Lack of TikTok regulation stirs angst in Washington over privacy risks

In 2020, TikTok, the world’s most popular app, seemed inches from annihilation.

President Donald Trump’s top advisers had staged a raucous brawl in the Oval Office, shouting at each other over whether the app’s U.S. presence should be carved up and sold or banned for life.

Trump responded by ordering the app banished from the country within 45 days, signing its death warrant aboard Air Force One. Then, with his flair for messy drama, he changed his mind, demanding the company instead get sold to a U.S. buyer — provided, he said, that the United States got rewarded for its efforts by pocketing a “very large” cut of the sale’s proceeds.

The leaders of TikTok, owned by the Beijing-based tech giant ByteDance, had resigned themselves to selling to some stalwart of American capitalism, like Microsoft or Walmart, if it meant the app could survive, according to people familiar with the inner workings of the company who spoke on the condition of anonymity to describe sensitive matters.

But the Chinese government had the final say. Feeling protective of their powerful asset and antagonized by Trump, officials moved quickly to squash the takeover, adding the algorithms that drive TikTok’s growth to their list of banned exports and warning ByteDance through a state-owned news organ to “strongly and carefully” reconsider any deal.

The Chinese government “would rather have the company die than have it sold,” one of the people said. “They are not going to let the United States have one of their crown jewels — their algorithms. They would rather destroy it.”

The fight over TikTok has become one of the biggest standoffs of the modern internet: two global superpowers deadlocked over a multibillion-dollar powerhouse that could define culture and entertainment for a generation. Yet the battle has often played out like a farce, loaded with an almost comical level of contortions and contradictions — even as China’s power over the company has grown.

No piece of software has ever stirred so much angst in Washington. Once dismissed as a trivial teen craze, TikTok has been pummeled as a child-spying, data-crazy, “sophisticated surveillance tool” — what Sen. Ted Cruz (R-Tex.) once called “a Trojan horse the Chinese Communist Party can use to influence what Americans, see, hear and ultimately think.”

But if TikTok truly is the ultimate propaganda weapon, Washington has rarely treated it like one. Few of the expressions of federal dread — the dozens of congressional letters and agency bans and statements calling for someone to investigate something — have translated into actual action.

[The Washington Post tried to get suppressed on TikTok. Here’s what happened.]

Trump ultimately decided against a TikTok ban before the 2020 election after being shown internal polls suggesting the move would hurt his standing with young people and suburban moms, a former Trump aide told The Post. TikTok is now bigger than ever: Since Trump left the White House, the app has been downloaded in the United States more than 100 million times.

Republican Mehmet Oz and Democrat John Fetterman have used TikTok to campaign in Pennsylvania’s competitive U.S. Senate race. One Fetterman video, lampooning Oz’s viral “crudites” TikTok, has been viewed more than a million times.

For the Biden administration, TikTok has become a giant test of how to regulate a formidable and wildly popular cultural phenomenon while navigating the contours of U.S.-China relations and grappling with the new reality of an internet that American firms no longer dominate.

Federal officials have spent months negotiating a national security agreement that could reshape how the company operates in the U.S. But all of it could get blown up in an instant if Republicans retake Congress next month — or if Chinese government officials in Beijing balk at a deal.

The U.S. has failed to pass major social media regulations governing domestically run platforms that are committed, at least nominally, to American attitudes about freedom of speech. Now, the industry’s biggest hit in years comes from an authoritarian country with a radically different ideology on civil liberties and media control — and Washington is once again stalled on how to proceed.

The Biden administration, which vowed to evaluate TikTok’s risks in a “decisive and effective fashion,” launched a security review in June 2021 that has yet to publish its results. The Commerce Department’s months-old pledge to develop a new strategy for apps that foreign adversaries might exploit also still has nothing to show.

And a three-year, nine-agency investigation by the Committee on Foreign Investment in the United States (CFIUS), a secretive government group with the power to veto international business deals, has taken so long — and involved so many lawyers — that even some TikTok employees have complained it feels like the government is in no hurry to get anything done.

