Virtual Meeting

TikTok on the Clock: Data, Deals, and National Security

Thursday, November 12, 2020
Tingshu Wang/Reuters
Speakers

Assistant Professor of International Studies, Indiana University Bloomington; CFR Term Member

Fellow, Technology and National Security Program, Center for a New American Security

Vice President, Global Customer Success, Liferay; CFR Term Member

Presider

Internet Policy Research Initiative, Massachusetts Institute of Technology; CFR Term Member

As the deadline approaches for Beijing-based social media platform TikTok to finalize a deal allowing its U.S. operations to continue, panelists discuss the rise of TikTok and other foreign-owned mobile apps, the relationship between data collection and U.S. national security, and the regulatory and legal implications of such deals. 

EDELMAN: Thank you, Sara, and thank you to the Council for inviting us this evening. I'm David Edelman with the Massachusetts Institute of Technology, and I'll be the presider for the on-the-record virtual meeting today, "TikTok on the Clock: Data, Deals, and National Security." And we have over five hundred of you registered for today's virtual meeting. And we'll do our very best to get to as many questions as we can during the Q&A period in about thirty minutes.

But first, we are joined today by three expert panelists. First, we have Kara Frederick, who is a fellow for the Technology and National Security Program at the Center for a New American Security, which she joined after roles at Facebook and the Department of Defense. Fred Tsai is vice president for global customer success at the enterprise software company, Liferay, and previously held roles at Salesforce.com and Dell, including as its director of China strategy. And third, we have Sarah Bauerle Danzman, who's an assistant professor at the Hamilton Lugar School of Global and International Studies at Indiana University Bloomington, who most recently spent a year as a CFR international affairs fellow at the State Department's Office of Investment Affairs. And I can think of no better group of three to help untangle all of this. So let's dive right in.

In the last twenty-four hours alone, and you can verify this with your own quick Google search, we have the following headlines on this topic. Forbes carries, quote, "Today Was Supposed to be Doomsday for TikTok—Here's Why It's Not." Bloomberg said, "ByteDance is desperate for an extension as TikTok sale deadline hits." The Verge said, "TikTok says the Trump administration has forgotten about trying to ban it and would like to know what's up." And CNN Business says that quote, "Trump blew up TikTok and now nobody knows what's going on."

And so it's our sincere hope today that with the expertise that we've assembled, we'll be able to figure out what's going on and what we should know about it going forward. So let's start right there. No one knows what's going on. Kara, help us understand what's going on here and help us level set for the audience who are perhaps not necessarily spending their whole day on TikTok, even though in this COVID world many of us are spending time at home. What exactly is TikTok? What is the relationship with ByteDance? And what are the specific concerns that we're seeing here?

FREDERICK: All right. So TikTok, if you haven't used it, then your kids or your nieces and your nephews—they certainly have. It's a video sharing app that Gen Z lives on. It has short videos, now up to sixty seconds long, with special effects. You can lip-synch to songs. You can talk to sound bites. There's filters, likes, comments, the usual. It's massively addictive, most likely in part to its “For You” algorithm, which we can talk a little bit more about. But as of last year, 60 percent of its users were between the ages of 16 and 24. And this summer active monthly users climbed to almost ninety-one million, and that's fifty million daily users in the U.S. as well. So massively popular, massively addictive, it's a digital platform owned by parent company ByteDance in China. In terms of what's going on, this saga, it really has it all. And in my mind, all of this, it really points to a broader threat. And that threat is what China or a Chinese-owned company can do with your data, what it will be able to do with American data in the future, and how the CCP, the party-state, really seeks to influence an American population through technology.

And really quickly, I like to bucket the risk into five categories. And there's sort of a litany of reasons to be concerned about the national security implications of a seemingly benign, really fun platform. Starting one—they’re your normal hard security concerns. These are your vulnerabilities to intrusion, hacking, and whatnot, bug-doors, so security flaws potentially hidden in programming vulnerabilities.

Number two—data privacy issues. These are your standard invasive data collection practices that even U.S. social media companies propagate. TikTok collects GPS locations, IP addresses, media access control addresses, or MAC addresses, contacts, images, keystroke rhythms and patterns, and other personally identifiable information and device information that are unique to a lot of the devices that you're actually using.

Number three, and this is where it starts to get more notional and abstract, hence some of the consternation about the viability of these actual threats—the governance atmosphere in China. TikTok’s parent company, as I've said, ByteDance, they're ultimately subject to CCP laws and policies that really have these broad and low thresholds for CCP access to the data that it collects. And you've all heard about the 2017 National Intelligence Law, I don't need to belabor it, the cybersecurity law as well. But it also leads us to, I think, what's very unique about TikTok and that's the algorithm, the “For You” algorithm, its secret sauce. It's based off of your interactions on the platform itself.

So you are your own entity, nothing that you see is really determined by your friends necessarily. It's based off of your particular engagement with video, subject to you—not your friends, not your network—just you, so your own personal newsfeed that doesn't depend on your actual social network. And with that comes a potential slick vector for disinformation, for propaganda that is going to be micro targeted specifically to you and be particularly compelling to an individual.

And then fifth, and finally—values. So we know through leaked documents that TikTok has censored content on Tiananmen Square, Tibetan independence, of potentially Hong Kong protests. And the fact that TikTok really maintains that youthful user base, it means it's really important to get a values transfer, right, when all of our youth are pretty much on a specific platform. You don't want to enter a younger generation of Americans to authoritarian principles. And there are so many implications flowing from that as well, but on pain of David yelling at me, I will stop there.

