FB pixel

US sues TikTok for alleged violations of kids’ privacy, court order

US sues TikTok for alleged violations of kids’ privacy, court order
 

The U.S. Justice Department (DOJ) has sued TikTok, its parent company ByteDance and affiliated companies “to put an end to the social media giant’s … unlawful massive-scale invasions of children’s privacy” in direct violation of the Children’s Online Privacy Protection Act (COPPA) and a five-year-old federal court order.

In the suit it filed Friday, DOJ said that while “the precise magnitude of [the] defendants’ violations [of COPPA] is difficult to determine due to their failure to comply” with a 2019 permanent injunction that required the businesses to “keep records demonstrating their COPPA compliance,” the alleged illegal activity nevertheless effects “millions of children” who use the social media platform, which is most popular with kids and Gen Z.

In 2023, TikTok had 1.5 billion monthly active users and earned an estimated $16.1 billion, a 67 percent increase year-on-year. The platform is expected to reach 1.8 billion users by the end of this year.

Also on Friday, five friends-of-the-court briefs were filed in the U.S. Court of Appeals for the District of Columbia Circuit siding with the government against TikTok’s petition to the court for review of the constitutionality of the Protecting Americans from Foreign Adversary Controlled Applications Act, which requires TikTok to divest itself of the platform or be banned in the U.S. entirely.

TikTok Inc. CEO Shou Zi Chew has decried the act as an “unconstitutional … TikTok ban.”

Eight TikTok creators also sued the U.S. government, arguing that the law violates their First Amendment rights.

The DOJ complaint filed Friday was in response to a referral made to it by the U.S. Federal Trade Commission (FTC), the federal agency that administers COPPA. The FTC said TikTok has “flagrantly violat[ed]” the February 2019 U.S. federal court order upholding an FTC consent order banning Musical.ly, Inc., now known as TikTok, from collecting the personally identifiable information (PII) of its youngest users without their parents’ consent.

While TikTok neither admitted nor denied any of the allegations in the order, the court was clear about what the prohibited activities are that the six TikTok companies engaged in and were barred from doing under the agreed to order.

The FTC’s order accused TikTok of “failing to post a privacy policy on its online service providing clear, understandable, and complete notice of its information practices; failing to provide direct notice of its information practices to parents; failing to obtain verifiable parental consent prior to collecting, using, and/or disclosing personal information from children; failing to delete personal information at the request of parents; and retaining personal information longer than reasonably necessary to fulfill the purpose for which the information was collected.”

DOJ filed its suit in the U.S. District Court for the Central District of California. It asks the court to impose civil penalties against ByteDance and TikTok and to enter a permanent injunction against both to prevent future violations of COPPA. The FTC Act allows civil penalties up to $51,744 per violation, per day.

“The Justice Department is committed to upholding parents’ ability to protect their children’s privacy,” said Principal Deputy Assistant U.S. Attorney General Brian Boynton. “This action is necessary to prevent the defendants, who are repeat offenders and operate on a massive scale, from collecting and using young children’s private information without any parental consent or control.”

“TikTok knowingly and repeatedly violated kids’ privacy, threatening the safety of millions of children across the country,” said FTC Chair Lina Khan, adding, “The FTC will continue to use the full scope of its authorities to protect children online—especially as firms deploy increasingly sophisticated digital tools to surveil kids and profit from their data.”

U.S. Representative Jan Schakowsky was quick to stay “comprehensive data privacy legislation is needed now to better protect kids and adults online.”

TikTok spokesperson Michael Hughes responded saying the company strongly disagrees with the allegations and reiterated a statement the company had made in June, saying many of the allegations relate to “practices that are factually inaccurate or have been addressed. [TikTok is] proud of our efforts to protect children, and we will continue to update and improve the platform.”

According to DOJ’s suit, “ByteDance and its related companies allegedly were aware of the need to comply with the COPPA Rule and the 2019 consent order and knew about TikTok’s compliance failures that put children’s data and privacy at risk.” But “instead of complying,” the Justice Department said, “ByteDance and TikTok spent years knowingly allowing millions of children under 13 on their platform designated for users 13 years and older in violation of COPPA.”

