Is TikTok a National Security Threat? Or Is It Meta?

Much steam has been blown about the “unacceptable national security risk” that the Chinese company TikTok poses to users in the United States. Federal Communications Commission (FCC) Commissioner Brendan Carr publicly posted a letter in June 2022 he sent to Apple and Google detailing the reprehensible user data collection practices engaged by TikTok owner ByteDance (notably by allowing access to that data by the Chinese government). He requested that the firms remove the application from their respective app stores for failing to comply with their own policies, which purport to protect consumer privacy and data. While neither of the companies has removed the offending application, to date, from their stores, nor have they made any public communication to that effect, ByteDance cropped up to provide an unsolicited response to the letter, promising to better comply with app store requirements around security and data protection.

Commissioner Carr’s national security fears are not unfounded. TikTok’s data collection practices are exploitative, and the company is almost certainly sharing information with Chinese authorities, without user notification. More worryingly, ByteDance (alongside Alibaba) has also shared algorithm information with Internet regulator Cyberspace Administration of China (CAC). Much of the Chinese government oversight is undeniably tied to China’s extensive effort to control public opinion, ensuring it is aligned with its own state prerogatives and official narratives. There is little doubt that a tech company like ByteDance is being used as a “sophisticated surveillance tool that harvests extensive amounts of personal and sensitive data” by China, per the commissioner’s own words. And not only is China doing this with its own citizens, it is also likely focused on people outside of the country as well, including expatriates and citizens of other nations.

But while Commissioner Carr’s stance is laudable, it is, at best, either incredibly short-sighted or, at worst, willfully hypocritical. To call out TikTok, but not Meta, makes his objection derisory. Meta engages in the same practices and is equally guilty of reprehensible user data practices, through its social media platforms (Facebook, Instagram, and WhatsApp), and it cannot even rely on the paltry excuse of government exigency. Meta’s practices have long been the subject of privacy and data protection scrutiny in the European Union (EU), where it is constantly challenged by regulatory institutions. For example, Ireland’s Data Protection Commission (DPC) fined Meta US$18.6 million because the tech giant breached 12 data privacy articles of the EU’s General Data Protection Regulation (GDPR). Although to a smaller degree, Meta is also undergoing some limited scrutiny in the United States.

But the difference in approach across the Atlantic is stark. While the EU has long leveraged its regulations and directives to protect its citizens against predatory business practices, the same cannot be said in the United States. That’s because trust in corporate America far outweighs trust in government. As a result, data protection and consumer privacy take a back seat in deference to formidable billion dollar behemoths like Meta.

If Commissioner Carr’s argument is that TikTok poses a national security risk because it collects sensitive user data and because it is shared with China, then it stands to reason that Meta does as well. Meta’s data are for sale to any advertisers that want to purchase it. If China wants to know what Meta’s subscribers are up to, then it only has to pay for that privilege. And in a post-Roe America, there is increasing incentive for U.S. law enforcement to avail itself of the great trove of sensitive and private user data harvested by Meta's various social media platforms (which it is already doing today).

Ultimately, for the likes of Commissioner Carr and his ilk, it is only important that the right people do the data collecting, rather than it being an issue of nefarious data collection at all.

The gross invasion of privacy that platforms like TikTok and Meta engage in is egregious and excessively harmful to users. There is a balance that needs to be struck between technology innovation driving successful business models and the protection of consumers. However, this is far short of being met today. Platform terms and conditions outlining data use are simply not enough to warrant bulldozing privacy to such an extent, simply because the user clicked the consent box. There is just too much going on behind the scenes that users are not aware of, let alone privy to: what types of data are being collected, how are they used, who are they being sold to, how do algorithms determine shown content, how are data being tied to third-party products, etc. For example, TikTok’s Terms of Service include the consent of sharing the following information, among other data:

• Mobile carrier
• Device ID
• App and file names
• Keystrokes
• Information from shared devices

Indeed, these types of data are collected by a wide range of companies. Not only is that collection often wholly excessive for their corporate purposes, but data are further shared with full impunity with other companies and governments, with undue regard for user privacy. The result is that social media has become the vehicle of excessive and one-sided collection of data; analyzed, filtered, repackaged, and sold to the highest bidder, out of reach of the average user. TikTok and Meta are not much more than exploitative data collection hubs, operating under the façade of social media.

But this does not need to be the case. There are plenty of ways to develop successful social media business models that involve consumer consent; it simply requires better data sharing and notification processes, and the splitting of revenue. It would also allow for the emergence of new markets in data brokerage and data insurance. There is clearly an interest and a demand for a user data market, as evidenced by the turbid rise of crypto-assets and Non-Fungible Tokens (NFTs). A lucrative data market could emerge that is both privacy-aware and not a threat to national security, as long as there is more accountability required of companies like TikTok and Meta, better regulation, and greater incentive to involve users in the commoditization of their own data.

There is no denying that social media has been a blessing for many governments, authoritative or not. Not only are they an excellent tool for surveillance, but they can also be used to mold public opinion. China, the United States, and Russia, among others, have been adept at exploiting their home-grown platforms. But even when there is genuine concern, it can fall short of effective protection. The EU, in theory, has the consumer’s interest at heart, and works hard to ensure protection from corporate malpractice through regulatory instruments. However, the reality is that many within the EU’s institutions are in thrall to social media and tech companies generally, where their aggressive lobbying practices often succeed in delaying and watering down consumer protection efforts.

The arm of social media is long, and while statements like those expressed by Commissioner Carr should absolutely be heeded, they will too often fail to make any lasting impact in terms of security if they do not comprehensively and systematically target data misuse practices with regulation, with lobbying, and with widespread awareness-raising efforts. They need to offer an alternative business model that can espouse both consumer protection and profit-making. This is the way to successfully and ethically monetize user data, while keeping the national and user security threats at bay.