In a highly anticipated congressional hearing, TikTok CEO Shou Chew will testify in front of the House Energy and Commerce Committee Thursday to address lawmakers’ concerns about the influence of its Chinese parent company, its approach to dealing with children’s mental health issues and overall data security practices.
The hearing comes as Congress weighs legislation that would empower the Biden administration to ban TikTok along with other foreign apps that many politicians in Washington and around the country say pose a U.S. national security threat.
According to his prepared testimony, Chew is ready to dispute those claims, asserting that TikTok’s parent company ByteDance is “not an agent of China.” He will make the case that TikTok’s $1.5 billion plan (Project Texas) to firewall Americans’ data in U.S.-based Oracle servers will put to rest any concerns about TikTok’s origins.
So far, the Biden administration has not been swayed by the plan and, presently, TikTok reportedly faces an ultimatum: divest its Chinese owner or face a potential ban. While national security is still likely to be a key theme of Thursday’s hearing, going in front of the House’s consumer protection committee means that TikTok will also face some of the questions about privacy and online safety that its industry peers have been scrutinized over.
Here are some of the key questions Congress may ask:
What data does TikTok collect?
In his written testimony, Chew says that TikTok collects “a limited amount of information when people set up an account, such as date of birth and username.” The company also requires an email or a phone number. He also notes what the platform doesn’t require, such as real names, employment or relationship status. According to the testimony, “current versions of the app do not collect precise or approximate GPS [location] data from U.S. users.”
TikTok’s terms of service state that it also automatically collects information “such as your IP address, user agent, mobile carrier, time zone settings, identifiers for advertising purposes, device IDs, approximate location based on your SIM card and/or IP address, keystroke patterns for rhythms, connected audio devices.”
Combinations of that information can go a long way in tracking an individual across the internet and, as a few researchers have shown, potentially deanonymizing them. It’s something that has sparked privacy concerns about every major tech company, not just TikTok.
“One thing that we’re looking out for and that we’ve recommended to [members of Congress] is asking questions surrounding the tracking practices TikTok deploys on devices and across sites to monitor user engagement,” said Willmary Escoto, U.S. policy analyst for digital rights group Access Now.
Access Now wrote a letter to TikTok in February pressing the company on its “Focused View” tool, which promises to deliver ads to users who are most likely to engage for at least six seconds. Escoto said Congress needs to ask if TikTok has studied the potential privacy and human rights impact of the feature.
The bottom line, experts say, is that Congress needs to pass legislation that would limit how all companies collect user data, not just TikTok. It’s something the House Energy and Commerce Committee has already expressed a desire to do: last year it passed out of committee federal privacy legislation that would have placed guardrails on what data companies can collect and use.
“If you’re concerned about data practices by TikTok you need to be equally concerned about U.S. companies doing the same thing,” said Calli Schroeder, senior counsel and global privacy counsel at the Electronic Privacy Information Center. “They may say there isn’t the same national security angle with U.S. companies but there is because these companies that are siphoning up all this data are also selling it. There needs to be a universal standard for what is and isn’t allowed.”
TikTok’s CEO says the company “fully endorse[s] congressional efforts to adopt comprehensive federal privacy legislation.”
How is TikTok protecting teens?
Children’s privacy and online safety have become the cause du jour for the House Energy and Commerce Committee and social media companies are at the center of the discussion. TikTok is no exception.
As the name of the hearing suggests, members of Congress plan to probe issues including media reports about the exploitation of children on TikTok and issues regarding teen mental health. Given committee efforts to pass two pieces of legislation on this front, the issue will likely get significant play during the hearing.
“TikTok’s colossal data-gathering practices have given them the ability to tailor content at an unprecedented level. With TikTok’s popularity, this certainly has national security implications, but we cannot overstate the independent threats to the health, safety and well-being of young Americans,” Rep. Doris Matsui, D-Calif., ranking member of the House Energy and Commerce Subcommittee on Communications and Technology, said in an email to CyberScoop. “This systematic churn of information epitomizes the problematic targeting of our children, teens, and most vulnerable users … My priority will continue to be protecting our children from these exploitative practices and holding companies accountable.”
