In late January, when it looked as if TikTok would go dark in the United States, users flooded the platform with videos mocking concerns over the app’s national security risks.
TikTokers bid farewell to their “designated Chinese spies” and pretended to mail packages containing copies of their fingerprints and social security numbers to Chinese leader Xi Jinping. Hundreds of thousands of users joined another Chinese-owned social media app, Xiaohongshu, which translates to “little red book,” a reference to a collection of sayings by Mao Zedong, the late founder of the People’s Republic of China.
Kris Dew, a 27-year-old content creator from Texas, was among these “TikTok Refugees,” a hashtag that trended on Xiaohongshu, also known as RedNote to English speakers. Before the ban was set to go into effect, she posted a TikTok captioned, “Me literally two hours after being on RedNote,” in which she speaks in Mandarin: “This is my cat. I am learning Mandarin.” It now has more than five million views.
For users like Ms. Dew, the memes were a way to express their feeling that the U.S. government had only geopolitical motivations for banning TikTok, rather than any real security concerns about their data. After all, data privacy has long been something individual users must navigate on their own, with little regulatory guardrails – including in Canada. And the outcome of tech companies gathering users’ data spans the spectrum from creepy targeted ads to personal information being leaked.
Beneath her joke, Ms. Dew is truly concerned about the amount of personal data social media apps collect and the way they harness it. After a breakup, for instance, she started seeing ads for a therapy app, the epitome of how personally intrusive it can be. But at the same time, with the modern world revolving so much around social media – especially for Gen Z – she feels she has to just accept the trade-off.
“Social media has become central to our culture. It’s how you meet friends, how you keep up with the world,” she said. “This younger generation has accepted this technology so much and grown up in these situations where it’s like, ‘This is not okay. But what else is there?’”
TikTok Chief Executive Shou Zi Chew testifies before a House Energy and Commerce Committee hearing as lawmakers scrutinize the Chinese-owned video-sharing app, in Washington, on March 23, 2023.EVELYN HOCKSTEIN/Reuters
Privacy experts and advocates say there’s a broad acceptance – or rather, resignation – that our personal data is going to be collected online without our permission. Every time we check Instagram, buy toilet paper off Amazon or Google a restaurant’s hours, we make a Faustian bargain with tech companies: we get to use these entertaining, life-improving and free apps, and they get to collect and sell our personal data to third parties who use it for their own purposes and profit, no matter the consequences for us.
Yet despite the collective shrug about how social media companies approach privacy, when Canadians are asked about it, they still express their discomfort with the situation. In a 2023 survey, the Office of the Privacy Commissioner of Canada found that just one in 10 Canadians trust social media companies to respect their privacy rights, while 87 per cent are concerned about how these companies or institutions might use personal information to make critical decisions about them, such as whether to give them a job or approve a health insurance claim.
For TikTok users specifically, the backlash against the law banning the app – and the subsequent stream of memes – speaks to how many people felt the government’s plan was hypocritical.
“There’s a feeling among many young people that China really isn’t that different from Meta when it comes to the amount of data it collects and the way it uses that data,” says Matt Malone, an assistant law professor at the University of Ottawa, and the director of the Canadian Internet Policy and Public Interest Clinic.
“The market valuation of companies like Meta, Google and Amazon is astronomical,” says Prof. Malone. “We’re talking the size of G7 countries. So we should not delude ourselves that these companies don’t have incredible power.”
This cynicism, or blasé attitude, from young people also stems from the fact that they view the older generations who are writing regulatory laws – and who didn’t grow up with these technologies – as out of touch.
Ms. Dew, the TikToker who learned Mandarin, says that became clear during the U.S. TikTok committee hearings in 2023. Viral clips circulated of American lawmakers asking TikTok CEO Shou Chew if the app tracks pupil dilation to drive the algorithm and if the app uses Wi-Fi.
“It’s very obvious that the people in charge don’t even know how these things operate,” said Ms. Dew. “So finding an actual solution from someone that doesn’t even know the problem, it feels like trying to teach a cat to swim, like it’s not going to happen.”