DOJ alleges that “for years [the] defendants have knowingly allowed children under 13 to create and use TikTok accounts without their parents’ knowledge or consent, have collected extensive data from those children, and have failed to comply with parents’ requests to delete their children’s accounts and personal information.”

As of 2020, the government said, TikTok had a policy of maintaining accounts of children that it knew were under 13 unless the child made an explicit admission of age and other rigid conditions were met, and that TikTok’s human reviewers allegedly spent an average of only five to seven seconds reviewing each account to make their determination of whether the account belonged to a child.

DOJ says that “since at least March 2019, [the] defendants have offered in the United States what they refer to as TikTok for Younger Users, or Kids Mode, to children who identify themselves as being under 13 when they create an account, and a regular TikTok experience to other users,” but that they “have knowingly allowed children under 13 to create accounts in the regular TikTok experience and collected extensive personal information from those children without first providing parental notice or obtaining verifiable parental consent, as required by the COPPA Rule.”

“Defendants have also violated the COPPA rule by collecting, without parental notice and consent, several varieties of personal information from children with Kids Mode accounts, and by using children’s information in ways that the COPPA rule prohibits,” the suit says.

“Since at least March 2019,” DOJ alleges, “when consumers in the United States attempt to create a TikTok account, they generally have had to go through the platform’s ‘age gate’ by providing a birthday (day, month, and year),” and that “if a consumer indicates that they are 13 or older, they are prompted for a username, password, and email address or phone number. Defendants then create a regular account for the user, and the user can view, create, post, and share videos, as well as message other TikTok users.”

But there’s more. DOJ alleges that TikTok collects “a wide variety of personal information” beyond name, age, email address, phone number. users who self-identify as 13 or older at the age gate. It alleges TikTok also collects “persistent identifiers for the device(s) used to access TikTok, social media account information, and profile image(s), as well as photographs, videos, and audio files containing the user’s image and voice and the metadata associated with such media (such as when, where, and by whom the content was created).”

In April, President Joe Biden signed into law the bipartisan Protecting Americans from Foreign Adversary Controlled Applications Act, which could lead to a nationwide ban on TikTok if it does not have a “qualified divestiture” of the business within 270 days, subject to a one-time 90-day extension.

U.S. lawmakers and defense and intelligence officials have long expressed concerns that China is exploiting TikTok for the purpose of spreading propaganda and to gather data on vulnerable Americans. They say the popular social media app poses a threat to U.S. national security because under China’s National Intelligence Law, all the data TikTok collects on its users must be provided to its China-based parent company.

U.S. counterintelligence officials told Biometric Update on background that the U.S. Intelligence Community has long been concerned that “sensitive” information contained in the user accounts of U.S. government employees and contractors who use the app on their personal devices “have the potential of being exploited.”

In an amici curiae brief filed in support of the government against TikTok’s challenge of the constitutionality of the divestiture law, nearly two-dozen former U.S. national security officials said the app “presents a serious and unique national security threat to the United States because the data it collects is made available to the Chinese Communist Party (CCP) and its ability to influence information shared through the application is subject to the direction and control of the CCP.”

“Chinese government control over TikTok affords the CCP direct access to the massive amounts of personal data of … 170 million American TikTok users, and it allows the CCP to manipulate what those Americans see and share on TikTok. The former enables the CCP to collect, use, and exploit those vast swaths of personal information for its own benefit,” the brief alleges.

Fifty-seven members of Congress – led by the chair and Ranking Member of the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party – also filed an amici curiae brief urging the court to uphold the law, saying it “does not regulate speech or require any social media company to stop operating in the United States. The Divestiture Act is instead focused entirely on the regulation of foreign adversary control and provides a clear path for affected companies to resolve the national security threats posed by their current ownership structures.”

“Congress has long understood how internet-based applications can be a vector exploited by foreign adversaries to compromise Americans’ devices and to surveil, covertly influence, and repress,” the lawmakers said.

The Wall Street Journal reported in January that while TikTok says it has walled off its American user data, “employees say data is still sometimes shared with its China-based parent” company. The newspaper said TikTok’s effort to wall off U.S. user data only focused on the “front door,” while leaving the back door wide open.

