Skepticism of TikTok, the Chinese video-sharing app, reached its peak with President Trump’s signing an executive order that would ban the social-media software from the United States after September 20. TikTok’s parent company ByteDance, which is based in Beijing, is in late-stage acquisition talks with Microsoft and has reportedly also explored a deal with Twitter.
The Trump administration’s case against TikTok is based on the premise that its Chinese ownership is beholden to Chinese Communist Party requests for user data, including of Americans. It’s well-documented that ByteDance has caved to CCP pressure before, and even the Chinese Foreign Ministry calls it a Chinese company, despite its claims to be based in the Cayman Islands.
Still, what was missing from the case for regulating TikTok more stringently was evidence that it has transferred user data to Beijing (the company says that its servers are based in the U.S. and Singapore, and that it would not honor such requests). A new Wall Street Journal report sheds light on TikTok’s insufficient data-privacy practices:
TikTok skirted a privacy safeguard in Google’s Android operating system to collect unique identifiers from millions of mobile devices, data that allows the app to track users online without allowing them to opt out, a Wall Street Journal analysis has found.
The tactic, which experts in mobile-phone security said was concealed through an unusual added layer of encryption, appears to have violated Google policies limiting how apps track people and wasn’t disclosed to TikTok users. TikTok ended the practice in November, the Journal’s testing showed.
This practice, according to article, allowed TikTok to send user data to ByteDance’s servers. Crucially, it also concealed that collection of data:
As with virtually all modern apps, TikTok’s Internet traffic is protected by the web’s standard encryption protocols, making it unlikely that an eavesdropper can steal information in transit. That makes the additional, custom encryption code TikTok applies to user data seemingly extraneous — unless it was added to prevent the device owner from seeing what TikTok was up to, said Nathan Wood, a researcher at the International Digital Accountability Council, a watchdog group that analyzes app behavior.
“TikTok’s obfuscation of this data makes it harder to determine what it’s doing,” Mr. Wood said. That added layer of encryption makes it harder for researchers to determine if TikTok is honoring its privacy policy and various laws. He said he isn’t aware of a business purpose for the encryption.
TikTok’s defenders say that U.S.-based social media companies, such as Facebook, engage in opaque data-privacy practices, which is all the more reason to enact broad regulations touching all social-media platforms. They make this point to argue against singling out TikTok. But given ByteDance’s history of cooperation with the CCP, it’s difficult to give TikTok the benefit of the doubt — it’s reasonable to scrutinize it even more for its links to the Chinese government.
TikTok recently pledged transparency, offering up its algorithms and content moderation practices for scrutiny by researchers. As I wrote last month, this was a ploy to draw a contrast with other social-media platforms, which certainly face their own significant problems. But what American consumer can reasonably trust TikTok’s transparency assurances now?
When Facebook sells your data, it goes to advertisers and even perhaps political operatives, with many worrying about major privacy breaches. When TikTok collects it, though, your data could well end up in the hands of an authoritarian government with aspirations to exercise influence beyond its borders. These things are not the same. The latest Wall Street Journal report is further confirmation that TikTok’s activity calls for a different response.