If TikTok could be said to have a chief antagonist inside the bureaucracy of the federal government, FCC Commissioner Brendan Carr would be as good a candidate as anyone for that designation.
The commission’s senior Republican, nominated to the body by President Trump, has repeatedly denounced TikTok in interviews and public statements for presenting what he describes as a clear “national security threat.” Motivated by leaks of audio from internal TikTok meetings showing that US user data has been accessed from inside China — despite earlier protestations to the contrary from the company — Carr has also gotten creative in his ongoing crusade against the video app.
He’s sent letters to Google and Apple, for example, demanding an explanation for why an app like this, one that’s been shown to violate their rules, shouldn’t be kicked out of their respective app stores.
So far, Carr told me in an interview, only Google has responded to that letter. And it was with, as he puts it, a “word salad” defense acknowledging Carr’s concern and promising that the company would look into the issue. No answer from Apple yet, but Carr isn’t worried. “The tide is moving out on TikTok,” he told me.
Is China collecting data from TikTok?
“People look at TikTok and say, well, it’s just a fun app for sharing videos,” Carr says about the app, which, as of the time of this writing, Apple lists as the #2 “Top Free App” in its App Store. Apple also includes TikTok on its list of “Must-Have Apps,” which is a separate ranking.
Continues Carr, “It’s not the video, though. It’s all this data being pulled below it. Is there a tremendous national security threat when it comes to one family’s son or daughter, individually? I don’t think so. The problem is this is millions and millions of people, and data on millions and millions of people. And China has got the most sophisticated AI operation for analyzing this stuff. It’s the scope and scale that really presents the national security threat for us.”
To be sure, his problem with the app also extends beyond any mere hypothetical danger associated with US users. There’s also the impression that TikTok, at first, left in the minds of people like him: namely, that it was sufficiently walled off from its China-based parent entity, ByteDance. That held until a bombshell BuzzFeed report dashed the assumption back in June. The report relied on audio from more than 80 TikTok company meetings to assert that employees based in China have “repeatedly accessed nonpublic data about US TikTok users.”
For anyone keeping score, that’s also precisely why the Trump administration threatened to ban the app in the US. It was a threat that seemed on the verge of leading to real action … until the onset of the coronavirus pandemic, which meant that other priorities quickly took precedence.
The company’s response
The situation is much different now. The pandemic has waned, Trump is out of office, and TikTok has come back to the fore.
In June of this year, TikTok policy advisor Albert Calamug tried to allay some of the myriad security concerns by sharing a breakdown of how the company handles US user data.
He explained in a company blog post, for example, that TikTok maintains data centers in both the US and Singapore, wherein it stores data connected to US users. TikTok’s Virginia data center, he continued, “includes physical and logical safety controls such as gated entry points, firewalls, and intrusion detection technologies. It’s also important to maintain backup data storage locations to guard against catastrophic scenarios where user data could be lost, and our data center in Singapore serves as the backup data storage location for our US users.”
For more than a year, he added, TikTok has been working with Oracle to better safeguard its app, systems, and the security of US user data. And today, TikTok says that 100% of US user traffic is being routed to Oracle Cloud Infrastructure.
Is that enough to allay concerns? Not hardly.
TikTok’s CEO certainly didn’t help matters during recent congressional testimony that saw him, among other things, quibble over what counts as spying. At one point during that hearing, Florida Republican congressman Neal Dunn, with a reference to TikTok’s parent company, gave TikTok CEO Shou Chew an easy layup of a question: “Has ByteDance spied on Americans at the direction of the Chinese Communist Party?”
Chew’s response: “I don’t think spying is the right way to describe it…”
TikTok in 2022: What changed?
Investigations into problems around TikTok, meanwhile, are continuing at the federal level. On multiple fronts, in fact.
Besides Carr sounding the alarm as an FCC commissioner, two US senators have called for an FTC probe of TikTok. Carr also told me that the US Commerce Dept. has its own ongoing review. Additionally, there’s a so-called CFIUS review run by the US Treasury Dept. which, according to Carr, is looking at foreign investments in the US regarding TikTok as well as related apps.
Outside of the US, members of parliament in countries like Australia and the UK have likewise undertaken similar efforts.
“This isn’t about me or the concerns I’ve raised,” Carr said. “This is about the bipartisan and global concern about this. I think it’s very clear that TikTok has got a short window here before there’s concrete government action.
“You’ve already got things like the military branches that have banned TikTok from their official government devices. I just don’t see how you can be half-pregnant when it comes to the security concern, which is enough of a concern to boot it off military devices. It seems hard to conclude that the exact same military personnel should be able to put it on their personal phones — and be in the same areas as they are when they’re acting in their official capacities.”
Other concerns
And new TikTok-related security concerns continue to mount. As we noted in a separate piece, security researcher Felix Krause recently discovered that the in-app browser in TikTok’s iOS app injects JavaScript code into every website that users visit. That means the app could monitor every keyboard entry and every tap on the screen.
According to Krause, an app injecting JavaScript into a website isn’t inherently malicious. But even if it’s clear what an app is doing, how companies use the data they collect isn’t always transparent. Moreover, in the case of the TikTok in-app browser, Krause says the code “behaves like a keylogger.”
The chief administrative officer of the US House of Representatives has also urged members of Congress to refrain from using TikTok.
“My mindset has always been — it’s not enough to have ties back into the (Chinese Communist Party),” Carr told me. “We still have at the FCC dozens upon dozens of entities that we license and authorize that have ties back into communist China. What I’ve always said is you need that, and a plus factor.
“We saw with Huawei, ZTE — a lack of transparency about data flows. Or, they’d represent that data doesn’t go to Place X. And then we’d find out that data does, in fact, go to Place X. And I think that same mindset applies to TikTok. It’s not enough just that the parent company has ties back to communist China. It’s that they have masked the data flows back into China for two years. We’re always looking for a plus factor before we step into action.”