TikTok and National Security: The Need for a Comprehensive U.S. Privacy Law

Last week, President Donald Trump threatened to ban the popular social media platform TikTok, whose corporate owner is a Chinese company with alleged ties to the Chinese Communist Party. Trump’s stated grounds for seeking to ban the popular application were that the app threatens U.S. national security. But exactly how?

I must confess I’m not a regular user of TikTok, but my adult children are. TikTok, which has several billion subscribers, allows users to create and share short videos—people impersonating president Trump, dog and cat videos, etc.—ranging from the benign to the puerile. So how is it that the application threatens national security?

The short answer is data—or more significantly, data privacy. Or, even more significantly, the unenforceability of data privacy policies.

TikTok, like almost every other social media and internet application, collects data on massive numbers of subscribers. It “knows” who they are, what they like, what they dislike, what they post and what they view. It also knows where they are when they are using the app (and often when they are not), what their IP address is, what kind of browser or phone they are using and a host of other details. Its customers are its product.

Like every other social media platform, TikTok has a privacy policy that purports to set out what data the company may collect, with whom it may share the data and how it can use the data. Nothing in the TikTok privacy policy says it can share, give or analyze subscribers’ data for the benefit of the Chinese Communist Party. It doesn’t say, “We may give any and all of your information to our Chinese Army overlords, who may use this to target you and your family as an American imperialist pig-dog …” It doesn’t say, “By using TikTok you agree that the Chinese Communist Party can know your sexual orientation and may use this and other knowledge to blackmail you should you ever pose a threat to the great leader …” But then again, nothing in the privacy policy says that TikTok can’t. At least not explicitly.

As a result, a number of privacy class action lawsuits alleging that TikTok violates the federal Children’s Online Privacy Protection Act (COPPA) have been recently consolidated into one single class action suit in the Northern District of California. The lawsuits allege that TikTok sends users’ data (including those of minors) to China. TikTok says that its servers are in the U.S., but also notes that the company can transfer data to Beijing, if it so chooses, without breaking any laws. As TikTok’s responsive pleading in the class action case noted, “[t]he App’s privacy policy also fully discloses that user data will be shared with TikTok’s corporate affiliates and third-party business partners and service providers, as is standard with free social networking apps that have a business model based on advertising.”

In fact, TikTok’s privacy policy is similar to those of Facebook, Twitter, WeChat and other social media outlets or short content providers. It provides general platitudes about only sharing data with “business partners” and only to “help provide services and enhancements …” and to “customize content” and “to infer information about you …” Like other providers, TikTok says, “We may disclose your information to respond to subpoenas, court orders, legal process, law enforcement requests, legal claims, or government inquiries, and to protect and defend the rights, interests, safety, and security of TikTok Inc., the Platform, our affiliates, users, or the public. We may also share your information to enforce any terms applicable to the Platform, to exercise or defend any legal claims, and comply with any applicable law.”

Again, on the surface, it’s pretty anodyne stuff. So why the “national security” tag? I mean, does information about dogs in pajamas really threaten to bring down the world’s longest-lasting democracy?

Knowledge Is Power

The short answer has little to do with the fact that TikTok’s parent company is Chinese-owned and more to do with the power of information—particularly personal information. Information about people’s likes and dislikes, members of their family, facial recognition, travel, location, politics, finances, sexual orientation, friends, education, employment, search history and intimate connections are the kinds of things that used to take spies months or years to collect and cultivate. Now it’s a few mouse clicks away. It is rife with potential for misuse and abuse. In fact, it’s often impossible to tell the difference between “appropriate” and “inappropriate” use of such data. Let’s face it, you are being surveilled—maybe by Facebook, maybe by Procter & Gamble, maybe by the Coca-Cola Co., maybe by the Chinese Communist Party. And you are making it very easy to be surveilled. You post on Facebook, you share on LinkedIn and you tweet. And, if you are below a certain age, you use TikTok.

What distinguishes TikTok, at least in the opinion of the U.S. government, is not the information the company collects, stores, processes or shares. It’s not the aggregation, analysis and “slicing and dicing” of that information. It’s not the intimate profiling and use of the analyzed data or even the sharing of that data. And, it’s not that there is not something called a “privacy policy” that governs the collection and use of that data.

It’s that because TikTok’s parent corporation is Chinese, we don’t believe the company will adhere to its privacy policy, and, if it doesn’t, we have no effective remedy. Therefore, we have to assume (well, we say we have to assume) that everything collected and shared by TikTok is simultaneously shared with the Chinese Ministry of State Security (MSS). Just as Europeans may assume that everything collected or stored by U.S. companies or cloud providers is simultaneously shared with the NSA. It doesn’t matter whether it is true or not; it is perceived to be true, and that makes it a national security concern. Same for Huawei and ZTE—the U.S. government assumes that these entities are agents of the Chinese Communist Party acting on behalf of their government overlords. In fact, it was the perception that the NSA can compel U.S. companies to produce data—particularly mass data about non-U.S. persons—that led an EU court in July to rule that the U.S./EU commercial data-sharing agreement known as Privacy Shield was unenforceable.

Using data as a weapon is nothing new. Scraping and analyzing data can help intelligence agencies profile and target people for recruitment or intimidation. LinkedIn and Indeed can be used to gather information about people with high-level security clearances. Facebook and Twitter and other social media can be the source for massive facial recognition programs such as Clearview AI. Under current U.S. law, most of this data is entitled to little if any legal protection, provided that the anodyne and amorphous privacy policies can be said to provide some modicum of notice to the data subjects that their data is being collected and that it might be used. It is that issue that needs to be addressed: a firm and unshakable commitment to protect the privacy of social media information. With openness and completeness.

Frankly, reading TikTok’s privacy policy, I have NO CLUE whatsoever what it does with subscribers’ information, with whom it shares that information and for what purpose, and I read privacy policies for a living. The best I can say is the company collects a lot of data and shares it with anyone that helps with TikTok’s business model. And at least that part is true whether it is owned by ByteDance or Microsoft.


Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
