TikTok and National Security: The Need for a Comprehensive U.S. Privacy Law – Security Boulevard

Last week, President Donald Trump threatened to ban the popular social media platform TikTok, whose corporate owner is a Chinese company with alleged ties to the Chinese Communist Party. Trumps stated grounds for seeking to ban the popular application was that the app threatens U.S. national security. But exactly how?

I must confess Im not a regular user of TikTok, but my adult children are. TikTok, which has several billion subscribers, allows users to create and share short videospeople impersonating president Trump, dog and cat videos, etc.ranging from the benign to the puerile. So how is it that the application threatens national security?

The short answer is dataor more significantly, data privacy. Or, even more significantly, the unenforceability of data privacy policies.

Tik Tok, like almost every other social media and internet application, collects data on massive numbers of subscribers. It knows who they are, what they like, what they dislike, what they post and what they view. It also knows where they are when they are using the app (and often when they are not), what their IP address is, what kind of browser or phone they are using and a host of other details. Its customers are its product.

Like every other social media platform, TikTok has a privacy policy that purports to set out what data the company may collect, with whom it may share the data and how it can use the data. Nothing in the Tik Tok privacy policy says it can share, give or analyze subscribers data for the benefit of the Chinese Communist Party. It doesnt say, We may give any and all of your information to our Chinese Army overlords, who may use this to target you and your family as an American imperialist pig-dog It doesnt say, By using TikTok you agree that the Chinese Communist Party can know your sexual orientation and may use this and other knowledge to blackmail you should you ever pose a threat to the great leader But then again, nothing in the privacy policy says that TikTok cant. At least not explicitly.

As a result, a number of privacy class action lawsuits alleging that TikTok violates the federal Childrens Online Privacy Protection Act (COPPA) have been recently consolidated into one single class action suit in the Northern District of California. The lawsuits allege that TikTok sends users data (including those of minors) to China. TikTok says that its servers are in the U.S., but also notes that the company can transfer data to Beijing, if it so chooses, without breaking any laws. As TikToks responsive pleading in the class action case noted, [t]he Apps privacy policy also fully discloses that user data will be shared with TikToks corporate affiliates and third-party business partners and service providers, as is standard with free social networking apps that have a business model based on advertising.

In fact, TikToks privacy policy is similar to those of Facebook, Twitter, WeChat and other social media outlets or short content providers. It provides general platitudes about only sharing data with business partners and only to help provide services and enhancements and to customize content and to infer information about you Like other providers, TikTok says, We may disclose your information to respond to subpoenas, court orders, legal process, law enforcement requests, legal claims, or government inquiries, and to protect and defend the rights, interests, safety, and security of TikTok Inc., the Platform, our affiliates, users, or the public. We may also share your information to enforce any terms applicable to the Platform, to exercise or defend any legal claims, and comply with any applicable law.

Again, on the surface, its pretty anodyne stuff. So why the national security tag? I mean, does information about dogs in pajamas really threaten to bring down the worlds longest-lasting democracy?

The short answer has little to do with the fact that TikToks parent company is Chinese-owned and has more to do with the power of informationparticularly personal information. Information about peoples likes and dislikes, members of their family, facial recognition, travel, location, politics, finances, sexual orientation, friends, education, employment, search history and intimate connections are the kinds of things that used to take months or years for spies to collect and cultivate. Now its a few mouse clicks away. It is rife with potential for misuse and abuse. In fact, its often impossible to tell the difference between appropriate and inappropriate use of such data. Lets face it, you are being surveilledmaybe by Facebook, maybe by Proctor & Gamble, maybe by the Coca-Cola Co., maybe by the Chinese Communist Party. And you are making it very easy to be surveilled. You post on Facebook, you share on LinkedIn and you tweet. And, if you are below a certain age, you use TikTok.

What distinguishes TikTok, at least in the opinion of the U.S. government, is not the information the company collects, stores, processes or shares. Its not the aggregation, analysis and slicing and dicing of that information. Its not the intimate profiling and use of the analyzed data or even the sharing of that data. And, its not that there is not something called a privacy policy that governs the collection and use of that data.

Its that because TikToks parent corporation is Chinese, we dont believe the company will adhere to its privacy policy, and, if it doesnt, we have no effective remedy. Therefore, we have to assume (well, we say we have to assume) that everything collected and shared by TikTok is simultaneously shared with the Chinese Ministry of State Security (MSS). Just as Europeans may assume that everything collected or stored by U.S. companies or cloud providers is simultaneously shared with the NSA. It doesnt matter whether it is true or not; it is perceived to be true, and that makes it a national security concern. Same for Huawei and ZTEthe U.S. government assumes that these entities are agents of the Chinese Communist Party acting on behalf of their government overlords. In fact, it was a perception that the NSA can compel U.S. companies to produce dataparticularly mass data about non-US personsthat lead an EU court in July to rule that the U.S./EU commercial data-sharing agreement known as Privacy Shield was unenforceable.

Using data as a weapon is nothing new. Scraping and analyzing data can help intelligence agencies profile and target people for recruitment or intimidation. LinkedIn and Indeed can be used to gather information about people with high-level security clearances. Facebook and Twitter and other social media can be the source for massive facial recognition programs such as Clearview AI. Under current U.S. law, most of this data is entitled to little if any legal protection, provided that the anodyne and amorphous privacy policies can be said to provide some modicum of notice to the data subjects that their data is being collected and that it might be used. It is that issue that needs to be addressed: a firm and unshakable commitment to protect the privacy of social media information. With openness and completeness.

Frankly, reading TikToks privacy policy, I have NO CLUE whatsoever what it does with subscribers information, with whom it shares that information and for what purpose, and I read privacy policies for a living. The best I can say is the company collects a lot of data and shares it with anyone that helps with TikToks business model. And at least that part is true whether it is owned by ByteDance or Microsoft.