The wild popularity of TikTok, the app best known for videos of lip-syncing teens, is re-igniting the debate among U.S. officials over how the United States should define and defend its national security interests against Chinese companies. One frequent argument is that the United States should “ban” TikTok. Under U.S. law, that’s not a real option—but there’s a huge toolbox the government can deploy against the app instead.
TikTok is owned by ByteDance, a Beijing-based software company, creating worries about data privacy. The U.S. has accused the Chinese government of stealing personal data many times in the past, including targeting the U.S. Office of Personnel Management, Equifax, Marriott, Anthem health insurance, and others. As TikTok collects user data from tens of millions of Americans, Chinese authorities who possess sweeping national security powers can simply compel ByteDance to hand over foreign users’ data. The United States is not alone—India banned TikTok last month (along with dozens of other Chinese apps), citing similar issues, in the aftermath of a bloody skirmish with China on the border.
Another concern is potential censorship and disinformation. TikTok has reportedly moderated away content that displeases Beijing, such as references to the Hong Kong protests, Tiananmen Square, Tibetan independence, and Falun Gong, although the company denies any interference. Sen. Marco Rubio has warned that China seeks to “extend its authoritarian censorship of information outside China’s borders” by controlling content on TikTok. Peter Navarro, U.S. President Donald Trump’s chief trade advisor, said he expects “strong action” against TikTok.
U.S. law likely does not allow Trump administration officials to easily impose a flat “ban” on a free social media app already in use by millions of Americans. But our experience suggests that U.S. export controls, sanctions laws, and other national security provisions are available to restrain TikTok and isolate ByteDance. Thanks to the perception of a growing China threat, laws have been developed and expanded in recent years precisely to address a situation like this one. But the exact tool the United States chooses to use in the ongoing tussle between the world’s two superpowers has important implications for both U.S. and Chinese companies caught in between.
The United States could attack TikTok’s corporate relationship with ByteDance using the powerful Committee on Foreign Investment in the United States (CFIUS). CFIUS scrutinizes, and sometimes blocks, foreign investments in U.S. companies on national security grounds. In recent years, CFIUS has been highly focused on investments from China: Chinese investments made up more than 25 percent of CFIUS-reviewed transactions from 2015 to 2017, the most of any country. Thanks to the Foreign Investment Risk Review Modernization Act of 2018, CFIUS now has an extended reach and a sharper bite. It is no secret that the recent CFIUS changes were squarely directed at Chinese investment in the U.S. private sector. One of the reforms in the 2018 law focuses on transactions that result in foreign control over a U.S. business such as TikTok that “maintains or collects sensitive personal data of United States citizens that may be exploited in a manner that threatens national security.”
CFIUS cannot outright “ban” TikTok, but the committee can force changes to mitigate data privacy concerns, including restructuring the corporate relationship in order to place TikTok’s U.S. data outside ByteDance’s reach. Another approach is to demand revisions to TikTok’s data-collection and dissemination policies. CFIUS could appoint an independent monitor to review and report on the company’s compliance with either of these protective measures.
Even more aggressively, the committee may decide that no middle ground adequately secures U.S. personal data when a Chinese company sits atop the corporate structure, and require ByteDance to divest from TikTok’s U.S. business. CFIUS orders to undo past transactions were once rare, but that remedy is no longer off the table, especially when China is involved. Twice last year CFIUS referenced data privacy concerns in forcing Chinese investors to divest from Grindr, the LGBTQ dating app, and from PatientsLikeMe, a health care technology startup.
Recent reports suggest that the Trump administration may place TikTok on the Entity List, a regulatory tool administered by the Commerce Department to protect U.S. national security and foreign-policy interests by restricting U.S. exports to a listed entity.
The Trump administration has used the Entity List enthusiastically against Chinese companies, following on from its predecessors. In March 2016, the Commerce Department listed Chinese telecommunications giant ZTE for violating U.S. economic sanctions against Iran and North Korea, crippling the business and forcing it to come to terms with pending enforcement actions by the departments of Commerce, Treasury, and Justice. Chinese state-owned chipmaker Fujian Jinhua was listed in October 2018 for alleged trade-secret theft, severing its access to U.S.-made equipment essential to its production line. Listed entities often suffer further when suppliers and other business partners are driven away completely, fearful that even permissible dealings with a listed entity might attract unwanted scrutiny from the United States.
The power of the Entity List lies in its flexibility, which may appear to some overseas observers as bordering on arbitrary. Commerce Department officials can redefine “national security … interests” with broad discretion and limited judicial oversight. Prior to 2018, the Entity List had almost always been used to target violations of U.S. export control or economic sanctions laws, but in recent years, the scope of “national security” has expanded. Last year, for example, the Commerce Department listed artificial intelligence giant Hikvision and seven other companies “implicated” in human rights abuses in China’s Xinjiang province, an unprecedented application of the Entity List. It would not be a stretch for the United States to pronounce that ByteDance’s access to the personal data of U.S. citizens threatens U.S. national security interests.
