China has a well-chronicled appetite for Americans’ data. Meanwhile, the popular, China-based video app TikTok collects significant information on its users.
That confluence has made the app a focus of concern among privacy watchdogs, culminating last week in reports that the U.S. is positioning itself to ban TikTok.
The app has become the subject of widespread concern and paranoia, even reaching into the world of esports, with the popular gamer known as Ninja tweeting that he was deleting the app over privacy worries. The bank Wells Fargo told its workers to delete the app. Amazon ramped up the scrutiny of TikTok on Friday after a leaked internal email said company employees needed to remove the app from their phones. Amazon later clarified that no such edict had actually been issued.
But the reality of TikTok's threat is far more mundane and not particularly unique, experts say. While users should be skeptical of the app's data collection and handling, the attention paid to the app owes more to how TikTok has ended up in the middle of the growing societal concern about data privacy and increasing paranoia about the threat of China.
TikTok has had major privacy concerns flare up in the past and is reportedly under investigation by the Justice Department and Federal Trade Commission for potentially failing to adequately delete videos from users who are 13 and under, as required by law.
But that doesn’t mean the company is unique in how it handles user data, said John Davisson, counsel at the Electronic Privacy Information Center, a think tank that advocates for online privacy for consumers.
“I think TikTok's actions are alarming, and it is good that federal regulators are paying close attention to it,” Davisson said. “But it is ultimately one of many platforms that collect, and use, and analyze, and rely on, and profit off of personal data.”
Like practically all tech platforms, TikTok stores not only the content that users create on it, but significant metadata on them — and will turn that information over to law enforcement if legally compelled to do so. According to a leaked document provided to police and reported by Business Insider, for TikTok that can mean usernames, how and when users signed up for the service, phone numbers and device types, and significant location data.
While that kind of information may seem invasive, it’s the norm for phone apps to track it, especially location data — and that kind of information is bought and sold on a daily basis in markets that China has access to.
“China could buy similar mobile data from data brokers or ad networks. Most ad networks are collecting the same, if not worse, information,” said Whitney Merrill, a former lawyer for the Federal Trade Commission.
“I think if they really wanted to get this information, they’d get it from a whole bunch of other sources, and disallowing TikTok isn’t making any incremental improvement,” Merrill said.
China does have a proven track record of hoovering up Americans’ personal information. Many of the biggest breaches in U.S. history — the hacks of Equifax, several insurance companies, and the U.S. Office of Personnel Management — are widely accepted as the work of Chinese intelligence.
Those hacks were part of a massive operation to steal and process Americans’ data, FBI Director Christopher Wray said in a livestreamed talk Tuesday.
“The data China stole is of obvious value as they attempt to identify people for secret intelligence gathering,” Wray said. “On that front, China is using social media platforms, the same ones Americans use every day to stay connected or find jobs, to identify people with access to our government’s sensitive information and try to target those people to try to steal it.”
The Trump administration has yet to take concrete action to ban TikTok from the U.S., but the Pentagon banned its use for military personnel in December. Amazon, which has bid for enormous military contracts, sent an email to staff Friday saying it was banning personnel from using the app on work devices, then announced in a press release that the email “was sent in error.”
As Secretary of State Mike Pompeo has stressed, Chinese law gives the state broad legal authority to inspect data stored in China or by Chinese companies.
TikTok has claimed that’s not an issue. “We have never provided user data to the Chinese government, nor would we do so if asked,” spokesperson Jamie Favazza said in an emailed statement.
It may not be possible to know with certainty whether TikTok could indeed resist Chinese authorities if it demanded users’ data, but there’s no indication of that so far, said Adam Segal, an expert on Chinese technology and national security at the Council on Foreign Relations.
“It all comes down to the argument that no Chinese tech company can resist the demands of the Chinese Communist Party or government for data,” Segal said. “We have no evidence those demands have been made or the company would need to follow through.”
“I don’t know what's unique about TikTok data,” he added. “Especially because it's primarily teens.”