TikTok’s software development kits could undermine Joe Biden's order to stop internet traffic flowing from federal employees' phones to TikTok within 30 days.
Joe Biden gave federal agencies 30 days to remove TikTok from government devices earlier this week. Until now, most politicians intent on punishing TikTok have focused solely on banning the app itself, but, according to a memo reviewed by Reuters, federal agencies must also “prohibit internet traffic from reaching the company.” That’s a lot more complicated than it sounds. Gizmodo has learned that tens of thousands of apps—many of which may already be installed on federal employees’ work phones—use code that sends data to TikTok.
Some 28,251 apps use TikTok’s software development kits (SDKs), tools which integrate apps with TikTok’s systems—and send TikTok user data—for functions like ads within TikTok, logging in, and sharing videos from the app. That’s according to a search conducted by Gizmodo and corroborated by AppFigures, an analytics company. But apps aren’t TikTok’s only source of data. There are TikTok trackers spread across even more websites. The type of data sharing TikTok is doing is just as common on other parts of the internet.
The apps using the TikTok SDK include popular games like Mobile Legends: Bang Bang, Trivia Crack, and Fruit Ninja, photo editors like VSCO and Canva, lesser-known dating apps, weather apps, WiFi utilities, and a wide variety of other apps in nearly every category. The developers for the apps listed above did not immediately respond to a request for comment.
“A simple ban on the TikTok app itself is not going to stop data flowing to TikTok,” said Daniel Kahn Gillmor, a senior staff technologist at the American Civil Liberties Union. “TikTok has software in other places, not to mention TikTok trackers spread across other parts of the web. I don’t have a TikTok account, but there are still plenty of ways the company can get data about me.”
Congress passed an official ban on TikTok on government devices in December 2022, and the app was already banned by some federal agencies, including the DoD as well as a growing list of states, not to mention bans on official devices in the EU and Canada. On Tuesday, a controversial Republican bill that would give Biden authority to ban TikTok and other foreign apps nationwide sailed through committee after being introduced just a week ago. The fast-tracked bill, which is opposed by Democrats, seems unlikely to pass the Senate. Among other problems, it would put Biden in a difficult position: choosing between looking weak on China or banning a wildly popular app beloved by users and businesses alike.
“A SDK is a set of tools that help software developers create applications for a specific platform. TikTok SDKs are used to share, not collect data,” said TikTok spokesperson Jason Grosse, adding that sharing happens both ways between apps, with data going to and from TikTok. “We don’t collect data from these SDKs except basic information about the usage of those SDKs,” Grosse said.
On Twitter, the company responded to the Republican bill to give Biden power for a total US ban. “A U.S. ban on TikTok is a ban on the export of American culture and values to the billion-plus people who use our service worldwide,” TikTok’s communications team said. “We’re disappointed to see this rushed piece of legislation move forward.”
Why won’t a TikTok ban stop the flow of data to China?
TikTok is getting user data from lots of apps and websites the company doesn’t own or operate. This isn’t unique to TikTok—it’s a standard practice among social media and advertising companies. American social media companies expose your data to China, too. Even if they don’t do it directly, brokers and ad tech companies who get data from them do.
That makes privacy problems near impossible to rein in without comprehensive action across the whole internet. Experts agree that banning TikTok will not keep data out of the hands of China or anyone else. The White House did not respond to a request for comment.
If you think government employees would know better than to install these kinds of apps, think again. Department of Defense employees use a long list of banned apps, according to a report from the DoD itself published in February. That includes apps for drones made by Chinese companies, dating apps, games, third-party VPNs, and, apparently, TikTok—all installed on government phones in violation of security policies.
App SDKs are just one of the many ways TikTok harvests information. Last year, an investigation by this reporter detailed how TikTok tracks you across the web, even if you don’t have the TikTok app, on websites including Planned Parenthood, Weight Watchers, and even state government websites.
Organizations that want to advertise on TikTok put cookies and trackers called “pixels” on their sites to send the company data about who visited the site and what they did there. “Advertisers can choose to send us data about events that happen in their apps so that we can measure the effectiveness of their ads, create audiences and improve ad delivery,” TikTok’s Grosse said. “We only collect the data that the advertiser chooses to send.”
TikTok provides technical information about how its trackers work and what data they collect on the company’s Business Help Center.
With a billion users across the world, the app is now a fundamental part of global communication and advertising, and connecting your organization’s systems to TikTok can be useful for a variety of purposes. The genie is out of the bottle, and banning the app from federal devices won’t put it back.
TikTok isn’t the only way China can get your data
A 2020 Gizmodo investigation found that Facebook, Twitter, YouTube, Gmail, Snapchat, and other apps expose Americans’ data to the same threats as TikTok because they all partner with Chinese advertising technology companies. That means American companies are sending data to servers in China governed by the exact same laws that make TikTok so terrifying to American policy makers.
“I’m not at all saying TikTok is innocent, but focusing specifically on one app from one country is not going to solve whatever problem you think you’re solving. It truly misses the point,” Kahn Gillmor said. “Do we really think that Facebook or Google are not capable of being influenced by the Chinese government? They know a market when they see one. I think the pressure that’s building is basically a race to be seen as tough on China.”
There’s an even easier way your data might be exposed to a foreign power. If Chinese government officials want American data, they can just buy it from American companies. There are hundreds of data brokers in the United States with near-zero regulatory oversight. Their entire business model is vacuuming up your data and selling it to anyone who wants a piece.
“If policymakers are serious about addressing Chinese security risks, they should limit the ability of commercial data brokers to sell information to adversarial foreign entities (or their intermediaries), in general,” a report released last month by the Brookings Institution reads. “Even if TikTok did not exist, China could purchase confidential information on U.S. consumers from other companies and use that material for nefarious purposes, creating similar national security challenges.”
What a real TikTok ban would look like
Blocking traffic going directly from a phone or a computer to TikTok’s servers wouldn’t be technically difficult, but it requires a holistic approach, according to Mark Stockley, cybersecurity evangelist at Malwarebytes, a digital security company.
“There are several layers where they can try and block this and make quite a serious dent,” Stockley said. Organizations commonly use mobile management software on the devices they give employees. That gives IT departments control over what happens on the device, including which apps are installed and what domains and servers the device is allowed to contact. In centrally managed environments (a wifi network, for example), organizations can set up block lists that prevent traffic going to or from a particular source.
“These are things that organizations do every day, it’s a well worn groove,” Stockley said. “I suspect the hardest part is getting it done in 30 days. Everyone already has a to-do list.”
It’s not clear what the Biden administration’s guidelines are for federal agencies aside from one vague reference to “prohibiting internet traffic.” But if the government simply bans the app without taking these additional steps, it would be a half measure that wouldn’t solve the problem concerning legislators.
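The gap described above, where one app is removed but other apps' embedded SDKs keep contacting the same company, can be checked on a managed network. This added example (not from the article or any vendor) audits a constructed DNS query log against a placeholder block list, matching on label boundaries so look-alike names do not trigger; the log format, domain names and app package names are all assumptions.

```python
"""Audit DNS query logs from managed devices against a vendor block list."""
from collections import defaultdict

# Placeholder suffixes (constructed). A real list would come from the
# organization's own policy, not from this example.
BLOCKED_SUFFIXES = {"blocked-vendor.example", "vendor-cdn.example"}

# Constructed log lines: "<timestamp> <device_id> <app_package> <queried_name>"
SAMPLE_LOG = """\
2023-03-01T09:00:01Z phone-17 com.example.weather api.weather.example
2023-03-01T09:00:02Z phone-17 com.example.weather analytics.blocked-vendor.example
2023-03-01T09:00:05Z phone-17 com.example.game Log.Vendor-CDN.example.
2023-03-01T09:01:10Z phone-22 com.example.notes notblocked-vendor.example
2023-03-01T09:02:30Z phone-22 com.example.photo blocked-vendor.example
malformed line
"""


def normalize(name):
    """Lower-case the name and drop the trailing root dot, as resolvers do."""
    return name.strip().rstrip(".").lower()


def is_blocked(name, suffixes=BLOCKED_SUFFIXES):
    """True if the name or any parent domain is on the block list.

    Comparing whole labels keeps 'notblocked-vendor.example' from matching
    'blocked-vendor.example', which a plain endswith() check would get wrong.
    """
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in suffixes for i in range(len(labels)))


def audit(log_text, suffixes=BLOCKED_SUFFIXES):
    """Return {device_id: sorted apps that queried a blocked domain}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:  # skip malformed or truncated records
            continue
        _timestamp, device, app, name = fields
        if is_blocked(name, suffixes):
            hits[device].add(app)
    return {device: sorted(apps) for device, apps in hits.items()}


if __name__ == "__main__":
    for device, apps in audit(SAMPLE_LOG).items():
        print(device, "->", ", ".join(apps))
```

None of the apps flagged in the sample is the banned app itself, which is why a removal-only policy would miss them.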
“Americans should keep in mind that TikTok’s connection with China is far from an anomaly in the market; many US firms either manufacture in China or rely upon components developed in China,” the Brookings Institution says. “The U.S. needs stronger overall platform governance and data privacy regulation to mitigate problems not just from TikTok but from social media platforms overall.”
There’s nothing special about the kind of data TikTok collects, or the way it harvests it. What is different is who has jurisdiction over that data. Chinese law lets the government force companies to hand over nearly unlimited amounts of information, which sparked a long, agonizing debate over national security. The Biden administration was nearing a deal with the company to set up a special system that would allow TikTok to operate while quelling security concerns. However, the deal floundered after reports suggested TikTok used its own app to spy on an employee leaking information to the press and on journalists investigating the company.
“Lots of people have had a good look at the TikTok app, and they haven’t found a smoking gun, or anything that looks different from what happens with Facebook, Twitter, and other social networks,” Stockley said. “If the federal government had something within the app that they could expose, I would expect they’d do it.”
“If there’s anyone who knows what a government might have access to by intercepting social media data, though, it’s the United States,” Stockley added.
Banning TikTok could set a dangerous precedent
If the US government starts blocking traffic from going to a particular company, or country for that matter, it starts to look a lot like practices the US has spent years criticizing China for. The so-called “great firewall of China” sets up significant filters that censor and monitor the Chinese internet, keeping out businesses that pose threats to the nation’s economy and political control. If you ask the Chinese Communist Party why it does this, it will tell you it’s for the good of the Chinese people, and it protects national security concerns. It also limits free expression.
“Right now this is just about controlling government devices and networks, and we’re a long way from what the internet looks like in China,” Kahn Gillmor said. “But at a certain point, we’re going to start looking a lot like the folks we’re supposedly opposing. We’re laying the groundwork for homogenized control over the internet. I think that is not something we should be doing, and it’s distressing.”
TikTok, just like every other popular social media app, has serious privacy concerns, and privacy issues lead to all kinds of risks from national security issues, to marketplace competition problems, to risks to people’s personal safety.
The American public wants these problems to be addressed. But so far, the political system has been hesitant to address the source of this dilemma: the structure of the entire internet.
You can ban TikTok and scrub every Chinese app from the face of the Earth. It wouldn’t stop the spread of American data because the internet is spreading your information all over the world, by design. So far, lawmakers refuse to do anything about it except yell at Mark Zuckerberg that somebody really ought to do something about all this data stuff.
Blocking TikTok may address some very specific hypothetical concerns, but if you’re worried about privacy, it would be like throwing a rock into the Mississippi river and hoping it stops the flow of water.