TikTok and Oracle: Public Accountability via Private Auditor


TikTok has been widely criticized for its handling of U.S.-based user data. The criticism is not without merit, as evidenced by numerous data security scandals and investigations. To quell concerns from Congress and beyond, TikTok has agreed to a unique data storage partnership with Oracle to limit access to U.S. user data by Chinese authorities. (Prior to this, the video platform stored U.S.-based user data in data centers in both the U.S. and Singapore.)

This case represents an attempt by a state actor to regulate a social media platform. Furthermore, it is an example of how a sovereign state can employ the services of a private third party in its effort to hold a platform publicly accountable without banning it.


TikTok was previously known as Musical.ly, but changed its name after its acquisition by ByteDance. It has been the subject of skepticism within the American political sphere for the last three years. In early 2020, it officially became the world’s most downloaded application. Not long after that, in July 2020, the Trump administration began to describe the social media app as a national security threat.

Following this, and after trying to ban the app in the U.S. entirely, the Trump administration approved a deal that would have seen 20% of TikTok sold to Oracle and Walmart. The deal was put on hold by the Biden administration in 2021. TikTok, unlike its contemporaries, did not send executives to testify before Congress until later that year, in October 2021. Since then, TikTok has faced a growing chorus of political pressure centered around the concern that the data of U.S.-based users may be vulnerable to ByteDance employees in China.

U.S. policy responses have included the recently enacted No TikTok on Government Devices Act, which forbids federal employees from accessing TikTok—and, interestingly, “any successor application from the developer”—on their government-issued devices. Some states have already enacted similar bans, with the proposition of a nationwide ban on the horizon. All of this is taking place as countries all over the world rethink their respective relationships with online platforms.

The Case

The central issue with TikTok’s U.S. data privacy practices can broadly be broken down into two aspects: the app’s massive cache of U.S.-based user data and its ownership by ByteDance.

As of 2023, TikTok boasts 1.53 billion users and more monthly active users than Twitter and Snapchat. In the United States alone, the app reportedly has 80 million monthly users. In 2021, the Chinese government took a 1% stake in a ByteDance entity. Crucially, this deal included a powerful board seat in the entity—Beijing ByteDance Technology—being given to the government.

The data security and privacy concerns around TikTok can be traced back to 2019. That year, the Federal Trade Commission found that the app had illegally collected personal information from children, resulting in the FTC’s largest fine at that point. A year later, it was under investigation once again for potentially failing to live up to its 2019 agreement with the FTC.

In June 2022, an investigation by Emily Baker-White found that the data of U.S.-based users was accessed numerous times from China. Even more recently, TikTok’s own internal investigation concluded that the data of journalists, as well as other U.S.-based users, was improperly obtained.

The Response

TikTok announced a partnership that would see the data of all of its U.S.-based users stored in the Oracle Cloud Infrastructure by default. This announcement came on June 18th, 2022—the same day that Baker-White’s investigation was published.

This partnership includes the development of processes to have TikTok’s powerful algorithm audited by Oracle. At the time of writing, TikTok’s Singapore data center still serves as its backup against the potential loss of U.S. data, but the platform plans to delete the data stored in this center eventually. 

This arrangement is part of a draft agreement between the Committee on Foreign Investment in the United States and TikTok. It includes the creation of the U.S. Data Security Division within the company. It is also just one part of a broader appeal from TikTok to U.S. lawmakers. At the time of writing, these negotiations seem to have slowed to a crawl, despite the proposed solution to data vulnerability. However, TikTok remains active on this front.


While governments continue to tackle platform regulation, this case shows one approach to the specific problem of data security. In contrast to regulations such as the GDPR or DSA (which cover a broad spectrum of companies), TikTok’s deal with Oracle acts as a potential regulatory framework that is specific to one company’s operations in one country. This case also shows how geopolitical dynamics can further complicate thorny issues of data security and platform regulation.

Company considerations:

  • How might a similar approach work in other global contexts? Would global knowledge-sharing partnerships be possible in this instance? 
  • How might this sort of partnership work so that a third party doesn’t have undue access to user data? 
  • What other steps can platform providers take to pre-empt overregulation?
  • How might companies be transparent about their proprietary algorithms? Should more transparency reports include sections about algorithm performance?
  • To what extent do geopolitics affect a company’s approach to regulation?

Issue considerations:

  • How might the algorithms, data security, and/or content policies of platforms be audited? Is there an answer in the private sector?
  • Can partnering with industry to audit platform practices eliminate some of the implementation work of platform regulation? 
  • How might companies proactively assist governments with the process of auditing in a way that is both transparent and sustainable?

Written by Mohamed Abdihakim Mohammed, PhD Candidate at the QUEX Institute, January 2023.