How TikTok could be used for disinformation and espionage

The popular video-sharing app avoided a nationwide ban this week. But experts say its national security risks remain.

Could TikTok enable disinformation or spying?

The popular social media platform TikTok has so far avoided being banned by the Trump administration. But until it addresses concerns over its national security risks, its future in the U.S. remains uncertain.

The Trump administration's deadline for TikTok to find a new owner came and went this week, a missed milestone that would have rendered the social media app effectively banned in the U.S. as of November 12. Instead, the administration granted the video-sharing app a 15-day reprieve. This gives TikTok until November 27 to be divested from its parent company, ByteDance, possibly through convincing government officials to approve a proposed deal with Walmart and Oracle.

The administration's push for a new owner is in large part because national security experts say the issues with TikTok stem from its current owner, ByteDance, a $140-billion Chinese company that also runs Douyin, the Chinese version of the app. 

TIKTOK'S POTENTIAL FOR PROPAGANDA

Both Douyin, which boasts 600 million daily users, and TikTok, which has been downloaded on 100 million American devices, use cutting-edge, AI-driven algorithms that analyze exactly how long users watch a video, in order to gauge their interests. The app then presents videos through a "For You" page, amounting to an endless stream of videos uniquely suggested for each user.

It is through this page of recommendations that the Chinese Communist Party (CCP) can push disinformation, according to Kara Frederick, a fellow at the Center for a New American Security. Formerly a Pentagon intelligence analyst, Frederick also worked at the National Security Agency.

"If the CCP decided [through] ByteDance to feed you propaganda, you're addicted," she told 60 Minutes. "It is there, and you're going to get more and more and more. And there, they can tweak and see what you like, what you don't like."

Frederick also said TikTok could potentially inject disinformation into the dialogue in the U.S. to sow discord, similar to the way Russian bots amplified the controversy over NFL players kneeling during the national anthem.

"That's low-hanging fruit, I would say," she said. "I wouldn't be surprised if China tried its hand at such things."

Through its algorithm, TikTok could potentially censor content, even if it does not outright ban it. By simply never recommending videos — with information, for example, about Tiananmen Square, Tibetan Independence, Hong Kong protests, or Uighur Muslims — the company could influence what America's youth sees on a regular basis. 

CHINA AND DATA MINING 

In addition to its potential to control information, TikTok is also collecting vast swaths of it. 

Like many social media apps, TikTok asks users for permission for access to their microphone, camera, photos, videos, and contacts. It even collects "keystroke patterns," which is the unique rhythm a person uses to strike their keyboard. 

Because China's 2017 Cybersecurity Law requires China-based companies such as TikTok to provide the Chinese government with access to their data, security analysts say this data could be a veritable goldmine for the Chinese government. Hackers linked to Beijing have already stolen the personal data of millions of Americans through security breaches at institutions like Equifax, Anthem, and the U.S. government's Office of Personnel Management. 

In an executive order this summer, President Trump addressed TikTok's potential for data mining, writing, "This data collection threatens to allow the Chinese Communist Party access to Americans' personal and proprietary information — potentially allowing China to track the locations of Federal employees and contractors, build dossiers of personal information for blackmail, and conduct corporate espionage."

In an interview with 60 Minutes, Vanessa Pappas, TikTok's interim CEO and the third person to helm the company this year, pushed back against the notion that the Chinese government can access the data the company collects. She noted that TikTok does not operate in China and said the data gathered from the U.S. is stored here as well. 

"If a government were to request data we will put that in our transparency report and tell you," Pappas said. "And certainly the Chinese government has not requested data, and if they did it would be an emphatic, 'No.'"

But according to Klon Kitchen, who leads technology policy at the conservative Heritage Foundation, the Chinese government does not even have to make the request. 

"The national security and cyber security laws of China require them to operate and build their networks in such a fashion as to where the government has unfettered access to their data," Kitchen said. "And so no, the CCP doesn't ask them for information. They don't need to. They have access to the information." 

Kitchen said the data TikTok collects, while seemingly harmless, could potentially be used in conjunction with information gathered in previous high-profile hacks. By combining TikTok data with other sources of information, he said, the Chinese government can get a fuller picture of an American they want to target.

"And they begin to understand, 'What is the ideal candidate for someone who gets hired into the U.S. intelligence community?'" Kitchen said. "If they were to try and source a human-intelligence asset, well, they know the exact type of legend or profile that they need to have to be an ideal candidate so they might get hired."

WHAT HAPPENS NEXT?

The U.S. Commerce Department in September attempted to ban downloads of TikTok, giving November 12 as a deadline for other internet companies to cease hosting the app.

After TikTok and TikTok content creators filed separate suits, two federal judges temporarily blocked the ban. "It is undisputed that the Secretary's prohibitions will have the effect of preventing Americans from sharing personal communications on TikTok," U.S. District Judge Carl Nichols wrote in one of the decisions.

In a later decision, U.S. District Judge Wendy Beetlestone wrote that the ban would cause the creators to "lose the ability to engage with their millions of followers on TikTok, and the related brand sponsorships."

But the nationwide injunctions did not address the other aspect of Trump's executive order, which requires TikTok to find a new owner. The administration has never explained the requirements for TikTok to keep operating in the United States, nor has it spelled out the consequences should the company fail to be sold by the new deadline of November 27.

In a statement to 60 Minutes, TikTok's New York-based head of corporate communications, Josh Gartner, said he is confident the Oracle deal will pass muster.

"Our U.S.-led security team has put extensive measures in place to guard against access to American user data by any government," Gartner wrote. "In September, we offered to make Oracle our trusted technology partner to further protect and verify the security of U.S. user data—a proposal that the President endorsed. We look forward to implementing this solution to put this issue to rest, once and for all."

Under this deal, Oracle and Walmart would partner with TikTok in the U.S. The two companies would have a combined 20 percent stake in TikTok, with Oracle taking 12.5 percent, and Walmart getting 7.5 percent. China's ByteDance would retain the remaining 80 percent ownership of the company. President Trump in September said he gave his "blessing" to the partnership. 

Microsoft had also been in negotiations to acquire TikTok's American operations, but ByteDance rejected their offer in favor of Oracle. Critics of the Oracle deal note the closeness between the company's leadership and the Trump administration: Oracle's Chairman Larry Ellison earlier this year hosted a fundraiser for President Trump, and the company's CEO Safra Catz served on the president's 2016 transition team.  

According to a statement from Oracle, the deal would move TikTok's U.S. user data to the American company's cloud infrastructure, thereby making Oracle accountable for data security and privacy. 

Oracle would also have access to check the app's source code, but ByteDance would reportedly retain TikTok's algorithm and technology. The complete makeup of the deal has not been made public, and some in the tech industry fear it may not do enough to solve national security concerns.

"A deal where Oracle takes over hosting without source code and significant operational changes would not address any of the legitimate concerns about TikTok, and the White House accepting such a deal would demonstrate that this exercise was pure grift," former Facebook security chief Alex Stamos wrote on Twitter.

For now, TikTok's future in the U.S. remains unclear. For Kitchen, the video-sharing app is not the only threat the U.S. faces, simply one the U.S. government is beginning to address. 

"I would say it's emblematic of the broader concern," Kitchen said. "And that broader concern is the fusion of the Chinese government with its industry. And if the Chinese government would adopt a more responsible posture, then Chinese technology companies could operate in the U.S. market and thrive."

Graham Messick and Jack Weingart contributed to reporting.

The video above was produced by Brit McCandless Farmer and Will Croxton. It was edited by Will Croxton.
