TikTok, Privacy, and Chinese Government Surveillance: What We KnowPublished on: 2023-3-29
Last week, TikTok CEO Shou Zi Chew appeared before a US congressional committee. Among other allegations, Chew responded to claims that TikTok represents an unacceptable privacy and security risk that enables Chinese government surveillance.
Chew’s congressional grilling was part of a broader debate about banning TikTok in the US. The app is already illegal in several countries, including India and Indonesia, and is banned on government devices in the US, Canada, the UK, and other jurisdictions.
TikTok is not unique in collecting large amounts of data about its users. But the app does raise some particular concerns, including that TikTok data has been accessed in China—and used to track US journalists.
Yet a lack of meaningful privacy protection in the US has created a data-driven business environment in which TikTok and other social media platforms thrive.
This article will explore what we know about TikTok, focusing on privacy. We’ll consider how TikTok compares to other apps, whether TikTok presents a risk of Chinese government surveillance, and how Chinese and US law contribute to the TikTok debate.
Privacy: Is TikTok Worse Than Other Social Media Apps?
TikTok claims that it implements “privacy and security by design” and that its app collects less data than its competitors.
Some analyses of TikTok have found that the app’s data collection practices are not unusual by industry standards. Others have suggested that TikTok is more intrusive in specific ways.
A January 2023 study by Georgia Tech suggested that TikTok does not collect significantly more data than other social media apps.
The analysis found that TikTok collected device, app, and user data of similar categories to Facebook and other platforms. The authors emphasised that the risks of using TikTok vary depending on who is using the app.
The research found that the data collected by TikTok would not be of “espionage value” unless it came from users that were “intimately connected to national security functions” using the app in ways that “expose sensitive information”.
The authors assert that there are “individual privacy risks” to using TikTok but did not find any “national security” risks beyond those present in other social media apps.
A March 2021 study of TikTok’s source code by Citizen Lab found that TikTok did not exhibit “overtly malicious behaviour” and that the app was “not exceptional when compared to industry norms”.
Citizen Lab found that TikTok’s source code shares similarities with that of the app’s Chinese equivalent, Douyin.
The researchers expressed concern about customisations in the app’s source code, which could theoretically be used to enable “privacy-violating hidden features”.
But the research found that Douyin’s source code exhibited privacy risks not present in TikTok, such as “dynamic code loading and server-side search censorship”.
Neither app appeared to collect “contact lists… photos, audio, videos or geolocation coordinates without user permission” without permission.
Citizen Lab also did not find any evidence that TikTok transferred data directly to China. However, important revelations about Chinese access to the app have emerged since the study, which we will discuss later in the article.
A February 2023 study by Malcore, a division of cybersecurity firm Internet 2.0, cited TikTok as the worst of 23 apps tested in terms of third-party tracking, with a score of double the industry average (a high score indicating greater intrusiveness).
The study attributed TikTok’s high score to the presence of “nine trackers and a lot of permissions and code severity warnings”.
TikTok integrates third-party SDKs from Facebook, Google, and AppsFlyer (among others), mostly for login and analytics purposes. In eight markets, TikTok also integrates the Russian-owned SDK VKontakte.
Third-party SDKs can be problematic from a privacy perspective—but they are integrated into thousands of apps.
TikTok has disputed Malcore’s findings, suggesting that the study’s scoring method was arbitrary and non-transparent.
Last year, researcher Felix Krause published a study about in-app web browsers that open by default when a user follows a link within the app.
Kraus found that TikTok’s in-app browser could monitor keystrokes, meaning that TikTok could theoretically collect sensitive data including passwords. Kraus did not suggest that TikTok collects such data, only that it could.
A key difference between TikTok’s iOS app and other social media apps is that users cannot turn off TikTok’s in-app browser. Other apps, including Facebook and Instagram, allow users to opt for a third-party browser instead.
TikTok responded that it uses these functions for “debugging, troubleshooting, and performance monitoring”. More recently, the company stated that the “current version” of the app does not monitor keystrokes.
For people in Europe, there is an important difference between TikTok and some competitors. Unlike Facebook and Instagram, TikTok requests consent from EU users for delivering targeted ads.
Targeted advertising involves the collection and processing of personal data to build profiles about users’ behaviours and inferred preferences.
Meta’s terms of service require users to allow the processing of their personal data for ad-targeting. Regulators have found this policy to be illegal under EU law (Meta is appealing).
TikTok announced that it was adopting an “opt-out” policy last year — but quickly changed course following an intervention from the Italian data protection authority.
Does TikTok Transfer Data to China?
While TikTok’s data collection practices appear relatively normal, there is a reasonable concern that TikTok users’ data is either transferred to or accessible in China.
Early TikTok analysis, including the aforementioned Citizen Lab report, did not find evidence of the app transferring data to China—a finding repeated by TikTok CEO Chew in Congress last week, leading to pushback by the research group’s director.
However, in July 2022, Australian cybersecurity firm Internet 2.0 found that a version of the app contacted servers in Baishan, China. The Irish Data Protection Commission (DPC) is also investigating whether TikTok transfers personal data to China.
Can Chinese Employees Access TikTok Data?
Whether or not TikTok sends data directly to servers in China, it has become clear that TikTok data has been accessible to China-based employees of TikTok’s parent company, ByteDance.
TikTok’s privacy disclosures state that user data may be processed by entities in its corporate group, including in China.