EDELMAN: Thank you, that is hugely helpful. Now, Fred, you're in industry and you know, TikTok, as we've read, has been in talks to spin off its U.S. business, maybe in a sale, maybe just to transfer to possibly Oracle or Walmart. And while TikTok is getting all of the attention in today's deadline, WeChat was also singled out in President Trump's executive orders here. Can tell us a little bit about that. Now, they don't necessarily have the same options or incentives as companies, certainly when it comes to a sale, so tell us a little bit more about this other piece of the picture, WeChat. How does it fit in? And how is it different?

TSAI: Sure. I mean, so two things. The first one is the ban on TikTok is more commercial, and the ban on WeChat is really much more personal, especially for Chinese Americans. And just to step back a bit, you know, TikTok, just in the U.S. alone, is really one of the internet's most amazing growth stories. As was mentioned, you know, all the cool kids use TikTok. They love the fifteen seconds short-video format. It's actually grown by about nine times since just a couple of years ago to almost a hundred million users in the U.S.

And again, that's from 11 million to 100 million users. Last year, revenues for TikTok were about $200 to $300 million. They're set to grow by five times to a billion dollars this year. And Wells Fargo believes it'll grow to $6 billion next year. This is truly amazing growth off of a large base already. By comparison, Facebook, right before its IPO, only about doubled in revenues. So again, TikTok is going to grow by five times to $1 billion in 2020. And again, do it again, by six times in 2021, so really, really amazing exponential growth. One of the internet's bright stories right now.

WeChat on the other hand, is really, it's really pretty irrelevant for the U.S. and here's why. It’s irrelevant business-wise, it really affects Chinese Americans and the Chinese diaspora mostly. For those unfamiliar with WeChat, it's essentially the Chinese version of WhatsApp. It's used in China by a lot of the global Chinese diaspora. Within China it’s used for much more than just messaging, there are payment systems and other features integrated that make it an integral technology for day-to-day life. A lot of street vendors use it, for instance.

Personally, I use it almost every day to share my daughter's photos with our family group chat and occasionally to communicate with friends who are based out of China, as it's now the preferred mode of communication there. From my perspective, from a data security perspective, the WeChat threat is really more theoretical than anything. It's very small. WeChat only has about 1.5 million monthly average users in the U.S. Again, that's versus TikTok's one hundred million. And again, even versus Russia's Telegram, which has about three million and South Korea's Line service in the U.S., which has about three million in the U.S. WeChat is really, really tiny. So this is really a hearts and minds issue.

The WeChat ban is much more personal and it demonstrates the escalation, these rising tensions between the U.S. and China. I know that many Chinese Americans have been deeply concerned about how they're going to be able to communicate with their friends and family abroad. We as a family, as I mentioned, we had been using WeChat—we actually transitioned to South Korea's Line as a result of the proposed ban and, you know, our family members have feared losing three years of photos and videos of our daughter. So in the end, I think, there's a lot of drama, definitely a lot of bluster over both TikTok and WeChat. Not really sure how productive it is in the end.

EDELMAN: So, Sarah, now you've been on the inside of this and obviously studying it for a long time. Help us with the broader context here. We've been talking about these app bans as it can relate to two individual cases, right—TikTok and WeChat. And obviously, it’s related to specific companies. But these are broader questions, right, of data security, of China, of investment review, and all of them have a much longer history here. I know you've been studying this. So help reacquaint us here. What are the actual tools that the U.S. government has and is employing in this case? And have the politics around those changed in the last few years? Is that what we're seeing in these particular cases?

DANZMAN: Yes, well, first of all, thank you, David and the Council, for organizing such a timely webinar and also to the audience for joining us today. So there are kind of, when we think about the two executive orders that have been put in place against TikTok and ByteDance, we can pull out two specific tools that are being used by the U.S. government that also help us to think more broadly about how the U.S. government is thinking about the threats associated with this type of data collection. So the U.S. government's key investment review tool has been the Committee on Foreign Investment in the United States, or CFIUS, which many of the audience members are probably acutely aware of, but just a couple of years ago, you know, most people, if you ask them what CFIUS was, they would have no idea, right?

And CFIUS was recently strengthened by the 2018 passage of the Foreign Investment Risk Review Modernization Act, or FIRRMA. And there were a lot of important changes in the FIRRMA bill. But one of the things that FIRRMA did was kind of emphasize the importance of sensitive personal data as a potential national security risk that CFIUS really needed to look more closely at. And I can get into a lot more details about the specifics of that in Q&A if people are interested. And CFIUS authorities were used in the August 14 divestiture executive order against ByteDance, which owns TikTok, and is currently kind of the subject of a lot of speculation as to if the divestiture orders actually going to go through.

But another major tool of the Trump administration has been the use of the International Emergency Economic Powers Act, or IEEPA. And IEPPA is normally used to authorize kind of economic sanctions, kind of more broadly. But this is the authority that the president invoked in the August 6 executive order that attempted to ban TikTok. There was an additional executive order on that same day using IEEPA authorities to ban WeChat. And we can also talk about the legal challenges there as well because that executive order has run into a lot of legal peril.

So the politics of CFIUS and IEEPA are quite different. So there is broad and bipartisan support for CFIUS. And that's because, for a long time, both parties have really understood the value of CFIUS. It operates under sort of normal conditions, what I would call like normal politics, not in the realm of emergency actions. Right? And there's also an understanding that there is a clear process through which the national security concerns are vetted and discussed among a whole of government approach with the nine agencies that that sit on the committee.

