I think "selling your information" is a good high level description that conveys the essence of what is going on - your information is being used by whomever will pay to use it. But yes, digging into the details it's more like F/G are trusted third parties who keep comprehensive surveillance records on you, and sell services based on exploiting those records, with an incentive to not leak the whole trove because it's their competitive advantage.

The argument for this topic then becomes if F/G are found to be providing services to foreign governments that undermine national security, domestic laws can then be made to stop this behavior. But this assumes that the way those services can be abused will be blatant, the foreign powers using those services will be easy to spot, and also that foreign governments won't be able to exfiltrate significant parts of the databases through their use of the services (what Cambridge Analytica did).

Focusing on F/G also skips the entire ecosystem of smaller players that don't have the scale, scope, or product to be acting as trusted third parties, but instead do just sell the raw records themselves - to F/G, and also to any startup that comes along with funding and an acceptable narrative. Like the carriers and intermediaries selling phone tower data. And that whole cottage industry of apps and frameworks that collect data. And ANPR and other pure infrastructure providers. And the traditional surveillance industry ("credit bureaus").

The essential commonality in both of those is that while it feels good to address the most glaring high-level problems, as long as the underlying incentives remain it just becomes a game of wack-a-mole. And wack-a-mole isn't enough to stop determined foreign actors.

A few things are curious to me about all of this, which leads me to believe it’s political posturing.

The EU has a similar arrangement to the US in that they have an “auditor partner” and host the entirety of the EU infrastructure and services within the EU. The EU is not taking severe business actions in the shadow of undisclosed national security grounds.

There’s frequent statements about “massive data collection”. What data? I can only find IP addresses and volunteered contact information being collected. TikTok doesn’t have access to device location data, so IP addresses are the closest there is to geo location. TikTok has said they scrub that when stored - easy to verify.

TikTok has given their auditor (at least in the US) access to the recommendation engine algos. I assume that access comes with some ability to confirm what they audit is what’s actually in use, but haven’t seen reporting that confirms it.

And finally I don’t understand why so many politicians, including all presidential candidates and a not insignificant number of congressional members use TikTok.

Just some of the reasons I think this is more special interest/politically motivated rather than actual national security issues that would be any different than other socials.

Addressing "change the algorithm to promote their own talking points" is what I meant by "maintain competition by requiring open interoperability". Bundling content publishing/hosting services together with client presentation software (including feed ranking editorialization) is anticompetitive and should be prohibited by requiring published APIs for all interaction between the two products. Then users could use competitive clients to access TikTok content (and Facebook content, etc), rather than having to suffer whatever manipulation has been deemed legally acceptable.