In June 2022, Buzzfeed revealed leaked audio, including “14 statements from nine different TikTok employees”, suggesting that TikTok user data was accessible to employees in China.
One Beijing-based TikTok employee described themselves as a “master admin” with “access to everything”. Another said that "everything is seen in China".
That same month, Chew admitted in a letter to US Senators that Chinese employees “can have access to TikTok US user data”, subject to oversight by US-based employees.
Did ByteDance Spy on US Journalists?
Last December, TikTok confirmed that China-based ByteDance employees accessed US several journalists’ IP addresses and other data in an attempt to uncover their sources.
ByteDance said these actions were “misguided" and that they “seriously violated the company's code of conduct”. The employees have reportedly been fired.
In Congress last week, Chew said that he disagreed with the characterisation of these activities as “spying”, but failed to confirm that other TikTok users could be subject to similar surveillance.
Note that US tech companies have been accused of similar activity. For example, a 2015 complaint alleged that Uber tracked the location of journalists reporting on the company. Meta has also allegedly used platform data to surveil employees.
But of course, US journalists and their sources operate in a very different environment from their Chinese counterparts.
TikTok’s ‘Project Texas’
“Project Texas” is part of TikTok’s plan to satisfy US concerns about Chinese access to data.
TikTok claims that all US user data is currently stored by Oracle, a US cloud services provider. The stated intent of Project Texas is to further reduce the risk that data can be accessed by Chinese employees.
In July 2022, TikTok established a new subsidiary, TikTok US Data Security Inc. This entity will have decision-making power over data access, with an independently-appoint board overseen by a US government body.
In Congress last week, CEO Chew described Project Texas as the process of “building what amounts to a firewall” to protect data from Chinese access. He conceded that Chinese employees can still theoretically access “legacy data”.
Under Project Texas, all US user data should eventually be processed via Oracle’s Texas-based infrastructure. US user data currently processed in Singapore and Virginia would be deleted.
Is TikTok Subject to Chinese Law?
We’ve explored how TikTok collects personal data, and established that some data remains accessible from China.
TikTok plans to reform its corporate structure and relocate US users’ data. But will these measures protect TikTok from the influence of the Chinese Communist Party (CCP)?
Does the Chinese Government Control TikTok?
In Congress last week, Chew asserted that TikTok’s parent company ByteDance is “a private company” that is “not owned or controlled by the Chinese government”.
A March 2023 report submitted to the Australian Parliament disagrees, stating that the CCP exercises so much control over ByteDance that the company “can no longer be accurately described as a private enterprise”.
The report accuses TikTok of obfuscating its management and ownership structures to conceal the extent of Chinese government influence.
The authors highlight the Chinese government’s “golden share”: a 1% stake in TikTok’s Chinese sister company Douyin, which allegedly provides the CCP with “open insider access to corporate decision-making, and influence through board seats and veto rights”.
TikTok maintains that the “golden share” is a condition of Douyin’s license to operate in China and that the CCP does not have any influence over ByteDance’s board.
China’s National Security Law, like much Chinese legislation, contains several open-ended and broad provisions, such as a requirement on “all citizens and organisations” to “support, assist, and cooperate with national intelligence efforts in accordance with law”.
In 2021, UN researchers accused the Chinese government of “systematically (invoking) national security to target human rights defenders” and using national security law to bypass “basic due process”.
Furthermore, Human Rights Watch suggests that legal requirements aside, China’s alleged tendency to “forcibly ‘disappear’ business executives” presents an unavoidable threat to TikTok’s independence.
What About US National Security Law?
Without wishing to draw comparisons between the CCP and the US government, it is important to note that US national security law is also problematic.
Indeed, the bill introduced to ban TikTok, the “RESTRICT Act”, would provide US authorities with extensive powers to investigate and penalise a broad range of private activity.
It is reasonable for US politicians to worry about Chinese government access to personal data. However, a similar debate has been ongoing since at least 2015 between the US and the EU. Transfers of personal data from the EU to the US have been effectively banned twice.
By European standards, US surveillance law breaches fundamental rights, particularly due to the lack of legal remedies available for privacy violations.
As such, European regulators have repeatedly sanctioned companies for using tools that transfer data to the US, such as Google Analytics and the Meta Pixel.
Try Wide Angle Analytics!
The US Privacy Problem
Compared to most democratic countries, the US lacks an effective data protection and privacy regime. This lack of meaningful privacy protection in the US has enabled data-driven social media platforms to flourish.
Excessive data collection and lax controls on data sharing are legal in much of the US.
Even if TikTok is not exporting users’ information to China, the CCP could conceivably purchase US citizens’ data online. Indeed, the FBI admitted purchasing Americans’ location data in early March.
The market value for “data brokers” alone was estimated at over $240 billion in 2021. A recent Stanford University study showed how sensitive health information is commercially available online, with minimal vetting of buyers.
By the end of 2023, the number of US states with a comprehensive privacy law will increase from two to five. These laws are limited in scope and application, but they are a step towards real privacy rights in the US.
The Federal Trade Commission (FTC) has also ramped up privacy enforcement in recent months, targeting the frivolous sharing of health information with advertisers like Meta and Google.
Last year, US lawmakers debated the American Data Privacy and Protection Act (ADPPA), a proposed federal privacy law that could provide some privacy protections — not just from TikTok, but domestic social media firms, too.
Whether TikTok is banned or not, the debate around Chinese surveillance should not distract US politicians from improving their own privacy laws.