TikTok continues to face pressure over its latest privacy faux pas, with two US senators asking the FTC to investigate the company.
News broke in June that TikTok was sharing US user data with its employees in China in direct violation of the company’s own claims. The reports were based on leaked recordings of some 80 internal meetings. The reaction has been swift and predictable, with FCC Commissioner Brendan Carr asking Apple and Google to ban the app from their stores. Adding to the company’s woes, two senators have penned a letter to the FTC asking the agency to investigate.
Senate Select Committee on Intelligence Chairman Mark R. Warner and Vice Chairman Marco Rubio penned the letter, accusing the company of acting in direct violation of its executive’s sworn testimony:
“We write in response to public reports that individuals in the People’s Republic of China (PRC) have been accessing data on U.S. users, in contravention of several public representations, including sworn testimony in October 2021,” the senators wrote to FTC Chair Lina Khan. “In light of this new report, we ask that your agency immediately initiate a Section 5 investigation on the basis of apparent deception by TikTok, and coordinate this work with any national security or counter-intelligence investigation that may be initiated by the U.S. Department of Justice.”
The senators also make the case that TikTok was aware of the issue, and the company’s failure to do anything, along with its collection of biometric data, represents a major security threat:
“TikTok’s Trust and Safety department was aware of these improper access practices and governance irregularities, which – according to internal recordings of TikTok deliberations – offered PRC-based employees unfettered access to user information, including birthdates, phone numbers, and device identification information. Recent updates to TikTok’s privacy policy, which indicate that TikTok may be collecting biometric data such as faceprints and voiceprints (i.e. individually-identifiable image and audio data, respectively), heighten the concern that data of U.S. users may be vulnerable to extrajudicial access by security services controlled by the CCP.”
This isn’t the first time TikTok has found itself in hot water over its data practices. The company has stumbled from one privacy scandal to another, been the subject of multiple investigations and lawsuits, and was nearly banned in the US during the Trump administration.
All things considered, it’s truly amazing the app is still on the market.
The senators’ letter is quoted in its entirety below:
Dear Chairwoman Khan:
We write in response to public reports that individuals in the People’s Republic of China (PRC) have been accessing data on U.S. users, in contravention of several public representations, including sworn testimony in October 2021. In an interview with the online publication Cyberscoop, the Global Chief Security Officer for TikTok’s parent company, ByteDance, made a number of public representations on the data security practices of TikTok, including unequivocal claims that the data of American users is not accessible to the Chinese Communist Party (CCP) and the government of the PRC. As you know, TikTok’s privacy practices are already subject to a consent decree with the Federal Trade Commission, based on its improper collection and processing of personal information from children. In light of this new report, we ask that your agency immediately initiate a Section 5 investigation on the basis of apparent deception by TikTok, and coordinate this work with any national security or counter-intelligence investigation that may be initiated by the U.S. Department of Justice.
Additionally, these recent reports suggest that TikTok has also misrepresented its corporate governance practices, including to Congressional committees such as ours. In October 2021, TikTok’s head of public policy, Michael Beckerman, testified that TikTok has “no affiliation” with another ByteDance subsidiary, Beijing-based ByteDance Technology, of which the CCP owns a partial stake. Meanwhile, as recently as March of this year, TikTok officials reiterated to our Committee representations they have previously made that all corporate governance decisions are wholly firewalled from their PRC-based parent, ByteDance. Yet according to a recent report from Buzzfeed News, TikTok’s engineering teams ultimately report to ByteDance leadership in the PRC.
According to this same report, TikTok’s Trust and Safety department was aware of these improper access practices and governance irregularities, which – according to internal recordings of TikTok deliberations – offered PRC-based employees unfettered access to user information, including birthdates, phone numbers, and device identification information. Recent updates to TikTok’s privacy policy, which indicate that TikTok may be collecting biometric data such as faceprints and voiceprints (i.e. individually-identifiable image and audio data, respectively), heighten the concern that data of U.S. users may be vulnerable to extrajudicial access by security services controlled by the CCP.
A series of national security laws imposed by the CCP, including the 2017 National Intelligence Law and the 2014 Counter-Espionage Law provide extensive and extra-judicial access opportunities for CCP-controlled security services. Under these authorities, the CCP may compel access, regardless of where data is ultimately stored. While TikTok has suggested that migrating to U.S.-based storage from a U.S. cloud service provider alleviates any risk of unauthorized access, these latest revelations raise concerns about the reliability of TikTok representations: since TikTok will ultimately control all access to the cloud-hosted systems, the risk of access to that data by PRC-based engineers (or CCP security services) remains significant in light of the corporate governance irregularities revealed by BuzzFeed News. Moreover, as the recent report makes clear, the majority of TikTok data – including content posted by users as well as their unique IDs– will remain freely accessible to PRC-based ByteDance employees.
In light of repeated misrepresentations by TikTok concerning its data security, data processing, and corporate governance practices, we urge you to act promptly on this matter.
Sincerely,