Banning TikTok? It's time to fix the out-of-control data exploitation industry - not a symptom of it
- The primary threat from apps is the data they can collect and the profiling that can ensue
- Analysis of TikTok shows the app doesn't necessarily share more data than any average app
- Big Tech have been repeatedly caught red-handed collecting more personal data than users would expect, including from competitors through SDKs or App Stores
- How governments can access and use the data apps collect is a serious and legitimate concern
- What is needed is not a ban but strong technical and legal safeguards, and enforcement
Chinese apps and tech companies have been at the forefront of the news recently. Following India's ban of 59 Chinese apps in July, President Trump announced his desire to ban TikTok, shortly followed by his backing of Microsoft's intention to buy the US branch of its parent company ByteDance. Other than others lip syncing his public declaration, what does President Trump fear from this app, run by a firm based in China?
It's all about that data
One clear answer emerges: the exploitation of users' personal data. As illustrated multiple times, notably with Cambridge Analytica, personal data are the gateway to manipulation, control and disinformation.
Access to huge amounts of data allows companies to profile people and generate intelligence, sometimes far beyond what the user expects - such as when Strava, a fitness tracking app, revealed the location of secret US army bases by releasing a data visualisation map of its users' activity. To be clear, the public found out about this when Strava published this data openly; but every firm that collects location data quietly will have these very same insights.
Profiling also enables micro-targeting, a practice consisting of the delivery of specially crafted messages for very specific and narrow audiences. This raises concerns as it can be used to manipulate opinion and influence elections.
Finally, when merged with data from other companies in the gigantic online tracking ecosystem, this data collection can enrich existing profiles and be used in completely different contexts, without users being aware of it or having any control over it. Such practices are at the center of PI's complaint against AdTech companies, Data Brokers and Credit Rating agencies.
Chinese firms' apps = bad?
The abusive collection and processing of personal data isn't purely the prerogative of Chinese companies, and at the moment TikTok is not necessarily doing worse than any of the aforementioned companies.
As security researcher Baptiste Robert demonstrates in his analysis of the app's logs:
"As far as we can see, in its current state, TikTok doesn’t have a suspicious behavior and is not exfiltrating unusual data. Getting data about the user device is quite common in the mobile world and we would obtain similar results with Facebook, Snapchat, Instagram and others".
That's not to say that TikTok is harmless. Its practices are still being understood, and could change without our knowledge. And like every internet firm, its privacy policy makes it clear that the app collects a vast amount of user information, including internet tracking data (e.g. web beacons) and real-world tracking data (GPS location data).
This doesn't mean that Chinese tech companies and government agencies shouldn't be subjected to far more scrutiny, especially as they continue to supply surveillance technology and training around the world.
The point is that apps such as TikTok don't clearly present any substantially different risks than any of the other social media giants. The problem is far more pervasive than any single company. We've said this about Zoom, and we've said this about Grindr. It's not the nationality of the app that should matter, it's the lack of legal and technical safeguards.
Big Tech has been there, done that, and should have been regulated by now
And now Microsoft, the original Big Tech company, is in the frame to purchase TikTok as the 'solution' to the TikTok challenge.
We don't see how this helps at all, considering the long history of data exploitation by American tech companies, amidst weak legal protections in US law. And that dominance, based on those legal weaknesses, affects people globally.
Facebook has been a key platform for political micro-targeting around the world, enabling the use of its very detailed profiles for disinformation and manipulation, notably by external state actors such as Russia. Facebook also displayed aggressive tracking behavior through technologies outside of its own platform such as its Android SDK, used by many popular apps which collected personal information without users' consent.
Google is not to be outdone and displayed similar out-of-bounds, questionable behavior. It recently used its control over the Android OS to track usage of competitors' apps.
These examples illustrate how US companies are leveraging their dominance in certain markets to gain specific advantages, and collect more data than a single Chinese company's app could ever dream of.
And yet these companies have also complied with Chinese Government requests for data, including data localisation.
Chinese government surveillance?
Social media and tech companies such as TikTok which rely on data exploitation as a business model have been under increasing pressure from governments unwilling to be left behind.
This has resulted in a series of surveillance initiatives and laws around the world aimed at forcing companies to provide data on their customers (and non-customers!) to government agencies. Consumers are increasingly concerned about these practices by industry and government, and want legal protections, yet governments rarely regulate themselves. The present upwelling of the Chinese public discourse and regulatory activity on personal data protection focuses on companies and pointedly refrains from challenging the government’s ability to access people’s data if national or public security is invoked.
China is amongst the most prolific surveillance actors, alongside other giants including France, Israel, Russia, the UK and the USA. The Chinese government’s abuse of surveillance powers is hard to oversee due to secrecy but very well-documented. Those powers are beginning to integrate AI technologies -- helping, for example, to fuel successful facial-recognition companies and even Covid-related temperature-scanning cameras.
For its part, TikTok claims to store all "US user data in the United States" and that their data centers are "located entirely outside of China, and none of our data is subject to Chinese law."
But such claims are hard to verify and subject to change. And this says nothing of US surveillance agencies which access user data stored in the US, or what this means for non-US users around the world.
In short, the problem is much bigger than TikTok. There is still huge uncertainty about the extent to which consumer services may now or in the future integrate with government surveillance systems, and there is little reason to believe these company-focused privacy protection measures can limit government intrusions.
The world we want, and ever more urgently need
In that case, is a ban really necessary? Does it actually improve user or national security? Not really. Banning might appear to be a strong economic and geopolitical move, and a lot of the motivations here appear to be geopolitical in nature - but from a security and privacy standpoint it does very little.
PI advocates for strong surveillance safeguards and data protection laws to protect people's data, providing individuals with rights over their data, imposing rules on the way in which companies and governments use data, and establishing regulators to enforce the laws. Applied blindly to all companies collecting personal data, such laws address many other concerns such as user privacy and abusive data exploitation practices.
At PI we want a world where you can use services that are
- verifiably designed to protect your privacy,
- in whatever country you are in,
- where there are laws that safeguard against unwarranted government surveillance,
- built by a company, anywhere in the world, that is well-regulated under an enforceable data protection law,
- where the data held by that company is kept under strict legal and technical controls from unlawful government surveillance, and that
- governments abide by the rule of law and conduct surveillance only when it is necessary and proportionate.
Rather than wage industrial cold wars that achieve little other than perpetuating dominance and limiting our abilities to communicate, can't our leaders build this world instead?