TikTok is a new social media trend amongst youngsters. This app showcases self-made videos from anywhere and about everything, from comedy to lip-syncs and cook recipes to personal grooming tips that users create and share to gain likes and followers. In India alone, there has been a record download of about 466.8 million.1 This quirky and funny app has hooked youngsters around the world. However, what is worrisome is the lack of understanding about the long-term implications of such social media apps with regard to data protection and national security.
Zhang Yiming, the founder of TikTok, was a Microsoft engineer and Chinese entrepreneur who first set up a company called ByteDance in 2012 to carry forward his ambition of running a global company. Bytedance was ranked as one of China’s top tech companies in 2018. Following the launch of ByteDance, Zhang launched a mobile app called Toutiao or Jinri Tautiao ‘today’s headline,’ an artificial intelligence (AI) enabled newsfeed that caters to the likes and dislikes of the users.2 In 2016, he developed a video sharing app called Douyin ‘shaking sound’ for the Chinese market. The global equivalent of the same app, called TikTok, was launched in 2017. It has since gained immense popularity. This was soon followed by the acquisition of another video-sharing app based in Shanghai, called Musical.ly. The idea was to blend “TikTok’s AI-fed streams and monetisation track record with Musical.ly’s product innovation and grasp of users’ needs and tastes in the West.”3 This simultaneously increased the user base as well as the profit margin for the TikTok App.
TikTok overtook Facebook as the most downloaded social networking application globally in the first quarter of 2019.4 In India, both Facebook and Twitter saw a market shrink as Tiktok saw a sharp surge. Tiktok’s reach in India rose from 1.12 per cent in January 2018 to 28 per cent in August this year. Even in terms of monthly active users and amount of time spent per day, Tiktok saw an exponential increase as compared to other social media applications.5
With more than 200 million active users, the app has found considerable popularity among the Indian youth.6 This 15-second video-making application is enough to create a star (equivalent of a local celebrity) out of an individual. While all the social media platforms carry a cautionary note stating that they are not directed at children, TikTok’s target audience encompasses preteens and adolescents.7 The desperation to get more people to like and follow the video has often led to youngsters attempting dangerous acts, causing serious injuries and even death in many cases.8 Over the last one year, at least 27 people are reported to have died while filming TikTok videos and another five for undertaking TikTok challenges.9 Additionally, there have been several cases of objectionable content being uploaded which eventually led to banning of TikTok in several countries, including Indonesia, Bangladesh and India.10
In April 2019, the app was briefly banned in India on the ground that it was being used as a platform for spreading of obscene and illicit content, and with the primary target consumer being children and young adults. The court ruling had also questioned the impact on mental health that the app was having on the average consumer.11
Another concern regarding the app has been that of data collection and censorship. A report by The Guardian revealed that TikTok tends to censor videos on issues that do not please China such as the Tiananmen Square incident, Hong Kong protests and Tibetan independence.12 This came to light through leaked documents outlining the site’s moderation guidelines. This has led the United States (US) to launch a national security review of TikTok. US believes that China is advancing its policy of control and censorship abroad through the app which is against the American value system that promotes free speech and competing ideologies.13 The parent company ByteDance has also been accused of possible links with the Chinese Government.14
The company has denied these allegations and has reported that the user data of US is stored domestically and the backup data in Singapore. However, with the parent company based in Beijing, TikTok is subjected to the Chinese jurisdiction and laws that often compel the private agencies to share information when needed. This is due in part to the Chinese Government’s deliberate integration of the public and private digital landscape through Article 7 of its National Intelligence Law that requires Chinese citizens and organisations to cooperate with state intelligence work.15 This has been further fortified by China’s 2017 Cybersecurity Law. As public policy researchers noted last year, these laws “[entail] strict provisions requiring data to be housed inside China, as well as spot inspections and even black-box security audits.”16
The recent incident of WhatsApp (despite being end-to-end encrypted) being used by the NSO Group, via a spyware, to spy on people has once again brought forth the concerns about data protection.17 One often tends to ignore the importance of protecting the personal data voluntarily disseminated on social media apps. With such data becoming a critical resource, the first question to be asked is where is the user data being stored? Currently, the TikTok data for Indian users is being stored in the third-party data centres located in the US and Singapore. In July 2019, ByteDance proposed setting up a data centre in India itself.18 However, no definitive timeline for the proposed plan has been given yet. Moreover, there is no clear indication as to what level the data would still be accessible or what set of security measures would be in place for data protection.
It is important to note that if a company stores Indian data overseas then that data is subjected to that country’s legislation which may or may not be in line with India’s interest. Furthermore, Indian lawmakers and citizens possess even less insight into data security practices of foreign-owned technology practices. The dearth of information with regard to real-time data collection, storage, levels of access, server locations, and third party partnerships present a national security risk. According to an article published in Quartz in May 2019, the previous version of TikTok’s privacy policy allowed data on the app to be shared with “any member or affiliate of [its] group in China” before the policy was revised in February 2019 with no clear indication of how much data has been already shared before the revision. Besides, the new privacy policy does not specify whether the user data can be transferred to or accessed from China.19 Without a deeper insight and greater transparency regarding storage and handling of data of the Indian users, there could also be concerns regarding possible backdoors or even introduction of security flaws.
TikTok app has been blamed for censoring politically sensitive information with respect to China in the name of content moderation. The same has not been true for other countries. In India, the app has been blamed for aggravating religious and caste-based hatred and political differences in the country. Although TikTok has community guidelines against hateful or violent content, and a moderation team that flags and removes problematic videos, the extent of their implementation remains far from satisfactory.20 Earlier, during the ban in April 2019, it had stated that around 250 people have been employed for the same, that is, 250 people for content moderation in a country with approximately 120 million active users. One can easily do the math and estimate the quality of content moderation.21
However, TikTok is not the sole case of a social media app misusing data or fomenting hatred and violence. The same has been true for other apps too. With most of the social media apps originating abroad, it is often difficult for the social media app makers to fully grasp the cultural complexities or sensitivities attached to certain social and political issues in other countries. This is where effective civil rights audit is required to ensure that misinformation or messages likely to incite hatred and violence are not proliferated through these applications. It is noteworthy that a civil rights audit was undertaken by Facebook in the US in May 2018 pertaining to concerns raised by more than 90 civil rights organisations.22 Till date, the company has been putting in place policies that protect against misinformation, identifies hate slogans and symbols connected to white nationalism and separatism, and prevents voter suppression.
Furthermore, with the availability of a variety of user data including data with high commercial value (biometric and behavioural patterns), private companies tend to lobby against strict data protection laws. With increasing data thefts and applications often becoming tools for spying, there is a dire need for a data protection bill to come into play. India needs to set up a grievance redressal mechanism for all the social media applications available in the country. It is also vital that the privacy rules of apps cater to the sensitivities of its Indian users and have their data centres within the country.
The draft Personal Data Protection Bill 2019 was recently introduced in the Lok Sabha and would now be examined by a joint select committee. The Bill emphasises the need for data localisation and the importance of treating data as a national property. Data is a strategic asset and should be handled with utmost security. It is important to ensure that customers are secure with respect to their data. Although the draft Bill may not be foolproof at this juncture, nevertheless, a beginning has been made towards having a stronger framework for the protection and security of data.
Views expressed are of the author and do not necessarily reflect the views of the IDSA or of the Government of India.