TikTok, the social media behemoth that has amassed millions with its endless stream of viral videos and a new generation of influencers, has found itself embroiled in a global geopolitical storm.
Governments worldwide are ramping up scrutiny of the Chinese-owned app, with concerns over data privacy, cybersecurity, and harmful content taking centre stage, along with fears about the platform's ties to the Chinese Communist Party.
From the United States to Europe, a growing number of countries are imposing restrictions on TikTok, primarily banning its use on government devices.
India was the first country to fully ban TikTok in 2020. More recently, Ireland has advised public servants against using the short-form video-sharing app on work devices as a "precautionary measure".
In East Asia, the Japanese government is facing mounting pressure to ban the app.
Meanwhile, private enterprises such as the British Broadcasting Corporation have advised their staff to delete the app from work phones. In some places, such as schools in Florida, US, TikTok usage has been restricted.
The reason? Many fear that ByteDance Ltd, TikTok's Beijing-based parent company, could be compelled to share sensitive user data with Chinese authorities, or manipulate its recommendation algorithm to promote pro-Beijing propaganda and misinformation, or to suppress topics that do not align with China's interests.
Committees, privacy panels, and security investigations are now underway, with lawmakers increasingly viewing TikTok as a national security threat.
Will or should Malaysia be the next country to join the ranks of nations imposing restrictions on TikTok?
In the first of a two-part series, experts cautioned that while there is no concrete evidence to suggest TikTok is a national security threat, concerns are rooted in general distrust of China and awareness of Chinese espionage.
They, however, said the safety and privacy risks facing TikTok users, particularly civil servants and lawmakers, could not be ignored.
Experts said it is important for the Malaysian government to take a measured approach in addressing these concerns.
This, they said, might involve investigating global concerns over the app, increasing regulation to ensure responsible and ethical use of TikTok, limiting or controlling data collection, and banning the app's use on government devices.
TIKTOK TROUBLES: IS YOUR DATA SAFE?
Associate Professor Dr D. Ravichandran K. Dhakshinamoorthy, an expert in security studies and human security, said the concerns raised over the app's safety and security are justified.
This, he said, is because the Chinese government structure is "quite authoritative", where they might "force the company to share TikTok user data".
"So, user information may not be safe and can be used for many other purposes," he warned.
According to recent data from Statista, TikTok has surpassed one billion users worldwide, with 150 million users in the US alone.
In Malaysia, TikTok has seen a significant increase in its user base. Reports indicate that more than 53 per cent of social media users are on TikTok. There were over 14 million users in Malaysia last year.
Ravichandran, from Universiti Kebangsaan Malaysia's Research Centre for History, Politics & International Affairs, said China's lack of robust data sharing and Internet ethics regulation poses a legitimate theoretical concern regarding TikTok's security.
ByteDance is headquartered in Beijing's Haidian district, but is registered in the Cayman Islands. TikTok itself has two headquarters — in Singapore and Los Angeles.
China's 2017 National Intelligence Law states that "any organisation" must assist or cooperate with state intelligence work, while a separate 2014 Counter-Espionage Law says "relevant organisations... may not refuse" to collect evidence for an investigation.
Thus, while TikTok does not operate in China, ByteDance could still be subject to Chinese government pressure to comply with Chinese regulations and security activities, including possibly the transfer of TikTok data.
Chinese authorities can utilise various measures, such as licence revocations, tax and regulatory investigations, and other sanctions to pressure both domestic and foreign companies operating in China to conform to their demands.
In recent years, several incidents have raised concerns about China's potential involvement in cyber espionage and data breaches.
In December 2022, ByteDance fired four employees for improperly accessing the personal data of two journalists, who worked for the Financial Times and BuzzFeed, on the platform.
In February this year, the US military shot down a Chinese spy balloon off the coast of South Carolina.
In 2015, Chinese hackers breached the computer system of the US Office of Personnel Management, compromising the data of millions of federal employees.
Ravichandran, however, pointed out that there is still no substantive evidence to suggest that TikTok poses an imminent threat to national security.
"There appears to be a concerted effort by the West and several Asian countries to 'attack and curtail' China's Internet penetration.
"China's lack of transparency to deal with issues regarding Internet spying, cybersecurity risk, and data privacy exacerbated these concerns," he added.