IEEPA, in contrast, is, you know, there's less agreement about whether and how IEEPA should be used. And that's because IEEPA provides the president with the authority to act over a much broader range of concerns. So, CFIUS is only in power, you can only use CFIUS if there's a national security risk arising from the transaction that you are reviewing. But IEEPA you could use for national security but also for some other issues related to foreign policy and economic concerns as well. So it's broader, but it's only supposed to be used for emergency situations.

And there's less, sort of, understanding about how that that decision process is made. And so we've seen that Congress is becoming less willing to extend deference to the president over IEEPA powers in recent years. And while some of that might be partisan kind of driven, there's concerns on both sides of the aisle as well on when it's appropriate to use those powers, and that's also because, you know, if you're stepping in too much, the business community is really going to take a hit.

EDELMAN: Right. So we've seen IEEPA used, obviously, in counterterrorism sanctions, we've seen it used in nuclear sanctions, we've seen it go even further in cases of human rights sanctions and Iran and Syria, some of them tech related in the last administration that were reupped here under Trump. But obviously, what we're seeing is this continual creeping and expansion of sorts of this particular authority. And I want to come back to Kara because now, you've worked at Facebook, you've seen the global footprint of a data operation there. And you've seen time and again how these sort of neat lines that we draw on geopolitics don't exactly line up with the realities of a global internet.

So I mean, let me just ask, do you buy the argument about the threat here to the extent that it's been presented by the Trump administration? And what, if anything, makes this unique, right, as far as cybersecurity concerns go? I mean, we are in an era statistically where almost every person on this call has had their sensitive information, Social Security number, PII, certainly MAC address, IP addresses spilled in commercial data leaks. So what's different here, and what is the administration trying to make the case is different here?

FREDERICK: So one thing I noticed when I went to Facebook in 2016, you know, through the presidential election then and leaving before 2018, was really this sort of, what I've been calling, a lack of a geopolitical cognition. Now, that's changed. Before it was all about, you know, shipping solutions and making sure that, you know, our global user base was satisfied and happy. And that, you know, we were solving problems for the users and the customers. What I'd say, I mean, that's changed, there's been a huge sea change within the halls of Facebook itself because of that.

And I don't speak for Facebook anymore at all, but I've absolutely noticed a difference, sort of a recognition that, yes, what we do in the halls of Menlo Park does impact the world, does have political impacts, you know, beyond the United States’ borders. There's a huge element of that now today. But what I think is very unique and I really think that the Trump administration did a good job of sort of identifying this, is what I'm calling, if you'll indulge me for a minute, systemic risk. And this is derived from the European Parliament, which basically categorized China in 2019 as a systemic rival, so a country that is promoting an alternative model of governance.

And to me, I think, solutions to these issues, and I do think the threat is real, it requires really identifying and mitigating that systemic risk that arises from dealing with platforms owned by authoritarian countries of the Chinese party-state, the CCP, very distinct from the Chinese people themselves and the Chinese populace. I think that always needs to be said, and there has been a big narrative issue and communications issue, I think, on these [executive orders] and a lot of these executive actions and that does need to be addressed going forward.

But I think that this risk really consists of those threats that are intrinsic to systems of governance that are distinct, and opposed to, open societies—free and transparent societies. And those are, you know, more intrusive data practices that are not subject to legal recourse, a liberal governance, and legal atmosphere, state-led economic systems, a lack of an independent judiciary, the lack of the rule of law, the absence of elements of representative democracies, and democratic governance, and lack of free and independent media institutions.

So when you're dealing with platforms owned by these governments, by these regimes, then you're incurring that type of risk that's really intrinsic to the nature of the interaction. And it does seem, a lot of people would call it abstract, but I really think that this concept is absolutely foundational when you're looking at digital platforms that suck up American data. We do know that employees in China, who are subject to leverage by the government, by the party-state, they did have access to U.S. user data up until 2019 at least. So I think it's very important to sort of recognize that uniqueness of that systemic risk. But, you know, what is China laying the groundwork to do with data?

We know that the OPM hack, like you said, most of us on this call probably had our Social Security numbers and our mom and dad's address scooped up in that hack. Marriott, Anthem, Equifax, you name it, you're looking at all of these data sets that, on their own, yes, are very useful to a potential hostile party-state, but when you are able to sort of layer this intelligence together, and I come from an intelligence background, where we're very familiar with integrating datasets and fusing the intelligence to identify patterns to make distinctions. Machines do it very, very well, as we've come to know in the past few years with the growth of artificial intelligence, particularly machine learning.

So I think it's important to know what groundwork is being laid here, what can be done with the data that is new, what technology can be applied to these large datasets and then what happens in the end. We have an example of this in Xinjiang with the Integrated Joint Operations Platform where behavioral and biometric data is synced and used to identify potential dissenters. And you know, the concentration camps are teeming with human beings, some through no technology at all, just human intelligence, and then other through the Integrated Joint Operations Platform. So I think you should take a nation seriously when it represents the bleeding edge of what surveillance tools can do when they are turned inward on a population and not risk it with American data. They already have too much.

EDELMAN: Okay, Sarah, now Kara has just made this case, of course, of all these areas in which this is real concern. And you pointed out though that there seems to be a bit of a difference in these types of mechanisms that the government has used before. And certainly when we have punitive commercial measures like sanctions, the U.S. government has historically held itself to a reasonably high and specific evidentiary standard, or at least been ready to publicly produce some evidence of direct malfeasance.

