Congressman asks Apple, Google if they require mobile app developers to disclose overseas affiliations

On December 13, Congressman Stephen F. Lynch, a Democrat representing Massachusetts and the chairman of the Subcommittee on National Security, announced that he had sent letters to both Google and Apple requesting information about whether the companies require app developers to disclose foreign affiliation before an app can be approved for distribution on app stores.

What’s to worry about? — The letter specifically calls out popular apps TikTok, FaceApp, and Grindr. TikTok and Grindr were originally U.S.-based, before being sold to Chinese firms ByteDance and Beijing Kunlun Tech Co Ltd. respectively, while FaceApp is built by a Russian company called Wireless Lab. As first reported by Reuters, TikTok (called Music.ly before being sold to ByteDance in 2017), didn’t seek clearance from the Committee on Foreign Investment in the United States (CFIUS) during its acquisition, and CFIUS is now retroactively investigating the deal.

The three apps are massively popular; TikTok has close to 1.5 billion users globally and in March, Grindr told the BBC it has roughly four million daily active users. And with those users comes access to a remarkable amount of their data.

Blackmail, not disinformation — General concern over how little control you have over your personal data is warranted, but in this case, lawmakers like Lynch have a more specific worry: that in the vast trove of data harvested by popular apps, foreign governments will gain access to and exploit compromising information from people who become strategically important.

This concern is valid; it’s easy to imagine personal data shared on a dating and hookup app like Grindr being used for blackmail down the road.

What happens now? — App makers have responded to some of these security concerns. Kunlun has said it plans to either IPO Grindr in a stock exchange outside of China or sell it by June 2020 and in an official statement, TikTok said “We store all TikTok US user data in the United States, with backup redundancy in Singapore. Our data centers are located entirely outside of China, and none of our data is subject to Chinese law.” Still, Lynch is correct to press Apple and Google. As the owners and gatekeepers of the two largest app stores, they have a responsibility to protect user data from malicious individuals, companies and state-sponsored actors.

Lynch links to both of the letters. You can read the one to Google here and the one to Apple here. Neither Apple nor Google had commented on Congressman Lynch’s request at the time of publication.