Between 2013 and 2016, 87 million people had their data harvested by Cambridge Analytica. The psychometric profiles gleaned from the personality quiz they created were used without their owners’ consents for political purposes and likely influenced the results of the 2016 US presidential election—and potentially many more. If the cataclysmic scandal taught us anything, it was that some of the secrets of the data trade wars are buried in the fine print no one reads.

In preparation for when my kids begin asking about the hugely popular lip-sync app TikTok, I dug into its privacy policy and its recent revisions. If you joined TikTok before 2019, what I found should worry you.

I’m getting used to grilling companies about their data practices. In 2017, I sued Cambridge Analytica. I was trying to get answers about arguably the most controversial data company in the history of big data, and prove that Donald Trump’s digital campaign broke UK law in the US election by politically profiling users in a territory that prohibits this. I mounted a private-action legal effort under the UK Data Protection Act—and won several key battles along the way before ultimately being defeated. I still don’t have control over all my data, and the companies refuse to answer any questions about it.

The quirk of US data being processed in the UK meant that it fell under the jurisdiction of the Information Commissioner’s Office (the ICO, no relation to cryptocurrency’s “initial coin offerings”), the UK’s data-abuse watchdog agency. Cambridge Analytica servers were seized under criminal warrant a short time after the scandal headlines started rocking the world. After more than two years of legal wrangling in the UK, in January 2019 the firm administrating the Cambridge Analytica companies pled guilty on behalf of the zombie company. If I hadn’t asked questions in 2017 and filed a complaint with the ICO, this criminal conviction of the administrators of Cambridge Analytica wouldn’t have happened.

In the weirdest possible way, we should be glad American data leaked to England. The UK’s two-decade-old data-protection regime is currently still devoting immense resources to solving a big mystery about the 2016 US presidential election. None of this would have happened if our data had remained in the United States.

But how would you feel if your data had leaked somewhere else? What if that place were China?

That might have happened with TikTok. It’s hard to tell.

What is TikTok?

TikTok is one of this past year’s trendiest apps, obsessing the youngs and befuddling the olds. You create your own mini video clips on it, often lip-syncing along to music; it’s kind of like selfie karaoke. As of last month, it has been downloaded 800 million times, and has half a billion active monthly users. (Turns out most of the world dreams of becoming a pop star.)

Unlike the rest of the social-media pack—Instagram, Snapchat, Facebook—TikTok is not a product of California. Beijing-based company ByteDance launched the Chinese original, Douyin (meaning “vibrating sound”), to the market in 2016. A year later they acquired another Chinese-owned app Musical.ly for $800 million and launched TikTok beyond the Great Firewall. Its incredible success dovetailed with the demise of Vine, the short video platform acquired and then shuttered by Twitter.

How could something so frivolous also be so dangerous? “We Should Worry About How China Uses Apps Like TikTok” exclaimed the headline in a recent New York Times op-ed. Nick Frisch, a fellow at Yale Law School’s Information Society Project, warned of China’s newest growth export: the surveillance state. He said we should be concerned by these “illiberal innovations,” and included the lip-sync social media sensation in his inventory of reasons to be more skeptical of the Made in China tech movement.

Having learned the crucial lesson of data sovereignty through my experiences with Facebook’s favorite democracy-destabilizing personality quiz, I’m now hyper-sensitized to the question of where our personal data ends up. When I sued Cambridge Analytica, I was simply demanding answers to the questions that everyone had about the company: Where did they get our data? What did they do with it? And with whom did they share it?

I had similar questions of TikTok. If the cataclysmic Cambridge Analytica scandal taught us anything, it was that some of the secrets of the data trade wars are buried in the fine print that no one reads. Being a privacy nerd and a parent of kids who will probably soon be on the Chinese-owned app (as soon as I let them), I did the thing that almost no one does: I read their privacy policy. I was alarmed to see this section, which in late 2018 stated that TikTok user data may be transferred to China.

There’s an underlying geopolitical reason why conscientious parents should go that extra mile to inspect the international jurisdictions of their kids’ apps. Recently, Facebook CEO Mark Zuckerberg warned against data localization laws in authoritarian states like China and Russia, which require companies to store data in their territories. This grants these governments unrestrained access to user data for political oppression, algorithmic surveillance, social control, and, who knows, election interference. As an example of this, Apple was criticized when it acceded to the Chinese government’s demands that it set up iCloud in state-controlled data centers. The tech company knew this would mean it could not promise privacy and security to its customers in China.