But the Entity List is an imperfect instrument. A U.S. company cannot be listed, so this approach would target TikTok’s foreign parent company, ByteDance. It’s not clear, however, how listing ByteDance would affect TikTok. The Entity List has been highly effective in changing the behavior of foreign entities heavily dependent on U.S.-origin exports, such as ZTE and Fujian Jinhua, but a software company like ByteDance likely does not depend on U.S. technological products to the same degree.
Instead, adding ByteDance to the Entity List may achieve results by restricting it from receiving crucial software updates through the iOS or Android app stores. Importantly, an Entity List designation would not formally prevent any ByteDance exports to the United States, although the designation may have the practical effect of stopping such exports, as companies often overcomply with U.S. sanctions. And overcompliance might lead companies such as Apple and Google to cut off even nonexport transactions with ByteDance (and TikTok) out of an abundance of caution. Where ByteDance does depend on U.S. products, it can take (and likely has already taken) steps to limit its exposure to U.S. supply chains, as other Chinese companies have done. Hikvision, for example, reportedly began a “de-Americanization” campaign months before it was designated, diverting its supply chain away from the United States and towards more secure sources.
Another arrow in the U.S. government’s quiver is to force a deplatforming of TikTok from iOS and Android app stores pursuant to the International Emergency Economic Powers Act, the statute that undergirds almost all U.S. sanctions programs. In May 2019, Trump signed Executive Order 13873, which declared that “unrestricted acquisition or use in the United States” of communications technology that is “owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries” constitutes a threat to U.S national security. That order authorizes the Commerce Department to block any “acquisition, importation, transfer, installation, dealing in, or use” of information and communications technology and services based on an “unacceptable risk” to U.S. national security, including based on a risk of sabotage or other “catastrophic effects” to U.S. communication infrastructure.
It remains to be seen how the Commerce Department will use this new authority, but implementing regulations proposed late last year would authorize a case-by-case determination of whether a transaction should be prohibited or mitigated. These regulations could be used to deplatform TikTok, forcing its removal from the most popular app stores. While this measure would not remove the app from devices that already have it downloaded, it would effectively prohibit the app from being maintained, making its continued use practically impossible.
The Commerce Department regulations implementing that executive order are still pending, making any action against TikTok under Executive Order 13873 difficult on short notice. Any prohibition would almost certainly be challenged in court on both procedural and substantive grounds, drawing out any resolution for years and forcing the U.S. government to support its assertions publicly before a federal judge.
Finally, the Trump administration could target TikTok through law enforcement actions. In 2019, the Federal Trade Commission (FTC) issued a $5.7 million penalty against TikTok for illegally collecting children’s data under the Children’s Online Privacy Protection Act and entered into a multiyear consent decree with the company. Both the FTC and the Department of Justice are reportedly investigating TikTok’s compliance with that agreement. Civil cases brought by private citizens are pending against TikTok in U.S. courts based on alleged violations of user privacy. Such efforts would be of relatively limited scope, but might nevertheless deter ByteDance from future investment.
But as military strategists like to point out, the enemy gets a vote. TikTok and ByteDance have options to respond to any measures taken against them, some of which they have already implemented. ByteDance has changed some business practices, including cutting off its own engineers’ access to TikTok’s data. TikTok has attempted to allay concerns about its relationship with Beijing by hiring an American CEO, beefing up its U.S. regulatory team, withdrawing from Hong Kong based on the concerns over China’s new national security law, and issuing a “transparency report” stating that it was not asked for data by the Chinese government in 2019. Additional steps, such as a vigorous public relations campaign, could rally the millions of U.S. TikTok users, who generally skew young and anti-Trump already, portraying the company as a victim of an overzealous U.S. government.
TikTok and ByteDance also have legal options. Because the attempted “ban” by the United States is likely to rely on novel theories and will be imposed in haste, the companies are likely to have an opening to challenge the U.S. government action in court as lacking factual and legal support. A legal challenge might also put pressure on the U.S. government by forcing it to risk disclosure of sensitive intelligence on the Chinese companies if it chooses to fully defend court actions. Given the dearth of public evidence to date that TikTok provides any data to the Chinese government and the Trump administration’s less-than-stellar record against procedural challenges to its executive orders, it is possible that a well-structured challenge might be able to overturn, or at least delay, any “ban.”
Ultimately, TikTok presents yet another iteration of what is becoming a constant problem for the U.S. government: how to protect U.S. national security while maintaining the United States’ long-standing commitment to global free markets. How the United States attempts to thread that needle—and how TikTok responds—will set an important precedent in the digital economy for Chinese-owned companies doing business in the United States.