The two sides have agreed on some initial terms — oversight from U.S. government specialists, new data-security rules — but the deal is still not close to a clear outcome, according to two officials who spoke on the condition of anonymity because of the matter’s sensitivity.

The Biden administration is considering a broader data-security executive order that could limit how Americans’ data is shared with China, the officials said, but it will probably not publish until late this year or early next year.

TikTok spokeswoman Brooke Oberwetter said the company is “on a path to fully satisfy all reasonable U.S. national security concerns. … Our operations in the U.S. have been scrutinized from every angle, and we have willingly engaged in that process.”

A CFIUS spokesman declined to comment, saying only that the group is “taking all necessary actions … to safeguard U.S. national security.” The White House’s National Security Council also declined to comment.

The concerns about TikTok have been amplified by lingering questions in Washington about how the app is run. TikTok’s U.S. executives say they operate independently of ByteDance executives in Beijing, are not influenced by the Chinese government, have never been pressed for data by Chinese authorities and would refuse to provide it if they were asked.

TikTok officials insist decisions about data security, business strategy and content rules are handled by company executives in Dublin, Mountain View, Calif., and Singapore, where the app’s chief executive, Shou Zi Chew, lives. TikTok’s California-based chief operating officer, Vanessa Pappas, told a Senate committee last month that ByteDance is a “distributed company,” without an official headquarters in China or anywhere else.

But current and former TikTok employees say managers in Beijing, where many of the company’s executives and employees still work, have assumed an increasingly active role in the U.S. team’s operations, leading them to question what leverage they would have to resist unwanted interference. Chew, the Singapore-based CEO, also reports to ByteDance’s chief and board.

Although the U.S. offices have some independence, China remains the company’s central hub for pretty much everything, according to the current and former employees, most of whom spoke on the condition of anonymity for fear of endangering their careers. Beijing managers sign off on major decisions involving U.S. operations, including from the teams responsible for protecting Americans’ data and deciding which videos should be removed. They lead TikTok’s design and engineering teams and oversee the software that U.S. employees use to chat with colleagues and manage their work. They’re even the final decision-makers on human resources matters, such as whether an American employee can work remotely.

There’s been “a full-blown recognition” inside the company that China’s efforts to control its tech giants extend even to TikTok, a service that can’t be seen inside China, said one person familiar with TikTok’s internal operations. Government officials “want to put their finger on the scale” of the nation’s tech industry, this person said.

Liu Pengyu, a spokesman for the Chinese Embassy in Washington, said in a statement that TikTok follows “international rules and abides by U.S. laws and regulations.”

The U.S., Liu said, has “frequently used state power to unreasonably suppress” foreign-owned companies “under the pretext of national security” in what he called “a blatant act of bullying.”

“We urge the U.S. side to … refrain from politicizing economic issues,” he said, “and provide a fair, just and nondiscriminatory environment for the normal operation and investment of companies from all countries.”

A ‘different animal’

In Washington, TikTok has fueled an intense debate over how much operational leeway any Chinese company should get. Some in the Biden administration have backed a system of privacy commitments and regulatory checks, worried that an outright ban, based on vague national security concerns, would reek of nationalist protectionism — the same sin the U.S. has accused China of all along.

[Biden administration weighing new rules to limit TikTok, foreign apps]

No one wants to repeat Trump’s failure; his orders collapsed in court after federal judges ruled he had shown little “substantial” evidence of TikTok’s threat. But some worry that nuanced technical measures won’t be enough to resolve the fact that one of America’s most dominant online megaphones is in the hands of its biggest ideological rival.

“It’s one of the very few areas where Donald Trump may have been right,” Sen. Mark R. Warner (D-Va.), head of the Senate Intelligence Committee, said in an interview.