The boundaries between the Communist party and the major tech titans like Alibaba, Baidu, and Tencent are as thin as rice paper.

In the People’s Republic of China, the Communist Party apparatus is embedded in the state university system, where R&D labs devised the Great Firewall, innovate new surveillance tech, and swallow up oceans of big data in the AI arms race. China has not only successfully isolated its billions of citizens from the rest of the internet behind the Great Firewall—it has also built its own parallel tech industry. It has its own Google (Baidu), its own Twitter (Weibo), its own Amazon (Alibaba), and its own Facebook (Tencent).

President Xi Jinping has been overseeing the expansion of a hyper-dystopian surveillance state while advocating censorship as “internet sovereignty.” The results of this have been wielded oppressively against the Uyghur population in Xinjiang province as well as citizens in major metropolitan cities. The boundaries between the Communist party and the major tech titans like Alibaba, Baidu, and Tencent are as thin as rice paper. Xi’s “little red app” has been understood as a digital version of Mao’s Little Red Book; the app’s data analytics and social coercions evolve the party’s totalitarianism into the 21st century.

So where does TikTok stand?

Follow the data

I wanted to apply Cambridge Analytica like a litmus test to TikTok. The result illustrated a perplexing new economic and political web of data trade routes across regulatory boundaries.

In February 2019, the company revised the privacy policy that first concerned me, shortly after its $5.7 million settlement with the Federal Trade Commission for violating the US child privacy law, COPPA. ByteDance was caught knowingly allowing (even promoting!) underage kids on the platform, which goes against US law.

Their new privacy policy reflects the splintering of data-protection regimes around the globe, offering different policies depending on the jurisdiction of TikTok users. According to its varying privacy policies, people living in the EU (especially Germany) and India get specific rights, such as the right to access their data; the US policy does not extend the GDPR voluntarily. (India’s regulator recently banned TikTok for concerns about pornography, but the state court lifted the ban as the company claimed to be losing $500,000 per day in lost revenue and 15 million users.) At least we protect the data privacy of our kids in America, right?

When I dug into the new privacy policy for TikTok that applied to users in America, I could not find any language that clearly specified whether or not user data would be transferred to or be accessible from China. I decided to ask them.

At the end of March 2019, I sent an email to privacy@tiktok.com asking whether or not TikTok user data was transferred to locations in China.

Date: Tue, Mar 26, 2019 at 1:20 PM

Subject: Revised policy

To: <privacy@tiktok.com> I have a question to clarify the privacy policy that was revised as of February 19, 2019. The previous version of the TikTok privacy policy included the language: “We will also share your information with any member or affiliate of our group, in China, for the purposes set out above, to assist in the improvement and optimisation of the Platform, in order to prevent illegal uses, increase user numbers, development, engineering and analysis of information or for our internal business purposes.” Does the revised policy signify that that TikTok user data is no longer stored in or shared with affiliates, and/or accessible within China? It is unclear from the new language whether or not this is still the case.

I was initially ignored. After two weeks, I sent a reminder. After a month, still nothing.

If I was a resident of the EU, I could have filed a complaint with my country’s data protection authority that my inquiry was ignored by TikTok after a month, exposing them to further regulatory action. But in the US, where we have no data rights and no general data-privacy laws, all I could do was ask nicely in an effort to get answers to entirely reasonable questions.

Then I had another idea. I sent another email acknowledging that I would be publishing the fact that I was ignored in a major publication. After all, the free press is pretty much all we have in our toolkit as Americans to hold the data economy accountable for potential abuse and opaque practices.

That’s when I think someone at TikTok finally googled me.

I finally received a response.

From: TikTok Privacy privacy@tiktok.com

Subject: Re: Revised policy

Date: April 28, 2019 at 4:23:12 AM EDT Dear David, Sorry for the late reply. We have involved the staff who is the most professional person in this area to contact you directly in the next few days.

The follow-up from ByteDance corporate affairs soothed my distress. (Bolding our own.)

