TikTok Bans Miss the Point, But Are Still Great News for Privacy

Posted on Mar 9, 2023 by Glyn Moody

Privacy concerns about the social media platform TikTok, owned by the Chinese company ByteDance, are not new. We’ve been reporting on them on the PIA blog for several years. More recently, though, the worries seem to have increased, and the calls for TikTok to be banned have grown louder and more widespread. That’s bad news for TikTok, but could be great news for privacy in general.

Although not without its irony, it is certainly fitting that one of the most privacy-invasive apps is the final straw that leads to the wider public becoming aware of the fight for individual privacy. Under these circumstances, we should also take a careful look at Google and Meta (previously Facebook), both of which are just as problematic from the perspective of privacy.

How TikTok Is Shining a Spotlight on Privacy

The company’s case was not helped by a specific incident last year that made headlines. In October, Forbes published a story alleging that TikTok’s parent company, ByteDance, planned to use its TikTok app to monitor the personal location of specific US citizens. At the time, TikTok did not deny the surveillance capability, but claimed on Twitter that “TikTok has never been used to ‘target’ any members of the U.S. government, activists, public figures or journalists, nor do we serve them a different content experience than other users.”

Two months later, Forbes reported that this was precisely what some TikTok employees had done:

An internal investigation by ByteDance, the parent company of video-sharing platform TikTok, found that employees tracked multiple journalists covering the company, improperly gaining access to their IP addresses and user data in an attempt to identify whether they had been in the same locales as ByteDance employees.

TikTok said of the surveillance: “The misconduct of certain individuals, who are no longer employed at ByteDance, was an egregious misuse of their authority to obtain access to user data.” Their reply did not engage with the central problem, which was never who had carried out the surveillance, but that it was possible at all, and had happened without managers being aware of it.

Under these circumstances, it’s no wonder that countries around the world have started implementing various kinds of TikTok bans. For example, in December 2022 the New York Times reported:

In the past several weeks, at least 14 [US] states have banned TikTok on government-issued devices. In Congress, lawmakers are expected to vote this week on a sweeping spending bill that includes a ban of TikTok on all federal government devices. A separate bipartisan bill, which was introduced in Congress last week, would ban the app for everyone in the United States. In addition, Indiana’s attorney general has sued TikTok, accusing the company of being deceptive about the security and privacy risks the app poses.

TikTok Bans Become a Global Phenomenon

More recently, the anti-TikTok rhetoric has been taken up a notch. The Republican chair of a US congressional committee, Michael McCaul, described TikTok as a “spy balloon in your phone.” He was alluding to the recent incident of the suspected Chinese spy balloon that was shot down over the US, and which has soured relations between the two countries.

TikTok could be one of the main victims of this recent political chill, as the US House Foreign Affairs Committee has voted to advance a bill that would allow President Biden to ban TikTok completely in the US, where it is used by over 100 million people. If this ever happens, it would certainly be the icing on the irony cake, as one of the first decisions President Biden made was to undo President Trump’s ban on TikTok.

TikTok Has Even More Issues with the EU

The US is not alone in locking TikTok out of government devices. Canada has also issued a ban, as have the European Commission and the European Parliament. TikTok faces even more problems in the EU thanks to the region’s tough GDPR privacy laws.

In September 2021, the Irish Data Protection Commission (DPC) opened two inquiries into the Chinese-owned company. For one, concerning TikTok’s processing of children’s personal data, the DPC has submitted a draft decision to the other EU data protection authorities. The other, regarding TikTok’s transfers of personal data to China and its compliance with the GDPR in terms of personal data transfers to third countries, is still ongoing.

To address the concerns about the transfer of EU citizens’ personal data outside the EU, TikTok is opening a second data center in Ireland. Its aim is to “reduce employee access to European user data; minimizing data flows outside of Europe; and storing European user data locally,” according to a report on the Silicon Republic site. It will also use a third site in Norway for storing the data of European users. A similar localization approach is being discussed with the US government, in the hopes of staving off a complete ban there.

Are TikTok Bans Effective?

In any case, even a total ban would not stop the flow of personal information to TikTok. Gizmodo found that over 28,000 apps use TikTok’s software development kits to integrate their services with TikTok’s systems.

Apps that integrate TikTok in this way also send user data to ByteDance, in the same way that huge numbers of apps routinely send users’ personal information to Google and Facebook. This underlines the fact that the real problem here is not TikTok, but the entire surveillance advertising business model underlying social media, something that we’ve warned about many times.

As Evan Greer, director of Fight for the Future, explained during the launch of the #DontBanTikTok campaign:

TikTok uses the exact same surveillance capitalist business model of services like YouTube and Instagram. Yes, it’s concerning that the Chinese government could abuse data that TikTok collects. But even if TikTok were banned, they could access much of the same data simply by purchasing it from data brokers, because there are almost no laws in place to prevent that kind of abuse.

As Greer rightly notes, we don’t need hollow bans on particular services, but strong privacy laws that tackle the abuse of personal data by social media as a whole. For all its faults, the GDPR does this to a degree in the EU, but the US still lacks a broad federal data protection law that would rein in the massive and continuing abuse of privacy by all the social media giants, not just the ones who happen to be owned by Chinese companies.

Although the current political grandstanding over TikTok bans misses the point, it does have the benefit that more people are talking about privacy and its protection than ever before.