Let's Talk about TikTok

I seldom mention my time at Google because it was a mixed bag full of hard but meaningful work, a handful of lovely people, a couple of awful people, and lots of loneliness and isolation. It's time, though, for me to tell you about some of my work there.

I conducted user research for Google Search, and one of the specific teams I helped was the Privacy and Security Team. The team was interested in how people understood the data Google collected about them and how that data was being used. They were also interested in what users were doing to protect their Google accounts––in other words, how strong were their passwords? How often did they change their passwords? Where did they store their passwords? What kinds of information did they keep in Google apps, such as Gmail, Drive, and Sheets?

Well, folks, I'm here to tell you that people generally 1) have little to no understanding of what kind of data is collected about them and how it is used; and 2) are a security risk to themselves. Here are some specifics:

1. Despite Google's best efforts, most of the users I talked to didn't understand what data was being collected about them. Google did––and I believe still does––try to be transparent and clear about data collection and what it's used for. It does this by displaying pop-ups with copy written in plain language. It does this by offering clear set-up screens and/or warnings. But many users neglect to read such pop-ups and set-up screens. Many users just hit the "Next" button without thinking twice. I would've thought that if privacy and security were as important to people as they claim, they'd read everything obsessively. And make no mistake: Every single user I talked to claimed that privacy and security was important to them.
   
   As for how data was used––again, people did not have a strong understanding. It was lost on them that their shared data was used for things like relevant search results, targeted ads, reminders, and calendar notifications. They had next to no understanding of how technology actually works; for them, calendar notifications were the stuff of magic.
   
   Additionally, people often said they used Google applications to store the most important data about themselves. They sometimes emailed credit card usernames and passwords to themselves. They stored important dates, account numbers, and passwords in basic spreadsheets that they either emailed to themselves or stored on a computer with a simple and easily accessible password.
   
   
2. Remember when I said that every single user I talked to claimed that privacy and security was important to them? Well, those same people told me about their password practices, and those practices were lackadaisical, to say the least. Some people said they kept their passwords written on a Post-it or notepad next to their desktop computer. Some people said they used the same password over and over for numerous sites and apps. And few people used two-factor authentication for sign-ins.
   
   

The gist of what I'm saying is this: Individuals are their own worst enemies when it comes to data privacy and security––not nefarious organizations, not tech companies, not countries. Should we hold such groups accountable for breaches in data privacy and security? Absolutely. Should we outright ban an application or company (e.g., TikTok) simply because we don't understand how it works? No!

This brings me to my final point, which is that most people––and especially government policymakers––don't have a working knowledge of the Internet. A content creator I follow on TikTok, @nickdrom, explains Internet ignorance this way:

"It's because of how good technology is that we don't really have to know how things work. I think that is a primary difference of the Internet today compared to how it was when I was a kid. Today you really don't have to have any idea about how the Internet works, what algorithms are, what AI really is, anything about coding or software to still be able to do a lot of stuff with technology. [...] This also gives people a false sense of understanding. Because they're familiar with these things, they think they understand them." (https://www.tiktok.com/t/ZTRvXSoS1/)

So here we are in 2023, and the United States House Energy and Commerce Committee showered TikTok CEO Shou Chew last week with ludicrous questions and irrelevant statements that displayed their total ignorance about the app and the Internet in general. Among the questions were the following (my answers follow each question):

• Does TikTok access the home WiFi network?
  Yes, if the user accesses the Internet via WiFi. It's the same for any web application.
  
  
• Is it possible that [TikTok] can access other devices on that home WiFi network?
  The congressman didn't clarify what he meant here, but I'm assuming maybe he meant laptops or home virtual assistants? And the answer is a categorical no.
  
  
• When am I gonna get paid for the data you're getting from my children and my grandchildren?
  This question is nonsensical, but I'll try my best. The data that TikTok collects about its users (who are not just young people) include things like location, contacts, search history, in-app purchases, usage data, and browsing history. This data helps the TikTok software determine what kinds of videos you might like to see in the future. Also, you can essentially turn off some of this data collection if you want.
  
  
• Can you say with 100% certainty that TikTok does not use the phone's camera to determine whether the content that elicits a pupil dilation should be amplified by the algorithm?
  TikTok does not collect body, face, or voice data to identify users, and I'm not aware of phone app technology that can assess pupil dilation and associate it with specific content.
  
  
• Yes or no: As CEO of TikTok, why have you not directed your engineers to change the source code?
  This congressman also didn't clarify what he meant by this question, so I hardly know how to answer, but generally speaking, CEOs do not concern themselves with the code that engineers write. A Chief Technology Officer or a Director of Engineering would, however, care about source code and maybe even write some code him- or herself.

I can only assume that the knowledge of undersea cables would make the members of this congressional committee explode. Heck, they probably think that the Internet is an ethereal substance that floats through the air. (Note: It is not. It is a world-wide system of computers that are connected mostly with cables that conduct electrical currents.) Yet these are the men and women who are creating and approving policies about Americans' Internet and technology usage.* It's embarrassing, and more than that, this kind of oversight violates our free market and arguably our First-Amendment rights.

I am all for social media apps being banned from government-issued devices, but banning TikTok from 150 million American users (That's half of the country's population!) is absurd. Data breaches and security risks are a part of our modern world. If the federal government wants to remove foreign threats posed by social media, then it should create legislation that includes all technology companies, not just one.**

Thing I'm thankful for: dinners with friends

*The proposed bills associated with this topic are S. 1477 - DATA Act and S. 686 - RESTRICT Act.

**I realize that because TikTok's parent company is based in China, people are afraid that China is using TikTok to spy on the United States, but there is no evidence of such clandestine activity. Besides, such fear is unfounded––remember that TikTok uses the data it collects to determine what kind of videos you might like to see in the future. It does not have access to other devices in your home or to information you don't share with it. It's worth noting here, that TikTok's CEO is from Singapore, not China, and he met his American wife while studying at Harvard Business School. He seems to have no personal ties and allegiance to China. It's also worth noting that after the Facebook-Cambridge Analytica data scandal, Congress didn't pass a bill that effectively banned Americans from using Facebook. Because of this and because of the way the House Energy and Commerce Committee members treated TikTok CEO Shou Chew, I'm inclined to believe that the criticisms of TikTok are rooted in xenophobia, rather than a desire to truly protect the American public from breaches in data privacy and security. (To read more on that, see The Verge's article on the congressional hearing.)