Last week the U.S. House of Representatives overwhelmingly voted to approve a bill that would ban TikTok in the U.S.—unless the wildly popular short video app is sold to a non-Chinese parent company. President Joe Biden and some U.S. lawmakers have called the app a potential national security threat and warned that the Chinese Communist Party could use it to glean sensitive data on its 150 million users in the U.S. But there is only very limited evidence—involving pro-democracy protesters in Hong Kong—that TikTok’s parent company, ByteDance, has ever directly shared any user data with the Chinese government. And there is no public proof that ByteDance has handed U.S. user data to Beijing.
Despite legitimate concerns over big data, privacy and social media platforms’ influence on users’ opinions and beliefs for profit, multiple technology and privacy experts say singling out TikTok is not a fix. Foreign and domestic intelligence agencies alike have plenty of other access to sensitive information on people in the U.S. via the ever expanding global trade in digital data. Sanctions on any one app can’t solve these problems.
Trying to ban TikTok “is a form of security theater,” says Calli Schroeder, a senior counsel at the Electronic Privacy Information Center, a nonprofit organization that advocates for digital privacy and online freedom of expression. Legislators “are smart enough to know this doesn’t address the root of the problem, but they want credit for looking like they tried,” Schroeder adds. “You could get rid of TikTok today, and China would not lose any significant [amount] of personal information on Americans.”
On supporting science journalism
If you're enjoying this article, consider supporting our award-winning journalism by subscribing. By purchasing a subscription you are helping to ensure the future of impactful stories about the discoveries and ideas shaping our world today.
The app has already been banned on all federal devices and on state-issued ones in most U.S. states. Montana passed a TikTok ban last year, but a federal judge blocked it a few months later. The judge questioned the ban’s constitutionality and declared that it “oversteps state power.” Because a law based on the recent House bill (officially called H.R. 7521) would restrict U.S. users’ access to information and online platforms, it clearly raises some significant legal and First Amendment questions; the bill’s fate is highly uncertain as it moves to the Senate.
Many tech policy analysts say it’s worth rebutting lawmakers’ arguments for a ban, whether it gets through Congress or not. “Banning access to one application does not create safety or security for Americans’ data from China or from any other country,” says Kate Ruane, an attorney at the Center for Democracy and Technology (CDT), a nonprofit civil rights organization. That’s because “so many applications and social media services collect our data and sell it or leak it all over the world, all the time.” Whatever TikTok might contribute, Ruane says, is “barely a drop in the bucket.”
For one thing, TikTok is far from the only app that is owned by a Chinese company and collects data on U.S. users, says Anne Toomey McKenna, a cyber law and privacy professor at the University of Richmond. There is also the messaging app WeChat, the payment platform Alipay and others. “Targeting TikTok in particular seems to be more political drama than really effective legislation designed to protect Americans’ data security and privacy,” McKenna says.
And such apps are hardly the only online threat to Americans’ privacy; many foreign and domestic tech companies collect data on their users at staggering scale and depth. Many of those data are traded globally in legal markets through third-party data brokers. LiveRamp (previously part of Acxiom), one of the largest U.S.-based brokers, has amassed about 3,000 pieces of data on every U.S. consumer and up to 1,500 data points on each of 2.5 billion people globally, according to a 2020 research report from the NATO Strategic Communications Center of Excellence. Information can come from your phone, smart speaker, connected car, dating app, front door camera or any other Internet-connected device. This is precisely why you can use a social media service such as Facebook or Instagram without paying an upfront cost. But those services aren’t truly free. You’re paying in data.
In theory, these data are anonymized and traded between tech companies and advertisers so they can target their marketing efforts at an ever-more-specific audience. A recent Consumer Reports analysis of about 700 Facebook users found that for each individual user, an average of 2,230 companies had shared that person’s data with Facebook. In practice, the amount of detail contained within these data (for example, fine-scale location-tracking information) makes it simple to identify individual people and infer many things about their habits, interests, political leanings, whereabouts, religion and even sexual activity. As a result, governments and intelligence agencies worldwide are interested in such data—and the U.S. is no exception. In a report that was declassified in 2023, the Office of the Director of National Intelligence revealed that U.S. intelligence agencies can use commercial data markets to access “sensitive and intimate” information, exceeding what once required a warrant or subpoena to obtain, on “nearly everyone.”
“There’s so much free-flowing data online that the data ecosystem is essentially unregulated,” says Eric Null, co-director of the CDT’s Privacy and Data Project. “Foreign governments likely have a pretty trivial time finding information.”
On February 28 Biden signed an executive order intended to prevent U.S. data brokers from selling information to buyers based in certain countries, including China, Russia and North Korea. A related bill has passed through committee in the House. Both policies signal “a welcome approach,” Null says, but red-listing buyers by location is “a hard thing to enforce.” Neither the executive order nor the House bill would stop data brokers from selling to most buyers—whose locations can be difficult to verify anyway. The new policies would have limited authority to prevent selling data to intermediaries, who might in turn sell them to red-listed countries. Additionally, tech companies wouldn’t officially be considered “brokers” and would thus remain free to sell data to any foreign buyers. If the House’s current TikTok bill becomes law and the app divests to a U.S. individual or company, Null notes, “there’s nothing in the bill [or executive order] that would prevent the new TikTok from selling data directly to foreign adversaries.”
And those are just the lawful paths that data can take. Even if this policy managed to stymie the legal flow of U.S. data to foreign adversaries, there are many illicit ways to collect digital information, says Joe Jones, director of research and insights at the International Association of Privacy Professionals. Hacks and breaches are common. “Unless we have an effective federal data privacy law or framework that limits collection to begin with, we’re never really going to address the problem,” McKenna says. Ruane and Schroeder agree.
The European Union has imposed a law, called the General Data Protection Regulation, that broadly cracks down on data collection and sales. But a comprehensive federal data privacy law would be deeply unpopular with the powerful U.S. tech lobby, Schroeder says, adding that American legislators would likely “face significant pushback from tech companies in the form of media campaigns and lost donations.” Going after a lone foreign-owned company is more politically convenient, she says.
Political convenience does not amount to privacy protection, however. Simply by going online in the U.S., most Americans have freely signed an agreement—whether they fully understand it or not—to share their digital data with tens of thousands of interested parties. “There are big concerns about TikTok because China is presented as this authoritarian government who may misuse information,” Schroeder says. “I’m not saying that’s untrue—but I would have people ask why this level of invasive tracking is okay when it’s a private company or when it’s the U.S. government.”