On June 17, BuzzFeed published an article revealing that Chinese TikTok employees had access to sensitive data of US citizens. The information is based on data leaked from 80 internal employee meetings and statements from 9 people working for TikTok.
TikTok is not just another video app.
That’s the sheep’s clothing.It harvests swaths of sensitive data that new reports show are being accessed in Beijing.
I’ve called on @Apple & @Google to remove TikTok from their app stores for its pattern of surreptitious data practices. pic.twitter.com/Le01fBpNjn
— Brendan Carr (@BrendanCarrFCC) June 28, 2022
Following the scandal, the commissioner of the US Federal Communications Commission issued a letter calling for Apple and Google to remove TikTok from their app stores. In this article you will read about TikTok’s past involvement in users’ privacy infringement, its future and what data SentiOne retrieves from the social media platform (and how we handle it).
Chinese TikTok employees have access to US citizens’ data
80 meetings, 14 statements, 9 employees: screenshots, tapes and one simple conclusion — the employees at TikTok’s Chinese branch have access to private user data from the US. That’s despite the assurances made by the company’s representatives that there is a special data security team at TikTok, which ensures that the data that should remain on the local market remains there.
In a way, TikTok isn’t lying — most of the leaks come from employees working on Project Texas. The aim of the project is to ensure that data of users from the United States is stored on Oracle servers in Texas, which is the subject of discussions between TikTok, Oracle and the Committee on Foreign Investment in the United States. Which data is exactly supposed to be stored is still being refined. Internal recordings also show that Oracle will only provide servers, while data management is to happen via TikTok’s software overlay.
This is not the first time TikTok has been the target of public criticism. Doubts about the scope of data gathered by the application have hounded the company since it appeared on the international market in 2017.
We wrote about a TikTok data collection scandal exactly two years ago. In June 2020, reddit users, using reverse engineering, discovered exactly what data TikTok collects. As it turns out, it’s everything it can: contacts on our phones, list of other downloaded apps, model of the phone we use and data of the network through which we connect to the Internet.
Do. Not. Use. TikTok.
"@tiktok_us can circumvent security protections on @Apple and @Google app stores and uses device tracking that gives TikTok’s Beijing-based parent company ByteDance full access to user data." https://t.co/bQ4oHBGTk6
— Klon Kitchen (@klonkitchen) February 15, 2022
Politicians speaking about TikTok often imply ties with the Chinese government. For example, in the aforementioned tweet Carr seems to be intentionally using the phrase “are being accessed in Beijing”. Any direct link between the company and the government, however, is impossible to prove. Nevertheless, the risk of data leakage is real, because TikTok collects more information than just the information that Project Texas aims to keep secret.
If the Chinese government wanted to buy this information, it would not have much of a problem doing so. Experts, however, suggest that there are other sources from which the purchase of the data could turn out to be cheaper and simpler.
Personal data protection: TikTok doesn’t budge
Today, a TikTok exec said it was “simply false” for me to say that they collect faceprints, browsing history, & keystroke patterns.
Except, I was quoting directly from TikTok’s own disclosures ⬇️
TikTok’s concerning pattern of misrepresentations about U.S. user data continues. https://t.co/mflMAC2yzZ pic.twitter.com/sJMqj4hwrg
— Brendan Carr (@BrendanCarrFCC) July 3, 2022
Carr’s tweet speaks for itself. TikTok’s official policy of personal data processing is… transparent, yet disturbing.
TikTok released an official statement regarding the management of personal data in the United States. It’s nothing new — thus far, TikTok has been storing data of people from the States on servers in Virginia and a backup server in Singapore. According to the statement, all server traffic in the United States is currently directed to Oracle servers. Backup servers in Singapore are still operational, but ultimately the Oracle cloud is to be the only place where US user data is stored.
On June 27, nine republican senators wrote a letter to TikTok CEO Shou Zi Chew, demanding explanations on a number of issues, including whether the data of US citizens go to ByteDance employees in China, whether the data of US citizens was transferred to the government of the People’s Republic of China, whether the government of the PRC has shares in ByteDance and whether it is has the power to appoint any board members.
Chew responded to the senators’ questions in a letter dated June 30. TikTok’s CEO denies that the information in the BuzzFeed article is factually true, although indeed some TikTok employees in China have access to data of US citizens, albeit only after passing a rigorous security procedure. Chew also assures that the data used to train TikTok’s algorithms for the US are to come from the US only.
Meanwhile, in the EU — stronger restrictions on TikTok
#tech BIG report today by @ICCLtweet calling on the Irish Data Protection Commission —@Apple @fbnewsroom @Google @Microsoft @tiktok_us have European headquarters in Ireland– to stop failing its duty to enforce #GDPR. @johnnyryan lays it out nicely here🧵👇🏾 https://t.co/hekGnakNKy
— Karina Montoya (@pressgirlk) September 13, 2021
After the Netherlands imposed penalties on TikTok last year for violating the privacy rights of minors and the ongoing struggle between the EU and Ireland to comply with the latter to GDPR, TikTok finally introduced new regulations to protect minors.
An agreement was reached after several independent investigations launched by, among others, the EU, Ireland and the Netherlands. The result is a new set of regulations concerning the protection of personal data of minors. Ads are to be easier to identify, in-app purchases are cancellable for 14 days, and paid services are better described and available in the currency of the app’s country of use.
BEUC, the body that lodged the complaint with the EU, is of the opinion that the new regulations are a step in the right direction, but don’t go far enough. The entities interested in the protection of minors’ data remain skeptical about the effectiveness of the adopted solutions. It does not help that it is Ireland that TikTok cooperates most closely with when it comes to implementing EU guidelines on the protection of personal data, and Ireland itself seems to block the full implementation of the GDPR in the EU.
Does SentiOne have access to sensitive data from TikTok?
Absolutely not. We are a company based in the European Union. We comply with the GDPR and our access to platform APIs is contingent on compliance with their procedures, as well as relevant EU laws.
In addition, in accordance with the agreements under which we collect data, social media platforms are not allowed to provide us with sensitive personal data of their users. The information we receive is highly sanitized to safeguard user privacy.
TikTok provides us with the following information:
- user-owned ad content
- comments under ads
- public posts
- publicly available comments from profiles.
SentiOne does not obtain or process any sensitive data of users of the platforms it monitors.
Potential TikTok ban in the States — what if?
This is not the first time that TikTok is under threat in terms of its position in the US. The Trump administration previously threatened the platform, but ultimately the resolution never came into force and was eventually refuted by the Biden government. However, the scenario in which TikTok is blocked in the Apple and Google app stores in the US cannot be completely ruled out. So the question remains: what then?
TikTok is currently the third largest social media platform in the world. Cutting it off from one of its largest markets would have tremendous consequences. Companies and influencers who make a living creating TikToks would be forced to look into other ways to reach the audience. The migration would most likely take place towards Instagram Reels and YouTube Shorts, which are currently competing with the TikTok format (although it is possible that alternative platforms would also arise).
Some existing users would likely continue to use TikTok by downloading it from sources other than app stores. For Android users this is not a problem. In the case of iOS users, however, it is impossible without violating the warranty license of your device. In the most extreme scenario, TikTok could be forced to relocate its servers outside the United States, which would probably kill the platform in that market.
In turn, for companies that advertise their products on the US market with TikTok, it would mean departing from this market or trying to stimulate engagement in other ways. Without TikTok, on one hand, opportunities to diversify the social media market could arise. On the other there is always the looming threat of hegemony of Meta and Google.
Time will tell what decisions the administration of President Biden will make and how the investigations into violations of the privacy of minors will end for TikTok.