Hi David, I apologize that you were not provided a timely response to your inquiry. I have instructed the relevant managers to review this case and implement necessary modifications so this doesn’t happen again. In regards to your question, please allow me to address it. TikTok user data is stored and processed in the U.S. and other markets where TikTok operates at industry-leading third-party data centers. It’s important to clarify that TikTok does not operate in China and that the government of the PRC has no access to TikTok users data. In the United States, TikTok is operated by our US entity. Data may be shared with others in our corporate group as defined in the Privacy Policy for the explained purposes. The privacy and security of our users is a top priority for TikTok, and we abide by local laws and regulations in the markets where we operate. We rolled out updates to our Privacy Policy in February and do so from time to time to ensure compliance and increase ease of understanding & transparency to our users. Please email me if you have any questions. I’m also happy to get on a Zoom call in the next few days.

After breathing that sigh of relief, it quickly hit me: What about before February 2019?

The spokesperson was glad to further clarify. I asked if he could confirm this statement, which I drafted to attempt to distill the key concern:

“Data from TikTok users who joined the service before February 2019 may have been processed in China. ByteDance has since reorganized its structure and operations to prevent user data from flowing into China.”

They confirmed that my statement was accurate but wanted to clarify:

“… there’s a difference between data being physically processed in China and data being processed by systems designed and operated by one of our China registered entities. As a general practice, TikTok is not a service offered in China and as a result there has not been personal and un-aggregated data physically processed there.”

The company responded to my concerns with an inscrutable combination of yes, no, and maybe. This is the nature of the emerging “splinternet,” where democratic and authoritarian states are disconnecting and fracturing from the global vision of the hyperconnected internet. That liminal feeling is the new uncanny data sovereignty in the age of surveillance capitalism.

Does their answer mean that ByteDance entities in China are now accessing US-based servers and processing the data here? Is this how they firewall TikTok from the Chinese government? Are teams sitting side-by-side in Beijing building both TikTok and Douyin, with one international team processing data on servers abroad beyond the reach of the government, and the domestic team running on servers in China subject to censors and security forces?

TikTok asks us to trust its own firewalls around the Great Firewall.

The good news is that ByteDance is not suspected of any wrongdoing or data crimes on behalf of the Xi regime, as far I can tell. But it’s clear that the company is aware of these entirely reasonable concerns and has had to operationalize itself around this uncomfortable reality. The FTC penalties appear to have forced the maker of Douyin and TikTok to reorganize its privacy policies around the delicate dance of data sovereignty. The company asks us to trust its own firewalls around the Great Firewall, as tech workers in China help build a product on servers in the US.

Then again, people may not care if the Chinese Communist Party is mining their TikTok user data. But it’s that usual “I have nothing to hide” attitude that ends up breeding more authoritarianism.

Data privacy is national security

The Cambridge Analytica story was just the canary in the coal mine. It woke us up to our reckless attitude about our personal data. We may roll our eyes at the seemingly innocuous, but the risk of regulatory penalties for data-privacy violations is real. My experience with TikTok—a company on probation with the feds—informs our understanding of data trade routes, as China learns how to navigate the data-protection regimes and norms of democratic states.

The reaction to Cambridge Analytica’s epic data spill shows that people do care about their data and think of it as something that deserves protections, with enforceable rights. But this doesn’t align with our behaviors, where we repeatedly opt-in to trading our privacy for convenience. We readily enroll in coercive contracts buried in privacy policies. The ecstatic rush of enjoying social apps is simply too potent to resist. And data-driven businesses monetize this so-called privacy paradox.

By asking tough questions about the US elections, we triggered a massive data forensics investigation by the UK data cops, resulting in criminal seizures and prosecutions of Cambridge Analytica. But what would happen if there was a dispute about how ByteDance was processing data in the United States for its Chinese entities?

TikTok is supposed to be fun. Lawmakers in Washington, DC have sounded the alarms about threats to national security from Chinese tech firms when it comes to hardware products, like networks and mobile devices, and the Trump administration is presently renegotiating trade agreements with China, including new agreements on data transfers. But what about monitoring the salacious soft power of lip-syncing?

If lawmakers on Capitol Hill knew that their children’s TikTok data may have been flowing right into China, I bet they’d worry about it as much as I do.