on TikTok’s American operations. Sens. Moran and Blumenthal’s letter to the Committee on Foreign Investment in the United States (CFIUS) comes after ByteDance, TikTok’s Chinese parent company, disclosed that its employees used data on U.S. TikTok users to surveil American journalists.

“We write with profound concern regarding the risks that TikTok poses to our national security and to consumer privacy, and to urge the Committee on Foreign Investment in the United States (CFIUS) to swiftly conclude its investigation and impose strict structural restrictions between TikTok’s American operations and its Chinese parent company, ByteDance, including potentially separating the companies,” wrote Sens. Moran and Blumenthal in a letter to Treasury Secretary and CFIUS Chair Janet Yellen.

The senators referenced myriad concerning practices stemming from ByteDance’s ownership of TikTok, including misuse of Americans’ private data, control over algorithmic systems and censorship of topics deemed critical of the Chinese government and other authoritarian regimes.

“ByteDance’s engineers continue to have dangerous access to Americans’ personal data and control over its algorithmic recommendation systems, access that continues enable this spying on journalists. TikTok has failed to implement adequate protections in the four years since it acquired the app, despite continued assurances to the contrary,” wrote the senators.

“[T]he risks associated with TikTok are not limited to sensitive account data and information collected through advertising trackers, but include the app’s access to hours of personal videos and discussions of tens of millions of Americans, and its control over the platform’s powerful algorithmic recommendation system,” continued the lawmakers. “As TikTok plays an increasingly important role in American civic and political life, we should be concerned whether Chinese entities can promote or hide particular topics, especially in the service of the Chinese government’s political interests.”

“At a minimum, CFIUS should ensure that executive decision making about the platform is based in the United States and fully free from coercive influence from Beijing. It must also ensure that decisions about, and access to, all personal data, algorithms, and content moderation relating to American users is out of the reach or influence of the Chinese government,” continued Sens. Moran and Blumenthal. “We cannot rely on paper promises and unenforced half measures from a company that has abused our trust when our national security is at stake.”

Read the senators’ full letter HERE and below.

February 16, 2023

The Honorable Janet Yellen
Secretary of the Treasury and Chair of the Committee on Foreign Investment in the United States
Department of the Treasury
1500 Pennsylvania Avenue NW
Washington, D.C. 20220

Dear Secretary Yellen,

We write with profound concern regarding the risks that TikTok poses to our national security and to consumer privacy, and to urge the Committee on Foreign Investment in the United States (CFIUS) to swiftly conclude its investigation and impose strict structural restrictions between TikTok’s American operations and its Chinese parent company, ByteDance, including potentially separating the companies.

The Committee on Foreign Investment in the United States is an interagency task force responsible for reviewing foreign investments and transactions that could pose a risk to our national security. CFIUS has the power to block, or order the divestment of, foreign acquisitions of American companies or technologies, including on the basis of protecting the sensitive personal data of consumers. The Committee has jurisdiction over TikTok’s U.S. operations, and has acknowledged an active investigation, on the basis that the app was created from ByteDance’s acquisition of American social media company Musical.ly in 2017.  This investigation, and the potential remedies, also reflects CFIUS’s increasing scrutiny of China-based tech companies buying online platforms with sensitive user data, as demonstrated by its requiring the divestment of Grindr and PatientsLikeMe.  TikTok, which collects the sensitive information of tens of millions of American users and plays an increasing role in our society, is well within the scope of CFIUS’s national security mandate.

On December 22nd, ByteDance acknowledged that staff based in China and the United States had spied on the private data of journalists and others in order identify sources behind articles critical of the company, confirming reporting by Forbes.  While TikTok fired employees connected to the incident, according to Forbes, the spying was done by a formal ‘Internal Audit and Risk Control’ team that was directed by senior executives, including TikTok CEO Shou Zi Chew. At that time, TikTok sought to deflect from these disclosures with false denials and misleading answers — a pattern for ByteDance and TikTok. The incident also occurred while TikTok’s executives had repeatedly promised that Americans’ personal data was secure against such spying, including during testimony to the Senate Commerce Committee’s Subcommittee on Consumer Protection in October 2021.

