Update July 2022: Things have changed significantly since the publication of this piece and Western-Chinese relations have deteriorated. At the same time, TikTok has gone on to become even more popular.
BuzzFeed News recently broke a story that user data was being accessed from China. Despite being headlined by a provocative title, “Leaked Audio From 80 Internal TikTok Meetings Shows That US User Data Has Been Repeatedly Accessed From China” and leading with terms like “backdoor”, the article doesn’t really contain any revelatory information.
When you dig down into the story, it’s really about audio leaks that show the immense technical challenges involved in the long term effort to protect US data from Chinese access:
“In the recordings, the vast majority of situations where China-based staff accessed US user data were in service of Project Texas’s aim to halt this data access.”
Project Texas is the company’s codename for its mission to overhaul its systems so that in the future, certain types of personal information on US users will no longer be accessible from China at all.
In a statement to Newsweek in 2021, the company did not deny that staff in China had access to US user data in the past, only that TikTok does “…not share information with the Chinese government,” and that any access it does have is the responsibility of a “…world-renowned U.S.-based security team that handles access.”
The BuzzFeed News leaks do not reveal any information that disputes this statement.
There are certainly serious issues between China and the West, as well as Chinese companies operating in the West. But Facebook currently has very similar issues regarding processing the data of European users on US servers, and it too is struggling with the technical challenges of abiding by regulations and consumer demands. But few who read an article about its problems would go away from it thinking that Facebook is spying on behalf of the US Government.
Evidence that TikTok is being used to spy for the Chinese Government is tenuous at best. This doesn’t mean that China never spies on the US (there are countless examples of it doing so); it just means that TikTok is often dragged into this unfairly because it is Chinese.
While there are legitimate concerns about a company from an adversarial nation potentially having access to so much data, we still need to examine things in the proper context. A lot of important personal data is already collected and sold at scale. If the Chinese Government really wanted it, it could just buy it. It wouldn’t necessarily need TikTok if all it wanted was access to US user data.
If we really want to protect ourselves and our national security, we need meaningful legislation that limits data collection, storage and use for all companies, not just the ones based in China.
Is TikTok spyware? Should it be banned? Is it just the same as every other social media platform?
We’ve spent weeks looking through every news article, security review, lawsuit and whitepaper to finally get to the bottom of the TikTok debate. What did we find?
Unfortunately, the answer is a lot more complex than headlines or politicians may have you believe. In short, the video-sharing social network is no more dangerous to the average person than any other app. However, due to complications of Chinese law and the possibility of government influence, there are some situations where the app should be avoided.
The reality is that much of the media attention on TikTok is overblown and missing the real problem. So strap yourself in for the long haul so you can decide for yourself whether to use TikTok, and whether you think there is any merit behind the calls for a sale or a ban.
What is TikTok?
TikTok is a rapidly growing video-sharing social network. It helps its users create short videos, often focused on dancing, lip-syncing and comedy. TikTok was launched by its Chinese parent company ByteDance, as a copy of the popular app Douyin.
The two are similar, except Douyin is focused on the Chinese market, while TikTok is marketed to the rest of the world. This means that Douyin runs on Chinese servers and obeys Chinese restrictions, while TikTok’s servers are external and supposedly not subject to the same controls.
TikTok began to take off after it bought the US platform Musical.ly in 2018, a deal that was reportedly worth up to $1 billion. The app has become immensely popular with Gen Z, now boasting 2 billion downloads across the world, according to Sensor Tower. This includes 165 million downloads in the United States alone.
According to WeAreSocial, this translates to about 800 million monthly active users, 40 million of which are from the US.
In comparison, WeAreSocial estimates that Facebook and Instagram have 2.5 billion and 1 billion monthly active users, respectively. TikTok has exploded in popularity and is now a major player, a fact not lost on its competitors. Facebook COO Sheryl Sandberg told Business Insider, “…they’re huge, they’re growing really quickly, they’ve gotten to bigger numbers faster than we ever did”.
While TikTok has an American CEO and offices across the world, its parent company is based in China and registered in the Cayman Islands. The links to China are the source of most of the controversy surrounding the app.
What are the allegations against TikTok? What has it been banned for?
In 2018, TikTok faced several blocks and bans in various countries, but mainly for things like facilitating the spread of blasphemy and sexual content. It wasn’t until 2019, amid the platform’s rapid growth, that more countries and organizations began to express concerns about it, mainly in regard to issues of propaganda and censorship, security, and fears over data collection.
The most prominent moves against TikTok include:
Investigations
- October 9, 2019 – Senator Marco Rubio asked the Committee on Foreign Investment in the United States (CFIUS) to “…launch a full review of the national security implications of TikTok’s acquisition of Musical.ly.” Senator Rubio cited concerns that “… Chinese-owned apps are increasingly being used to censor content and silence open discussion on topics deemed sensitive by the Chinese Government…”. CFIUS is responsible for reviewing the national security implications of foreign investments in US companies. Reuters reported that it had an ongoing review of TikTok as of November 1, 2019, and the review was still open at the time of writing.
- October 24, 2019 – Senators Tom Cotton and Chuck Schumer sent a letter to Acting Director of National Intelligence Joseph Maguire. It asked the Intelligence Community to “…conduct an assessment of the national security risks posed by TikTok and other China-owned content platforms in the U.S.” The main concerns involved TikTok’s parent company ByteDance being subject to Chinese laws, the potential for Chinese companies to be compelled to cooperate with the Chinese Communist Party for intelligence work, censorship and possible foreign influence in electoral campaigns. At this stage, it is not known whether this assessment is being conducted, or what any possible findings are.
