Dear privacy pros,
I hope things are calming down for you at work as we approach the end of what has been a tumultuous year.
One of the articles in the Asia-Pacific Dashboard Digest that caught my attention covers a letter recently sent by U.S. lawmakers to the CEOs of Google and Apple, asking these technology giants what they intended to do about mobile applications that pose serious security and privacy concerns, especially where the failure to remove such apps "makes Americans vulnerable to foreign surveillance, particularly from adversarial actors like China." Specifically, the representatives asked whether Google and Apple intend to remove access to TikTok, the popular video-sharing app from Chinese company ByteDance.
This is, of course, not the first time TikTok has come under fire. In 2020, then-U.S. President Donald Trump issued an executive order calling for TikTok to be banned over potential national security concerns arising from large-scale collection of personal data about U.S. citizens.
The issue was reignited in July of this year by U.S. Federal Communications Commissioner Brendan Carr. The revelation that prompted the resurgence of concern over the app was the leakage of 80 audio clips from internal meetings where TikTok employees purportedly admitted that personal data of U.S. users was repeatedly being accessed from China, despite assurances from TikTok’s executives that such data was stored in the U.S. and would not be disclosed to the Chinese government.
Recent developments are nonetheless noteworthy for a couple of reasons. While previous attempts were for the most part highly politicized, with Republican efforts initiated by the Trump administration (Commissioner Carr was appointed by Trump in 2018), there appears to be broadening bipartisan support for the view that the internal workings of the app and the company bear closer scrutiny, based on genuine technical concerns about how U.S. data is being collected, used and accessed. U.S. Sens. Mark Warner, D-Va., and Marco Rubio, R-Fla., on the Senate Intelligence Committee have urged the Federal Trade Commission to investigate TikTok over the report highlighted above. The recent letter from U.S. Reps. Jan Schakowsky, D-Ill., and Gus Bilirakis, R-Fla., appears to stem from a report published by security expert Felix Krause, whose research suggests that the in-app browser of the iOS version of the app is capable of injecting code into external websites, allowing the logging of the user’s keystrokes.
It is also significant that TikTok is facing similar issues in other regions outside the U.S. Ireland's data protection authority, the Data Protection Commission, is currently leading a probe into data transfers to China that could potentially fall foul of the EU General Data Protection Regulation. This appears to have already triggered internal reflection about how the company operates, as TikTok recently updated its privacy notice to "include greater transparency into how (TikTok) share(s) user information outside of Europe."
It remains to be seen whether these efforts in the U.S. will bear fruit. But if so, the impact on TikTok could be grave as the Apple and Google app stores are the main gateway through which users would download the app. It will also be interesting to see if the scrutiny will be extended to other apps that adopt similar practices, since the report from Krause also covers other popular apps from U.S. companies such as Meta-owned Facebook.
In the meantime, it would not hurt to stay safe out there in the wilderness of the internet. Read this report to get a sense of what data the most popular Android apps are collecting from users, and stay away from free apps and social media apps if you can.