When Microsoft officially emerged as the frontrunner for a potential acquisition of the teen-fave-turned-national-security-concern TikTok earlier this week, tech critics ‘round the globe found themselves with an endless set of questions that seemingly nobody could answer. Why would a company as corporate as Microsoft be throwing its hat into the tweenage market? Did President Donald Trump seriously just ask for the U.S. Treasury to get a cut of what’s promising to be a multibillion-dollar deal (even though that’s not how any of that works)? Would a buyout even solve any of the alleged privacy concerns surrounding TikTok, or would it just spew out a litany of new ones?
That last one’s been gnawing at me for a while now. While I’m a bit rusty on the nitty-gritty of geopolitics, I have been spending a little more than a year closely watching TikTok’s evolving plans to track and target teens abroad. Over time, what’s become very, very clear is that while, say, Google and Facebook and TikTok are ultimately at the whims of local regulators, the same can’t be said about the digital Rube Goldberg machine of platforms, subsidiaries and shady third-parties these companies use to churn our data into massive profits. Our current digital economy, to a certain degree, depends on global ties that are built to run far deeper than any ban or buyout could ever hope to touch.
Or, to put it more bluntly: If Trump’s real concern is keeping the data of our squeaky clean American phones out of the clutches of that dirty, no-good communist adversary China, then Microsoft buying TikTok won’t do shit — our data is making its way from U.S. companies to servers in China constantly, regardless of who owns TikTok.
Generally, when we talk about the unchecked data-mining done by a given social network, we’re talking about data-mining that’s done in the name of targeted ads. That’s what’s supposed to happen. But thanks in part to the absurd sprawl of the ad ecosystem, a legal system that’s proved to be less than adequate at wrangling that sprawl and a general don’t-give-a-fuck attitude a lot of adtech players have, we’ve seen a lot of this data repurposed for federal surveillance.
But as multiple lawsuits (and U.S. Secretary of State Mike Pompeo) have shown us, the issue isn’t as much with the data that’s being hoarded as it is with where that data is being stored. In December, Chinese authorities officially enacted a piece of legislation that would give them a certain degree of unfettered access to data stored on servers based in the country or being transmitted through China-based networks.
Despite TikTok’s repeated insistence that it stores the data of its U.S. base on servers based locally and in Singapore, and despite the complete lack of available evidence that any U.S. user data is being stored in mainland China, pundits have been pointing to the company’s China-based parent company, Bytedance, as reason enough to be concerned.
Looking at that alone, I can see why the Microsoft buyout makes sense. Replacing a Beijing-based parent company with one based in Seattle would pacify any paranoia about servers based in China. But that’s a scheme that only works if the wacky world of data makes any goddamn sense. When an app beams your data from your phone into TikTok’s (or some advertiser’s) line of sight, there’s a nearly infinite array of detours that it’s taking to get there at all — and those partnerships get even more tangled if your data happens to cross international borders somewhere along the way.
This metaphorical rat king can be partially untangled by inspecting the back end of an app yourself, but that really only tells half the story, if that. Unpacking the rest of it, ironically enough, takes two things that the current U.S. administration can’t get enough of: business savvy and charts.
For the sake of this story — and to give our government officials the benefit of the doubt — let’s assume that officials in China can’t wait to get their mitts on any American’s data, from any app, and aren’t afraid to tap any data-brokering companies within their borders in order to do so. And since this is what I picture whenever Pompeo brings up the imminent threat of Chinese authorities, here’s what’s going on one end of our chart:
If you’ve ever experienced the utter absurdity of sites like Wish.com, then you’re probably familiar with the ways some Chinese corporations have made a name for themselves in targeting consumers overseas with cheap crap that they don’t really need but will almost definitely buy. And generally, where buyers go, marketers follow: While recent numbers are hard to come by, a 2017 report found that 50 adtech orgs based in mainland China were cutting deals based around targeting consumers in the States. And because the U.S. ad-targeting industry has been effectively swallowed by Facebook and Google, that means Facebook and Google are pretty motivated to strike up the occasional multibillion-dollar deal with data brokers and ad aggregators based across the region.
So if we’re going on the oft-parroted argument that any data stored on any China-based server is potentially up for grabs by China’s government, let’s just assume, hypothetically, our little Chinese leader at the end of our graph is pulling data from one of those 50 China-based adtech firms. Sifting through all 50 would get real boring (and also real scary) real fast, so I’m zooming in on one player named Adtiger — which sells ad space from American companies to Chinese brands, among other things — partially because of its data-mining partnerships with major tech players in the West, and partially because here at Gizmodo, we stan a good tiger.
If you wanna play along at home and get super bummed out, I’ll be using red arrows to show which players are passing your data where. Much like TikTok, I couldn’t find any trace of the Adtiger team beaming our details back to state authorities, so it’s worth noting that this relationship (and, thus, our charts depicting potential data-sharing) is entirely hypothetical.