Representative John Moolenaar, chairman of the House Select Committee, said “Congress and the Executive Branch have concluded, based on both publicly available and classified information, that TikTok poses a grave risk to national security and the American people.”

In June 2023, in response to questions from Senators Richard Blumenthal and Marsha Blackburn, TikTok said the “U.S version of the app is free from outside manipulation,” and that ‘protected data’ will not be allowed to be transferred outside of the U.S.-based Oracle and USDS infrastructure, nor will it be accessible by non-USDS employees, with limited exceptions …”

TikTok said the “certain, limited exceptions to the definition of protected data … include categories such as public data, business metrics, interoperability data, and certain creator data, if a creator voluntarily signs up for a commercial program to be supported by TikTok in reaching new audiences and monetizing content …”

A Forbes article went further, reporting that TikTok stored the financial information of U.S. TikTok creators in China. And a New York Times report not only said that U.S. TikTok user data was stored on servers in China as late 2022, but that sexually explicitly images of children as young as 3 years old had been shared between employees of Lark, “a business collaboration and productivity platform used by TikTok and ByteDance” that their “global workforce uses for internal messaging and management functions, as well as to provide around-the-clock support with troubleshooting account issues.”

TikTok denied the reports in its response to Senators Blumenthal and Blackburn.

In January 2020, the U.S. Army and Navy had already banned TikTok on government devices after the Defense Department identified it as a security risk. That was followed in 2022 by the U.S. Congress banning the app from all federal government devices. And, as of March, more than 30 states have banned TikTok from state-issued devices over national security and privacy concerns.

DOJ’s complaint further alleges that “beginning in 2023, TikTok transferred personal information of children to [TikTok] U.S. Data Security Inc.,” a Delaware corporation DOJ alleges “has maintained” [this] data without notice to … children’s parents or parental consent.”

Established in 2022, TikTok U.S. Data Security (USDS) is a separate company that is tasked with managing all TikTok business functions that require access to U.S. user data identified by the U.S. government as needing additional protection and ensuring that the content in the U.S. version of the TikTok app is free from outside manipulation.

TikTok says it has long stored its U.S. user data at its two data centers located in Virginia and Singapore. The Virginia data center includes physical and logical safety controls such as gated entry points, firewalls, and intrusion detection technologies. In 2022, the company says its “default storage location” for all U.S. user data and traffic “is being routed to [an] Oracle Cloud Infrastructure.

Last month, TikTok US Data Security announced it is “further enhancing the security of TikTok users’ data and protection against cybersecurity threats by appointing HaystackID and OnDefend to serve as Independent Security Inspectors.”

According to TikTok, USDS controls access to protected U.S. user data, content recommendation[s], and moderation systems in the secure Oracle Cloud,” and “brings heightened focus and governance to TikTok’s operations in the U.S., including data protection policies and content assurance protocols to keep U.S. users and their data safe and ensure users have an authentic experience on TikTok.”

Related Posts

Article Topics

 |   |   |   |   |   | 

Latest Biometrics News

 

Cameroon ends 2024 biometric voter registration drive with 755k new enrollments

The Director General in charge of Elections at Cameroon’s elections management agency (ELECAM), Dr Erik Essousse, says 755,085 new potential…

 

Malaysia completes biometric border clearance pilot at Singapore border

Authorities in the Malaysian state of Johor say plans are being finalized for the implementation of a biometric border clearance…

 

New Burkina Faso biometric passport further cements ECOWAS departure

The government of Burkina Faso has unveiled a new generation biometric passport in a move that highlights the countries unwillingness…

 

India to digitize the agricultural sector through unique digital farmer ID

India’s Finance Minister Nirmala Sitharaman announced the implementation of DPI for agriculture in the Union Budget 2024-25. The approved Digital…

 

Protean acknowledged for leadership in digital public infrastructure

Protean Tech has been recognized for its contributions to the digital public infrastructure (DPI) sector at the 2024 Global Fintech…

 

Federal law enforcement must now conduct transparent, standardized AI field testing

A White House advisory panel voted to approve a 24-page report that sets forth specific actions that all federal law…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events