TikTok deal: Now China and the US can breach users’ privacy

By Ray Walsh

Following months of threats against TikTok, the Trump administration has given the go-ahead to a deal that will put US users' data at risk of snooping – not only from ByteDance, but also from US companies and the US government. It's another loss for consumer privacy in the United States.

The deal agreed to in principle by Trump will result in the creation of a new company called TikTok Global, which would be headquartered in America. According to ByteDance, the new international TikTok subsidiary will be 20% controlled by US interests – specifically Oracle and Walmart – the latter of which would become a commercial partner able to advertise to US consumers on the platform.

Following the deal, US TikTok data would be housed exclusively on Oracle cloud servers within America. As a result, US government agencies would be able to access American users' data by leveraging warrants and gag orders.

The deal raises new privacy concerns for users – concerns that could potentially affect international TikTok users. It was previously claimed that TikTok Global would be set up to control the data of Canadian, Australian and New Zealand TikTok users as well, which theoretically means that the US government can snoop on those countries' users too. On this, we have yet to receive clarity regarding the Oracle deal.

The TikTok shake-up is being touted as a win for US national security because it would permit US-based experts to audit TikTok's source code and algorithms. However, even with those audits undertaken, it could be hard to conclusively establish that the versions of the TikTok USA apps published to app stores by ByteDance were not still exfiltrating data back to China.

After all, despite Trump's claims, ByteDance has made it clear that the deal would leave the Chinese company as the majority stakeholder in TikTok Global. As a result it would still own and control its apps, and any data that it collects via its platform. To this end, ByteDance will not be transferring any ownership of its source code or algorithms to US companies.

This means that ByteDance will still be able to exploit consumer data for marketing purposes, it will still have access to the data that is stored on Oracle’s servers, and it could still potentially alter its apps after they have been checked for backdoors.

These concerns have also been expressed by Senator Marco Rubio, who is wary that the deal fails to adequately rectify the national security threats posed by TikTok. This risk is compounded by the fact that – because it remains majority controlled by a Chinese company – TikTok Global is technically legally compelled to comply with China's National Intelligence Law.

As a result, it would seem that rather than limiting where data collected for US TikTok users ultimately ends up, the deal simply serves to expand the amount of data surveillance those users are exposed to – including from US companies and the US's own intelligence community. Hardly the win for privacy and security that the Trump administration would like voters to believe it is.

Unfortunately, this is the kind of outcome data privacy advocates expected. The US government has proven itself to have no real interest in protecting people’s data and privacy. Instead, it is far more concerned with engaging in a trade war with China – by getting its fingers in the TikTok pot for US companies like Oracle. Oracle now stands to gain a massive new customer to prop up its ailing cloud storage business.

For US citizens the outcome is lackluster, and the potential effect on international TikTok users is troubling, to say the least. With the deal in place, TikTok will continue to be a massive threat to consumer privacy, and, even if the app can be prevented from exfiltrating data back to China, consumers will have a new data predator working behind the scenes to harvest everything.

In the meantime, despite all the rhetoric, what US citizens really need is a strong Federal-level privacy bill that restricts the amount of data that companies are legally permitted to harvest in the first place, and what that data can be used for. Unfortunately, with US intelligence keen to take as much data as possible, this is the part of the puzzle that seems permanently out of reach.

Ray Walsh is a digital privacy expert for ProPrivacy. You can follow the group on Twitter here.

The opinions in Politics.co.uk's Comment and Analysis section are those of the author and are no reflection of the views of the website or its owners.