Obviously, some of the cases that we're talking about here are extremely specific, some of them are general and systemic, as Kara said. Is the China case just different going forward? I mean, based on the conduct of the regime, and the various forms of backsliding we've seen under Xi, is this now a new paradigm and category under which all these mechanisms, whether it's day-to-day investment reviews all the way through IEEPA determination, is this the new paradigm we should expect?

DANZMAN: Yes, you know, I think that there are just, we're seeing how the tools that we have used in the past sometimes don't work as well as we would like them to when it comes to the PRC. So for instance, with CFIUS, right, and investment screening, normally we kind of know when we can—in most countries, for most countries, we can kind of know more definitively when a company is controlled by a foreign government and when it's not. And part of the issue here is that when it comes to Chinese-owned companies, there's just a lot of distrust. That's very understandable within the U.S. government about how much we can assume that a company that is notionally private within the context of China actually is, right.

And so when we have tools that are designed for circumstances in which we can tell the difference really easily, but the kind of concern is coming from states that have a different structure of the way that their government, society, and their business kind of operates, right, that this kind of breaks down and creates, at least, more challenges, right, because CFIUS was designed to maintain as open of an investment environment as possible while putting in really important guardrails to make sure that we weren't kind of keeping the doors unlocked for, you know, kind of stealing all of the important technology or can have access to critical infrastructure and so forth in a way that could be used against the U.S., you know, for national security reasons.

And, and so the kind of bias has been to not act unless we can really find a real risk that is attributable to that specific transaction. But when we're starting to see kind of these new patterns that are suggestive, the question is, well, how risk averse do we want to be as a country in terms of like denying access unless we can be sure that there's no national security concern? And I think that that's something that the U.S. government is really struggling with, because we, you know, as a society and as government, kind of ideationally, there's been a lot of emphasis on how what has made the U.S. economy work so well is its openness and that openness has allowed innovation in the U.S. economy for so long. And that if we tamp down too much, that there will be real severe negative consequences.

So I think that that's a really important issue that the next administration is going to have to think through—how are they going to approach this problem? And there are other areas that matter where the Chinese government presents some new challenges as well. So Kara was talking before about the propaganda kind of component of TikTok, which is really concerning. And the issue here is that ByteDance is not technically owned by the CCP, right. And so when we think about the tools that we have in the U.S. to sort of push back against state propaganda, we have FARA, right, the Foreign Agent Registration Act.

But that is really hard to use in this case because TikTok is not actually owned by the Chinese government even if we think that the CCP has leverage over its decisions. And also, that is mostly a voluntary registration, right? So when you have actors that are, you know, are specifically, you know, engaging in propaganda and misinformation in ways that are much more sophisticated and nuanced, the tools that we currently have just don't really match the kind of problems that we're facing right now.

EDELMAN: So in about five minutes, we're going to get to Q&A. And so I would ask all of those who are in attendance, start thinking about your questions for our three panelists. But before we do that, let's pull the lens back a little bit and talk about, this is obviously not just a U.S. operating in a vacuum affair, and what the U.S. is doing in this context is already being mirrored, if not exacerbated, back in China. Beijing has its own views about how to pursue this particular case. Fred, you spent ten years in China for Dell, the Chinese government has its own reactions, particularly by export controls most recently. Tell us a little bit about what's happening over there. And, you know, how unusual do you read these new steps to be? Are we just going to be in this tit-for-tat back and forth and will things escalate? Or is there a bit of a way out here for the next administration?

TSAI: I certainly hope so and I think so. Well, first off, I think this is just an unproductive tit-for-tat response by the Chinese. At a higher level, I believe that forced commercial intellectual property transfers are bad. Just flat out, be it a Buick, or an algorithm, or a line of code that amounts to really the the commercial value of a product. I think forced intellectual property transfers are not a good thing. And I don't think the U.S. should be mirroring Chinese bad behavior. As a background to your point, David, shortly after President Trump ordered TikTok to be divested from ByteDance, China changed its export control laws to require the approval of regulators for the deal to go through China. The restricted list of technologies included what is essentially that secret sauce that was mentioned earlier—that technology, the algorithms behind TikTok’s success, the recommendation engines that really keep users glued to their screens. In the end, though, it's just a line of code. But it's what makes TikTok so special. The TikTok case, in my view, is one of the U.S. really trying to mirror China's historic, bad behavior. And I just don't think it works.

One reason why U.S. tech companies are the world's most innovative is because of the fact that we have a stable regulatory environment here in the U.S., and we just don't make the arbitrary moves and decisions that threaten the entire existence of commercial and private entities. I'm not even sure if the whole TikTok situation was really even productive, or if the Trump administration is going to get out of it what it really wanted. If you look at the actual proposed Oracle and Walmart transaction with TikTok, it's really just a partnership and an investment for about 20 percent of the company.

It's not an acquisition. I'm just not sure what all this drama and disruption really got us as the United States. And I think this is why it's the perfect opening for the Biden administration to restart the S&ED, this strategic economic dialogue that Obama had started and were shut down by President Trump, so that we can have real and lasting American access to China's internet and cloud market. We want to replicate the kind of success that U.S. hardware makers have had—Apple has about 15 percent of its sales based out of China, Dell historically at about 10 percent, huge numbers—who want to replicate that kind of historical success that U.S. companies have had with this generation’s American internet leaders.