Lacking coherent guidance, the official U.S. relationship with TikTok has been in a state of constant disorder. American soldiers banned from installing the app on military devices still use it all the time on personal phones. The White House said it was scrutinizing the app for national security risks, then gave special briefings to its biggest stars — as was first reported by The Washington Post, whose namesake TikTok account has 1.5 million followers.

The House of Representatives’ chief administrator warned House staff in August not to use the “high-risk” app. But the Democrats, who run the House, already employ a full-time TikTok content strategist to help run their 130,000-follower account. Stacey Abrams, Val Demings, Jon Ossoff and other rising Democratic stars are all regulars; so are both sides of the Pennsylvania Senate race, John Fetterman and Mehmet Oz. President Biden himself appeared in a TikTok influencer’s video on the same day last month that Pappas, the company executive, was getting grilled on Capitol Hill. (A DNC spokesperson said its TikTok videos are made on dedicated devices, isolated from the committee’s other business, to mitigate potential privacy risks.)

The Democratic Party has gone all in, hiring a full-time TikTok content strategist to help run its 130,000-follower account. Videos from the party’s rising stars, including Sen. Jon Ossoff (Ga.) and Rep. Val Demings (Fla.), have been “liked” millions of times.

Even politicians who don’t have a TikTok presence acknowledge that many of their friends and family are users. “It seems like every day someone’s sending me a TikTok,” said Rep. James Comer (Ky.), the top Republican on the House Oversight Committee. He doesn’t have an account himself and said, “I don’t think it’s out of the question to suspect China may be up to no good.”

The federal government, however, has yet to provide actual evidence of harm or conspiracy for an app many Americans know and love. And American companies have shown plenty of problems of their own. Facebook paid a record $5 billion settlement to the Federal Trade Commission for violations of user privacy, while researchers have shown that political misinformation on the platform helped fuel the violence of the Jan. 6, 2021, insurrection. Twitter recently was accused by its former security chief of major security failures and of harboring foreign-government spies.

When lawmakers have reached agreement over TikTok’s risks, they’ve focused on issues that technical experts view as irrelevant, like where Americans’ data is stored. TikTok argued for years that the risk to Americans’ data was low because the information was stored on servers in Virginia and Singapore. Then, as the negotiations with CFIUS continued, the company announced an initiative known as Project Texas that would move all U.S. user data to servers in Texas run by the tech giant Oracle.

But that concern and the solution has always struck independent technical experts as off point. It doesn’t matter where a server is plugged in, they argue, if someone still has access half a world away. TikTok executives say Chinese employees still will be able to access the data, rendering the solution effectively moot.

“These measures were completely undermined as soon as they were announced,” said Adam Segal, a cybersecurity expert at the Council on Foreign Relations, referring to Project Texas. More to the point perhaps, he said, “the data is not particularly high quality to begin with.”

Some lawmakers have voiced support for Oracle becoming an independent auditor of TikTok’s algorithms. But the company is not a public watchdog; it’s TikTok’s business partner — and was almost a part owner, had Trump’s sell-off push not failed. Co-founded by Trump ally Larry Ellison, Oracle has no social media experience and has shared no details of how its audits would work.

As a protector of Americans’ data, it’s also an unusual choice: Oracle runs massive businesses, known as data brokers, that sell Americans’ personal records by the billions — a practice that has triggered lawsuits over the company’s “global surveillance machine.” Oracle declined to comment.

The intense focus on TikTok, some technical experts argue, has overshadowed more problematic ways Americans’ data gets gathered and exploited in a country — the United States — without any basic data-privacy laws. And banning TikTok would do nothing to prevent buyers in China or around the world from collecting more sensitive information on Americans from unregulated companies, including data brokers, whenever they please.

“TikTok is this totally different animal that no one in the U.S. government really understands, and so there’s just been months of hand-wringing,” said Paul Triolo, senior vice president for China at the business strategy firm Albright Stonebridge Group.

