ByteDance’s TikTok needs to work on vulnerabilities around data protection.
In recent years, there have been increasing concerns that misinformation and disinformation and other cybersecurity threats are spreading rapidly, with adverse effects on society, in particular through abuses of user trust. In response, many governments have started to legislate – and are applying existing laws more strictly.
The difference between the first two threats refers to whether inaccurate information is deliberate (disinformation) or unintentional (misinformation). ‘Cybersecurity threats’ is a larger term encompassing all malicious actions based on abuse of digital systems, including hacking, viruses, unwanted surveillance, sexual abuse, and more.
The inclusion of false information as a form of cyber threat is a phenomenon that has gained particular importance recently.
Misinformation and disinformation came to the forefront through two highly publicized events in 2016: the US election (when accusations of ‘Fake News!’ flew frequently) and the UK’s Brexit referendum. During the build-up to these important votes, misinformation was spread, both by small-scale outlets and individuals and state-level actors in the form of covert or overt propaganda.
Research on the aftermath of both events has shown that fake news undermined public trust and possibly influenced election outcomes. However, the spread of misinformation and disinformation is not limited to the US and Europe – it has also been spreading in Latin America, Africa, South Asia and Southeast Asia. In India, for example, the ruling Hindu-nationalist BJP party has been accused of fomenting and benefitting from numerous disinformation campaigns.
These events reflect that political actors around the world have realized that social media can be used to influence electorates, both inside their countries and in foreign countries. Overall, two broad drivers of misinformation/disinformation and cyber security threats can be distinguished: propaganda and commerce.
The commercial drivers of misinformation and disinformation are the ‘clickbait’ triggers that persuade us to engage with and share content online. Modern algorithms have enabled actors large and small to attract large audiences on social media platforms, which is then monetized. Some people have responded by creating fake news or clickbait to make an income. Income is generated by attracting attention and serving targeted advertisements. The publisher of the disinformation is paid by the ad network based on the number of visitors they manage to attract.
Other threats that overlap with the commercial drivers of online content have clustered around the gathering and monetization of user data. A resonant scandal in this regard cropped up after Donald Trump’s election, when a British research firm was found to have been able to access data for millions of American voters, enabling the Trump campaign to target them more narrowly.
Much of the blame for the bulk of the fake news and data scandals has been laid at the door of Facebook. However, other social media networks and search engines, including Twitter and Google – as well as ByteDance products – are also increasingly implicated as sources of cybersecurity threats, often as creative bad actors use new (sometimes under-regulated) technology to stir trouble.
Take TikTok. TikTok is a Chinese-developed social network that allows for creation and sharing of original content, especially videos and pictures. Used by millions of mostly young users worldwide, over the past 12 months, the app was downloaded more than 750 million times on app stores, outpacing US competitors Facebook, Instagram, YouTube and Snapchat, according to data from research firm Sensor Tower. It now counts more than 500 million monthly active users across the globe, including some 12 million in its largest markets in Europe – mostly in Germany, France and the UK.
However, the app’s developer, Beijing-based ByteDance, was labeled a national security threat by US lawmakers earlier this year. The Federal Trade Commission found the app had illegally collected personal information from children, and in February and fined the company USD 5.7 million.
Moreover, the United Kingdom’s data protection authority launched its own investigation, looking into whether TikTok violated privacy rules in handling the personal data of its underage users. According to The Guardian, Information Commissioner Elizabeth Denham told a parliamentary committee that the probe started in February after the US Federal Trade Commission levied a USD 5.7 million fine against TikTok for breaking laws protecting children’s privacy.
Denham further said that the commission is examining how TikTok collects private data and has concerns about the open messaging system, which may allow adult users to contact children. “We are looking at the transparency tools for children. We’re looking at the messaging system, which is completely open, we’re looking at the kind of videos that are collected and shared by children online. We do have an active investigation into TikTok right now, so watch this space,” she said.
In addition, European interventions could follow, under the EU’s tough General Data Protection Regulation, which allows for fines of up to 4 percent of a company’s annual global turnover. Recently, The Italian authority for Privacy (GPDP) has launched a coordinated action to review the risks linked with the TikTok app – an attempt to protect children’s privacy rights.
The Italian DPA is calling on the European Data Protection Board (EDPB) to set up an ad-hoc task force. In a letter sent to the EDPB on the 20th of January, Antonello Soro, President of the Italian DPA, confirms that they have already received alerts regarding alleged vulnerabilities of the smartphone app and that other supervisory authorities such as the UK ICO and the US FTC have already started separate investigations. Soro asked that this issue be put on the agenda of the next plenary meeting of the EDPB, to be held in Brussels on the 28th and 29th of January.
On the other hand, ByteDance seems eager to get itself a seat at the policymaking table. In the past few months, the company has hired policy experts in London, Dublin, Paris, Berlin and Brussels to help it navigate the European legislative environment and get involved in policy debates.
In fact, this is not the first time a Chinese technology company has been faced with disinformation /misinformation and data security concerns.
TikTok’s domestic competitor KuaiShou is even worse when it comes to data protection, especially children’s data protection. While this writer was working at KuaiShou’s headquarters in Beijing two years ago, the company’s app didn’t have any algorithm whatsoever to prevent adults sending private messages, or videos with unsuitable content, to children. Moreover, if those adults were reported to the company for harassing others, the company would only freeze their account for a week or two. There were also loose controls over collecting parental confirmation from users under 13. As a result, there were a lot of complaints from overseas markets, and their brand in those markets started to decline. Currently the company has lost most of its foreign market share and is trying to boost its domestic market more.
However, it seems like TikTok is playing its cards well enough to stay alive in overseas markets. In France, where lawmakers are intervening heavily on content moderation, ByteDance recently joined Syntec Numérique, one of the country’s main trade associations. In the UK, TikTok joined the Internet Watch Foundation, an organization fighting child pornography online that counts Google, Facebook and Snapchat among its members.