Last month, media reported that TikTok’s U.S. privacy policy was updated to say the company “may collect biometric identifiers and biometric information as defined under U.S. laws, such as faceprints and voiceprints.” TikTok’s new policy also states it may “share all of the information we collect with a parent, subsidiary, or other affiliate of our corporate group.”
This poses enormous challenges for U.S. policymakers, ones that go to the heart of data collection in a globalized world. TikTok’s parent company, ByteDance, is headquartered in Beijing and is one of China’s technology giants, specializing in social media platforms built on artificial intelligence and machine learning.
It is standard practice for global companies to acknowledge, via their privacy policies, that user data may be transferred, and when transferred, governed by foreign laws outside of their own jurisdiction. Chinese companies are not exceptional in this way. But what is exceptional is the way the Chinese Communist Party-state has used such laws—and other tools—to give it ultimate influence over digital technologies and the flow of data.
ByteDance’s own privacy policy says it will share data without the subject’s prior consent if “the data relates to national security, national defense, public security, or public health” or to “meet the requirements of relevant laws, regulations, procedures, and judicial proceedings.” The very definition of activities that allegedly harm national security is arbitrary at best in China. It effectively boils down to what the state wants, the state gets.
Such expectations are not abnormal for Chinese companies. They are the rule.
The Trump administration’s efforts to ban TikTok made headlines in 2020, but the focus was in the wrong place. Discussion centered on whether the Chinese government could pressure TikTok to censor or influence content in the United States. The bigger worry should have been how TikTok’s data could be fed back into the data ecosystem the Chinese government is building.
For the Chinese government, the global data it seeks can be harvested from multiple source types and through various means. An obvious source is malicious cyber intrusions—like the January Microsoft Exchange hack allegedly perpetrated by Chinese security agencies. But data can also be sourced from less visible and far more normalized means of data collection, which leverage legitimate downstream data access through digital supply chains.
Most obviously, data (such as location data) can enable the surveillance of specific individuals, as with the Pegasus spyware, which was found to target the phones of “lawyers, human rights defenders, religious figures, academics, businesspeople, diplomats, senior government officials and heads of state.” But that kind of targeting still reaches a relatively small group of people.
Less obvious are examples like Global Tone Communication Technology (GTCOM), a subsidiary of a conglomerate controlled by the Central Propaganda Department. It collects data through the machine translation products it offers, which are embedded in solutions provided by globally recognizable companies like Huawei. For GTCOM, “real-time listening and interpretation of cross-language data” helps it support China’s state security objectives by enabling “image recognition on top of text and voices” that can “better prevent [state] security risks,” said Liang Haoyu, GTCOM’s director of big data.
But data collection like this does not have to target specific individuals to have relevance or use to a state actor.
Technology companies from both the United States and China have a dominant presence across all the key layers of the stack: software applications, storage and software infrastructure, hardware, and carrier infrastructure. The difference between the two lies largely in how China conceives of the data’s usefulness, which goes beyond traditional intelligence collection, and in the ways China accesses data, which extend into the normal operations of China-based companies with a global presence.
Most of the 27 companies tracked by the Australian Strategic Policy Institute’s (ASPI) recently relaunched Mapping China’s Tech Giants project are heavily involved in the collection and processing of vast quantities of personal and organizational data—everything from personal social media accounts to smart cities data to biomedical data.
The data that applications like TikTok collect can be valuable for a number of reasons, such as sentiment analysis that tracks public feeling about particular events or issues. With this information, the data from platforms like TikTok reveals not only which messaging is effective or ineffective for particular demographics but also how effective it is, in the same way that U.K.-based political consulting firm Cambridge Analytica used the data of 50 million Facebook users to influence the 2016 U.S. presidential election and, allegedly, the Brexit referendum.
Similarly, data can support a state in carrying out policies, including repression of marginalized groups. A Reuters investigation recently found that genomics company BGI Group used globally acquired data from its prenatal tests to run analysis, including for a study to detect mental illnesses that singled out repressed Tibetan and Uyghur minority groups.
China’s new Data Security Law, enacted in June, established that in China, data will be collected, stored, and processed in a manner that’s consistent with the party state’s paramount security concepts and objectives. As described in a new ASPI policy report I worked on, “Mapping China’s Tech Giants: Supply chains & the global data collection ecosystem,” the party’s Central State Security Commission is directed under the Data Security law to oversee “decision making and overall coordination on data security work, and researching, drafting and guiding the implementation of national data security strategies and relevant major guidelines and policies.”
This law applies not just to domestic data-handling activities but also to data-handling activity taking place “outside the territory of the PRC.” If those activities are seen to “harm the state security, the public interest, or the lawful rights and interests of citizens” and organizations of China, they are to be pursued for legal responsibility “in accordance with law.”
The Chinese authorities have not been shy about applying such national security laws globally. Hong Kong’s national security law, enacted in June 2020, illustrates this. It criminalizes secession, subversion, terrorism, collusion with foreign forces, and support for any of those activities by anyone in the world, no matter where they are located. Hong Kong authorities have already charged U.S. citizens and U.K. residents under the law for Hong Kong pro-democracy activities.
In an age where information warfare and disinformation campaigns occur regularly across social media platforms and are among the greatest threats to social cohesion, data about public sentiment is as strategically valuable as data about more traditional military targets.
Western states urgently need an effective long-term framework for dealing with data security risks emerging from China and global operations of Chinese companies.
No assurances from any individual China-based company—no matter how loud or compelling they may be—can mitigate the political, security, and supply chain risks that now come with operating in China. The Chinese Communist Party has absolute power over China-based companies, which its laws—like the 2021 Data Security Law, 2015 National Security Law, 2016 Cybersecurity Law, or 2017 National Intelligence Law—have reinforced. For companies that host massive amounts of data, especially data that originated from other parts of the world, including the United States, the risks are now even greater. Recent scrutiny of businessperson Jack Ma and his company Alibaba as well as the investigation into ride-hailing app DiDi Chuxing further reinforces the party state’s willingness to exercise its power to rein in China’s technology giants and force them to adhere to the party state’s interests.
Western policymakers are starting to adjust to this reality. The Biden administration, for example, issued an executive order in June protecting Americans’ sensitive data from foreign adversaries. The order calls for evaluating risks of applications, such as TikTok, and if undertaken with careful consideration, it offers a more long-term and much needed policy reset. The administration also revoked an executive order made by former U.S. President Donald Trump that banned WeChat and TikTok but did not go into effect after a series of court defeats.
The Biden administration has taken an important and necessary step. This is not a softer stance; it is shifting the focus away from individual companies and apps and, instead, is placing policy emphasis on the problems that stem from the companies’ operating environments.
This reset does not mean companies like TikTok will face less scrutiny. Instead, it points U.S. policy toward seeking out systemic risk rather than isolated cases of single firms, moving on from the short-term and unsustainable game of whack-a-mole that so many governments have played with Chinese technology companies, including in dealing with 5G and issues with Huawei.
The onus shouldn’t fall on governments alone. As I’ve argued in “Mapping China’s Tech Giants: Supply chains & the global data collection ecosystem,” organizations must know and assess the value of their data. They must also determine the value of that data to any party in their supply chain that has access to it or that might be granted access. Risk needs to be understood in a way that keeps up with the current threat landscape, in which otherwise innocuous data can be aggregated to carry meaning that can undermine a society or individuals.