Logo of the social network application Tik Tok on the screen of a phone. (Martin Bureau/AFP via Getty Images) NEW YORK (VINnews) — Employees who formerly worked in TikTok, the popular social media app, have expressed their concern that the company is controlled by the Chinese parent company. The employees say that the Chinese government could theoretically use TikTok to spread propaganda or censorship to American audience, or to exercise influence over users who may come to regret what they posted on the service.

A CNBC report described how the employees were concerned that the parent company, ByteDance, has access to all of the American user data, including a user base of nearly 92 million people in the US. The popular app has even surpassed Instagram in popularity, becoming the second favorite social media app behind Snapchat according to an October 2020 report by Piper Sandler.

Former President Donald Trump sought to ban TikTok in the U.S. or force a merger with a U.S. company. The Trump administration, including Secretary of State Mike Pompeo, expressed national security concerns over the popular social media app’s Chinese ownership, with Pompeo saying at one point that TikTok might be “feeding data directly to the Chinese Communist Party.” TikTok has consistently denied those claims, telling CNBC, “We have never provided user data to the Chinese government, nor would we do so if asked.” In the company’s last four semi-annual transparency reports, it does not report a single request from the Chinese government for user data.

President Biden recently revoked Trump’s order to ban the app unless it merged with a US buyer but did discuss criteria for evaluating security risks of foreign-based apps.

A look at TikTok’s privacy policy states that the company can share the data it collects with its corporate group, which includes ByteDance.

“We may share all of the information we collect with a parent, subsidiary, or other affiliate of our corporate group,” the privacy policy reads.

The former employees said that this means that the parent company maintains sensitive personal information on all of its users, including IDs and other information the company has about its users. Moreover the users have already granted the legal right to the company to use the information and share it with the Chinese legal authorities if required, according to Bryan Cunningham, executive director of the Cybersecurity Policy & Research Institute at the University of California, Irvine.

As CNBC reported in 2019, China’s National Intelligence Law requires Chinese organizations and citizens to “support, assist and cooperate with the state intelligence work.” Another rule in China, the 2014 Counter-Espionage law, has similar mandates.

Cybersecurity experts who spoke with CNBC said there are a number of risks that come with TikTok being so interwoven with its parent company.

One set of risks is how the Chinese government could spread propaganda or influence the thinking of the Americans who use TikTok each month. This could be done through short-length videos that the Chinese government may want to show to Americans, whether it be factual content or misinformation. The company could also choose to censor certain types of content.

This has already happened in a few instances. For example, the company instructed moderators to censor videos that mentioned Tiananmen Square, Tibetan independence or the religious group Falun Gong, according to a September 2019 report by The Guardian. Following the report, TikTok said it no longer practiced that censorship and said it recognized that it was wrong.

“Today we take localized approaches, including local moderators, local content and moderation policies, local refinement of global policies, and more,” the company said in a statement at the time.

In November 2020, TikTok’s U.K. Director of Public Policy Elizabeth Kanter admitted during a parliamentary committee hearing that the app had previously censored content that was critical of the Chinese government in regard to forced labor of Uyghur Muslims in China. Afterward, Kanter said she misspoke during the hearing.

“Anytime [the Chinese government has] control over a platform like TikTok that has billions of users and is only getting more popular, it gives them power to feed our mind what we should think about, what we consider truth and what is false,” said Ambuj Kumar, CEO of Fortanix, an encryption-based cybersecurity company. Kumar is an expert on end-to-end encryption, including dealing with China’s special conditions for data encryption.

A bigger and much less discussed concern is the data TikTok collects from its users and how that data could be exploited by the Chinese government.

TikTok’s privacy policy explains that the app collects all kinds of data. This includes profile data, such as users’ names and profile images, as well as any data users might add through surveys, sweepstakes and contests, such as their gender, age and preferences.

The app also collects users’ locations, messages sent within the app and information about how people use the app, including their likes, what content they view and how often they use the app. Notably, the app also collects data on users’ interests inferred by the app based on the content that users view.

Most importantly, TikTok also collects data in the form of the content that users generate on the app or upload to it. This would include the videos that users make.

