The Trump administration tried to ban TikTok, and the Biden administration has threatened to — because of its ties to China. Now, Montana has passed legislation banning the app in the state to protect residents’ “personal and private data from the Chinese Communist Party.” However, many believe the law may not hold up in court.
The right to spread information — even information that may counter national security interests — is well established. The concerns raised by Montana and two presidential administrations go far beyond this, focusing on the app’s tracking — including gathering information about others — and collection of information on a mass scale. This collection could lead to numerous threats, ranging from future cyberattacks to election tampering to recruiting U.S. citizen spies. This information is also useful for commercial purposes such as targeting advertisements for goods and services.
The United States has several competing interests to consider. The first is constitutional: we value the freedom of speech, and TikTok is a speech platform. It is a way that millions of content creators connect with their viewers and followers. In most cases, the U.S. and state governments are constitutionally limited from regulating speech.
We also want our companies to be able to do business worldwide. If the United States is not seen to welcome foreign enterprises, other countries can justify their actions based on their perception of U.S. actions. This may limit the ability of U.S. manufacturers, farmers, software developers and others to sell their products abroad.
The United States also has a strong national interest in delivering messaging about American values to other countries. Our television, movies, books, websites and apps are all part of sharing our values and culture with those in areas less open than the United States. Again, U.S. action to limit apps and ideas from other countries can be readily used by our strategic competitors and adversaries to justify banning American content.
While the openness of idea-sharing is important and powerful, we don’t need to share all our data — particularly if this risks greater foreign-based identity theft and other cyberattacks. This is part of a broader question regarding how much data apps, websites, governments and others should be collecting (and how it should be collected and stored). Notably, foreign data storage places the data outside U.S. regulatory control, increasing the potential for misuse and reducing the accountability for abuse when it occurs.
App-based social media, including TikTok, raise concerns over their ability to collect extensive data. Such data ranges from GPS-based location tracking to personally identifiable information, such as birth date, age, and answers to common security questions, including physical attributes and background details gleaned from content. In the wrong hands, TikTok videos lend themselves to creating deepfakes and impersonations. Moreover, the problem is exacerbated by the app’s popularity, particularly among youth — a demographic that may not fully understand the implications of their online behavior. As such, social media companies must address these legitimate privacy concerns and ensure the protection of their users.
While foreign control of companies like TikTok intensifies the data problem, there can also be similar problems with domestic companies. A domestic firm may collect and share data with foreign partners, have data stolen via a cyberattack by a foreign state or state-aligned group, or even be purchased by a foreign firm. Of course, the domestic firm may misuse the data itself, or it could be stolen and misused by a domestic criminal organization.
Except for the lack of regulatory control and the organization’s intent, the domestic and foreign data collection problems are similar. Several things can be done to help.
First, we need to reduce our reliance on easily compromised identifiers. For example, the Social Security number was not designed to serve as the primary identifier it has become. Companies also don’t use it responsibly, as relying on a number that can be readily stolen from any number of locations in a singular way, typically along with some basic contact information, to extend credit or verify an individual’s identity is highly problematic. The use of the Social Security number should be phased out in deference to other secure identifying mechanisms.
We also need national privacy protections that give individuals control over how their information is used and by whom. This is a combination of a technical and policy issue. On the technical side, we need technologies that give consumers control over their identities and payment mechanisms. We will need policies that hold companies accountable for delivering what they claim to, respecting consumers’ decisions, and regulating the use of reusable legacy identifiers and other information.
Education is also essential. Everyone needs to understand and be on guard regarding their personal information, to whom they provide it and for what purposes. Requiring companies to respect individuals’ privacy decisions is ineffective if individuals don’t do their part. Technological and policy safeguards must protect those who lack — due to age, disability or otherwise — the ability to protect their own data.
Finally, we should require reciprocity from nations whose companies operate in our market and use access to our market to guarantee our companies equitable and fair access to other markets. We also should consider sanctions against countries that refuse to play by fair rules. The United States must commit to promoting and enforcing digital rights, ensuring citizens have control over their data and access to an open internet.