TikTok, the popular short-video app owned by China’s ByteDance – as well as Apple, the American technology giant – came under heavy fire in Washington on Tuesday as lawmakers and experts called to testify at a US Senate hearing dismissed assurances by both companies that the data of their American users is secure from hacking by Beijing.

“TikTok claims they don’t store American user data in China,” Senator Josh Hawley, chairman of the Senate Subcommittee on Crime and Terrorism, said in opening remarks at the hearing titled: “How corporations and big tech leave our data exposed to criminals, China, and other bad actors.”

US Senator Josh Hawley, Republican of Missouri, questioned TikTok’s ability to refuse to transfer any data the Chinese government might seek. (Picture: US Senate)

“That’s nice, but all it takes is one knock on the door of their parent company, based in China, from a Communist Party official, for that data to be transferred to the Chinese government’s hands whenever they want it,” said Hawley, a Republican representing Missouri, who has emerged as a leading congressional critic of Beijing.

Experts at the hearing largely agreed with the way Hawley and the subcommittee’s ranking Democrat, Senator Sheldon Whitehouse of Rhode Island, characterized the cybersecurity threat that TikTok and Apple pose.

“While TikTok claims to store its data in the United States as of today, its Beijing-headquartered parent company, ByteDance, is subject to” a new cybersecurity law that China will fully institute in 2020, Kara Frederick, a fellow for technology and national security at the Washington-based think tank Center for a New American Security, said.

“In addition to this legislation, technical vulnerabilities in systems built and owned by Chinese companies abound,” she added.

Frederick, who previously served as a senior intelligence analyst for a US Naval Special Warfare Command and spent six years as a counterterrorism analyst at the US Defense Department, said those vulnerabilities included “much-discussed backdoors in code that would allow the Chinese government access to third-party systems and security flaws hidden in a programming vulnerability, or bugdoors.”

Kara Frederick, of the Center for a New American Security, testifying on Tuesday at a Senate hearing in Washington. (Picture: US Senate)

“Flaws could even be introduced later via a software update.”

After surging in popularity in recent years, TikTok has received increasing scrutiny from the US government over privacy concerns and censorship by China. It was the most downloaded non-game app in the US at the start of 2019 and the world’s fourth most-downloaded non-game app last year.

The Committee on Foreign Investment in the United States (CFIUS), which reviews deals involving foreign buyers for potential national security risks, began looking into TikTok because ByteDance had failed to seek clearance from CFIUS when it acquired Musical.ly, a similar social-media service, according to a report by Reuters, citing people with knowledge of the matter.

ByteDance also owns content apps including Douyin, the mainland Chinese market’s version of TikTok, and news aggregator Toutiao. A year ago, Bloomberg valued ByteDance at US$75 billion based on funding provided by SoftBank Group, a financing round that made the company the world’s biggest privately backed start-up.

The Chinese-owned video app TikTok, the most downloaded non-game app in the US at the start of 2019, is drawing attention as a potential security threat to the personal data of Americans who use it. (Picture: AFP)

TikTok’s US general manager, Vanessa Pappas, asserted in a letter to Hawley and Whitehouse that the company stores all US user data in the United States, “with backup redundancy in Singapore.”

“TikTok’s data centers are located outside of China,” the letter continued. “Further, we have a dedicated technical team focused on adhering to robust cybersecurity policies, data privacy, and security practices. In addition, we hired a leading US-based outside auditing firm which analysed TikTok and its data security practices, and we are committed to doing this type of audit on an ongoing basis.”

On censorship, Hawley referred to a report in The Washington Post on Tuesday that cited former US TikTok employees saying that the company’s moderators based in Beijing had the final call on what content was approved for the platform. The former employees said their attempts to persuade Chinese teams not to block or throttle some content were routinely ignored, according to the report.

“Countries like China have strict laws governing online speech and are utilizing tools like facial recognition, drones and biometric scanners to monitor and detain minority groups in the western province of Xinjiang,” said William Carter, deputy director of the technology policy program at the Washington think tank Center for Strategic and International Studies, who was also asked to testify.

“Companies that operate in China may have no choice but to censor and identify users engaged in political speech and provide the government with nearly unfettered access to their data if asked, and companies who sell these technologies to China may be knowingly or unknowingly enabling human rights abuses,” Carter said.

Apple also came under criticism for moving to comply with China’s new cybersecurity law, which requires any company running data through the country to store these data on local servers, which could theoretically provide access to government organs.

To comply with China’s cybersecurity law, Apple entrusted its iCloud operations to Guizhou-Cloud Big Data (GCBD), which reportedly has close ties to the Chinese government. GCBD later transferred Chinese Apple users’ iCloud data to servers run by China Telecom, one of the country’s three state-run telecoms companies.

Before the transfer, the Chinese authorities would have had to go through US courts to obtain iCloud data for a specific user. The move by Apple triggered widespread concern about the Chinese government’s access to the personal data of Chinese Apple users.

Apple, which sent the committee no representative and no statement, has said that it controls the encryption keys, not its Chinese partner. But Klon Kitchen of the Washington-based Heritage Foundation, another witness called for the hearing, disagreed.

China’s cybersecurity law “simply requires access,” said Kitchen, a senior fellow for the think tank’s technology, national security and foreign policy program.

“Anyone who thinks that [China’s companies or the Chinese units of US companies] can look at the government in Beijing and tell them ‘no’ – that’s a fundamental misunderstanding of how the government in Beijing works,” Kitchen added.