This bombshell disclosure demonstrates that TikTok and ByteDance cannot be trusted by CFIUS or its tens of millions of users in the United States. In response to these and other credible media reports, Congressional scrutiny, and investigative research about the threat of Chinese spying and malign influence, TikTok has pursued a campaign of diversion and deflection to distract from these serious risks. TikTok is clearly, inextricably dependent on ByteDance for its operations, and therefore beholden to the government of China. We share the concerns of FBI Director Christopher Wray that China could use the app to collect data on tens millions of American users and attempt to influence our public discourse. Therefore, CFIUS should impose structural separations and firm restrictions on ByteDance’s ability to: access Americans’ personal data; make decisions about content moderation; control its algorithmic recommendation systems; and oversee its U.S. operations.

This incident exemplifies the long-term, significant threat posed by ByteDance’s ownership and operation of TikTok. As the Wall Street Journal recently demonstrated, TikTok’s product development and management continues to be based in China, including its opaque and powerful algorithmic recommendation system.  These reports also confirm open source research that found numerous examples of engineers working both on TikTok and its Chinese counterpart, Douyin.  Concerns about ByteDance’s control over TikTok are further exacerbated by the backgrounds of its staff: one investigation by Forbes found that three hundred current employees at TikTok and ByteDance previously, or in some cases concurrently, worked for Chinese propaganda outlets, such as Xinhua News Agency and China Global Television, before joining the company.  China’s undemocratic surveillance obligations for domestic tech companies are notorious and ensure that no data within the reach of China is safe — including TikTok users.

ByteDance’s engineers continue to have dangerous access to Americans’ personal data and control over its algorithmic recommendation systems, access that continues enable this spying on journalists. TikTok has failed to implement adequate protections in the four years since it acquired the app, despite continued assurances to the contrary. While a TikTok executive testified in the Subcommittee on Consumer Protection that U.S. data is kept away from China and “access controls for our data is done by our US teams,” in leaked recordings, TikTok staff acknowledged that “everything is seen in China.”  Those recordings further describe Chinese employees having complete access to private user data and describe an ignorance by U.S. staff about data flows to China. It was only after public leaks that TikTok fully acknowledged its China-based staff has access to private information of its users and that, even under its new data protection arrangements with Oracle, its Chinese staff would continue to have access to a “narrow set of non-sensitive TikTok U.S. user data.”

TikTok does not only collect the information regarding registered users. An investigation published by Consumer Reports in October 2022 found that TikTok tracks Americans, even those who do not use the platform, across the internet by embedding a tracking technology (often called “pixels”) in partner websites.  While this collection effort is ostensibly an advertising effort by the company, the transmission to TikTok of non-user IP addresses, a unique ID number, and information about what an individual is doing on a site provides a deep understanding of those individuals’ interests, behaviors, and other sensitive matters. This data collection is deeply concerning, given the threat the company’s collection of data currently poses to Americans privacy and security as detailed in this letter. As a result, even Americans who are not using the platform are at risk of having their information collected by TikTok.

Finally, the risks associated with TikTok are not limited to sensitive account data and information collected through advertising trackers, but include the app’s access to hours of personal videos and discussions of tens of millions of Americans, and its control over the platform’s powerful algorithmic recommendation system. TikTok has a troubling past history of censoring videos critical of the Chinese government and other authoritarian regimes: it has removed or hidden videos related to Tiananmen Square and Tibetan independence,  criticism of Vladimir Putin,  the persecution of Uyghur Muslims in Xinjiang,  among other topics. While it has claimed changes to those past policies, it continues to opaquely demote or remove certain content, including blocking LGBTQ accounts.  As TikTok plays an increasingly important role in American civic and political life, we should be concerned whether Chinese entities can promote or hide particular topics, especially in the service of the Chinese government’s political interests.

We urge prompt action by CFIUS to protect consumers and our national security through concluding the investigation underway and imposing strong remedies to separate ByteDance from TikTok’s American users. The Committee should not put its imprimatur on a deal with TikTok if it cannot fully ensure our personal data and access to information is free from spying and interference from the Chinese government. Moreover, monitoring and hosting requirements will never address the distrust earned from ByteDance’s past conduct. At a minimum, CFIUS should ensure that executive decision making about the platform is based in the United States and fully free from coercive influence from Beijing. It must also ensure that decisions about, and access to, all personal data, algorithms, and content moderation relating to American users is out of the reach or influence of the Chinese government. We cannot rely on paper promises and unenforced half measures from a company that has abused our trust when our national security is at stake.

Thank you for your attention to this important matter.