TikTok CEO Shou Zi Chew is scheduled to testify before the House Energy and Commerce Committee on March 23, 2023, amid a chorus of calls from members of Congress for the federal government to ban the Chinese-owned video social media app and reports that the Biden administration is pushing for the company’s sale.

The federal government, along with many state and foreign governments and some companies, has banned TikTok on work-provided phones. This type of ban can be effective for protecting data related to government work.

But a full ban of the app is another matter, which raises a number of questions: What data privacy risk does TikTok pose? What could the Chinese government do with data collected by the app? Is its content recommendation algorithm dangerous? And is it even possible to ban an app?

As a cybersecurity researcher, I’ve noted that every few years a new mobile app that becomes popular raises issues of security, privacy and data access.

Apps collect data for several reasons. Sometimes the data is used to improve the app for users. However, most apps collect data that the companies use in part to fund their operations. This revenue typically comes from targeting users with ads based on the data they collect. The questions this use of data raises are: Does the app need all this data? What does it do with the data? And how does it protect the data from others?

So what makes TikTok different from the likes of Pokemon-GO, Facebook or even your phone itself? TikTok’s privacy policy, which few people read, is a good place to start. Overall, the company is not particularly transparent about its practices. The document is too long to list here all the data it collects, which should be a warning.

There are a few items of interest in TikTok’s privacy policy besides the information you give them when you create an account – name, age, username, password, language, email, phone number, social media account information and profile image – that are concerning. This information includes location data, data from your clipboard, contact information, website tracking, plus all data you post and messages you send through the app. Chew’s testimony includes the claim that current versions of the app do not collect GPS information from U.S. users, according to a transcript posted ahead of his appearance on Capitol Hill. There has been speculation that TikTok is collecting other information, but that is hard to prove.

If most apps collect data, why is the U.S. government worried about TikTok? First, they worry about the Chinese government accessing data from its 150 million users in the U.S. There is also a concern about the algorithms used by TikTok to show content.

If the data does end up in the hands of the Chinese government, the question is how could it use the data to its benefit. The government could share it with other companies in China to help them profit, which is no different than U.S. companies sharing marketing data. The Chinese government is known for playing the long game, and data is power, so if it is collecting data, it could take years to learn how it benefits China.

One potential threat is the Chinese government using the data to spy on people, particularly people who have access to valuable information. The Justice Department is investigating TikTok’s parent company, ByteDance, for using the app to monitor U.S. journalists. The Chinese government has an extensive history of hacking U.S. government agencies and corporations, and much of that hacking has been facilitated by social engineering – the practice of using data about people to trick them into revealing more information.

...continued