Taking stock of TikTok's troubles


It’s been a rough month for TikTok. First, the social media giant was dragged over the coals in a U.S. congressional hearing over its privacy practices and links to the Chinese government. Then, U.S. lawmakers introduced a bill to ban the app there unless it sells to a U.S. owner. Most recently, the U.K. government announced a £12.7m fine for misusing children’s data. Can anything go right for this company?

A TikTok Timeline 

In December last year, the U.S. government banned TikTok on federal government devices, and over half of all U.S. states have taken similar action locally. The U.S. is one of many. The E.U. followed suit with a February ban that forced all staff to remove the app on any device that uses official E.U. apps. Canada prohibited it from government phones in the same month. New Zealand vetoed TikTok on government devices in March, and Australia did the same in April. What are they all worried about?

TikTok, which is the international version of the domestic Chinese social media app Douyin, is the first Chinese social media app to gain significant global traction, ranking third among all apps for downloads globally in App Annie’s 2022 State of Mobile report. It has 150 million monthly active users in the U.S. (almost half of the country’s population).

Worries over Chinese theft of public and private sector data in the U.S. and other countries stretch back for years. The March hearing organised by the House Committee on Energy and Commerce voiced its concerns in its title: “TikTok: How Congress Can Safeguard American Data Privacy and Protect Children from Online Harms”. U.S. senators quizzed the company over perceived ties to the Chinese government.

TikTok CEO Shou Chew protests that while the company’s owner ByteDance resides in China, TikTok doesn’t and is not beholden to the Chinese government. He also cited a 2021 analysis by the University of Toronto’s interdisciplinary technology policy team, Citizen Lab, which found no data sharing with China in the international app. TikTok does not collect precise location data, he added.

Nevertheless, there has been some controversy over TikTok’s data collection. The FTC fined it for stealing children’s data in 2019. In 2021, the company settled a class action lawsuit accusing the company of sending data from U.S. users – primarily minors – back to China. TikTok insisted that it didn’t send data to Chinese servers, but lawyers for the plaintiff presented a technical analysis challenging that claim.

Recently cybersecurity consulting firm Internet 2.0 launched its analysis, which identified servers worldwide establishing regular connections with the iOS version of the app, including servers in China. It also criticised the app for excessive data harvesting, including checking Android devices’ GPS every hour. Two days before TikTok admitted to the Australian Financial Review that it did, in fact, track some users’ locations, Chew told the U.S. Congress that the company did not collect precise GPS data.

More recently, the company admitted spying on journalists in an attempt to find out who in its company was leaking information.

TikTok has done its best to allay concerns, announcing Project Texas, a plan to contain all U.S. user data domestically. Although details are scarce, this will likely involve a TikTok subsidiary called U.S. Data Security, with U.S.-approved directors and leadership. Oracle, which already hosts TikTok data, will protect it and compile the company’s code. However, critics say it’s impossible to review a large, fast-evolving code base continually.

How Politicians Might Neutralise TikTok 

The U.S. government is taking several approaches to curb what it sees as a national security threat from TikTok. The Committee on Foreign Investment in the United States (CFIUS) reportedly approached TikTok proposing a sale to a U.S. company, echoing a similar plan first presented by the Trump administration. Oracle and Walmart were working on an acquisition, but the Biden administration shelved a forced sale in February 2021 as it reviewed the situation.

ByteDance and the Chinese government still oppose a sale. In his prepared testimony, Chew said that “a change in ownership would not impose any new restrictions on data flows or access,” adding that “this is not an issue of nationality. All global companies face common challenges that must be addressed through safeguards and transparency.”

The White House has also signalled support for an aggressive approach to applications it deems risky to national security: ban them. In March, lawmakers introduced the “Restricting the Emergence of Security Threats that Risk Information and Communications Technology” (RESTRICT) Act. It would empower the Secretary of Commerce to review transactions with countries deemed adversaries to the U.S., including Russia and China, and others such as Iran and Venezuela.

The Dangers of Banning 

Critics warn that the bill could grant the U.S. government broad powers. It could, for example, restrict the use of VPN technology in the U.S., which would have a pronounced effect on digital rights. Others have mused that it could provide a back door for protectionist measures against foreign-owned subsidiaries far beyond national security concerns.

Banning applications carries a danger to the fundamental ethos of the Internet, which evolved as a platform for the free exchange of information. A U.S. ban risks escalating the balkanisation of the internet (what has become known as the ‘splinternet’), but doing nothing risks permitting what politicians see as a national security issue. Many countries that the bill describes as adversaries have their own internet infrastructures and routinely ban western software and services.

The drama over TikTok misdirects us from a more pressing issue: the high frequency of privacy infractions among domestic applications in the U.S. Other mobile applications regularly harvest user data and sell it to data brokers. One such investigation claimed to have used brokered mobile app data to track a Catholic priest’s movements, outing him as gay.

Although some U.S. states have taken measures to protect users from privacy-violating apps and data brokering, there is no GDPR-style federal privacy law in the U.S. While TikTok has undoubtedly blotted its copybook with various privacy infractions, lawmakers should turn their attention to all companies that misappropriate their users’ information – not just those from overseas.