Neither Canada nor the United States have updated their privacy laws in a meaningful way in more than 20 years, even as new technologies such as social media and AI have upended the way companies leverage our personal data. (For example, there are U.S. laws that protect the privacy of your video store rentals, but not what’s in your Gmail inbox.)
Canada has a smattering of rights that pertain to the collection, use and disclosure of your personal information. However, these outdated rights place their focus at the individual level, which experts say don’t apply to how companies use data now. An example is the Cambridge Analytica scandal, in which the British company accessed data from 87 million Facebook users without their consent and then used it for targeted political ads to help Donald Trump’s 2016 presidential campaign.
Global activists of Avaaz, set up cardboard cutouts of Facebook chief Mark Zuckerberg, at the European Union headquarters in Brussels, on May 22, 2018.JOHN THYS/Getty Images
“The harms that came out of the Cambridge Analytica scandal were population-level harms that came from aggregated data,” Mr. Malone says. “The problem with the privacy laws we have is that because they only focus on the individual level, they’re missing the zone where a lot of harm is happening.”
The pervasive, yet invisible, extraction of personal data for the purpose of targeted ads can feel invasive but, most of the time, is fairly benign. But when sensitive data is exposed without permission, or shared in a leak or data breach by a malicious actor, there can be potential real life consequences for users. The gay dating app Grindr is facing a lawsuit in the U.K. for allegedly sharing users’ HIV status to third parties without consent. And in the wake of the overturning of Roe v. Wade, experts feared that people seeking abortion care may be more vulnerable if they use period-tracking apps that monitor locations or continue to store personal data even after a user deletes it.
Although North America has been slow to adopt new privacy laws, Europe has made ground. In 2018, the European Union enacted the General Data Protection Regulation (GDPR), which regulates how personal data is collected, stored and shared. Some noticeable changes post-GDPR, which applies to all companies that processes the data of Europeans, includes websites now asking permission to collect cookies, the files used to track your online activities, rather than just assuming consent. The GDPR also introduced the “right to be forgotten,” which requires user data to be deleted by companies if requested.
Without comprehensive privacy laws, the burden is placed on individuals to try and protect themselves, a movement that experts call “responsibilization.”
“It’s when big structural issues like data privacy are placed on the shoulders of individuals,” explains Alice Marwick, an associate professor at University of North Carolina at Chapel Hill, and the author of The Private is Political. “It’s something that tech companies encourage with the emphasis on ‘You just need to configure your privacy settings better,’ even though virtually every major social site has had at least one major data breach.”
This means most of us make our own risk calculus for our online lives, even when the actions can feel inconsistent. “Most people have this kind of patchwork of privacy work where they’ll be like, ‘Well, I don’t want an Alexa in my house. But I’m okay with having a loyalty card because then I save 20 per cent at this store,’” says Ms. Marwick. “It’s not like it really has rhyme or reason. It’s based on vibes more than anything else.”
Illustration by Jarett Sitter
Tips to protect your privacy online
Turn off unnecessary location tracking for apps
Many apps and websites collect and track your location data without needing your consent. Leah Plunkett, a faculty member at Harvard Law School and author of Sharenthood: Why We Should Think Before We Talk About Our Kids Online, suggests turning off location settings unless you need it for a specific reason – and in general, make sure you’ve enabled the most private protective settings. “It can be a little bit overwhelming and confusing, but it’s worth it for good privacy hygiene to lock things down as much as possible.”
Say ‘no’ to cookies
Cookies are like little memory boxes that help websites remember details about you, such as your login info or what you’ve left behind in your shopping cart. Online advertisers often use third-party cookies that can track your movements across different websites, and eventually, build digital profiles of you. If you want a bit more privacy – for example, avoid getting stalked by that pair or shoes you looked at briefly online – opt-out of cookies whenever asked.
Use DuckDuckGo or another non-Google search engine
Google is one of the greatest offenders when it comes to collecting personal data. The privacy-focused search engine DuckDuckGo blocks online trackers from collecting data about you and doesn’t save your online searches.
