TikTok's data dilemma

How do you protect user privacy in a country with no privacy standards?

TikTok's data dilemma
“data transferring into china, digital art,” as imagined by OpenAI’s DALL-E

Today, let’s talk about a theme from the Trump years that has recently been revived for the Biden era: fears that TikTok could be weaponized to harm Americans, and pressure on Congress to respond accordingly.

There are, and have always been, plenty of reasons to be concerned about what the Chinese government might someday force ByteDance and TikTok to do. In recent weeks, though, those concerns have taken a back seat to somewhat more abstract concerns about how the company handles data. And a recent letter from lawmakers to the company illustrates the degree to which the United States still has yet to reach consensus on how any tech company should handle data, whether the company that owns it poses a national security risk or not.

Lawmakers’ renewed focus on TikTok began June 17, when BuzzFeed’s Emily Baker-White reported that Americans’ user data had been repeatedly accessed from China. In the wake of President Trump’s failed effort to wrest TikTok away from ByteDance and hand it to his campaign donors, TikTok has spent the past year working to move data related to American users to US-based data centers and separate the service more fully from its Chinese parent. (Baker-White detailed this effort, known internally as “Project Texas,” in a separate report in March.)

On Tuesday, US Sens. Mark Warner and Marco Rubio, who lead the Senate Intelligence Committee, pressed the Federal Trade Commission to investigate the data access issues at TikTok. In a letter to FTC Chair Lina Khan, the senators wrote:

According to a recent report from BuzzFeed News, TikTok’s engineering teams ultimately report to ByteDance leadership in the PRC.

According to this same report, TikTok’s Trust and Safety department was aware of these improper access practices and governance irregularities, which – according to internal recordings of TikTok deliberations – offered PRC-based employees unfettered access to user information, including birthdates, phone numbers, and device identification information. Recent updates to TikTok’s privacy policy, which indicate that TikTok may be collecting biometric data such as faceprints and voiceprints (i.e. individually-identifiable image and audio data, respectively), heighten the concern that data of U.S. users may be vulnerable to extrajudicial access by security services controlled by the [Chinese Communist Party].

Notably, the letter doesn’t suggest that ByteDance broke any American data laws — because we barely have any. And so instead, it suggests that company executives may have lied under oath during previous testimony, or violated a 2019 FTC consent decree related to children’s privacy. (Something we do have a law about.)

To the senators, the concern appears to be less that some Chinese employee might learn an American’s birthday than that China’s national security apparatus will begin combining that data with other information to target US users for surveillance or worse.

That leaves TikTok with two urgent tasks: one, to fully divorce American user data from its Chinese operations; and two, to convince lawmakers that it has actually done so. It’s unclear which of these tasks will prove more difficult — but for the moment, only the former is within TikTok’s control.

At a high level, Project Texas can appear to be a straightforward project. But drill down even a little, and the questions become staggeringly complex.

Massive social apps like TikTok comprise a large number of networked micro-services, each of which might transmit data around the world as part of their normal operations. Untangling the services after the fact has proven to be a herculean task for ByteDance: it is in the nature of data to flow from place to place, and mapping those flows, re-routing them, and securing them has not always gone smoothly.

Complicating matters is the lack of a national privacy law in the United States, which has left many basic questions about data security unresolved. Is the data “American” whenever an American citizen uses TikTok, or only when they’re in the country? When foreign tourists use the app while visiting, is that US data? If an American and European user are sending messages back and forth in the app, which country owns the conversation?

Maybe you read questions like that and think: I cannot possibly imagine a more boring subject of discussion. But these are the details you have to work out if you want to make data truly secure. And the fact that the details can be so mundane stands in contrast, I think, to the often hyperbolic ways in which data security is discussed. (Do you remember the panic over the Cambridge Analytica case?)

“TikTok is doing important work to put greater definition around where data is located and who has access to it — and we're holding ourselves to an incredibly high standard,” said Will Farrell, TikTok’s head of global cyber and data defense, in an interview Wednesday. (That’s Farrell with an ‘a,’ not Ferrell with an ‘e.’)