Fraud Management & Cybercrime , Governance & Risk Management , Privacy

TikTok CEO Aims to Assure Lawmakers Americans' Data Is Safe

But Congress Questions Shou Chew's Promises of Privacy, Data Security and Safety
TikTok CEO Aims to Assure Lawmakers Americans' Data Is Safe
Shou Chew, CEO of TikTok, testifies before the House Energy and Commerce Committee on March 23, 2023. (Image: U.S. Congress)

TikTok CEO Shou Zi Chew appeared Thursday before Congress to defend his company against accusations that it is imperiling Americans' national security, privacy and mental health. But many lawmakers questioned his assertions that the company and its data remained free of inappropriate control from China.

See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm

TikTok, owned by Beijing-based ByteDance, says its short-video app is used by 150 million Americans who use TikTok on a monthly basis, including two-thirds of American teenagers.

Appearing before the House Energy and Commerce Committee, Chew promised lawmakers that his company would prioritize safety, "particularly for teenagers," and would "firewall protected U.S. data from unwanted foreign access," promote freedom of expression and avoid being manipulated by any government, and maintain transparency.

Seeking to align what TikTok does with the practices of other large technology firms, Chew called on Congress to pass federal privacy legislation. "We believe what's needed are clear, transparent rules that apply broadly to all tech companies," he said. "Ownership is not at the core of addressing these concerns."

But the ownership question was high on many lawmakers' agendas, given that TikTok's privately owned parent company is based in China. ByteDance says global investors own 60% of its shares, employees 20% and its founders 20%, although the founders' shares come with extra voting rights, as is typical for technology firms. The Chinese government took a minority stake in ByteDance in 2021.

President Joe Biden has called on ByteDance to divest or risk seeing TikTok get banned (see: TikTok Says US Threatens Ban Unless Chinese Owners Divest).

In response, TikTok has suggested a "Project Texas" plan - so named because that is where its U.S. technology partner Oracle is based - that would not involve any forced sale. Instead, TikTok has pledged to spend billions of dollars to shift the storage of Americans' user data to U.S. soil and to hire third-party experts to review the company's source code and monitor its data security and storage practices.

But the committee's chair, Rep. Cathy McMorris Rodgers, R-Wash., dismissed Project Texas as being little more than a "marketing scheme." She said national security legislation passed by the Chinese government in 2017 compels "Chinese companies like ByteDance to spy on their behalf," and claimed companies such as TikTok must grant the government "access and manipulation capabilities as a design feature."

Likewise, the committee's ranking member, Rep. Frank Pallone, D-N.J., told Chew, "I still believe that the Beijing communist government will still control and have the ability to control what you do," as well as access Americans' data wherever it gets stored.

Chew replied: "I have seen no evidence that the Chinese government has access to that data."

TikTok Concerns Continue

Chew's appearance before Congress comes after two U.S. presidents have grappled with the question of how to handle TikTok. President Donald Trump in August 2020 ordered ByteDance to divest TikTok and banned U.S. companies from working with TikTok. The company fought the order in court, leading to it being suspended.

President Biden in June 2021 revoked and replaced the order and instructed the Committee on Foreign Investment in the U.S. to review foreign-built apps that might pose a national security risk. After that effort stalled, Biden ordered ByteDance to divest.

Instead, TikTok has proposed storing all U.S. data solely on U.S.-based servers, which Chew said could be accomplished by 2024, among the other Project Texas proposals.

The CEO also faced multiple questions from lawmakers about whether the Chinese government has the ability to restrict content on TikTok, including about the country's mass internment of Uyghurs or the 1989 Tiananmen Square massacre.

Chew said TikTok is not available in "mainland China" and added, "We do not promote or remove content at the request of the Chinese government."

The CEO's attempt to frame TikTok as remaining free of Chinese government control was complicated by remarks from Beijing.

On Thursday, in a Wall Street Journal report that appeared prior to Chew's testimony, a Chinese government spokesman said Beijing would "firmly oppose" any requirement that ByteDance divest its ownership in TikTok and said any such sale would also have to be approved under China's technology export control rules.

"Despite your assertions to the contrary, China certainly thinks it's in control of TikTok and your software," Rep. Michael Burgess, R-Texas, told Chew, citing the Journal's report.

Source Code Questions

Rep. Bill Johnson, R-Ohio, a former CIO, accused Chew of being "evasive" in his answers on the security, privacy and censorship fronts. Referencing a 2021 report from the University of Toronto's Citizen Lab, which studies government surveillance, Johnson said it had found substantial overlap between the TikTok app and its Chinese counterpart Douyin, also owned by ByteDance. "What is shocking to me is the shared source code," he said, as well as the fact that Douyin's censorship controls are also present in TikTok code - just deactivated.

Chew, in his written statement to the committee ahead of his appearance, said the Citizen Lab report "found that there was no overt data transmission by TikTok to the Chinese government and that TikTok did not contact any servers within China."

But Johnson said that the head of The Citizen Lab, Ron Deibert, tweeted Wednesday that Chew's assertions were inaccurate.

Deibert wrote in a tweet: "Our analysis was explicit about having no visibility into what happened to user data once it was collected and transmitted back to TikTok's servers," adding that it was technically feasible for the data to then get routed elsewhere.

Deibert also used the occasion of the hearing to call for better U.S. privacy legislation, saying lawmakers' TikTok concerns "should serve as a reminder that most social media apps are unacceptably invasive-by-design, treat users as raw material for personal data surveillance, and fall short on transparency about their data-sharing practices."

Multiple committee members also called for the passage of such legislation.

"We can't wait any longer to pass comprehensive national privacy legislation that puts people back in control of their data," Pallone said. "We must hold big tech accountable for its actions, and transparency is critical to that accountability."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.