Associate Professor Dr Ainuddin Wahid Abdul Wahab of Universiti Malaya highlighted that the primary concern with TikTok was its ties with the Chinese government and the potential national security risks it posed.
"As with other countries, Malaysia's concern with TikTok is data privacy and intelligence gathering by foreign nations."
TikTok, he said, collected a vast amount of user information, including location and ideology, based on the content posted.
"This includes details that are not publicly available, such as behavioural information, but can be harvested by the platform even if the data is given with user consent.
"This is a valid concern unless we have no issues with them," said the deputy dean of research at the Computer Science and Information Technology Faculty.
UNDERSTANDING THE THREAT
Farlina Said, a senior analyst at the Institute of Strategic & International Studies Malaysia, said Malaysia's National Security Policy defines national security as "a state of being free from any threat, whether internally or externally, to its core values".
Malaysia's primary national security concerns are territory and national unity, but for cyberspace, she said, authorities might be concerned with the protection of critical national information infrastructure and the integrity of functions.
On TikTok's potential threat to national security, Farlina noted the importance of understanding the app's risks by breaking it down into its physical, logical and social layers.
The physical layer, she said, referred to the location of TikTok's servers, which are bound by the jurisdiction of their location.
"The ideal jurisdiction is one that has good oversight mechanisms, is transparent in investigations, and upholds norms of responsibility to manage data.
"Some governments may move data into their own jurisdiction or onto national soil, which is often called data localisation."
ByteDance stated that its data was stored in servers in the US and Singapore, entirely outside of China, but reports claimed that "everything is seen in China".
The logic layer, Farlina said, included codes and algorithms that enabled the app's functionality but could also skew suggestions, develop biases, or possess vulnerabilities that could lead to data leakage.
"It is also here that the dangers of data collection and social networking sites can be found. While these sites claim to collect information to tailor user experiences, there is a tendency for excessive collection of information.
"For example, Facebook tracks data from sites where users can like or log in with a Facebook account.
"TikTok reportedly drops trackers that can be enabled by website owners, and the information collected includes the user's behaviour on the page, such as what they click on or what they type. This information is then used by advertisers for targeted ads."
The social layer, where users form digital representations of themselves and their social ties, can also pose a threat as it allows people with malicious intent to congregate, such as recruitment efforts for extremists, Farlina said.
However, she said, not all data is at the threshold of national security.
In Malaysia, there are two data protection regimes. One is the Personal Data Protection Act 2010, under which data is classified as personal data or sensitive personal data. The latter refers to information such as health records.
The other, Farlina said, is the public sector, where, with reference to the Official Secrets Act 1972, classifications such as confidential, restricted, secret, and top secret would clearly demarcate the national security risk of the information.
THREAT TO NATIONAL SECURITY, PRIVACY: GOVERNMENT MUST ACT
TikTok states the types of data it collects on its privacy policy page, which include IP address, profile across devices and location.
Other types of information that may be collected and stored are the visuals of the content before it is uploaded.
The information is also collected by and accessible to third parties, and some reports state that the data collected includes keystrokes and scrolling patterns.
Farlina said this information could be sensitive and impact the personal security of an individual, especially if the app tracked an individual's activities across sensitive sites such as those on health records.
"The overt data collection functions on consent. However, hidden data collection that builds on trackers may not be easily circumvented.
"As data retention is throughout the usage of the application, a person's digital profile built by TikTok and trackers would be available for the lifespan of the application with an individual," she warned.
She stressed that an individual's rights and choices on the platform are dependent on the control regulations that governments impose on the platforms.
Thus, on the policy page, it was stated that in some jurisdictions, there could be rights to delete or be informed of the processing of your data — which would make data transferred through third parties less opaque, Farlina noted.
For this, she said, it might be worthwhile for the government and society to construct the parameters and compliance needed to limit or control data collection.
"The app itself may have mixed assessments of thresholds for national security.
"Content produced by users and data collected then manipulated could instigate issues detrimental to national security such as those on national unity.
"A user could upload confidential information that is a national security concern, thus releasing confidential information to the public.
"A user of high interest could have their data tracked across applications and browsers which opens the vulnerability to influence campaigns.
"It should be noted that TikTok publishes Transparency Reports, inclusive of information requested by governments.
"However, if source codes and backdoors are a part of jurisdiction oversight mechanisms, there can be less trust in the application for the user."