TikTok is Not the Only Problem

March 23, 2023 | Calli Schroeder, EPIC Senior Counsel and Caitriona Fitzgerald, EPIC Deputy Director

The debate over the national security risk posed by the misuse of personal data, and whether a ban or restructuring of TikTok is a necessary policy intervention, has taken a new twist recently with the Biden administration now demanding that ByteDance, TikTok’s Chinese parent company, sell TikTok to a company based in the United States or face a potential ban in the U.S. The Committee on Foreign Investment in the U.S. (CFIUS) has been conducting a review of TikTok’s foreign ownership and the national security concerns surrounding the company’s data processing over the past two years. The recent call by the Administration for separation or prohibition is the latest in a series of proposals to address the threats to national security posed by TikTok.

The national security concerns voiced by the Administration and members of Congress have largely focused on three issues: 1) the amount and type of user data collected by TikTok; 2) Chinese security law allowing government access to Chinese company-held data on demand; and 3) the potential for the Chinese government to use the app to spread misinformation or censor information critical of China.  

TikTok, like most U.S. tech companies, collects a substantial amount of data about its users, which, according to TikTok’s privacy policy, may include name, age, phone number, email, approximate location, IP addresses, contact lists, messages, biometric identifiers (like face or voiceprints), keystroke patterns, and information gathered from interaction with the app, such as user-generated content, interests, preferences, and associated metadata. It also draws substantial inferences from this data to enrich its user profiles.  

There are concerns that this data could be used by the Chinese government in espionage and surveillance activities. China’s National Intelligence Law, Cybersecurity Law, and other components of the interconnected cybersecurity and law enforcement regulatory package give the Chinese government broad license to require Chinese companies and citizens to “support, assist, and cooperate” with Chinese intelligence work. Since “intelligence work” remains undefined, this could potentially allow the Chinese government unfettered access to data held by any Chinese company. Should China access TikTok’s user data, there is concern that the information could be used to target individuals for blackmail or as potential spy recruits. There is no evidence that China has accessed this data to date, and TikTok’s CEO stated that the company would refuse such requests, but the legal issues remain a concern.

Finally, concerns have been raised that the Chinese government could use its access to TikTok’s inner workings to pressure the company into censoring content, removing content critical of Chinese government practices, or pushing propaganda, potentially influencing U.S. politics and society.  

Project Texas Proposal 

In the wake of executive orders issued by President Trump in 2020, TikTok drafted a proposal that they hoped would sufficiently address concerns about national security and prevent a ban or divestiture mandate. The plan, dubbed “Project Texas,” would shift certain functions to a U.S.-based TikTok subsidiary that would be governed by an independent board of directors reporting directly to CFIUS. Functions run by the subsidiary would include access to U.S. user data, content moderation, hiring and managing U.S. employees, and all other functions that require processing U.S. user data. Oracle would host this subsidiary, oversee all data transfers, and conduct assessments and security reviews of TikTok software. 

But Project Texas does not solve the privacy issues raised by TikTok’s collection and creation of detailed user profiles. Indeed, Oracle is one of the largest data brokers in the United States. Oracle “claims to sell data on more than 300 [million] people globally, with 30,000 data attributes per individual, covering ‘over 80 percent of the entire US internet population[.]’” In 2020, when the potential TikTok/Oracle partnership was announced, EPIC sent demand letters to Oracle and TikTok calling on Oracle to commit not to sell TikTok user data or merge it with Oracle products. Oracle refused to make such a commitment. The Project Texas proposal is insufficient to protect TikTok users or national security and it exposes the weaknesses of a TikTok ban without the additional protections of a comprehensive privacy law. 

TikTok is just one app in a vast commercial surveillance ecosystem that has been allowed to grow unencumbered over the past two decades due to the lack of a U.S. privacy law. Even if the U.S. bans TikTok, millions of apps would continue to collect the most intimate details about us and profit off of them. The endless web of data brokers who buy and sell data would continue to exist, and foreign adversaries such as China could still obtain Americans’ personal data by simply purchasing it from data brokers on the open market. This is a data privacy crisis with serious national security implications and it is past time for Congress to act.  

Don’t Just Ban One, Regulate Them All: Enact Comprehensive Privacy Legislation 

Comprehensive privacy legislation such as the American Data Privacy and Protection Act (“ADPPA”) would go much farther to protect Americans’ personal data from bad foreign actors than a ban on one app. Here, we break down how the provisions of the ADPPA would address the national security concerns being raised by lawmakers this week:

  • Reduces the volume of personal data collected: The ADPPA’s baseline data minimization rule that requires companies to limit their data collection to what is reasonably necessary and proportionate to provide or maintain a product or service requested by the individual (or pursuant to certain enumerated purposes) will dramatically reduce the data points collected on all Americans. Data that is never collected in the first place cannot be misused, breached, or sold.
  • Limits the flow of personal data to data brokers: The ADPPA’s limits on collection and disclosure would reduce the flow of personal data to data brokers, strengthening our national security by cutting off the source of many data sales to foreign adversaries. Additionally, the ADPPA directs the FTC to establish a centralized “Do Not Collect” mechanism. The strict limits on data brokers in the ADPPA have led to a flood of lobbying by brokers pushing for weaker standards.
  • Provides heightened protections for kids and teens: The data minimization rule is even stricter when it comes to sensitive data such as the personal data of minors under 17 years old. Collection of sensitive data is permitted only when strictly necessary and is not permitted at all for advertising purposes. Targeted advertising to minors is banned. Strictly limiting the collection and use of the personal data of minors will make all apps safer for kids and teens.
  • Algorithmic impact assessments: Under the ADPPA, large entities are required to conduct algorithmic impact assessments. These assessments must describe the steps the entity has taken or will take to mitigate potential harms from algorithms, including any harms specifically related to individuals under 17 years of age and harms to civil rights. The assessments must be submitted to the Federal Trade Commission and, on request, to Congress. This will bring transparency to the content recommendation algorithms on TikTok and other apps.
  • Data security requirements: The ADPPA requires entities to adopt reasonable data security practices and procedures that correspond with an entity’s size and activities, as well as the sensitivity of the data involved. Strong data security standards strengthen national security by protecting the personal data that has been collected and ensuring that data is deleted once it is no longer needed for the purpose for which it was collected.
  • Transparency regarding data practices with foreign adversaries: The ADPPA requires entities to include provisions in their privacy policies disclosing whether any data collected by the entity is transferred to, processed in, stored in, or otherwise accessible to China, Russia, Iran, or North Korea. This means that any app using a Chinese cloud provider, which would have the same kind of data access and disclosure obligations to the Chinese government that are raising concern about TikTok, would have to disclose that connection.

Simply forcing a ban or divestiture on TikTok in the U.S. without broader privacy rules will not solve the core national security concerns of data collection and exploitation by foreign governments, nor will it do anything to change the data collection practices of the millions of other apps whose business practices pose similar national security issues. The lack of a U.S. privacy law means that the Chinese government can purchase a vast array of Americans’ personal data, either from the new owners of TikTok or from any one of the U.S. companies collecting and selling the same data points from users. These concerns would be more effectively addressed by the passage of a strong, comprehensive U.S. privacy law.