“Is the worry that teens will do such idiotic videos when they’re 15 that they’ll be blackmailed by the Chinese government later in life? Or that the AI algorithm will be abused to serve up a bunch of anti-Joe Biden videos?” Triolo said. “These things aren’t impossible, but there’s no evidence that any of this is happening. And there are real consequences to taking action on the basis of potential future risk that you can’t quantify very well.”

‘Always vulnerabilities’

TikTok has for years coached employees to downplay its “China association.” Pappas, a former YouTube executive who had worked with some of the video giant’s biggest creators, told The Post in 2019 that TikTok’s U.S. operation had “a large degree of autonomy” from Beijing and worked best “without executives 10,000 miles away involving themselves in their decisions.”

To underscore that independence, TikTok has said it limits which employees in China can see data from Americans’ profiles. But TikTok’s own employees have questioned those limits. In recordings of internal meetings first reported by BuzzFeed in June, and which a former TikTok employee provided to The Post, company employees in the U.S. can be heard saying some engineers in Beijing had “access to everything.”

TikTok executives disputed that interpretation, saying the recordings proved the company had been looking for problem spots in a giant organization and figuring out ways to firm them up. And many of the meetings did discuss new safeguards, with one employee in the recordings calling for all Chinese data-access privileges to be questioned with “additional … scrutiny.”

In any case, TikTok has now made it clear: The access by staff in China isn’t going away. U.S. executives have said that teams in China will retain access to Americans’ data for “engineering functions” and other “daily duties.” In a letter to nine Republican senators in June, Chew, TikTok’s CEO, said employees in China would continue working on the app’s most critical elements, including the “For You” algorithm that shapes what each user sees.

Though Republicans often criticize TikTok as a Chinese surveillance threat, some of the party’s candidates have joined the crowd, including Brian Hawkins, a House candidate in California, and the gubernatorial candidates Scott Jensen of Minnesota and Darren Bailey of Illinois.

The revelations kicked up a fury among congressional Republicans, who accused the company of placing the “safety and privacy of millions of U.S. citizens in jeopardy.”

TikTok’s defenders argue that much of the data-privacy outrage is overwrought. The app collects people’s ages, locations, phone numbers, facial photos, voice recordings and search histories, its privacy policy shows — but that kind of data is gathered by most social networks, and America’s biggest ones collect even more.

Facebook has spent nearly two decades compiling people’s photos, work histories and relationship statuses for ad-targeting databases. Snapchat, criticized for its security promises, has operated under an FTC settlement order since 2014. And a Twitter whistleblower recently alleged in a federal complaint that Chinese entities could use that platform to punish users who had jumped the country’s firewall.

Jeremy Fleming, the head of the British cyberintelligence agency, said this month that he was unconcerned by children’s use of the app as long as they were attentive about what data they were sharing. “Make those videos, use TikTok, but just think before you do,” he said.

Some privacy advocates question why members of Congress critical of TikTok haven’t directed the same degree of outrage at data brokers, whose industry sells bulk details on Americans’ health and finances, including to foreign buyers. No one has accused TikTok of breaking federal data-privacy laws, because the U.S. doesn’t have any; a proposal for baseline privacy protections that would apply to all companies, not just Chinese ones, remains indefinitely stalled in Congress.

TikTok is more aggressive about collecting data than its competitors in some notable ways, however. The app will continuously ask for a user’s full contact list, even after they say no, the U.S.-Australia research team Internet 2.0 found in July. Another researcher, Felix Krause, discovered code that could record everything a user types into the app’s internal web browser, including passwords; the company said the code was never used to record keystrokes.

The gathering of such data, and its open flow to Chinese engineers, has alarmed some former employees. A former TikTok employee and a former security contractor told The Post they had spoken with the FBI separately about their concerns. The FBI declined to comment.

TikTok executives have argued that Americans’ information is not subject to Chinese laws, which can force tech companies to hand over data and cooperate with “national intelligence” work. TikTok, they note, isn’t even available in China, though ByteDance offers a similar service, Douyin, that looks and works just like it.

