TikTok asks House of Representatives to rescind cyber advisory about company

Short-form video giant TikTok refuted claims made by the Chief Administrative Officer (CAO) of the U.S. House of Representatives last week and called on her to take down a cyber advisory that urged lawmakers to avoid the platform.

A two-page memo from the CAO has been circulating widely around Capitol Hill in recent days, warning that TikTok is a "high-risk" application that "actively harvests" biometric data as well as a range of other user information, including contacts, location, calendar details, SIM card serial numbers, Wi-Fi network names, and photos.

The U.S. House of Representatives’ Chief Administrative Officer has issued a cyber advisory on TikTok, labeling it “high-risk” with personal info accessed from inside China:

“we do not recommend the download or use of this application due to these security and privacy concerns.” pic.twitter.com/F87qwFiHhR

— Brendan Carr (@BrendanCarrFCC) August 17, 2022

"TikTok is a Chinese-owned company, and any use of this platform should be done with that in mind," the memo said. "The 'TikTok' mobile application has been deemed by the CAO Office of CyberSecurity to be a high-risk to users due to its lack of transparency in how it protects customer data, its requirement of excessive permissions, and the potential security risks involved with its use."

The memo concludes by saying that the CAO does not recommend its staff use or download the app, citing security concerns.

In a response letter obtained by Politico and dated August 11, TikTok's head of public policy for the Americas Michael Beckerman wrote that the cyber advisory contained "factual inaccuracies" and that the document needed to be rescinded. A spokesperson for the company confirmed the letter's authenticity to The Record.

Among other things, Beckerman said TikTok stores U.S. user information in company-run data centers in the U.S. and Singapore. The company recently announced that it is routing all U.S. user traffic to Oracle Cloud Infrastructure, and expects to delete personal information from the data centers.

He also denied that the company uses facial recognition technology, nor does it collect precise GPS location in the U.S. "We collect information about a user’s approximate location based, for example, on a user’s SIM card and IP address," Beckerman said. "As the CAO knows, other applications use this same data for similar purposes."

Additionally, he said TikTok does not collect various information highlighted in the cyber advisory, such as SIM serial numbers, active subscription information, or integrated circuit card identification numbers.

Beckerman asked to meet with Catherine Szpindor, the CAO, to discuss the cyber advisory and TikTok's reply. 

A spokesperson for the firm told The Record: "The allegations in the House CAO's advisory about TikTok range from misleading to wrong. We have requested a meeting to discuss the multiple inaccuracies in the advisory, and we look forward to working with them so they can advise Members and staff on concrete steps they can take to keep their data secure and private when using any social platform to connect with constituents."

The company did not say whether it has received a response from the CAO.