Some experts said they’re concerned that content created by a teenager now and uploaded to TikTok, even as an unpublished draft, could come back to haunt that same person if they later land a high-level job at a notable American company or start working within the U.S. government.

“I’d be shocked if they are not storing all the videos being posted by teenagers,” Kumar said. “Twenty years from now, 30 years from now, 50 years from now when we want to nominate our next justice to the U.S. Supreme Court, at that time they will go back and find everything they can and then they’ll decide what to do with it.”

American companies such as Facebook, Google and Twitter also possess significant information about their users but cannot be forced to submit information to the government. ByteDance however is subject to Chinese law.

“ByteDance is a Chinese company, and they’re subject to Chinese national law, which says that whenever the government asks for the data a company is holding for whatever reason, the company must turn it over. They have no right to appeal,” said Jim Lewis, senior vice president and director, strategic technologies program at the Center for Strategic & International Studies, a foreign affairs think tank. Lewis previously worked for various agencies in the U.S. government, including on Chinese espionage.

“If the Chinese government wants to look at the data that ByteDance is collecting, they can do so, and no one can say anything about it,” Lewis said.

The Chinese government’s track record when it comes to human rights and widespread surveillance is reason for concern.

“Given the Chinese government’s authoritarian bent and attitudes, that’s where people are really concerned with what they might do,” said Daniel Castro, vice president at the Information Technology and Innovation Foundation, a nonprofit, nonpartisan think tank.

In particular, these experts cite the 2015 hack of the Office of Personnel Management, in which intruders stole more than 22 million records of U.S. government employees and their friends and family. The hackers behind the breach were believed to have been working for the Chinese government.

“They’ve collected ten of millions of pieces of data on Americans,” said Lewis. “This is big data. In the U.S. they use it for advertising … in China, the state uses it for intelligence purposes.”

Americans who decide to use TikTok should do so with the understanding that they are likely handing their data over to a Chinese company subject to the Chinese government, said Bill Evanina, CEO of Evanina Group, which provides companies with consultation for risk-based decisions regarding complex geopolitics.

“When you’re going to download TikTok … and you click on that ‘I agree to terms’ — what’s in that is critical,” Evanina said.

Not all experts, however, are concerned that TikTok is a threat.

Graham Webster, editor in chief of the Stanford-New America DigiChina Project at the Stanford University Cyber Policy Center, notes that most of the data that TikTok collects could just as easily be gathered by the Chinese government through other services. China doesn’t need its own consumer app to exploit Americans’ data, he said.

“I find it to be a very low-probability threat model for actual national security concerns,” Webster said.

Cybersecurity experts are now demanding that TikTok to be more transparent about what its data collection process is in order to gain public credibility.

Jason Crabtree, CEO of cybersecurity company Qomplex, formerly served as a senior advisor to the U.S. Army Cyber Command during the Obama administration. He said TikTok should be clear on what it collects, where it is stored, how long it is stored for, and which employees of which companies have access to the data.

A TikTok information sheet states that the company stores U.S. user data in Virginia with a backup in Singapore and strict controls on employee access. The company does not specify which user data it collects, saying “the TikTok app is not unique in the amount of information it collects, compared to other mobile apps.” The company says it stores data “for as long as it is necessary to provide you with the service” or “as long as we have a legitimate business purpose in keeping such data or where we are subject to a legal obligation to retain the data.” The company also says any user may submit a request to access or delete their information and TikTok will respond to the request consistent with applicable law.

“If all those things are documented and attested to, you have a much better shot at explaining to the U.S. public, to regulators and other interested parties why this is no issue to consumers,” Crabtree said. “If you don’t or are unwilling to provide real clarity then that’s something people should rightfully be really concerned about.”

However Cunningham is unsatisfied: “As long as TikTok is a subsidiary of ByteDance, I certainly will not be satisfied with any purported technological fixes,” he says.

Rather than focusing specifically on TikTok or Chinese apps, the U.S. should make stronger privacy regulations to protect Americans from all tech companies, including those with ties to adversary nations, Webster said.

“The solution ought to be comprehensive privacy protection for everyone, protecting you from American companies and Chinese companies,” Webster said.