How a TikTok ban in the U.S. might work

If TikTok is banned in the U.S., connecting to the app likely won't be as easy as using a virtual private network.


TikTok is at risk of being banned in the U.S. if Chinese parent ByteDance won't sell its stake. Millions of Americans who use the popular video app are left wondering what that means for them.

Should a ban take place, some fans of the service may turn to virtual private networks (VPNs) to try to connect to TikTok, a workaround that can make it seem like their internet connection is coming from a different country. But that loophole may not be so easy to exploit.

It's not an issue yet, as there are still some ways a TikTok ban could be avoided or the app could be accessed legally in the U.S. Here are the key things under consideration.

What a ban or forced sale could look like

The Committee on Foreign Investment in the U.S. (CFIUS) is the interagency body evaluating national security concerns around the app to determine how to minimize risk if it continues to operate domestically. The group can recommend to President Joe Biden that ByteDance's 2017 acquisition of Musical.ly, a TikTok precursor, be unwound, forcing a sale of those assets.

TikTok has recommended a mitigation plan as an alternative to a forced sale. But that's a long-shot solution, as CFIUS has already threatened a ban if ByteDance won't sell its stake.

A forced sale would be a complex step, requiring a years-old transaction to be unwound. The Trump administration pursued that route once before to no avail. The Chinese government would likely oppose it again, but it would need to be careful in its protests because the heart of its argument to the U.S. is that TikTok operates independently.

"That would be part of the calculus and how aggressively China would want to respond," said Lindsay Gorman, a senior fellow for emerging technologies at the German Marshall Fund's Alliance for Securing Democracy. Gorman previously served as a senior advisor at the Biden White House.

Should the U.S. ban TikTok, the mechanics of what happens from there get murky. Oracle is the cloud hosting service for all of TikTok's usage in the U.S. Internet service providers like Comcast (NBC Universal's parent company) and Verizon direct traffic to end users. And the app stores controlled by Apple and Google are the primary places for consumers to download the TikTok app.

Shannon Reaves, a partner in Stroock's CFIUS compliance group, said any requirement on a third party would not come from CFIUS, which is tasked with evaluating foreign investments alone.

"There won't be action from CFIUS as a result of this review that will be taken against third parties that are not a part of this transaction," Reaves said. "So your Apples and your Googles and so forth, that that will not happen."

The government may have to turn to legislation or executive orders to get app distributors, ISPs and cloud services to block access to TikTok.


While there will likely always be cracks that can be exploited by a subset of computer-literate users, the typical consumer would find it difficult to access a government-banned service, said Douglas Schmidt, an engineering professor at Vanderbilt.

"There will almost always be ways around this," Schmidt said. "It would just be a lot more difficult for the average person to do it without getting an advanced degree in computer security or something."

In other words, a VPN won't be enough, in part because going that route would still likely require app store credentials, which will indicate a user's location. Gerald Kasulis, a vice president at NordVPN, said there's also technology available to detect when a user is trying to access an app with a VPN.

The security concerns

Concerns around TikTok's security risk come down to two main issues. The first is who can access U.S. consumer information and the second is who has the ability to determine what information reaches U.S. users. Under Chinese law, companies can be required to hand over internal information to the government for supposed national security purposes.

TikTok has sought to reassure the U.S. government that U.S. user data is stored outside of China. The company has developed an elaborate plan known as Project Texas that includes the vetting of its code in the U.S. and a separate board of directors for a domestic subsidiary, with members reviewed by the U.S. government.

TikTok CEO Shou Zi Chew, who's set to testify before a U.S. House panel next week, told The Wall Street Journal that Project Texas would do just as much as divestment to resolve any security concerns.

But the mood in Washington isn't moving in TikTok's favor, and legislators have lost whatever trust they once may have had in China and its motives. That issue resurfaced earlier this year, when a suspected Chinese spy balloon was spotted flying across a large swath of the U.S. Biden ordered the military to shoot down the balloon last month.

When it comes to consumer technology, users have no idea what information is making its way to the Chinese government. And the U.S. government has a lot of work to do to provide clarity on what would happen if the app were to be banned.

"Even for someone who studies this stuff, it's not easy to detach and detangle all these apps," said Gorman. "As a society, we have not made the decision that the app stores, the Apple App Store or the Google Play Store, should be restricting apps based on the amount of information they collect. It can't be put on any individual and it really does need to be addressed by governments."

While many users may think their casual social media use would be of little interest to a foreign government, Schmidt said that data can have a surprising amount of value to bad actors.

"Having information about your habits and your interests and your interactions and where you go and what you do could be used for things like either phishing attacks to get access to more information, or for things like blackmail, if you're doing things that you might not want other people to know about," Schmidt said.

It's unfamiliar territory for U.S. companies, in contrast to China, which blocks access to all sorts of content, including most major U.S. internet services.

"Trying to police data access is very, very difficult, especially when there's suspicion that the folks who are doing this have a reason to do it," Schmidt said. "And they're heavily incentivized to collect this information and use it for all kinds of purposes."
