Why A US FCC Commissioner Is Asking Apple And Google To Ban TikTok Immediately
TikTok continues to be the subject of many discussions and news stories regarding not only privacy and personal data sovereignty, but also national security. Like so many popular social media and entertainment apps, TikTok collects lots of user data, including usage behavior, for advertising purposes. Detailed advertising profiles enable advertisers to target specific demographics, making user data a valuable resource. However, while collection of user data has become a common practice, TikTok has been particularly notable for going to great lengths to collect user data, skirting both Apple and Google privacy protections.
In 2020, an iOS update revealed that TikTok was frequently monitoring users’ keyboards, three months after ByteDance, the company behind TikTok, promised to remove the app’s keyboard snooping. Not even a month later, a Wall Street Journal report found that TikTok was violating Google Play Store policies by exploiting a security vulnerability to uniquely identify Android devices by way of MAC addresses. The app was able to leverage the vulnerability to hide this tracking activity, leaving users without a choice to opt out of this form of unique identification. Then, in 2021, TikTok released an updated privacy policy stating that it may collect faceprints and voiceprints for a wide variety of reasons, including demographic classification, content and ad recommendations, and “other non-personally-identifying operations.”
All of these incidents and more have been cause for concern among privacy advocates, particularly given how popular and fast-growing the video sharing platform is. TikTok hit 3 billion total downloads in Q2 2021 and its viewership is growing faster than YouTube. On top of these privacy concerns are national security concerns. ByteDance is headquartered in Beijing, China and has been accused of being beholden to the Chinese Communist Party (CCP), which could mean that the CCP has access to TikTok user data. TikTok has sought to distance US operations from China by storing US user data outside of China. However, the physical location of TikTok servers doesn’t necessarily mean that US user data isn’t accessible from China.
In 2020, an iOS update revealed that TikTok was frequently monitoring users’ keyboards, three months after ByteDance, the company behind TikTok, promised to remove the app’s keyboard snooping. Not even a month later, a Wall Street Journal report found that TikTok was violating Google Play Store policies by exploiting a security vulnerability to uniquely identify Android devices by way of MAC addresses. The app was able to leverage the vulnerability to hide this tracking activity, leaving users without a choice to opt out of this form of unique identification. Then, in 2021, TikTok released an updated privacy policy stating that it may collect faceprints and voiceprints for a wide variety of reasons, including demographic classification, content and ad recommendations, and “other non-personally-identifying operations.”
All of these incidents and more have been cause for concern among privacy advocates, particularly given how popular and fast-growing the video sharing platform is. TikTok hit 3 billion total downloads in Q2 2021 and its viewership is growing faster than YouTube. On top of these privacy concerns are national security concerns. ByteDance is headquartered in Beijing, China and has been accused of being beholden to the Chinese Communist Party (CCP), which could mean that the CCP has access to TikTok user data. TikTok has sought to distance US operations from China by storing US user data outside of China. However, the physical location of TikTok servers doesn’t necessarily mean that US user data isn’t accessible from China.
Last week, BuzzFeed News published a report based on leaked audio recording from 80 internal TikTok meetings detailing how TikTok’s isolation of US user data is not as complete as the company has led the public to believe. While Chinese nationals are not allowed to join TikTok’s United States Technical Services (USTS) team, the team still reports to ByteDance. As one data scientist put it in a meeting, “I get my instructions from the main office in Beijing.” The recordings also revealed that among TikTok’s internal tools are items that “nobody knows what they’re for.”
As part of negotiations with the US Committee on Foreign Investment in the United States (CFIUS), TikTok announced last Friday that all US user traffic is now being directed to Oracle Cloud Infrastructure. The company currently maintains its own backup servers in both the US and Singapore, but according to the announcement, TikTok plans to “delete US users' private data from [its] own data centers and fully pivot to Oracle cloud servers located in the US.” However, in one of the leaked audio recordings, TikTok’s head of global cyber and data defense stated that “It’s almost incorrect to call it Oracle Cloud, because they’re just giving us bare metal, and then we're building our VMs [virtual machines] on top of it.” This admission calls into question whether the new Oracle Cloud Infrastructure can properly be considered independent from TikTok in a way that isolates US user data.
Amidst these latest revelations, Brendan Carr, an FCC Commissioner, has released a letter on Twitter calling on Apple and Google to remove TikTok from their app stores. In the letter, Carr writes that “TikTok functions as a sophisticated surveillance tool that harvests extensive amounts of personal and sensitive data. Indeed, TikTok collects everything from search and browsing histories to keystroke patterns and biometric identifiers, including faceprints … and voice prints. It collects location data as well as draft messages and metadata, plus it has collected the text, images, and videos that are stored on a device’s clipboard. The list of personal and sensitive data it collects goes on from there.”
As part of negotiations with the US Committee on Foreign Investment in the United States (CFIUS), TikTok announced last Friday that all US user traffic is now being directed to Oracle Cloud Infrastructure. The company currently maintains its own backup servers in both the US and Singapore, but according to the announcement, TikTok plans to “delete US users' private data from [its] own data centers and fully pivot to Oracle cloud servers located in the US.” However, in one of the leaked audio recordings, TikTok’s head of global cyber and data defense stated that “It’s almost incorrect to call it Oracle Cloud, because they’re just giving us bare metal, and then we're building our VMs [virtual machines] on top of it.” This admission calls into question whether the new Oracle Cloud Infrastructure can properly be considered independent from TikTok in a way that isolates US user data.
Amidst these latest revelations, Brendan Carr, an FCC Commissioner, has released a letter on Twitter calling on Apple and Google to remove TikTok from their app stores. In the letter, Carr writes that “TikTok functions as a sophisticated surveillance tool that harvests extensive amounts of personal and sensitive data. Indeed, TikTok collects everything from search and browsing histories to keystroke patterns and biometric identifiers, including faceprints … and voice prints. It collects location data as well as draft messages and metadata, plus it has collected the text, images, and videos that are stored on a device’s clipboard. The list of personal and sensitive data it collects goes on from there.”
Carr argues that Apple and Google should remove TikTok from their app stores on grounds of violating App Store and Play Store policies, citing instances in which Apple and Google have removed other apps from their stores for harvesting excess user data, including a case in which an app was sending user data to a Chinese server. He also contends that TikTok’s transition to Oracle servers does not address the privacy and national security concerns. The FCC Commissioner closes his letter by asking that Apple and Google explain why TikTok’s collection and sharing of user data does not violate their app store policies, if they continue to allow to app to remain on their app stores.
