Why a TikTok Ban Would Miss the Wider Problem: A Massive Failure to Protect Privacy Online

News outlets and opinion columns are full of updates and comments about a US bill that would force TikTok’s Chinese owner either to sell the app or to see it banned in the US. Moves to ban TikTok are not new– they weren’t even new when we wrote about this topic a year ago.  

What’s different this time is that the US bill has passed with widespread, bipartisan support: the vote in the House of Representatives was 352 in favor, and 65 against. President Biden has said that if the bill is passed in the Senate too, he will sign it into law. It’s by no means certain that it will get through the Senate, but if it did, and it became law, it’s unlikely that such a complicated sale could be arranged within the six months the bill specifies. Moreover, the Chinese government would strongly oppose the forced sale of TikTok anyway. The end result would be a nationwide ban on TikTok in the US.

That would obviously be a major event in the online world, not least for the 170 million people who use the service in the US. Young people in particular would be affected, and such a move would have other undesirable knock-on effects. For example, it would make it much harder for the US or other Western countries to champion privacy and personal freedoms when they too ban apps.

One of the stated justifications for the TikTok bill is to protect users’ privacy. The aim of the bill is to halt US citizens’ personal data routinely flowing to China via TikTok when in fact, governments around the world have been gathering large quantities of highly personal information from social media for years. For example, we know that this is routine practice for both the US and the UK intelligence services, as Edward Snowden first revealed in 2013. Nor have things improved since then. In a recent letter, Senator Ron Wyden wrote to the US director of national intelligence:

US intelligence agencies are purchasing personal data about Americans that would require a court order if the government demanded it from communications companies. I first revealed in 2021 that the Defense Intelligence Agency (DIA) was purchasing, storing, and using domestic location data . Such location data is collected from Americans’ smartphones by app developers, sold to data brokers, resold to defense contractors, and then resold again to the government. In addition; the National Security Agency (NSA) is buying Americans’ domestic internet metadata.

A feature in Wired magazine confirmed how widespread this approach is among US agencies:  

US Customs and Border Protection, US Immigration and Customs Enforcement, and the US Secret Service—have bought more than 200 licenses from commercial ad tech vendors since 2019. They would use this data for finding border tunnels, tracking down unauthorized immigrants, and trying to solve domestic crimes.

The article notes that “Other governments’ intelligence agencies have access to this data as well.” President Biden’s new Executive Order to “Protect Americans’ Sensitive Personal Data” explains why such data flows are of concern:

The sale of Americans’ data raises significant privacy, counterintelligence, blackmail risks and other national security risks—especially for those in the military or national security community.  Countries of concern can also access Americans’ sensitive personal data to collect information on activists, academics, journalists, dissidents, political figures, and members of non-governmental organizations and marginalized communities to intimidate opponents of countries of concern, curb dissent, and limit Americans’ freedom of expression and other civil liberties. 

The “Protecting Americans’ Data from Foreign Adversaries Act” – which is distinct from the TikTok ban bill – also tries to address this problem of sales by data brokers. But neither the Executive Order nor the bill will do much to protect online privacy in general. There is a far larger issue here, one that we wrote about back in November 2023. We noted then that overseas companies are easily able to access real-time bidding (RTB) data, which provides detailed profiles of everyone online. Even with the Executive Order and the new bill, it will still be possible to set up what look like legitimate adtech companies in the US or other western countries to acquire RTB data, and then to covertly send it overseas. While the need to protect user data is clear, the current strategy is both too specific to be meaningful and also too easy to bypass.

As Julia Angwin noted in a recent opinion piece in the New York Times, only 31% of US citizens favor a nationwide ban on TikTok. Separately, a Pew Research study found that 72% of citizen want more regulation of what companies can do with their data. A nationwide TikTok ban in the US will do nothing to address the latter, but will bring with it many other serious problems. The best way to tackle the very real risks to both national security and the privacy of US citizens from online advertising’s constant surveillance is to pass a comprehensive federal privacy law in the US. To address the deep underlying problems of adtech based on RTB and microtargeting, the law needs to tightly control how highly personal information can be gathered and used by anyone – not just by foreign governments.