But Chinese authorities have some experience in back-channeling surveillance requests: Federal prosecutors in 2020 charged a Zoom executive in China with giving people’s data to government officials and disrupting video calls about Tiananmen Square; he remains wanted by the FBI.

Scott Kennedy, a senior adviser at the Center for Strategic and International Studies, a think tank, said TikTok would be limited in its ability to resist a government order. “When it comes to data access from the Chinese state,” he said, “there are always vulnerabilities.”

A joyful mandate

Since its close call with Trump-induced oblivion, TikTok and ByteDance have spent heavily to make new friends in Washington. They have paid more than $13 million for nearly 50 lobbyists to work the White House, the Pentagon and Capitol Hill, federal disclosures show, with a crew that includes two former U.S. senators and a state chief of both of Trump’s presidential campaigns.

Much of their outreach has focused on the political party whose members seem to despise them: TikTok has donated to the Republican Attorneys General Association and was listed among the attendees of the political influence group’s donor retreat this summer in Palm Beach, Fla., down the road from Trump’s Mar-a-Lago Club.

Inside the company’s U.S. offices, the connections to Beijing are hard to miss. Several employees said they had been surprised to find themselves called into weekly meetings with their Chinese counterparts to discuss intimate details of how the U.S. app runs. “As I get more senior at the company, I realize China has more control,” said an employee who works in U.S. content moderation and spoke on the condition of anonymity to discuss internal matters.

TikTok last month banned all political-campaign fundraising and began requiring all candidates and political parties to go through a “mandatory verification” process, saying the move would help reduce “harmful misinformation.” The change expanded TikTok’s long-running ban on ads promoting any politician, partisan cause or “issue of public importance,” which its executives have argued is designed to protect the app as a place for “joyful” content.

A person familiar with the company’s corporate decision-making said TikTok’s approach to political content has been driven by its leaders’ eagerness to avoid political squabbles at all costs. The fear of Washington controversy, the person said, has also driven the company’s attitudes around which videos should be permitted or suppressed. TikTok officials deny that fear of political blowback has driven policy.

TikTok’s parent company faces similar strains in China. Authorities there in recent months have intensified a national crackdown on thousands of tech companies, including passing intricate new rules detailing how algorithms should run and what topics should be banned from discussion. Regulators have issued rules demanding that recommendation algorithms spread only “positive energy” and a creator “Code of Conduct” that bans content that promotes “immoderate” lifestyles or seeks to create “hot issues in public opinion.”

TikTok officials acknowledge that the app uses built-in measures to demote videos the company doesn’t want seen, marking videos so that they are visible to the creator and their followers but never shown on people’s “For You” feeds — an algorithmic kiss of death.

In TikTok’s early years, leaked guidelines showed that moderators were told to suppress videos about the Tiananmen Square massacre and other fraught topics, as well as videos showing people with disabilities or “ugly facial looks.”

TikTok executives have said that those guidelines were a “blunt instrument” to minimize conflict and have since been replaced. But questionable suspensions remain routine.

When a teenager’s account was suspended in 2019 after she discussed China’s detention of Uyghur Muslims, TikTok blamed a “human moderation error.” When phrases such as “I am a Black man” were flagged as inappropriate, TikTok blamed a “flaw” in its hate-speech detection software. When a famous Tiananmen Square clip was made invisible, the company blamed a misapplied ban on “military information.” And when, in February, its automatic-subtitle feature blotted out phrases such as “reeducation camps,” which China runs in its western province of Xinjiang, the company blamed an “outdated” system built to block profanity.

[Inside TikTok: A culture clash where U.S. views about censorship often were overridden by the Chinese bosses]

TikTok’s defenders say these were inadvertent mistakes, not attempts at mass censorship; Facebook and Instagram, they note, have been criticized for their handling of race and censorship, too. Citizen Lab, the University of Toronto research group, found only “inconclusive” evidence last year in a test of whether TikTok was censoring politically sensitive posts: Some posts vanished, while others stayed up, with no clear pattern of blame. And any TikTok viewer in the U.S. can now find hours of videos that discuss topics that would be banned on China’s internet, including about its mass detention camps and Tiananmen Square.

