Article in it-daily from September 04, 2020
Recently it was announced that US President Donald Trump plans to issue a decree prohibiting business with the owners of the Chinese apps TikTok and WeChat. The American head of state issued an ultimatum - the decree will take effect 45 days after its announcement - unless a US company takes the place of the current operators. Trump is therefore asking them to sell directly to an American company. Specifically, the owner of TikTok is the ByteDance group, while WeChat belongs to the Tencent company. This step attracted international attention and prompted speculation about the president's true motives - the battle for the data, it seems, is already in full swing.
US Giant Microsoft as well as Twitter Aim for a Deal
After Trump made the threat, Microsoft showed interest in taking over the U.S. business of TikTok and declared that it wanted to conclude a contract with the Chinese owner by mid-September. The business in Canada, Australia and New Zealand would then also be part of the agreement. Mid-September is also the deadline set by the U.S. president - by this date, in his opinion, a solution for the sale of the video portal should be found. Microsoft's self-declared goal is to ensure that all personal data of US citizens is transferred there and will continue to be collected only there. In addition to Microsoft, the short-message service Twitter also expressed interest, and according to the Wall Street Journal both companies have already held talks, even though neither Twitter nor ByteDance officially confirmed this upon request.
Donald Trump: Privacy Protectionist?
But is this the intention of Donald Trump? Officially, the government said that TikTok automatically collects a large amount of user data, including search histories and geodata. The White House said that the Chinese government could use this information to spy on or blackmail government employees and service providers. The background here is the suspicion that the parent company ByteDance may be very close to the Chinese Communist Party and its interests, and that information may be passed on to it. For Trump, this line of reasoning is probably the justification for taking political action against the Beijing-based company.
That TikTok collects a very large amount of data from its users is now established. In March of this year, security experts Talal Haj Bakry and Tommy Mysk discovered that TikTok - like a number of other applications for iOS and Android - had direct access to disproportionately large amounts of user data. TikTok was able to 'read' virtually any information that users copied to their clipboard. This included messages and URLs, but also selfies, account information, passwords and Bitcoin addresses. Worse still, the experts discovered that access to the user's clipboard does not only affect local data on the respective end device - when the same Apple ID is used, the data was even read across devices via the so-called Universal Clipboard. According to the security experts, some apps do have permission to access this clipboard in order to function. With TikTok, however, this is not the case, and the access makes no sense in terms of functionality. At least the video portal, like other affected apps, gave assurances that these processes would be stopped. It is currently unclear whether the feature has been removed.
Even more devastating are the findings of an app researcher who subjected TikTok to "reverse engineering". He published his results on the Reddit portal under the user name Bangorlol. He, too, revealed that the app collects an enormous amount of data: the user's location is said to be tracked extensively, and he also believes that information on the hardware used, connected networks and other apps in use is collected. The researcher, who says he deals with the functioning of apps on a daily basis, even went so far as to say that TikTok does not meet formal malware criteria but is nonetheless frivolous, and he strongly advises against its use for privacy reasons.
In this context, it is important to emphasize that Facebook, for example, has also been repeatedly criticized by data protection advocates, even though the Group has been striving for greater transparency in this area in recent years.
USA vs. China: Dispute over Power over User Data?
TikTok's practices are undoubtedly disturbing, but how justified is Trump's accusation that ByteDance is close to the Chinese government? This question remains unanswered. As the Tagesspiegel recently reported, there is certainly cause for concern here. For example, the government has introduced an IT security law that allows access to data collected by tech companies. There are also party cells in numerous Chinese companies that influence decisions made by the company. Furthermore, there is a clear requirement that IT companies based in China also store their information on Chinese servers - a requirement that ByteDance seems to circumvent. After all, it is company policy that TikTok user data from outside China is also stored outside the country. ByteDance has also emphasized that it is trying to reduce the data exchange between TikTok and the Chinese version of the app, Douyin, to a minimum and to separate the data analysis of the two applications from each other. So what the relationship between the government in Beijing and the tech group ByteDance actually looks like, and whether data from users outside China is actually not stored in the country, is currently unclear.
It is undisputed that the US president is aware of the importance and power of data. It should come as no surprise that Trump wants to take off the market, or put in American hands, the only two competitors in consumer social media that have a significant market share and can really take on giants like Facebook, Twitter and Instagram. The White House's move also draws attention once again to the way the U.S. government and U.S. corporations handle personal data - for example, that of EU citizens. As is well known, since the introduction of the CLOUD (Clarifying Lawful Overseas Use of Data) Act in spring 2018, there has been a contradiction between that law and the European General Data Protection Regulation. After all, the CLOUD Act - an extension of the Patriot Act - authorizes U.S. government authorities to inspect user data held by American corporations, even if the data is stored in Europe, for example. This represents a clear disadvantage for European users and companies when they use American services. In fact, the Act poses a risk to the data sovereignty of individuals and to critical corporate data.
Fortunately, however, a trend reversal seems to be in the offing and US providers are slowly recognizing the importance of the topic of data protection in Europe - this is shown, for example, by the lively participation of providers from the USA in the GAIA-X project, the "Europe Cloud". While the reactions on the part of American manufacturers were consistently negative when the project was announced, corporations such as IBM, Microsoft and Google are now pushing to become part of GAIA-X. This is to be welcomed in any case - perhaps the introduction of the EU GDPR as a historic push for more data protection in Europe and the world has once again made them aware of the importance of the issue.
President Donald Trump's move to give the operators of the successful social media apps TikTok and WeChat an ultimatum to be taken over by a US company shows the uncertainty of the US government with regard to a possible loss of control. TikTok in particular is the only serious non-American competitor of U.S. giants in the field of consumer social media such as Facebook, Twitter, etc. These companies are 'covered' by the Patriot Act and the new CLOUD Act - in other words, the government in Washington can gain access to user data if necessary. Chinese-led services with a large number of users are excluded from this. In addition to economic interests, is Trump primarily concerned with the supremacy of control and possible access to user data? For users and companies based in Europe, data protection and IT security must be one of the top priorities in these times. The 'battle' between the two countries shows how important user data is for them and that users should protect this 'good'. The GAIA-X project is very promising and could lead to greater independence for Europe in the cloud. To be on the safe side, companies and end users must rely on a solution from Germany that is already subject to the strict local data protection laws and enables uncomplicated and certified compliance with the EU GDPR. With German or European providers, the data sovereignty of the individual is given and users know at all times where their information is located.