TikTok, Time’s Up. Should Businesses Rethink the Use of TikTok to Retain User Privacy?


As FCC Commissioner Brendan Carr shares a letter to Apple and Android bosses telling them to remove TikTok from their app stores due to “surreptitious data practices”, Reflectiz asks: does using TikTok as a business put your customer data at risk?

The FCC has written a letter to Tim Cook, CEO of Apple, and Sundar Pichai, CEO of Alphabet, requesting that they remove TikTok, the popular video-sharing application, from their app stores.

“TikTok is owned by Beijing-based ByteDance — an organization that is beholden to the Communist Party of China, and required by Chinese law to comply with the PRC’s surveillance demands. Through leaked audio recordings…[it has been] revealed that ByteDance officials in Beijing have repeatedly accessed the sensitive data that TikTok has collected from Americans… It is clear that TikTok poses an unacceptable national security risk due to its extensive data harvesting being combined with Beijing’s apparently unchecked access to that sensitive data.”

Avoiding TikTok Surveillance Might Not Be As Simple As You Think

Many end-users will simply think, “Wow, I should definitely delete TikTok from my phone!” Perhaps they have already chosen not to download it in the first place, and count themselves lucky that they have dodged a sensitive data-shaped bullet. 


However, if the organizations with which you choose to do business use TikTok on their websites, it doesn’t matter if you personally never download the app. TikTok for business offers a wide range of opportunities for consumer websites, from integrating the app with their product catalog, to setting up ad campaigns and banners linked to their retail website, campaign and order management, or data insights. 

For all of these functions to work, TikTok injects JavaScript code into the retailer’s website. When you visit that website, TikTok uses this code to track sensitive information about your location, your browser and device, or, if the script goes rogue, even financial details that you enter into the checkout page.

As a matter of standard practice, according to Carr, “[TikTok] collects search and browsing histories, keystroke patterns, biometric identifiers, draft messages and metadata, plus it has collected the text, images, and videos that are stored on a device’s clipboard.”

It doesn’t matter that you have opted out of using the app — if the businesses you work with are using TikTok, your data will be exposed anyway. Not only that, but because much of the functionality of TikTok for business can run behind the scenes, you may not even realize that your retailer is opening you up to potential violations of privacy. 

Through our own in-depth research at Reflectiz, we have uncovered that TikTok tracks more than 10% of US website users, and in many cases accesses PII such as usernames and passwords, posing a growing threat to today’s end-users.

What are the Risks for Today’s Businesses?

For consumer websites that do use TikTok as part of their marketing strategy, it’s time to consider your visibility and control. As the FCC speaks out against the app’s dangerous use of personal data, it’s clear that giving the app unchecked access to consumer information could put your business at risk of non-compliance with laws such as GDPR and CCPA.

Not only could this result in heavy fines and penalties, but the publicity around TikTok potentially being removed from the public app stores could also be enough to make customers think twice about shopping on websites where TikTok has access to their information.

As part of protecting your consumers and proving regulatory compliance to the relevant authorities, you need to ensure that you have as much insight as possible into what’s happening with your third-party digital applications. For example, in your website privacy policy you should be able to outline who has access to what data, and how that data is being used. This should also include some kind of function for users to opt out of their data being used by third parties.

Additionally, if third parties are acting maliciously, or if, as the FCC fears, you’re involved in a Nation State situation as collateral damage, you need to know that you can see what third parties are doing with your data at all times, to ensure they are complying with the guidelines that you have put in place over customer and visitor data.

This is why at Reflectiz we offer a single dashboard which shows you all of the third-party applications, scripts and trackers which are currently on your website, what data the third parties are collecting, and where that data is being sent.
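
A first-pass version of that inventory can be built from a page's own markup. The following is an added example, not Reflectiz's product or code from the original article: it lists the third-party script hosts on a page and flags pages where they load alongside sensitive form fields. The URLs, hostnames and sample HTML are constructed, and the first-party check is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SENSITIVE_TYPES = {"password", "email", "tel"}
SENSITIVE_TOKENS = {"username", "current-password", "new-password"}

def is_first_party(host, page_host):
    # Naive assumption: same host or a subdomain of it. A production audit
    # should compare registrable domains using the Public Suffix List.
    return host == page_host or host.endswith("." + page_host)

class PageAudit(HTMLParser):
    """Collects external script hosts and sensitive inputs from one page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.third_party = {}        # host -> script URLs loaded from it
        self.sensitive_fields = []   # names of inputs holding PII or credentials

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            url = urljoin(self.page_url, a["src"])  # resolves /path and //host
            host = urlparse(url).hostname
            if host and not is_first_party(host, self.page_host):
                self.third_party.setdefault(host, []).append(url)
        elif tag == "input":
            tokens = (a.get("autocomplete") or "").lower().split()
            by_type = (a.get("type") or "text").lower() in SENSITIVE_TYPES
            by_hint = any(t.startswith("cc-") or t in SENSITIVE_TOKENS for t in tokens)
            if by_type or by_hint:
                self.sensitive_fields.append(a.get("name") or a.get("id") or "?")

def audit(page_url, html):
    p = PageAudit(page_url)
    p.feed(html)
    p.close()
    # A script included in the page runs in the page's origin and can read
    # every field on it, so third-party hosts plus sensitive fields = exposure.
    return {"third_party_hosts": sorted(p.third_party),
            "sensitive_fields": p.sensitive_fields,
            "exposed": bool(p.third_party and p.sensitive_fields)}

PAGE_URL = "https://shop.example/checkout"   # constructed sample page
SAMPLE_HTML = """<head><script src="/static/app.js"></script>
<script src="https://pixel.vendor.example/events.js" async></script>
<script src="//tags.manager.example/loader.js"></script></head>
<form action="/pay"><input name="email" type="email">
<input name="card" autocomplete="cc-number"><input name="coupon"></form>"""

if __name__ == "__main__":
    print(audit(PAGE_URL, SAMPLE_HTML))
```

Static markup only shows scripts referenced directly in the HTML; scripts that other scripts load at runtime need a browser-based crawl to observe.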

