U.S. Digital Privacy Troubles Do Not Start or End with TikTok

As with many policies stemming from the previous administration, the aftermath of Trump’s August 2020 executive order to bar TikTok has been chaotic at best: after Biden nullified Executive Order 13942 in June 2021, the Department of Justice is now reportedly negotiating an agreement that would permit the video-sharing app to continue to operate in the United States under increased data security measures. But the matter is not settled. In the past few months alone, a handful of predominantly Republican senators, Federal Communications Commission (FCC) commissioner Brendan Carr, and other skeptics have escalated calls for the Biden administration to take a harder stance against TikTok—with some, such as Senator Marco Rubio (R-FL), echoing Trump’s desire for a “complete separation” of TikTok and its Chinese parent company ByteDance altogether.

What TikTok and its detractors cannot seem to agree upon is whether ByteDance’s country of origin—coupled with the app’s popularity among Gen Zers and detailed data collection practices—poses an inherent threat to U.S. national security in and of itself. On one side, TikTok’s opponents point out that several Chinese surveillance statutes allow its government broad discretion to access information that private companies process within its borders—which, they claim, the Communist Party of China (CCP) could potentially exploit to identify specific TikTok users, track or censor political dissidents, and target disinformation campaigns in the United States. On the other, TikTok continues to refute these claims, maintaining that it has not and never will disclose personal data to the CCP, and moreover, that it would work with Oracle and the U.S. government to store user information within U.S. data centers and limit employee access.

Adding to this back-and-forth is an element of the unknown: while there is no clear evidence to show that the Chinese government has yet attempted to obtain or weaponize data from U.S. TikTok users, many of TikTok’s stated internal data security practices have also not been verified by independent researchers. Still, the United States should base policy action upon the known facts—and there are at least four important reasons why a more comprehensive approach to U.S. data protection is necessary, one that should extend beyond just TikTok or China-based companies.

  1. On a fundamental level, TikTok is far from the only mobile app to engage in extensive data collection, storage, and transfers. Each month, Sensor Tower estimates that the average American uses over 46 mobile apps per device that span almost every facet of everyday life, including personal finance, messages, reproductive health, navigation, transportation, e-commerce, food delivery, social media, dating, interactive games, and more. Many of these mobile apps have built their business models around collecting and sharing granular levels of sensitive personal information—such as device identifiers, geolocation, phone contacts, calendar appointments, and biometric data—which can identify specific people, who they contact, where they are, and what they do on a daily basis.

  2. The U.S. economy has become increasingly globalized; numerous U.S. companies apart from TikTok transfer sensitive personal information across international borders, including with entities located within China. For example, PayPal shares customer names, addresses, transaction details, and device identifiers with two companies based in China (Cheetah Mobile and Money Swap Exchange Limited) in order to process payments and target advertisements. While PayPal has publicly identified its third-party service providers pursuant to Luxembourg banking law, the vast majority of U.S. digital platforms, services, and apps—which are generally not subject to such transparency regulations—tend not to publicly reveal which foreign individuals, private companies, or governments they might transfer user information to.

  3. Even if most smartphone apps possess fewer than TikTok’s approximately 140 million monthly active U.S. users, they can still pose a problem of scale—there is a burgeoning data brokerage industry that combines user information from multiple mobile apps and sells it to both domestic and foreign companies and governments. For example, the data broker Kochava, which the Federal Trade Commission (FTC) charged in August 2022 with unfairly selling geolocation history from “hundreds of millions” of mobile devices, displayed a privacy policy “for mobile Analytical Data” between November 2015 and October 2022 that stated: “personal information may be transferred to countries . . . [that] may not have the same data protection safeguards as the country where [mobile app developers or end-users] reside.” Other large U.S. data brokers such as Acxiom, Epsilon, and Oracle vaguely disclose that they sell information to government agencies, and LexisNexis states that it “may” store and process information in China. But the industry is generally unforthcoming about the specific identities or locations of their clients, so the full extent of data brokerage partnerships with foreign governments is currently unknown.