If Google can open up Google Cloud Platform, for real, and thrive and make money in China, if Amazon's AWS and SasS companies like Salesforce, don't have to go through a Chinese joint venture and can actually go there and be in China and actually thrive in China properly, then I think that's a huge win. These are very, very complicated matters that will require a sustained structured dialogue with China. And I think, you know, the Biden administration, by restarting the S&ED with China, would start off really well.

EDELMAN: Thanks, Fred. So a tremendous amount to unpack here. And I want to bring the rest of our group into the conversation. So with that, why don't we move over to the Q&A and I'd like to hand it back over the operator who can tell you more about how to get your questions in and for this panel. So over to you.

STAFF: We will take the first question from David Kirkpatrick.

Q: Oh, thank you very much. I think I'm unmuted. I had two related questions which flowed from something Kara was saying. It was a really great conversation, by the way, for all of you. I think the question I have, both of them are related to the motives of China. And when Kara enumerated all the attacks that have occurred, etcetera, it reminded me of the thought that I've heard numerous times over the years that there may be a national effort in China to build a database of Americans on a really wholesale basis. And I'm curious if any of you think that that is actually their goal.

And second of all, and this maybe is more especially for Kara since she worked at Facebook, and it's a company I know well, I have frankly believed for a long time there's a good chance that Chinese and other intelligence agencies have infiltrated our American tech companies. And when you note that, even as recently as 2018, Facebook didn't have a geopolitical consciousness, one can only imagine how little they were actually guarding against that sort of thing. So do you, any of you, believe that we have an issue there that could potentially engage in this issue of data collection? Thanks.

EDELMAN: Thanks, David, great to hear from you again. So why don't we begin? Kara, do you want to start with your response there and we’ll move to others that might have a view on these.

FREDERICK: Yes, thank you, David. And I'm sure you know, as you know, since you're familiar with a lot of these social media companies, the default setting is openness. So it's different from, you know, I went into government and then I went to Silicon Valley and most people don't do that. Most people go to Stanford, get their BS, get their MS, go right to these companies, and especially the artificial intelligence community, the programmers, the engineering community, I mean, they are very, very open. There's a lot of efforts underway to open source a lot of these developments.

So you know, when they're working with the programmer in the cubicle next to them or in our open office plan, they don't see them as a potential national security threat. They're seeing them as Joe who works next door and who's just a bit of a better coder than they are. So I don't think that's necessarily something that was, you know, at the forefront of a lot of his company's minds. However, when there's been, you know, a succession of Big Tech, as people call them DC, hearings on the Hill in front of the Senate just as recently as a few weeks ago, and when asked, and this was brought to my attention by a staffer yesterday, so I can't get credit for this, but when asked, Mark Zuckerberg was the only one who said, yes, there's probably some espionage going on here. There's probably happened. Everybody else, Google and whatnot, were kind of like, oh, we're not so sure.

So I think they are thinking about that. I don't think that it's beyond the pale whatsoever. We have, you know, since at least 2014, we have lots of documentation of IP theft, corporate espionage. And I think there has been, and what these executive orders were meant to represent, whether or not they were well executed, was the fact that we are pushing back against, you know, decades of unscrupulous practices that have been propagated by the party-state, that, you know, a lack of market reciprocity, all of that corporate espionage that I talked about before, information control and suppression that's been occurring, taking the IP transfer and whatnot, as Fred talked about, so it's, you know, it's definitely been happening. It's been happening for decades.

And in terms of, you know, China's intent, there are many people who do much better work on this particularly at the Australian Strategic Policy Institute, Sam Hoffman, I would point into her work. She talks about this global data ecosystem of which China is sort of actively engaging and, you know, sort of laying the groundwork to exploit the data. We don't necessarily know that they have exploited it to the fullest extent right now. But they're definitely gaining the mechanisms to do so. You saw it with the database on prominent Australians and Britains, with private companies with links to Chinese intelligence were compiling. This is kind of, you know, this happens. It's, you know, people like to know, sort of what's going on, they like to have those full intel pictures of the people that they're working with. Corporations do this and it's not necessarily sinister.

But I think that we, we basically need to remain vigilant and knowing what the technological capabilities are. And just continue combing through those policy documents that China does publicize—the great people who translate those words. I think it's very, very necessary to keep our eyebrows raised because we are aware of what they're capable of. They have the data now.

TSAI: And just to echo Kara on that point, I always assume that the Chinese are up to no good. No matter what, in all these cases. So yes, I absolutely agree with you, Kara, you have to always assume that they're watching. And it's the same thing in terms of the usage of these apps, right? There's no one I know, in terms of who used WeChat, and I use it myself, none of us would ever put really sensitive information over the network because we frankly assume that Beijing has a hold of it. In the same breath with Telegram and unclear whether or not they have continued links or not without with Russia, and I use it every day as well, but I certainly would never put anything sensitive. So always assume that they're watching. And that's why you have to always have a structured sort of system in place to protect against potential security threats. And to make sure that you're auditing—constantly auditing,

EDELMAN: So Fred, do the app stores have a duty to warn so that everyone who is using these apps knows that all the information might be sucked away by foreign governments. Is there a duty to warn there, there aren't that many app stores out there right now?