But the company’s internal debate over tolerable speech remains very much alive. A TikTok employee suggested censoring a Financial Times report in June about a ByteDance executive who had spoken dismissively of maternity leave, the newspaper found. TikTok said the idea was never considered.

An avatar’ of fear

TikTok said, in its most recent “transparency report,” that government authorities had asked it to remove or restrict more than 400 videos or accounts last year — but that none of those requests had come from China, one of the most censorious countries in the world.

Chinese companies, however, must routinely agree to Chinese government involvement, and ByteDance is no exception. In 2018, ByteDance’s founder responded to government punishment by pledging to help boost the Communist Party’s core values. Last year, the Chinese government took over one of the three board seats in a ByteDance subsidiary critical to its biggest apps. And in August, Chinese regulators said ByteDance had submitted the core “behavioral data” algorithm used in Douyin for registration and review.

If the U.S. government wanted to come down hard on TikTok, the punishment could resemble that meted out to another Chinese tech star, Huawei. The company was one of the world’s biggest sellers of telecommunications gear when U.S. officials blacklisted it as a national security threat; several sanctions, export restrictions and federal investigations later, the company’s global market share and revenue have dwindled, and its U.S. presence has effectively collapsed. (The company has said the claims are baseless.)

Some former U.S. employees of TikTok, however, said that much of the Washington fearmongering around the app appears overly dramatic. “Never once did I think, ‘Oh, no, the Chinese are going to come and set all our policies,’ ” one former TikTok manager said.

Still, some argue that the company’s internal secrecy and murky chain of command limit the U.S. team’s ability to know who in Beijing is really in control. One former employee, who spoke on the condition of anonymity for fear of retaliation, said: “There was always this hierarchical culture from China. They had made these decisions, and we should just follow.” (TikTok officials said the company discourages corporate hierarchies.)

TikTok has previously promised to dispel all doubts about its independence, pledging in early 2020 to open physical “Transparency Centers” where experts could observe the company’s real-time moderation decisions and examine its algorithms’ code. But the company indefinitely shelved the plan soon after, citing the pandemic, and has instead offered guided virtual tours to journalists and political staff.

In August, Axios reported that Oracle officials had begun auditing TikTok’s algorithm and were using “regular vetting and validation” to ensure “the models have not been manipulated in any way.” But two people familiar with the matter, who spoke on the condition of anonymity because they were not authorized to discuss it, said the audits have not been started or closely planned.

TikTok officials said they chose Oracle based on its technical prowess and experience with government contracts. But both companies declined to answer questions seeking further details for how any of this oversight would work, including how much Oracle would be paid, what its auditors will do or how they’ll respond if they see anything wrong.

Oracle, which is publicly traded, has filed nothing with the Securities and Exchange Commission detailing the arrangement. For now, the people said, Oracle is functioning solely as TikTok’s server provider, a web-hosting role with no authority to police operations. Oracle has not been involved in TikTok’s negotiations with CFIUS, these people said, and no official national security agreement has outlined what a third-party TikTok auditor would even look for.

Graham Webster, a researcher with the Stanford Cyber Policy Center who studies China, said he wasn’t surprised that TikTok’s mystery and power had fueled people’s suspicions. But so much of the angst around TikTok, he said, has focused on anxieties about the internet that also remain unresolved for American companies: about data harvesting and political manipulation, about the fickle whims of screen-glued teens, about the unaccountable algorithms shaping our lives.

“Rather than confront head-on what’s happening in our own society … we have a multiyear convulsion about one company that happens to come from China,” Webster said. “China has become an avatar for fears that Americans reasonably have about ourselves.”