How To Make a Child-Safe TikTok

Have you tried not spying on kids?

Cory Doctorow
Apr 9, 2023
The exterior of a corporate office building, with the TikTok logo and wordmark over its revolving doors. From behind the revolving doors glares the hostile red eye of HAL9000 from Kubrick’s ‘2001: A Space Odyssey.’ In front of the doors is a ‘you must be this tall to ride’ amusement-park cutout of a boy with a bow-tie, holding out his arm to indicate the minimum required height.
Cryteria/CC BY 3.0; Vxla/CC BY 2.0 (modified)

Rep. Buddy Carter, Republican of Georgia: I wanna talk about biometric matrix, and I wanna talk specifically. Can you tell me right now, can you say, with one hundred percent certainty, that TikTok does not use the phone’s camera to determine whether the content that elicits a pupil dilation should be amplified by the algorithm? Can you tell me that?

TikTok CEO Shou Chew: We do not collect body, face or voice data to identify our users. We do not.

Carter: You don’t —

Chew: No. The only face data that you’ll get, that we collect is when you use the filters that put, say, sunglasses on your face, we need to know where your eyes are —

Carter: Why do you need to know where the eyes are if you’re not seeing if they’re dilated?

Chew: —and the data is stored locally on your local device and deleted after the use, if you use it for facial. Again, we do not collect body, face, or voice data to identify our users.

Carter: I find that hard to believe. It is our understanding that they’re looking at the eyes. How do you determine what age they are then?

Chew: We rely on age-gating as our key age assurance —

Carter: Age?

Chew: — gating. It’s when you ask the user what age they are. We’ve also developed some tools, where we look at their public profile, then go through the videos that they post to see whether —

Carter: Well, that’s creepy. Tell me more about that.

Chew: It’s public. So, if you post a video, you choose whether to go public, that’s how you get people to see your video. We look at those to see if it matches the age that you talked about. Now, this is a real challenge for our industry because privacy versus age assurance is a really big problem —

Carter: Look, look, you keep talking about the industry, we’re talking about TikTok here —

House Energy and Commerce Committee hearing on TikTok, March 23, 2023.

In 1998, Congress passed the Children’s Online Privacy Protection Act (COPPA), which prohibits online service providers from collecting the data of children under the age of 13 without parental consent.

COPPA is remarkable, first because it is one of the very, very few federal privacy guarantees enacted by Congress, an exclusive club whose founding member is the Video Privacy Protection Act of 1988, passed by Members of Congress panicked at the thought of video-store clerks leaking their porn rental histories.

But the other remarkable thing about COPPA is how poorly it is enforced.

In this regard, COPPA is very similar to the General Data Protection Regulation (GDPR), the EU’s 2016 landmark privacy law. The GDPR has many more moving parts than COPPA, as befits a general data-protection regulation, but at core, the GDPR seeks to incinerate the absurd fiction at the root of commercial surveillance: namely, that we “consent” to commercial surveillance by clicking “I agree” on long, unreadable terms of service.

Under the GDPR, companies that want to collect, sell or process your data need to explain themselves, clearly: they have to tell you what they’re collecting and how they plan on using it.

What’s more, they have to secure your affirmative, enthusiastic consent for each act of collection and processing — for example, by asking you separately about each morsel of data harvested and each downstream use.

These separate questions need to default to “no” — and if you simply ignore the whole process, that’s equivalent to answering no to everything. Finally, the company can’t punish you by excluding you from its services simply because you opt out of data-collection: “take it or leave it” is not a consensual process.

Under this system, companies can’t do mass commercial surveillance, because no one wants to be spied on — and certainly not in the comprehensive, nightmarish manner of tech companies, data-brokers and ad-tech services.

When you move around the web — or, increasingly, the physical world — you are subject to thousands of acts of data-collection, and that data is held indefinitely and processed in a potentially infinite number of ways. No one explicitly consents to this — indeed, no one has the patience to review each act of collection and data-mining in order to consent to it.

The point of the GDPR is to say to companies: “You claim that your users consent to spying and data-mining? Fine: get that consent. Oh, wait, no one is willing to sit through a recital of all the creepy ways you harvest and use their data? I guess that means they don’t consent, so you’ll have to cut it out, then.”

But every European knows that the GDPR doesn’t work that way in practice. Instead, Big Tech companies have systematically subverted the GDPR, with near-total impunity.

The GDPR allows for data collection and processing without explicit consent, if it is a “necessity.” For example, if you want a weather website to display the temperature in Celsius rather than Fahrenheit, the website might set a cookie in your browser so it can maintain that preference as you move around the site.

The commercial surveillance industry has turned this narrow exception into a blowtorch, reducing the entire consent basis for the GDPR to ashes.

Facebook, for example, claims that its terms of service — which boil down to “Facebook will spy on you from asshole to appetite, and will process that data in ways so creepy they would make your eyes bleed if we explained it to you” — are a contract with you, a promise that the company has made to you. The company claims that it has an obligation to you to uphold this promise, and therefore it must spy on you.

Facebook’s GDPR ruse — “we promised we’d spy on you and it would be unethical to violate that promise” — stands out for its laughable stupidity, but the whole tech sector has spent the past seven years wiping its ass with the GDPR. Those surveillance “consent” popups on every page? The GDPR says you should be able to just ignore them and be assured that your privacy won’t be violated by the site.

The EU’s failure to enforce the GDPR reveals a problem endemic to the whole project of European federalism. The EU treaties were drafted by neoliberals interested in furthering the interests of big business, which is why Margaret Thatcher was such an active supporter of the EU, and it’s why the European Central Bank is designed to impose brutal austerity on member-states.

It’s also why EU member states are allowed to compete with one another to serve as tax-havens for multinational corporations. EU members like Malta, Cyprus, the Netherlands, and Ireland all compete to offer the world’s most rapacious companies the financial secrecy and tax-evasion they need to erode the tax bases of other countries all over the world.

Ireland is Europe’s most efficient corporate crime jurisdiction. It may not have the showiness of Malta, where journalists who expose corporate crime can be car-bombed by mysterious parties who are somehow impossible to identify, but even so, Ireland offers the world’s most rapacious and lawless corporations a flag of convenience that allows them to maintain the fiction that all of their global revenues are suspended over the Irish Sea in a state of untaxable grace.

Corporate tax evasion is a low-margin, precarious business. When your country’s main export is corporate crime facilitation, you must constantly innovate new ways to osculate the cloacae of large firms, lest they slither over to another country and set up “headquarters” there (by definition, a company that has arranged its affairs so that it can pretend that it is Irish can easily pretend that it is Maltese or Cypriot instead).

One of Ireland’s most exciting corporate crime innovations was defunding its police: specifically, the Irish Data Protection Commission, the agency charged with enforcing the GDPR in Ireland. In a year when Ireland’s data cops bestirred themselves to address a mere 17 major cases, their German counterparts managed about 100.

Companies that fly an Irish flag of convenience have long insisted that this means that their GDPR violations must be heard in Ireland. Activists like Max Schrems have spent years fighting legal battles to have their cases against Big Tech heard in more vigorous jurisdictions, alongside Irish activists like Johnny Ryan. And even the Irish enforcers eventually had to get out of bed, get dressed and do something about Big Tech’s open lawlessness.

If the GDPR were enforced, companies wouldn’t collect your data for commercial purposes, except in the narrowest of circumstances — circumstances so important and rarified that they’re willing to risk your impatience by breaking down the use into bite-sized pieces that are presented in a series of dialog boxes that are so important to you that you actually bother to read them, instead of clicking anywhere else to make them go away while you continue merrily along.

The US is a trailblazer in failing to enforce privacy laws. The EU has allowed tech giants to flout the GDPR for a mere seven years, while America has been turning a blind eye to COPPA violations since 1998 — that’s a quarter of a century of inaction!

Go back to the top of this article and reread that transcript of Rep. Buddy Carter grilling TikTok CEO Shou Zi Chew. Now, Carter is a dunderhead, but he’s dunderheaded in a way that illuminates just how bad COPPA enforcement is, and has been, for 25 long years.

Carter thinks that TikTok is using biometric features to enforce COPPA. He imagines that TikTok is doing some kind of high-tech phrenology to make sure that every user is over 13 (“I find that [you aren’t capturing facial images] hard to believe. It is our understanding that they’re looking at the eyes. How do you determine what age they are then?”).

Chew corrects the Congressdunderhead from Georgia, explaining that TikTok uses “age-gating”: “when you ask the user what age they are.”

That is the industry-wide practice for enforcing COPPA: every user is presented with a tick-box that says “I am over 13.” If they tick that box, the company claims it has satisfied the requirement not to spy on kids.

But if COPPA were meaningfully enforced, companies would simply have to stop spying on everyone, because there are no efficient ways to verify the age of users at the scale needed for general operation of a website.

It’s telling that Carter can’t imagine that this is even possible. Instead, he assumes that TikTok (and, presumably, its rivals) do incredibly invasive biometric data-collection as part of their privacy compliance.

This is an idea so stupid that it is what the physicists call “not even wrong.” There is no way that Congress’s legislative intent with COPPA was to force companies to spy on everyone, including people under 13, in order to make sure that they weren’t spying on kids under 13.

Just as the intention of the GDPR was to reserve commercial data-collection and processing to rarified instances where there is a legitimate, user-serving need for it, COPPA’s intent was to head off the routine collection and processing of data, period.

As Chew explained to Carter, the company can offer a broad range of services to its users “locally on your local device,” and the data needed to offer those services can be “deleted after the use.”

For example, TikTok could store the list of accounts you follow on your device (with an end-to-end encrypted backup on its servers so you can use multiple devices and recover your subscriptions when you lose or break your device). Your device could request those users’ latest posts from TikTok, without TikTok retaining a log of those requests after it fulfills them.

TikTok could suggest posts to you by having your device compile a list of keywords and other characteristics from the videos you interact with and then request more videos that match those criteria — again, without TikTok logging those requests on its central servers.
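The on-device recommendation flow described above, as an added example that is not from the original article or from TikTok. The class, function and catalogue names are hypothetical and the catalogue is constructed sample data; the point is which fields cross the wire and which stay on the device.

```python
from collections import Counter

# Constructed sample catalogue held by the service: video id -> tags.
CATALOGUE = {
    "v1": {"cats", "cooking"},
    "v2": {"skateboarding", "diy"},
    "v3": {"cats", "diy"},
    "v4": {"politics"},
    "v5": {"cooking", "baking"},
}


class DeviceProfile:
    """Interest state that never leaves the device (hypothetical design)."""

    def __init__(self):
        self.interests = Counter()  # tag -> local interaction count
        self.seen = set()           # ids of videos already watched

    def record_interaction(self, video_id, tags):
        self.interests.update(tags)
        self.seen.add(video_id)

    def build_request(self, top_k=2):
        # Only coarse criteria go over the wire: no account id, no device
        # id, no counts and no watch history. Ties break alphabetically.
        ranked = sorted(self.interests.items(), key=lambda kv: (-kv[1], kv[0]))
        return {"tags": [tag for tag, _ in ranked[:top_k]]}


def serve_recommendations(request, catalogue=CATALOGUE, limit=10):
    """Stateless handler: ranks by tag overlap and retains nothing."""
    wanted = set(request["tags"])
    scored = [(len(tags & wanted), vid) for vid, tags in catalogue.items()]
    matches = sorted((-score, vid) for score, vid in scored if score > 0)
    return [vid for _, vid in matches[:limit]]


def recommend(profile):
    candidates = serve_recommendations(profile.build_request())
    # Filtering out watched videos happens on the device, so the service
    # never learns what this user has already seen.
    return [vid for vid in candidates if vid not in profile.seen]
```

The handler takes no identifier and keeps no state between calls, so there is nothing to log per user unless logging is added elsewhere in the stack, such as at a load balancer or CDN.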

Doing so would limit TikTok’s profits — and that’s the point. COPPA weighs private profit against the public cost of data collection and processing and puts its thumb on the scale for the latter.

Like the GDPR, COPPA has some escape hatches: under COPPA, firms can collect under-thirteens’ data with parental consent. Taken seriously, that’s a high bar to hurdle: how do you know if the person you’re hearing from is really a child’s parent or guardian?

Plenty of institutions could make this work, though: schools, libraries and pediatricians won’t find this particularly difficult. But fast-fashion brands hoping to get 12-year-olds to splash out for Ayn-Rand-themed pre-distressed tee-shirts? Their profits would take a back seat to kids’ right to a private life.

America has plenty of onshore off-shore tax-havens — Delaware, Nevada, South Dakota and Alaska for starters — but these states aren’t the reason we’re not enforcing COPPA.

The reason that your kids’ lives are under a commercial microscope from the instant their newborn fingers brush up against a screen is that the all-powerful American business lobby will not permit the enforcement of our existing, razor-thin privacy laws, nor the passage of new, muscular laws.

As David Cohen, CEO of IAB — the commercial surveillance industry’s main lobbying body — told his members, “Extremists are winning the battle for hearts and minds in Washington, D.C., and beyond. We cannot let that happen.”

Cohen’s co-conspirators at Privacy For America — an anti-privacy corporate lobbying group — told Congress that the “responsible data-driven” surveillance industry saves Americans $30,000/year.

Put another way, this trade body is boasting that its members steal $30,000 worth of data from every single American, every single year. Of course, the claim is as absurd as Privacy For America’s Orwellian name: as Julia Angwin points out in the New York Times, the number is pure fiction.

But whatever price-tag you put on the data that is nonconsensually harvested from all of us, it adds up to hundreds of billions, and some of that money is laundered into the official US government policy on privacy: “don’t enforce our existing laws, and don’t pass any new ones.”

The most remarkable thing about Carter’s laughable interaction with Chew isn’t his conspiratorial ideas about pupillary dilation: it’s that it took Cold War 2.0 to get Congress to finally make some movement on privacy.

But don’t get too excited: both the GOP and establishment Democrats aren’t interested in protecting your privacy — rather, they’re interested in protecting your privacy from a single, Chinese-owned company.

If we wanted to protect Americans’ privacy, we’d pass a federal privacy law with a private right of action, and slam the door on all commercial surveillance. After all, the Chinese government doesn’t need to extract our data from TikTok’s server logs — they can just buy that data in the same marketplaces that Google, Meta and every other large business in the world shops at.

Cory Doctorow is a science fiction author, activist, and blogger. He has a podcast, a newsletter, a Twitter feed, a Mastodon feed, and a Tumblr feed. He was born in Canada, became a British citizen and now lives in Burbank, California. His latest nonfiction book is Chokepoint Capitalism (with Rebecca Giblin), a book about artistic labor market and excessive buyer power. His latest novel for adults is Attack Surface. His latest short story collection is Radicalized. His latest picture book is Poesy the Monster Slayer. His latest YA novel is Pirate Cinema. His latest graphic novel is In Real Life. His forthcoming books include Red Team Blues, a noir thriller about cryptocurrency, corruption and money-laundering (Tor, 2023); and The Lost Cause, a utopian post-GND novel about truth and reconciliation with white nationalist militias (Tor, 2023).