TSAI: And I believe so, yes. And I don't think it's a very hard to do, we can see that with YouTube and others, noting that it is owned by the Russian government; owned by the Chinese government; X, Y and Z. And so I don't, clearly, we know how to do it, we know how to mark potentially dangerous sites and apps—it wouldn't be hard to implement it.

EDELMAN: All right, we'll move to our next question.

STAFF: We will take the next question from Jamaal Glenn.

Q: Thank you. My name is Jamaal Glenn. I'm an impact investor in an organization called Schmidt Futures. So my question is related to, you know, some of the points you guys just hit upon. What should be my personal calculation, my personal risk assessment on whether or not I have TikTok on my phone. I have had the app on my phone two different times, and both times I deleted it mostly because it was sucking up productivity. I was spending way too much time on the app. And my understanding is that there are a number of other very popular apps on my phone that have the same sort of data intrusiveness. And so, you know, if I'm thinking selfishly, what should my personal risk assessment be? And then if I'm thinking, you know, as a patriot, what should my assessment be about whether to have TikTok on my phone?

EDELMAN: All right, who wants to take that one?

DANZMAN: Don't do it.

EDELMAN: Sarah says don't do it. Why?

DANZMAN: Yes, no, don't do it. I mean, yes, it's the case that all social media apps are collecting data, but actually ASPI, which Kara mentioned, is doing great work out of Australia on these issues, does have a really great report on both TikTok and WeChat that came out in September. And what they find is that that TikTok really is taking data that, you know, is more concerning than even some of the biggest kind of other U.S.-based apps.

TikTok has access to Clipboard and therefore your credit card information, passwords. Kara mentioned how it turned out that TikTok was surreptitiously collecting MAC information. So if you have an Android and if you downloaded TikTok through that Android, then you know the CCP might have that number that can never be erased from that phone ever again. And there's just too much of a risk to put it on your phone. I mean, I think Kara Swisher mentioned how she just has a burner phone for her TikTok, and that's what I would suggest.

There's just so much information to indicate that not only is the kind of the amount of data and the sensitivity of the data that TikTok is collecting, even just that much more of a problem than other apps. But we also know that TikTok is basically required to give that information to the CCP if they ask for it. We have no ability to know if the PRC has asked for that information or not because there's no transparency, and we can't trust that TikTok is going to be forthcoming about that. And so, it's just, you know, just don't do it.

EDELMAN: So there you go, free tech support courtesy of the Council on Foreign Relations, Fred, you have anything to add before we move on?

TSAI: I would do it with caution, meaning, you know, for instance, I like to keep a separate work phone from personal, if at all possible. Caution, meaning if you have little ones. Our daughter, for instance, I don't think we will allow her onto any social media until the age of eighteen. Period. Especially ones, you know, that are backed by Chinese entities, etcetera. I kid a little bit but and you just have to be careful, you have to make sure that if you're running an organization, you have the proper security protocols in place. Do not allow applications onto the corporate network, I just would not allow them on to the corporate assets in general. I personally don't believe that social media and whatnot should be on corporate assets. And then in our personal lives, we have to be really, really careful.

EDELMAN: And we'll have to see what the arms race goes, of course, between the app stores, the device manufacturers that are putting more and more barriers in, and the app developers that are finding more and more ways to be promiscuous with that data ingestion. So, all right, next question, please.

STAFF: We will take the next question from Eleanor Fox.

Q: Hello, thank you for this very, very interesting discussion. I feel that there are huge tradeoffs both ways in terms of not having the competition from China on the one hand, and not protecting our security on the other hand. We’ve had so many hearings, as you mentioned, Sarah, hearings on Big Tech, because we're worried that our own Big Tech is taking too much data and has too little competition facing it. So in theory, TikTok would be a great competitor to put competition on the market and help solve the problem.

So my question is, how do we cut the problem if you want to be sure there's a national security concern and it's not a political ship that's being played by the president? And on the other hand, do you see solutions coming up in the future, technological solutions, so that there's more security that we can protect through devices so we can almost have it both ways. Huawei is another example of a company that offers lots of good technology to the U.S., but we're really very afraid of it because it has so much technology that China could, if it wants to, reach in and get. And we may need to depend on China for 5G or 6G and yet we're worried about the national security interests of doing so. Thanks.

EDELMAN: Great. Thanks, Eleanor. Eleanor raises a lot of points. Let's start with that first one. And obviously we've seen cases of, obviously, Brazil, India, UAE, Pakistan. Right? Other countries have engaged in versions of app bans to varying levels of satisfaction to the U.S. government. How do we prevent this race to the bottom? How do we prevent a new dynamic whereby the only apps that are permissible in U.S. app stores are ones that are invented and coded here in the United States by Americans? Surely, that isn't the only end goal here, although, obviously promoting the domestic economic component is a major long-term goal. So Kara can talk about how we prevent this sort of mutual arms race and race to the bottom on these kinds of bans?

FREDERICK: Definitely—lead in privacy. That is what I think the next ridge line is. The United States has its work cut out for it, it can do it at the technical level, and it can do it at the policy level. At the policy level, I think a national federal data protection framework. Articulated components of a strong privacy regime would be very helpful. Accept some of those recommendations by the Cyberspace Solarium Commission, which basically say, hey, we need a federal, you know, a framework for thinking about privacy. And then second, at the technical level, I think most social media companies—I think NIST [National Institute of Standards and Technology], I think IARPA, I think DARPA, I think so many of these federal entities can really invest in finding that privacy solution of they can work together to devote engineering capacity to finding the technical solutions, implicit in things like differential privacy of federated models of machine learning, of finding the best commercially viable privacy solution, export it to those states that you talked about.