Since this is a data-mining partnership we don’t really have proof of (to my knowledge), we’re gonna make that arrow dashed, while the real, tangible, also-scary relationships we know it has are marked with a straight, solid line. Keep that in mind, because shit’s going to get really confusing pretty soon.
Regardless of whether it’s to cover their arse from regulators or competitors, third-party vendors like Adtiger are usually pretty tight-lipped about where their data comes from. Luckily for us, Adtiger spilled some of these specifics in the massive tome it put out for any curious investors looking to take a bite from its recent multimillion-dollar IPO.
As it describes its business, Adtiger’s primary role is connecting China-based marketers with the sorts of platforms and apps we know and love here in the U.S. For the most part, this doesn’t mean working directly with, say, Facebook or YouTube; instead, it aggregates user and ad data from large players that are chummy with these respective companies.
And since these details are from Adtiger’s own documents that they sent to their investors, it’s worth assuming this relationship, y’know, actually exists. So a solid line it is. Meanwhile, the key aggregators they list off — with names like Onesight and Meetsocial — are also based in China, which means that on this very fun, very hypothetical train we’re riding, any data that they’re getting their hands on can also be beamed back to these national authorities, legally speaking.
Adtiger’s IPO specifically names Meetsocial as its go-to for siphoning Facebook data, Onesight for Twitter data, and Vidoads for data from Google properties like YouTube or Google Search.
Like these players, Snap also has a long-running local partnership — with the China-based search giant Baidu, in this case — that Adtiger uses to tap into the millions of Snapchatters in the U.S.
Because Facebook’s own site for its China-based marketers lists Adtiger as a primary partner, I figured it’d be best to just add a direct line there, too. On top of that, Adtiger also lists off a direct line to Google’s ad-serving systems, along with more direct lines into Yahoo’s and TikTok’s own networks.
Ironically enough, this means that, in a sense, the Trump administration’s worst nightmares about offshore data sharing are kind of reality — only it has nothing to do with whether the platform is based in the U.S. or anywhere else. The entire clusterfuck of digital dollars that fuels our internet has essentially flattened state lines by promising people that they can tap into any consumer, anywhere they want — for a price.
The layers of intermediary partners mean that even if TikTok (or Google, or any other major tech player) swears up and down that it keeps any user data here in the U.S., that point is mostly moot. As soon as a foreign intermediary gets its hands on the data, any liability — or really, any control — is largely out of a U.S.-based company’s hands. Hell, even if you try to wedge a company like Microsoft in there, the point is still moot, because it has a massive footprint in Shanghai that helps local brands use Bing to target “high-end” consumers in America and abroad.
So, summing it all up, this means that when you open your phone to, say, Facebook, or Twitter, or YouTube, and see an ad that Adtiger (or any of its intermediaries) helped plop onto your screen, this is pretty much the basic path your data might go down — only multiplied by about 50 or 100, or by however many of these companies there are, and there are many. The wonderful world of digital advertising is built on black boxes inside of black boxes inside of black boxes. This means that there’s a good chunk of people who work at these companies who likely can’t tell you exactly where your name, your phone number, your precise location, or other personal data might actually end up.
If you’re wondering what kind of data this eensy-weensy corner of the digital economy is getting their hands on, the only vague clue Adtiger offers is that it’s siphoned from these partners’ respective APIs, which, as they put it, gives them a nearly infinite funnel of “real time” data about the American audience that might’ve glossed over (or clicked) on a given ad.
Figuring out what data is being passed along which network is just as much of a pain in the arse as finding those networks in the first place. The good news is that these sorts of APIs are usually public, which means you can just freely peruse them at your leisure, as one does — and I promise TikTok’s own data-sharing practices are far from the worst ones here.
- The data sent from Facebook’s Marketing API
- The data sent from Twitter’s Ads API
- The data sent from Google’s Adwords API
- The data sent from Snapchat’s Ads API
- The data sent from Yahoo’s Analytics Reporting API
- The data sent from TikTok’s Ads Manager API
In light of all this utter bullshit (which, I can’t stress enough, is a fraction of a fraction of what’s actually going on behind the scenes), you might wonder whether the Trump administration has actually put any thought at all into its planned TikTok ban, or a possible ban of the many, many popular apps that came here directly from the Chinese market. That’s one of the proposals officials floated this week as part of the State Department’s proposed Clean Network, which is supposedly meant to “secure our data from the CCP’s surveillance state,” along with other foreign entities.
For the past few months, I’ve been taking a lot of shit for my stance that TikTok isn’t the only problem here — but I really don’t think that it is. Banning TikTok (or shifting it under American ownership) is the digital data equivalent of selling a burning skyscraper to new owners and expecting that to put out the fire. It won’t, and neither will TikTok, as the company’s general manager promised us this past weekend.
Of course, all of this is based on the argument that the privacy of Americans is central to the Trump administration’s desire to ban TikTok or any other product with ties to China. Chances are, it’s not. (We’re looking at you, trade deal negotiations.) And even if it were, we can all rest assured that a ban on TikTok will have virtually zero consequences for our personal data, which is beyond violated as it is.