In his written testimony, Chew points to several precautions the company has taken to protect teens, including limiting screen time for users under 18 by default and working with the National Center for Missing & Exploited Children. Chew said TikTok supports potential updates to federal children’s privacy law as well as conversations around age verification, both items Congress is considering.
Sen. Ed Markey, D-Mass., co-author of the original Children’s Online Privacy Protection Act, has already used the hearing to renew calls for passing an updated version, which he plans to reintroduce. “Here’s the reality: asserting that TikTok stands alone as the one platform that poses a serious surveillance threat to our nation’s youth is deliberately missing the Big Tech forest for the TikTok tree,” Markey said in a statement. “My update to the Children’s Online Privacy Protection Act gives young people and their parents an online bill of rights that would rein in Big Tech and stop those companies from putting profits over people.”
How will TikTok keep up its commitment to transparency?
TikTok has made opening the hood to its inner workings a key selling point of its proposed agreement with the administration. In February, the company launched a research API allowing U.S. academic researchers to analyze public content. It’s a stark contrast to how peers such as Twitter, which cut off access to its API entirely, and Facebook, which has gone after researchers in court, have approached the issue.
Rep. Lori Trahan, D-Mass., plans on asking Chew about the recent announcement and how it intends to make sure researchers have sufficient access, according to her office.
How has TikTok dealt with past employee violations of user privacy?
One of the clearest examples to date of TikTok’s Chinese ownership posing a threat to users is when employees of its parent company ByteDance accessed TikTok data to spy on two U.S. journalists to sniff out leaks at the company. TikTok acknowledged the violation and the employees were fired, but the scandal raised major concerns about what other kinds of spying could be occurring on the platform. Forbes and other outlets reported this month that the Justice Department is now investigating the incident.
Chew says in his written testimony that he has “zero tolerance” for the behavior and TikTok has since restructured the department and put new policies in place. But experts say that Congress can’t ignore the company’s past issues.
“I’m all for moving forward, but I think this is one of the times where we can’t ignore past practices either,” said Brandon Pugh, policy director of cybersecurity and emerging threats at the R Street Institute. He said that it’s crucial for Congress to know what TikTok’s data collection practices were before Project Texas as well as the latest information on TikTok’s process to delete all historic U.S. user data.
It’s worth noting that TikTok isn’t the first tech giant to have employees inappropriately access user data. In 2014, an Uber manager accessed the data of a journalist writing about the company. In August, the U.S. convicted two Twitter employees for accessing company data to spy on Saudi dissidents. In testimony in front of the Senate Judiciary Committee, Twitter’s former head of security Peiter “Mudge” Zatko alleged that the company lacked protocols to track how employees accessed internal data and would be blind to additional spying as a result.
What impact could the company’s partnership with Oracle have on consumer privacy?
Project Texas hinges on TikTok’s business partnership with Oracle, which, as of June, has been routing all American data for the app. Oracle also started auditing TikTok’s algorithms and content moderation in August, Axios reported. The partnership has raised eyebrows from privacy advocates given Oracle’s data-tracking business arm.
A TikTok spokesperson told CyberScoop that Oracle’s access is related only to its role in Project Texas to audit and monitor TikTok’s compliance with its commitments to the U.S. In 2020, privacy advocates said TikTok’s connection with Oracle, a well-known data broker, could pose a risk to consumers. In response, Oracle said those worries amounted to “speculation, hyperbole and innuendo.”
Congress should have serious questions for the White House, too.
While Chew will be in the hot seat, many of the looming questions about a possible TikTok ban are ones that only the Biden administration can answer. Civil liberties groups, privacy experts and some members of Congress say that the administration has yet to show what China can get from TikTok that it couldn’t acquire from America’s robust data broker industry, one that has thrived in no small part due to a lack of federal privacy protections.
“I’d really like to hear from the administration what they think China can do with TikTok data that they can’t do with data from other data brokers,” said EPIC’s Schroeder.