I call them global swing states, those with elements of democratic and autocratic governance, like India, going to be huge, Brazil, Indonesia, Philippines, these are massive markets. And if we can imbue these technologies with our values of openness and transparency, individual liberty, privacy and make them attractive to those nation states, have them, you know, sort of cleave toward our democratic impulses, vice taking China's subsidized cheap infrastructure and products on this unsecure infrastructure and other products and databases. You've seen sort of a backlash already internally in China because a lot of these surveillance apparatuses have really poor cybersecurity measures. So find that privacy solution, as the United States and maybe a cadre of democratic partners would be helpful as well. Get together, find the privacy solution, export it and ensure the world is on the side of democracy rather than closed repressive regimes.

EDELMAN: So shore up our privacy? Get that comprehensive data privacy law nationally? Fred, Sarah, is that enough? What else do we need to be thinking about here?

TSAI: I mean, first of all, Eleanor, that was a great question. And Kara, I agree with your points. Absolutely. The U.S. should have come up with GDPR [General Data Protection Regulation] first, right, in terms of a groundbreaking privacy regime first. And we've got that opportunity to do so with the new Biden administration. But to Eleanor's question about, you know, is it a good thing that we are advocating for an open and freer internet? And I believe the answer is yes, I think with TikTok and others becoming these dramatic internet growth stories, not just in their own domestic markets in China, but also globally, including in developed markets like in the U.S., it actually increases China's skin in the game, which I think is really, really important.

It's important having Chinese-connected internet and cloud companies that are actually relevant in the developed world and in the free world, because it could give us more leverage, because China has more to lose in the end. So you know, in my view, it's a game that we can actually win. And frankly, if we are aggressive and pushing back on China, and making them play by the, you know, by the global norms and by fair rules, if we can actually open up that market, that's the thing that the Chinese are scared of the most, and I know that Chinese tech companies are scared of the most. Most of them are simply big because of a protected domestic environment, period.

And I know that if the barriers were open to China in a real and meaningful way, in terms of the internet and the cloud, I believe U.S. companies would absolutely dominate. I know many, many people who use U.S. services and go through a VPN, etcetera, etcetera, because there's simply better than the Chinese offerings—competition matters. And I know if the Biden administration is able to help open up China in some significant way, I believe it's a space where we would win.

DANZMAN: So just to not to belabor the point, but to add in two quick things, because I really agree with what Kara and Fred are saying and especially on the point of leading on data security, which is really important and can solve a lot of the issues that we are talking about today. So first is when we think about who's the first country that banned TikTok? It was China, right. So, when we think about ByteDance like we think about TikTok as being a Chinese app, but you cannot use it in China. Instead, ByteDance has a kind of similar product called Douyin that operates off of the same architecture, but it's different.

So if you get on to TikTok in the U.S. or anywhere else in the world, like you're not able to communicate directly with people who are in mainland China because they can't get on the app. So one thing that we might want to kind of push more is that, you know, if the PRC wants to, you know, complain about these types of bans, like maybe they can start by allowing these apps to function in their countries as well. So we might want to think a little bit about that. There's so much hand wringing over app bans in the U.S. and the West, which I think there should be because I think there are huge First Amendment concerns with going around banning apps. But we shouldn't lose sight of the fact that, you know, that China is not even allowing this app in its own country.

And then my second point that I just want to bring up, and this is totally against my interest as someone who, you know, is a scholar of investment security, but one of the things that I think that we need to do is to keep CFIUS out of the headlines, right? Like, when CFIUS is in the headlines, it means that something has gone wrong. When it's not, it means that the process is working fairly and coherently and as apolitically as possible. So I think that, you know, in the next administration, you know, not trying to use that CFIUS process to sort of gin up this idea that we're being strong against China is really important, because, you know, the more that we kind of bombast on these types of things, the more problematic it becomes.

You know, we don't really know what's going to end up happening in terms of the divestment, but it could be the case that we've had this huge, you know, back and forth, and, you know, everyone throughout the world seen the U.S. kind of doing these things that, you know, might seem a bit problematic and what are we going to get out of it? Like, not a divestiture, right. So like, let's just try to keep it a little bit, you know, less out in the open. And trust that, you know, behind the scenes the committee can do its work fairly, and that if it's not, that the companies themselves will come forward to complain because they can always do that if they think that they're not being treated fairly.

EDELMAN: Great points. All right. We'll take, I think, one more question so we can move on to the next question.

STAFF: All right, we'll take the last question from Jeff Bialos.

Q: Hi, there. Nice to see you. I'm a partner at a law firm in Washington, used to be deputy undersecretary of defense for industry and sat on CFIUS and actually have been involved in many CFIUS cases, the sanctions case itself? Look, I think the question for the new administration is how to manage the national security risk here. One can't be too pollyannish and say there's no risk, right? But the issue is the quantum of risk, what's the evidentiary basis? Is it just propensity evidence? Do we really know that somebody's going to do this? And then can the risk be mitigated? And I guess I disagree with Sarah, because, I think, fundamentally this administration hasn't struggled with this.

