Matt Bacon Sep. 23rd, 2020
The Trump administration has railed against Chinese owned social media company TikTok in recent months citing grave national security concerns around data privacy. The rhetoric reached a fever pitch in mid-August with President Trump threatening a full TikTok app ban if corrective measures weren’t immediately taken. Despite a relatively laissez-faire reception to the news by the American public, the President’s concerns aren’t without their merit.
The State Department was the first to signal trouble with warnings in December of 2019. The Department of Defense and The State Department both banned employees from using the app in January of 2020 after their own separate internal reviews. The TikTok app ban impacting the American public, which was only narrowly averted, was a bold move.
If you’re curious about the kind of data the app collects, here is a quick run down:
- Your IP address (unique identifier)
- Browsing history (the content you viewed on TikTok)
- Mobile carrier
- Location data if you’re accessing the platform on a mobile device
- Info from the device you used to access TikTok (if you are on an Android device this includes your IMEI number, which is essentially your device’s fingerprint so it can be identified, and potentially your IMSI number, which is used to track users from one phone to another)
By the way, TikTok collects all of the above if you download the app and never create an account! Once you do create an account and login, which requires your phone, email and date of birth, the app can then see everything passing over its network. This includes things like the kinds of videos you watch, like, share, how long you watch, and the full message history of everyone you speak with on the app. TikTok will also store your payment information if you transact in the app.
The company claims to delete your data within thirty days following your decision to delete your account. However, this claim is impossible to independently verify short of a full review of all TikTok data centers. Similar to Facebook, the company will also share your browsing history and email address with third parties in order to serve you targeted ads.
Late last year, a class action lawsuit was filed in California over a series of alleged privacy violations. Proving these will be hard, if not impossible, but the claims that TikTok “includes Chinese surveillance software” provides several disturbing allegations:
- TikTok collects and stores all videos on the app, even those that are not published or saved.
- The company uses the photos and videos uploaded to collect biometric data (such as face scans) without the user permission
- The app continues to collect biometric data even after the app is closed.
There are also claims that TikTok secretly sends user data back to China. A similar lawsuit in Illinois also makes this assertion. This was a rallying cry in the crusade against Huawei that began several years earlier, and it stems from a law passed in China in 2017.
The Separation (or lack thereof) of Corp and State
China’s National Security Law allows the government to compel any Chinese company to provide almost any information it requests, which can include data on foreign citizens and foreign state actors. Other laws can force these requests to be kept secret and excluded from transparency reports, making it impossible to know when the Chinese Community Party (CCP) has pilfered your data from TikTok. The US National Defense apparatus is gravely concerned about this and rightly so.
Even if the law weren’t in place, how long could ByteDance realistically resist pressure from the CCP to turn over data? Chinese companies of any real size are legally required to have Communist Party “cells” within them to ensure they tow the party line. A lack of an independent judiciary all but eliminates a company’s ability to push back on government requests. It’s incredibly difficult to determine just how independent an organization is in China and how much it coordinates with the CCP.
In TikTok’s case, the company says that its data centers are located entirely outside of China and that none of its data is subject to Chinese law. Evidence seems to suggest otherwise. Cybersecurity firm Penetrum released a white paper that found over a third of the IP addresses the TikTok APK connects to are based in China. The majority of these IP addresses are hosted by Chinese ISP Alibaba, an organization with a police post at its headquarters to facilitate data sharing with authorities.
Beyond the sweeping national security concerns, TikTok is also at risk of the more conventional threats posed by hacking, phishing, and other cyber attacks. This is nothing new, but separate security research firms discovered flaws in TikTok in December of 2019 and April of 2020 that allow hackers to monitor user activity and alter videos. TikTok has said the flaws have been fixed but this hardly a great start or impressive track record for a $100bn company.
Perhaps what has US Brass so rattled about this is the predominant user base of TikTok: children. 20 advocacy groups alleged earlier this year that TikTok is violating the Children’s Online Privacy Protection Act (COPPA) by retaining data on children as well as failing to prevent kids under age 13 from signing up without parental consent. Moreover, concerns have been raised about TikTok’s ability to shape opinions through the use of its algorithm, which is not US controlled and could potentially be manipulated by the CCP.
China has a history of bullying tech companies into providing data that is then used to threaten, censor, intimidate, coerce, or engage in human rights abuses. The mistreatment and exploitation of the Uighur population in Western China is perhaps the best known and widely publicized example, but the lesser known “blacklist” of roughly 13m untrustworthy citizens who can’t buy train or plane tickets is no less menacing.
Show me the Data
Every concern regarding TikTok is related to privacy and data management. The US isn’t lobbying for the inner workings of its algorithms or any intellectual capital – its all about who knows what and why. After President Trump’s ruling that TikTok would be banned in the US, the company almost immediately began looking for a US suitor. It found one in Oracle and, somewhat surprisingly, Wal Mart.
Just this weekend, Trump blessed a deal giving Oracle and Wal Mart a combined 20% stake in a new company called TikTok Global that will be based in the US. The company will have five board members, four of which will be American. The app will be operated from the new US-based company but there are still plenty of questions that remain.
Oracle will be able to review the app’s source code before passing it on to users. TikTok’s data, including usernames and passwords, will be hosted stateside on the Oracle cloud. Oracle and Wal Mart will not own any of the algorithms or other TikTok technologies. This is how nearly every US company in China is required to operate. Chinese data doesn’t leave China, but US data seeps across borders with ease. The deal appears to satisfy this concern.
Worryingly, Oracle and TikTok parent company ByteDance issued conflicting statements about the new ownership structure of TikTok Global. Senator Marco Rubio has also voiced concerns that the deal doesn’t go far enough to protect American’s data. While Trump has given his blessing, the deal does not have his formal approval yet. It’s also not clear whether the deal has the backing of Beijing. Anxiety over the fate of this deal still weighs heavy and the outcome is far from certain.
Consequences Moving Forward
The deal appears to be an informal adoption of a long-standing Chinese policy by US authorities; US data must stay on US shores. Regardless of any parity brought about by the deal, China may leave the table with a bitter taste. TikTok is a homegrown success story with 100m US users and around 800m global users. Being forced to kowtow to US authorities over TikTok will likely exacerbate the ongoing rift and set the precedent for future deals to come.
The threat of a total shutdown of TikTok’s US business represents incredible value destruction for investors. The proverbial ‘nuclear option’ appears to have been avoided in this instance but that may not always be the case. If anything, the TikTok deal has laid bare the growing political risks US investors face when doing business with Chinese companies. Proceed with caution.