Will TikTok Make Good on Privacy Promises?

TikTok has a problem. Researchers continue to turn up oddities with respect to the storage of user data and information. The timing, of course, is precarious for TikTok, as the company is under review by the Committee on Foreign Investment in the United States (CFIUS) and members of Congress are calling for the TikTok app to be banned in the United States. Thus, TikTok finds itself under scrutiny by both the executive and legislative branches of the U.S. government; not an enviable position for any company.

Robert Weissman, president of Public Citizen, an advocacy group, told Forbes, “Unauthorized location monitoring is one of the most invasive and insidious data practices imaginable. From this information, it can be determined where we live, where we work, where we pray, what type of healthcare we seek, and much more.” Weissman is not wrong.

Should user data find its way to China, then all bets are off with regard to its use, especially with respect to silencing dissent within the Chinese diaspora in the United States. China’s efforts to silence opposition abroad are not a matter of speculation; they are an ongoing and active effort, as evidenced by the recent, successful Department of Justice efforts to neutralize the Chinese activities associated with China’s Operation Fox Hunt and by the unsealing in May 2022 of an indictment against a U.S. citizen and four Chinese Ministry of State Security officers who targeted a U.S. citizen of Chinese descent for the purpose of silencing that citizen.

In September 2022, the White House issued its First-Ever Presidential Directive Defining Additional National Security Factors for CFIUS to Consider in Evaluating Transactions. The order is unambiguous and notes that some countries use “foreign investment to obtain access to sensitive data and technologies for purposes that are detrimental to U.S. national security.” Not a news flash by any means to those who follow the all-source intelligence collection operations emanating from China, but certainly an arrow in the quiver of those who are tasked with protecting the United States’ citizens and infrastructure.

With that as the backdrop, the June 27, 2022 letter by the CEO of TikTok Shou Zi Chew to members of the Senate takes on more importance and puts into perspective the CEO’s recent comments detailed by The Verge, where Chew tap dances through the privacy quagmire. The Verge characterized his answers as “straight from the 2010s Mark Zuckerberg/Jack Dorsey ‘social networking is good for the world’ playbook.”

Chew highlighted Project Texas in his letters to the senators and in his public statements; the project is TikTok’s solution for handling U.S. users’ data. The company has consistently pledged to store those users’ data in an Oracle cloud environment located geographically within the United States and Singapore. Access would be restricted; i.e., TikTok is building a ‘wall’ within its corporate environment to restrict access to an undefined pool of data about U.S. persons/residents. The letter states that such protocols will be created in conjunction with the U.S. government, while his public comments refer to U.S. residents only. It is a start, though it is worth noting that a U.S. person may be a foreign national who is a permanent resident alien within the United States.

Separately, in late October 2022, Bytedance, TikTok’s parent organization, began paying eligible users under the settlement agreement ($92 million) to address the class action suit regarding TikTok’s efforts in collecting data from minors. Within the settlement, TikTok admits no guilt; however, the company agreed to the following injunctive relief:

“TikTok will not do the following unless disclosed expressly in its Privacy Policy and in compliance with all applicable laws (such as where applicable law requires express written consent):

  • Use the app to collect or store a user’s biometric information or identifiers (as defined by applicable law);
  • Use the app to collect geolocation or GPS data;
  • Use the app to collect information in user’s clipboards;
  • Use the app to transmit U.S. user data outside of the U.S.;
  • Store U.S. user data in databases outside of the U.S.; or
  • Pre-upload U.S. user-generated content.
  • TikTok will delete all pre-uploaded user-generated content collected from users who did not “save” or “post” the content.
  • TikTok will require newly designed training on compliance with data privacy laws and company procedures for all relevant incoming employees and contractors and annual training thereafter.
  • TikTok will provide a written verification under oath of compliance with the foregoing within 90 days of the effective date.

Are TikTok’s days numbered in the United States? Probably not. Will they remain in the privacy and national security limelight? Absolutely. The treasure trove of data created by users in the United States and elsewhere is a bonanza for any national intelligence or security service that is able to mine, catalog and chart users from youths to adults.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA, which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit Senior Online Safety.