They've come to the clear view that these risks can't be mitigated because they take the view that if China could use the National Intelligence Law and tell Huawei or TikTok or WeChat or whoever to go in and surveil, or in some cases, mess with U.S. infrastructure, that's a propensity risk. And the U.S. has taken that judgment and won't allow mitigation. TikTok tried every mitigation, you can imagine—U.S. CEO, all sorts of procedural controls—insufficient. So the question for the Biden administration is how do you think about that and whether you allow certain mitigation? I mean, if you take TikTok, everyone's on notice. Military people told not to use it. And everyone's on notice that there's a risk. So is there really a serious enough risk that that's not sufficient mitigation? I mean, that's, I think, the question for everyone here today.

EDELMAN: So Jeff, let me add a question to the end of your question, which is, we've talked about the risk, we talked about that we buy it, let me ask each of our panelists in our in our last couple of minutes here, obviously, give us a minute or two on do you see this risk, how real, and let's say you're on the street in the next week or two. Joe Biden's passing by and he sees a teenager flicking through TikTok on their phone, he looks over and then he turns to you and says, hey, Kara, Sarah, Fred, what should we do about all this? So what's your one minute of advice for dealing with this threat for the next administration? Why don't we go in reverse order of my screen? So Sarah, we'll start with you.

DANZMAN: Okay. Well, thank you. This has been a really excellent discussion. And, Jeff, just to follow up on your point. I take your point that on the specifics of TikTok, it seems as if CFIUS has decided to not, you know, pursue mitigation. But I would say that, you know, we have to be careful to not take too much out of any individual case because CFIUS is a case-by-case process. And we do know that CFIUS does engage in a lot of mitigation, but that mitigation is built on trust. And I think that one thing that we probably can see throughout the course of this administration is a growing distrust that mitigation is going to be effective.

And the, you know, moving into a new administration, I think that we need to be clear eyed about the risk. But there's also an opportunity to think through when can we trust more that mitigation could work, but also sort of when is it just not feasible to get the, you know, our most ideal outcome here, which it seems like we're probably not going to get the ideal outcome when it comes to TikTok. And it seems like we are getting, you know, that the potential kind of Microsoft deal seemed, at least in terms of the reporting, to be better than for the U.S. government than the deal that's being reported out now.

So in terms of what I would say to the Biden administration, is that I think that right now CFIUS is being asked to do too much, and that it was always designed to be a tool of last resort. And it's just a bad idea to overuse it for a bunch of different reasons. It's really much better for the sake of enabling investment climate to lay out more transparent regulations when possible as opposed to sort of doing this kind of case-by-case ad hoc review.

So CFIUS is really important, and we need to use it when it's appropriate, but we should also be working on other regulation that can kind of take care of some of the problems that CFIUS is being shoehorned into. We already talked about a comprehensive data privacy law, that's number one on the list. The second, I already mentioned FARA, I think it needs to be invigorated to better handle state influenced propaganda that is not obviously state-owned.

And the third, we didn't really talk about this at all over the past hour, but I think that we are going to need to think more about dual-use technology. And I think right now we're kind of entering into a phase where we are thinking a little bit more broadly than is helpful when we're thinking about dual use. So I think there's going to be a really difficult process to think through what technologies that are better broadly dual use really should be and also quite frankly, can be controlled and contained. So we're going to need to think not just sort of what is our most preferred outcome, but we're going to need to be a little bit more strategic about when we decide to intervene.

EDELMAN: All right, we've got ninety seconds, forty-five seconds apiece. I guess the vice president moving quickly. Fred, what's your forty-five second advice for him?

TSAI: Really quick one. Number one is restarting the S&ED. Up level it, put it under Vice President-Elect Harris, so she can go head-to-head with China's Wang Qishan. Number two is we got to keep China as part of the system, meaning we got to keep Chinese-related tech players as part of the U.S. system. We want U.S. VC investors in Chinese companies. We want Chinese companies to list here in the U.S. So we've got to do whatever it takes to continue to maintain a stable regulatory environment and to also focus on U.S. commercial interests.

Remember, the entire tech market is a $3.6 trillion dollar market. China owns about 10 percent of it. It's very, very large. We already have large positions in China—Apple, 15 percent; Dell, a large of a piece; Microsoft about 10 percent of their business. We need to both defend those positions and win new ones for Google, Facebook, and the other software and internet giants that we have. We can go out and actually win against China because, again, their offerings domestically are pretty darn mediocre.

EDELMAN: All right, Sarah. Take us home.

FREDERICK: All right. So have a country neutral risk-based framework for addressing this tech competition with China, publicize it, and then you could even go further and establish a really simple, if-then rule set. If a risk is tripped, then this policy mechanism as an act of Leahy laws, Magnitsky Act to that kind of thing, message the national security threat clearly, and deal with it in a way that's measured and not fitful. Don't let them obfuscate an otherwise very noble policy—have a framework.

EDELMAN: Fantastic. Well, thank you so much. Thank you all for joining us for today's meeting. The audio and transcript of today's meeting will be posted on CFR’s website shortly. And to conclude, please join me in virtually thanking Sarah, Kara, and Fred for all their insights. Have a great night, everyone.

(END)

Top Stories on CFR

Trans-Pacific Partnership (TPP)

Though President Trump withdrew from the TPP, the remaining members of the trade pact have forged ahead with a new version, leaving the U.S. role in the Asia-Pacific in question.

Cybersecurity

Democracies should ask themselves whether forming yet another elite club of wealthy states represents the best means to counter China’s and fellow authoritarians’ digital rise.

Middle East and North Africa

The assassination of Iranian scientist Mohsen Fakhrizadeh will intensify debate in Tehran over whether to reengage in the nuclear deal with the Biden administration.