As social media platforms originating in non-Western countries like China become more popular worldwide, states face associated risks of users’ data landing in the wrong hands. Some countries are considering banning these platforms to avoid unwanted entanglements, but in the long term such solutions would breach principles of openness and impede online digital rights while not necessarily protecting user data.
The government of India recently decided to ban 59 Chinese apps determined to be “engaged in activities prejudicial to [the] sovereignty and integrity of India”, including the social video sharing app TikTok, one of the fastest-growing social media platforms in the world. The ban followed rising tensions between China and India on their Himalayan border and was partially justified by cybersecurity concerns. The US has also expressed its intention to ban TikTok and Australia has started a security investigation into the social media platform. While concerns have been voiced in Europe over TikTok’s growing presence on the European market, the EU has relied on appropriate data protection regulation and its enforcement to ensure users’ security. While bans of the app in the US, Australia or other Western countries may ultimately be unlikely due to civil rights concerns, TikTok has become a clear symbol of the increasing role of geopolitics in security assessments of social media platforms.
Data Insecurity as a Feature
Since its establishment in 2012, TikTok has faced scrutiny from other governments and private actors. In 2019, several countries accused the company of violating child privacy by collecting user information from children under the age of 13. Most recently, security researchers found that TikTok had access to Apple’s universal clipboard, which syncs clipboard information across several Apple devices. Multiple other apps also appeared to have accessed this clipboard (LinkedIn was even sued over its practice) but TikTok was notable for being caught even after promising to stop using it. Reverse engineering suggests the app is also collecting information from a variety apps without obtaining explicit user permission. TikTok’s casual approach to user data, opaque recommendation algorithm and dismissive attitude towards censorship concerns regarding politically charged posts have all caused concern. On top of that, there is uncertainty about whether the Chinese government may be able to access the collected data.
To be clear, such practices are not unique to TikTok: they have become the new normal for social media platforms. Western social media apps have not been paragons of good behaviour either, from Facebook’s multiple data collection scandals and related abuse by malicious actors to the documented linkages between YouTube’s algorithms and radicalisation. A mentality of “move fast and break things” has systematically put user rights and security secondary to profit and expansion. With TikTok, the danger lies not just lie in potential exploitation of users for profit, but also in geopolitical threats.
Cybersecurity or National Security?
The fact that TikTok originates from China poses a significant problem for policymakers. While ByteDance, the company that owns TikTok, claims to be independent, it has on multiple occasions signalled its close relationship to the Chinese state. ByteDance’s CEO acknowledged that their technology should be led by the “socialist core values system” and the company has hosted CCP party-building exercises in its headquarters.
TikTok’s lobby machinery is working hard to convince governments around the world that the company has not and would not share data of non-Chinese users with the Chinese government. There is, however, no guarantee that the CCP will not at some point force ByteDance to hand over data, even if Bytedance claims not to store any data on servers outside of China or to tweak TikTok’s algorithms to amplify messages favourable to China and silence its critics.
The risks associated with TikTok have more to do with national security concerns than with cybersecurity or data protection concerns. As diplomatic relations between China and the rest of the world are under stress, it is understandable that policymakers prefer to exercise caution and avoid any entanglement with China that involves personal data of users. There are clear parallels to the debate over Huawei, during which the lack of trust in the Chinese company prompted some countries to remove Huawei from its networks. But while banning the Chinese social media companies might seem like the safest choice at this moment, such decisions may have dire consequences for digital rights and the free and open Internet in the long term.
Protecting User Rights
While states likely have the best of intentions and are only attempting to protect their citizens, at the end of the day, the victims of this geopolitical strife are the users. TikTok has fostered experimentation thanks to its novel tools for video creation; it has closed cultural gaps, blasting rural users in India into stardom; and it has allowed a mostly young userbase to bond in social distancing times. Actively banning apps because they do not seem trustworthy sets a dangerous precedent for online rights, specifically the right to freedom of expression and the right to freedom of assembly. TikTok may be known for its silly dance videos and lip-syncing, but it has also become a platform for activism for teenagers, who used the app to highlight political and social justice issues during the Black Lives Matter protests. Doctors have even used the app to connect with users and battle disinformation during the COVID-19 pandemic. If there isn’t an actual security case to be made against it, banning an online platform is likely to do more harm than good to user security.
Free, Open but Rules-Based
The concerns over TikTok and other Chinese apps leaking into non-Chinese markets are legitimate. And of course, principles of openness should not paralyse states, resulting in inaction. It would be irresponsible to allow any company to potentially harvest user data and share it with a government. It is, however, unnecessary to speak in absolutes. The choice is not between banning and doing nothing; apps like TikTok provide an opportunity for states to draw up rules of engagement for social media platforms and to increase protections for users. This opportunity should not go to waste, as this will not be the last time users flock to an app with practices that some governments find problematic.
To protect users while keeping the Internet open, countries should regulate social media companies’ processes and demand transparency on enforcement. In Europe, the General Data Protection Regulation (GDPR) already provides comprehensive tools to protect the data TikTok has on European citizens. The GDPR established rules on the processing and transfer of EU citizens’ personal data, including fines in case of non-compliance or violation. Denmark and the Netherlands have started looking into TikTok’s compliance with the GDPR over children’s privacy and the European Data Protection Board has set up a task force on TikTok to investigate its data processing across the EU and data transfer to third countries. The upcoming European Digital Service Act (DSA), an update of the e-commerce directive, should provide the EU with tools to more effectively regulate the online ecosystem and to ensure responsible behaviour from apps like TikTok on data protection as well as disinformation and hate speech. TikTok’s creation of a transparency centre on moderation and data practices and its accession to the EU code of practice on disinformation is a step in the right direction for the company.
If ByteDance fails to comply with or falls short of rules and transparency requirements, banning is a potential part of the European Union’s response. The red line, however, must be drawn based on the rule of law rather than geopolitical distrust. Paradoxically, the debate around TikTok’s global presence might finally create additional international pressure for more responsible behaviour from all social media platforms – regardless of their origins – and create a rights-respecting space for all users online.
About the Author
Nathalie van Raemdonck
Nathalie van Raemdonck is an Associate Analyst at the EU Institute for Security Studies working on the EU Cyber Direct project. Prior to joining EUISS, Nathalie worked for the Centre for Cybersecurity Belgium and the Cyber Emergency Response Team, focusing on improving national capacity. Follow her on twitter @eilah_tan