  4. Concerns over mass surveillance are not limited to foreign entities—it is important to acknowledge that U.S. government agencies, too, have accessed Americans’ smartphone data without adequate privacy or civil liberties safeguards. In recent years, government agencies such as the Federal Bureau of Investigation, Department of Homeland Security, U.S. Special Operations Command, Internal Revenue Service, and Defense Intelligence Agency have reportedly purchased massive amounts of U.S. mobile app geolocation information from data brokers—without warrants or proper oversight. Furthermore, U.S. private companies, such as Clearview AI, Palantir, and Giant Oak, have collectively scanned billions of social media posts—which could include TikTok content—for photos, videos, or keywords to help U.S. federal, state, and local law enforcement agencies conduct investigations, including for nonemergency issues such as visa overstays. Even outside those commercial transactions, U.S. government entities additionally submitted 1,580 legal requests to directly compel TikTok to hand over user information for investigations in 2021, approximately 80 percent of which were accommodated (in contrast, TikTok has claimed that the CCP has never asked for user information and that it would not accommodate any such requests).

In other words, the recent calls for a targeted ban or divestiture of TikTok would not dramatically improve user privacy overall when there are still many other channels by which government agencies can access information. For example, although several U.S. military branches instructed personnel to remove TikTok from their personal smartphones in late 2019 and early 2020, such an action would not prevent dozens of other apps from tracking service members’ locations—as occurred in 2016, when analytics firm PlanetRisk learned it could track the movements of U.S. military operations in Syria using aggregated data from multiple smartphone apps. Some legislators have proposed simply prohibiting data brokers from selling certain types of information to select foreign entities, such as China, as with the Protecting Military Service Members’ Data Act and the Protecting Americans’ Data from Foreign Surveillance Act. But a safer, more thorough approach would be to impose legal boundaries on how all businesses operating in the United States amass, store, and share user information in the first place; as long as digital platforms are permitted to accumulate unnecessary, sensitive personal data, it is possible for foreign adversaries to access it.

Over the past few years, numerous legislative proposals have emerged that, if enacted, could establish data minimization as a universal standard in the United States. As a few examples, the American Data Privacy and Protection Act (ADPPA), SAFE DATA Act, and Consumer Online Privacy Rights Act all put forward ways to govern how private entities treat U.S. personal information and empower individuals to control and delete it. In addition to reducing the scope of data that all businesses that operate in the United States process from users, it is also possible to impose special transparency provisions on the opaque data brokerage industry; for example, the ADPPA framework proposes to (a) require all third parties to register with the FTC, (b) enable individuals to request the names of third parties that have access to their personal information, and (c) explicitly mandate that corporate privacy policies disclose whether China, Russia, Iran, or North Korea can access user information. Going further, it is becoming increasingly urgent to consider new rules on how private companies, and especially data brokers, may voluntarily disclose personal information not only to foreign entities, but domestic government agencies as well.

Short of bipartisan agreement on privacy legislation in Congress, another possible path to curb commercial surveillance practices arises from the FTC’s Section 18 rulemaking power. In August, the FTC issued an Advance Notice of Proposed Rulemaking (ANPR) to explore data collection and security measures in the private sector. In doing so, several commissioners stated that they aimed to explore clearer limitations or bans to prevent data abuses within specified contexts or types of uses, ways to approach business models that are inherently built around surveillance, and commercial processing of biometric information—all topics that could directly affect smartphone apps similar to TikTok. If Congress passes a comprehensive federal privacy bill, several commissioners have stated that the agency could reconsider whether to continue rulemaking at that point—but either way, recent developments such as the ANPR and ADPPA are both constructively reframing the public stakeholder discussion away from TikTok and toward wider-reaching rules that could improve digital privacy protections for all businesses and individuals.

On a final note, a forced divestiture or ban on a single company primarily based on its country of origin could raise serious antitrust and free expression concerns—especially given the fact that TikTok is becoming one of Meta and YouTube’s few major competitors in a concentrated social media market, and could increase their economic incentives to compete. Given the general absence of digital privacy standards in the United States, TikTok is neither the only nor the greatest threat to U.S. national security—but it has rapidly become a recurring theme that sends a strong message about the current state of U.S.-China relations nonetheless.

Caitlin Chin is a fellow with the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2022 by the Center for Strategic and International Studies. All rights reserved.