Analysis. With the TikTok conflict, we have the opportunity to enforce our current laws and establish new requirements for all data-harvesting services, including demanding independent third-party audits and ban the business model of micro profiling. Today, China does not need to collect our data – they can just buy it.
The EU is worried about the data harvesting Chinese-owned app TikTok which has become the epic center of a geo-political war between the US and China. The EU is choosing sides and is following the US in banning the data harvesting TikTok – at least for now on work phones belonging to politicians and public officials.
Some security experts and politicians believe that the US and the EU should ban TikTok from everybody’s phone – including teenagers. China has also banned the US-owned Facebook in China, so why don’t we do the same? But if so, why are data-harvesting apps from Meta and Google not banned from work phones in the EU, as we know from the Snowden revelations back in 2013 that the US is also spying via US-owned commercial services? Is the US right in worrying about TikTok’s harvesting more data than everybody else, profiling Americans and Europeans, and possibly manipulating them via TikTok’s powerful algorithms? And what is TikTok doing to try and wing trust?
There are many unanswered questions and a lot of speculation. Let’s first look at the claim that TikTok is harvesting more data than everyone else.
In 2020, The Washington Post hired experts from the US-based privacy company Disconnect to check what data TikTok gathered of data and concluded “TikTok doesn’t appear to grab any more personal information than Facebook. That’s still an appalling amount of data to mine about the lives of Americans. But there’s scant evidence that TikTok is sharing our data with China, and we should be wary of xenophobia dressed up as privacy concerns.”
In September 2022, US-based Consumer Report also hired Disconnect to analyse TikTok’s data collection compared to Google’s and Facebook’s, and the conclusion was:
“The number of TikTok trackers we saw was just a fraction of those we observed from Google and Meta. However, TikTok’s advertising business is exploding, and experts say the data collection will probably grow along with it.”
An Australian investigation last year concluded that TikTok’s app has the ability to collect keystroke information, including when you give a website your credit card number. But the investigators also said, that Instagram and Facebook’s practices are almost as extensive as TikTok’s and told the Guardian; “Their primary motivation is almost purely commercial and financial, whereas, with TikTok, there is a national security element that I don’t think is directly present with the others.”
In another Australian ‘military-grade cyber protection’ analysis of TikTok, it is shown what data TikTok collects, but it is not compared to e.g. Google or Meta. It concludes that ‘TikTok IOS 25.1.1 has a server connection to mainland China’.
Data Brokers Also Sell Data
A good point regarding the data collection is that China has been amassing data about Americans long before TikTok.
“China has been implicated in major personal data breaches, including hacks on the U.S. Office of Personnel Management and the one on Equifax that impacted nearly half of all Americans. Worse, China could also buy data about us from the data-broker industry that tracks and sells our personal information to companies around the world. So could any other government or company,” according to The Washington Post.
So, if it is the data collection from Americans that the US is worried about concerning TikTok, it should also ban data brokers and others to sell or even share data.
There is no evidence that TikTok’s parent company, Beijing-based ByteDance, has been passing on data on Australians, Americans, or Europeans to the Chinese dictatorship, and TikTok denies it.
But of course, the mere fact that TikTok is owned by a communist data dictatorship like China is – and especially in war times – is enough reason to distrust it and to want to ban it.
Get Into the Machine Room and Ban Micro Profiling
TikTok is trying to inspire trust from the West with several initiatives.
The wildly popular app comes in two versions. There is a strict Chinese version (where kids are allowed only 40 minutes per day), and an international version, which is based in the US.
Further and more importantly, TikTok has proposed that its content recommendation and moderation systems will be subject to review by US-based Oracle and an additional independent third-party inspector.
Since last summer, TikTok says it has routed all U.S. data to cloud services run by Oracle. ByteDance is still compelled to comply with requests for user data under Chinese law, and it’s not clear how ByteDance is able to resist. Oracle declined to comment on the record about how it keeps the government out when The Washington Post asked for a comment.
Further TikTok has promised, according to the Financial Times, that its European data security regime, known as Project Clover, will open two data centers in Dublin, and a third in Norway, to store videos, messages, and personal information generated by 150 million European users of the platform. Further, the FT writes:
“Other new security measures announced by TikTok included the aggregation of data to the point that TikTok was no longer able to attribute personal data to a particular individual. It also revealed plans to work with a European security company that will independently audit its data controls and protection, and then report to national security agencies and regulators.”
It is obviously not enough for a Chinese or American company to store their data in Europe and then we’re safe. It depends on their legal headquarter. Is it in China or the US, then the respective governments have a right to get the data. However, with heavy encryption and working with e.g. European security companies, the storage could be made safe.
With the TikTok conflict, we finally have the opportunity to enforce our current laws and establish new requirements for all data-harvesting services, including banning the business model of micro profiling and demanding independent third-party audits so they prove what they say, e.g. that there are no backdoors for snooping governments.
Banning TikTok is a non-democratic way of solving problems and it is a violation of our freedom of expression. Further, a ban is more rooted in fears than evidence, and instead, we could do the following:
1) TikTok should be banned from all work phones because of political and economic espionage risks. And so should other data harvesting apps like Facebook Messenger, Google Maps, Viber, Discord, and so on.
2) Kids under 16 (some European countries have set it for 13 years, but maybe they should set it at 16) should not use TikTok or any other social media like YouTube, Instagram or Snapchat. It is a regulation (GDPR), we’ve had for years now, and it has not been enforced. Let’s enforce our great European laws.
3) We need to update the Digital Service Act, DSA, so micro profiling, which is also called surveillance advertising (the business model) will be illegal not only when it comes to kids but everybody. Some politicians and many organisations tried to include it in the DSA, but it was lobbied out. The Norwegian Forbrugerrådet and a long list of other NGOs (including DataEthics.eu) tried to stop it in vain.
4) People over 16, who want to use TikTok, Facebook, Youtube, and other data harvesting apps should be educated in digital self-defense and how to behave like public persons, as those apps should be regarded as good old postcards; open and accessible for everybody.
5) Democratic societies should demand access to the machine room of the data harvesting apps and services and make sure that independent third parties can audit their processes and algorithms and secure there is no backdoors for governments.
Regulation and enforcement is indeed the most important way to change society and stop an undemocratic business model. Yet, we know regulation has shortcomings, e.g. it is slow, therefore you can take some measures yourself.
1) you don’t have to give social media apps your real name. Pick a pseudonym and use a trash mail when you sign up and don’t use that email for anything else.
2) don’t give any of the apps access to your microphone, location, contacts, camera photos, etc. If you, for example, are in love with Google Maps (instead of wego.here.com or Open Street Map) you can turn on location only while you use it and turn it off afterward. If you need to give TikTok access to your microphone because you need to record something then give it access while you do it and turn it off afterward
3) Install a VPN service on your phone and use it, so it’ll stop anybody from collecting your location. It is also a very good thing when you shop for hotel, flights and rental cars to change your location and see the price changes.
4) Block TikTok, Facebook, and others to track you outside the app. You can do that in the settings, and you can further install Disconnect for kids.
5) Regard TikTok, Snapchat, Instagram, and all the others as public platforms and ask yourself every time you post anything on them if you want to stand on a busy street and shout it out to everybody.
Also read the piece I quote several times in full on TikTok and the American claims against it in the Washington Post: https://www.washingtonpost.com/technology/2023/02/03/tiktok-delete-advice/
TikTok appeared before congress 23rd of March. Here’s their statement.
Julia Angwin had this piece in the New York Times: Banning Tiktok won’t keep us safe.
5th April: here it is in Spanish