If China Is Weaponizing Access to U.S. Data, We Need to See the Evidence

The Biden administration in recent months has raised alarms and taken a series of actions to prevent sensitive U.S. data from falling into the Chinese government’s hands—from an executive order preventing access to sensitive U.S. data by “countries of concern” to an investigation into Chinese-made connected cars, and a decision to remove and replace Chinese-made cranes from U.S. ports. Meanwhile, Congress is considering a bill to force TikTok’s divestiture (or ban it), and the Federal Trade Commission is investigating TikTok over allegedly faulty privacy and data security practices.

But while it is important for national security to prevent foreign adversaries from leveraging U.S. data for geostrategic advantage, it is also critical for U.S. economic security and technology leadership not to undermine the critical role that data and data flows play in modern commerce. So, before enacting laws and regulations that will redefine the U.S. approach to data governance, the Biden administration should disclose detailed information regarding how the Chinese government forces Chinese tech firms to provide access to their data and services, and how this affects U.S. national security, data privacy, and other interests.

Thus far, the debate over Chinese government access to data and tech services relies largely on broad analysis of Chinese laws, anecdotal media reporting, and vague anonymous statements and analysis from U.S. intelligence officials. The Biden administration needs to do a better job of presenting evidence to the public about the risk (and practices) of Chinese government access to data held by private firms. The existing public evidence base is insufficient for an informed debate. Even a public report with general descriptions and case studies (without divulging specifics such as identifying people, firms, or intelligence-gathering methods) would be highly beneficial. Given the fact that the Chinese government is unlikely to willingly disclose how it accesses Chinese tech firms’ data and services, it falls to the United States to shed light on the nature of this risk. This is crucial for better informing U.S. policy debates on China and safeguarding U.S. data privacy and security.

The central concern revolves around understanding how the Chinese government covertly surveils and influences Chinese tech firms’ data and services in order to expand its power and influence in other countries. There are two genuine and legitimate concerns over China’s government’s forced access to data and services: potential exploitation of U.S. individuals' data for espionage and other nefarious purposes, and control and manipulation of algorithms, such as those for TikTok, for propaganda. At the moment, there’s a lack of clear and detailed public information to address this question definitively.

It’s well known that China censors and controls content on Chinese tech platforms at home. It is becoming clearer that China also does this abroad. However, it's inadequate to rely solely on statements like the one found in the U.S. Annual Threat Assessment of the U.S. Intelligence Community report, which claims that “TikTok accounts run by a PRC propaganda arm reportedly targeted candidates from both political parties during the U.S. midterm election cycle in 2022.” This issue is not limited to TikTok and happens across platforms. This assertion about TikTok appears to come from media reporting rather than some means of intelligence collection. The Biden administration needs to do a much better of presenting its case to convince U.S. policymakers and allies that this is a major issue that needs to be addressed.

The Biden administration and Congress have legitimate concerns about whether Chinese tech firms can resist the demands of the Chinese government. U.S. policymakers frequently highlight broad and ambiguous provisions in China's national security, data security, intelligence, and cybersecurity laws to argue that Chinese citizens and firms are subject to direct orders from the government, including its intelligence agencies. Legal analysis suggests that it would be challenging (to say the least) for any Chinese citizen or company to resist direct requests from Chinese security or law enforcement agencies. Other analysis makes the point that China’s new data privacy law “serve to primarily regulate the relationship between large technology companies and consumers, as well as to prevent cybercrime. It does not create meaningful constraints on data collection and use by the state.” A European Data Protection Board legal analysis supports this in its own analysis, which shows that China lacks meaningful legal protections against government surveillance. These legal assessments are all fair and accurate, but insufficient for the broad and sweeping laws the U.S. is considering.

There are few specific details about how China’s government access to private sector data and services works in practice. This includes information on the frequency and types of data and services accessed, as well as the legal or extralegal mechanisms utilized. The situation is undoubtedly complex, given the Chinese Community Party is intertwined with tech firms through personnel and ownership stakes. However, it’s unclear what level of influence and operational control these connections provide. Shedding light on how this operates in practice is challenging. As Matt Sheehan (from the Carnegie Endowment for International Peace) states, for much of its history, ByteDance (which owns TikTok) had a fraught relationship with the Chinese government. It’s an open question about the nature of relationship following the government buying a stake in ByteDance and whether its broader crackdown on the tech sector changed the relationship. There’s also the painful, abjectly political apology that ByteDance’s CEO gave to China’s leaders. Some of the little public information available on whether and how ByteDance accesses TikTok’s U.S. data comes from anecdotal media reports quoting former employees. For example, The Financial Times has reported that four ByteDance staff (two in the United States and two in China) gained access to the IP addresses and other personal data of FT journalist Cristina Criddle. However, separate media reports raise questions about claims made by one key former TikTok employee regarding the transfer of U.S. data to China. This underscores the need for a more authoritative government assessment of the risk.

The potential role of Chinese intelligence and security agencies further complicates the challenge of producing a comprehensive public report outlining the nature of the risk. This is why selectively declassified intelligence is critically important. American intelligence officials have reportedly told U.S. senators in classified briefings that the Chinese government can use its direct and absolute control over ByteDance to exert a malign influence over what users see on TikTok and to spy on their private information. Senator Blumenthal said the briefing's "level of detail and specificity was extremely impactful." In a letter to Avril Haines, Director of National Intelligence, Sens. Richard Blumenthal (D-CT) and Marsha Blackburn (R-TN) have demanded the declassification of the briefing they received about TikTok as it showed how TikTok is “a clear and present threat to national security and privacy.” Senate Intelligence Committee Chairman Mark Warner (D-VA) also stated that he’d like to get as much of the briefing declassified as possible.

The Biden administration should lay out a detailed bill of particulars as to what is known about China’s control and use of its tech firm’s data and services. It should declassify intelligence (where possible), do a thorough review of open-source information, conduct confidential surveys, and gather, aggregate, and anonymize details and cases (including from allied countries) that relate to legal, extralegal, and extra-territorial government access to data and services from problematic jurisdictions like China. Likewise, the Biden administration should detail what the U.S. government knows about foreign government’s access to information about U.S. citizens purchased via data brokers.

More transparency would not only help inform debate in Congress, but it would also help get U.S. allies on board with new and emerging U.S. laws and regulations targeting China’s coercive access to data and services. It would help dispel concerns that recent U.S. measures targeting China are simply punitive tit-for-tat measures in U.S.-China geopolitical competition. It’s highly likely that after the United States enacts its data security regime, the administration will pressure U.S. allies to do the same. By extension, laying out details of China’s coercive access and use of data and services provides the juxtaposition to the positive principles and processes that the United States and dozens of other countries committed to at the Organization for Economic Cooperation and Development’s (OECD’s) agreement on Trusted Government Access to Personal Data Held by Private Sector Entities. If the Biden administration were to take the lead in publicizing and addressing regressive Chinese government data practices, it would also be stealing the European Union’s thunder as the supposed global leader of data privacy. This would be ironic given the European Union’s singular focus on U.S. surveillance practices, with no attention or action taken to stop EU personal data going to China or Russia despite the clear lack of legal protections in both countries.

The U.S. government, and other like-minded allies, need to do more to address the alleged threat posed by the Chinese government’s access and control of data and services. Greater transparency should be a first step.