The Chinese social network is under scrutiny by the American and European authorities, who want to know exactly how their citizens’ data is being used. This comes at a time when geostrategic tensions are already running high between the so-called « Western » bloc on the one hand and China and Russia on the other.

TikTok, which currently counts 150 million users in the United States and 134 million in the European Union, is one of the most closely watched applications in the world. As you may recall, the video-sharing mobile app was banned in February 2023 from the telephones of European Commission employees and then from those working for the European Court of Auditors, the European Parliament and the European Council.

The European Commission justified this decision in a press release. « This measure aims to protect the Commission against cyberthreats and actions that could then be used for cyberattacks against the institution… The Commission is determined to ensure that its staff is well protected against the increase in cyberthreats and IT incidents. It is our duty to react as quickly as possible in the face of potential cybersecurity alerts. »

A few weeks before, the social network had also been banned in the US from the mobile phones of those working for Congress, the army and federal agencies. The press releases’ careful wording hides the fear of seeing users’ data exploited by the mobile application created by Chinese company ByteDance, perhaps directly by the Chinese government.

An updated and clarified privacy policy

To clarify how it used its users’ data, TikTok disclosed in November 2022 that some of its employees located in multiple countries around the world could access European users’ data.

In an update to its privacy policy, the Chinese company stated, « we currently store European user data in the U.S. and Singapore. Based on a demonstrated need to do their job, subject to a series of robust security controls and approval protocols, and by way of methods that are recognized under the GDPR, we allow certain employees within our corporate group located in Brazil, Canada, China, Israel, Japan, Malaysia, the Philippines, Singapore, South Korea, and the United States remote access to TikTok European user data. »

But one month later in December 2022, the New York Times revealed how certain TikTok employees could access sensitive data, including IP addresses, to track two journalists who were investigating ByteDance. The goal was to identify the journalists’ sources: the people working for ByteDance feeding them information. In a statement to Agence France-Presse, the Chinese company condemned it as a « misguided initiative that seriously violated the company’s Code of Conduct ».

TikTok: multiple layers of analysis

« We have to take into account several aspects when we talk about TikTok. First, we have to think globally and ask ourselves what data users want to share with social media in general. In this respect, TikTok really isn’t that different from other platforms. When you install the app, you can share your contacts, access your photos, your geolocation, just as you would with Facebook or X (Twitter), » says Gérôme Billois, partner at Wavestone.

The second aspect to consider is the risk that the application is rigged. « This would be the case if an app update was released with new features to spy on the phone. Technically, there is a real risk of this, since nothing prevents TikTok’s publisher from adding such features that, if well hidden, could slip through the net during verification. Thankfully, to date we have had no evidence of any such actions on the part of TikTok, or any other social networks, for that matter, » says Gérôme Billois.

Finally, we need to place TikTok within a much broader geostrategic context. « It is interesting to look at TikTok from the perspective of the war being waged in the digital space between a Western bloc and a Russia/China bloc. The war is happening through TikTok, but it goes much deeper than this. Just remember that iPhones are prohibited in Russia and China. There is a mutual fear on the part of the United States and Europe on the one hand and China and Russia on the other of the resources that can be used for digital espionage, » says Gérôme Billois.

Surveillance by the authorities on all fronts

Surveillance of TikTok by the authorities also covers the company’s practices in spreading information and its protection of under-18s. In October 2023, the European Commission requested information from TikTok (as well as Meta) under the European Digital Services Act (DSA), which came into force on August 25, 2023.

The Commission asked TikTok to provide more information about its measures to comply with its obligations in terms of risk assessment and mitigation measures to prevent the spread of illegal content, including violent content, content made by terrorists, hate speech and the alleged spread of misinformation. The request sent to TikTok followed the request sent to X (formerly Twitter) the previous week.

In early November 2023, Brussels also opened an investigation into measures taken at TikTok (as well as YouTube) to protect under-18s. Among other things, the European executive is worried about the consequences of certain videos on children’s « mental and physical health ». The European Commissioner for Internal Market, Thierry Breton, has made child protection one of his priorities. He is committed to ensuring very large platforms comply with the obligations under the Digital Services Act.

You may recall that, on September 15, 2023, TikTok was fined €345 million for breaching the GDPR in its processing of minors’ data. The fine was handed down by the Irish Data Protection Commission (DPC), acting on behalf of the EU.