- May 8, 2020 – The Dutch Data Protection Authority announced an investigation into how TikTok handles the data of young users, and whether it “…adequately protects the privacy of Dutch children.” Preliminary results from the investigation are expected later in 2020.
- June 10, 2020 – The European Data Protection Board revealed that it would establish a task force to examine TikTok’s security and privacy risks, as well as its data collection methods. The results have not been published at the time of writing.
Bans
- November 18, 2019 – Senator Josh Hawley introduced the National Security and Personal Data Protection Act of 2019. Senator Hawley, a prominent critic of large tech companies, introduced the bill “…to combat the flow of Americans’ sensitive personal data to China and countries that similarly threaten America’s national security.” The legislation followed a Senate hearing where expert testimony discussed how “…TikTok’s ties to the Chinese government pose a threat to America’s national security.” While the bill doesn’t only target TikTok, the video-sharing social network was prominently used as an example during the discussions. Among its provisions, the bill would prohibit Chinese companies (and those from countries that are deemed a similar threat) from transferring user data or encryption keys back to their home countries. It would also stop these companies from gathering more data than necessary to provide the service, and prohibit them from using collected data for secondary purposes. Although the bill had been read twice at the time of writing, Skopos Labs estimated that it only had a three percent chance of passing.
- December 30, 2019 – The US Army banned soldiers from having TikTok on government phones, stating that “It is considered a cyber threat”. This followed a similar ban by the US Navy on December 21. Prior to the ban, the Army had even used the app as part of its recruitment drive. Although the armed services cannot prevent personnel from using TikTok on their personal devices, they do recommend caution. In January 2020, it was also revealed that the Australian Defence Department does not permit TikTok on its devices. It did not explain its reasoning.
- February 23, 2020 – The US Transportation Security Administration (TSA) banned employees from using TikTok to create social media posts for agency outreach. It cited national security concerns.
- June 29, 2020 – TikTok was permanently banned in India because it posed “a threat to sovereignty and national security”. India had temporarily suspended TikTok several times beforehand, but those earlier suspensions were imposed because the platform was facilitating the spread of inappropriate content. This ban has been one of the most significant so far, considering that Sensor Tower estimated that the app had been downloaded 611 million times in the country, about 30 percent of TikTok’s total.
- July 7, 2020 – US Secretary of State Mike Pompeo suggested that the government was looking at banning the app across the country. When asked if he would recommend downloading the app, he responded, “Only if you want your private information in the hands of the Chinese Communist Party”.
- July 10, 2020 – The Democratic National Committee sent an email to campaign staff, warning them against using TikTok on personal devices. For campaign work, the DNC’s security team recommended using a separate phone and account. The Republican National Committee press secretary also announced that the RNC had advised its employees and stakeholders against downloading the app on their personal devices.
- July 20, 2020 – The House voted to ban federal employees from downloading TikTok on government-issued devices.
- July 31, 2020 – President Trump announced an order for ByteDance to divest its ownership of TikTok. He also threatened to shut it down completely. Microsoft is currently in talks with the company to acquire TikTok’s operations in the US and several other countries.
- August 6, 2020 – President Trump issued an executive order prohibiting US companies or individuals from transacting with TikTok’s parent company, ByteDance, beginning in 45 days’ time. While there is some uncertainty as to how it will play out, it’s thought that it may prohibit the app from being distributed via app stores, and prevent US advertisers from purchasing space on the platform. The order is not expected to affect the app if TikTok is bought out by US businesses before the 45-day period expires. A similar executive order was also issued against the Chinese messaging platform WeChat.
- August 6, 2020 – US Secretary of State Mike Pompeo revealed the administration’s plans for a “clean network” that would ban Chinese companies from certain areas of tech. These include undersea cables, apps, app stores, cloud services and mobile carrier networks.
Legal issues
- February 27, 2019 – TikTok agreed to pay the Federal Trade Commission $5.7 million over allegations that it violated the Children’s Online Privacy Protection Act (COPPA) by collecting private information from children. While TikTok says that it doesn’t allow those under 13 to use the app, its restrictions didn’t stop many from using it.
- November 27, 2019 – A lawsuit against TikTok was launched in California, accusing the company of secretly taking data without consent and transferring data to China. At the time of writing, there have been no public updates about the progress of the case.
- December 12, 2019 – TikTok agreed to pay a $1.1 million settlement in response to a class action lawsuit. The suit alleged that its predecessor, Musical.ly, had collected personal information on children under 13 years old, violating children’s privacy and state consumer protection statutes.
- April 30, 2020 – The guardians of four Illinois minors filed a lawsuit against TikTok and ByteDance, alleging that the companies didn’t obtain consent before collecting biometric identifiers, violating Illinois law. At the time of writing, there has been no resolution.
- July 15, 2020 – TikTok was fined KRW 186 million (~ $156,000) by the Korea Communications Commission (KCC) for collecting the data of children under 14 years old without the consent of legal guardians. The Korean regulatory body found that TikTok collected more than 6,000 records involving children in a six-month period, and that it had failed to inform users that their personal data was transferred overseas.
What can we take away from this?
We’ve quickly covered each of the major investigations, bans and lawsuits, but where does that leave us? At first glance, things don’t look great for TikTok. When we dig further into the details, it’s not as bad. There certainly isn’t enough evidence to warrant much of the media attention and condemnation that the company has endured.
First of all, the investigations are simply investigations, none of which have concluded, or publicly turned up evidence against TikTok. There are good reasons to review TikTok’s operations, but it’s not fair to prejudge TikTok just because it is being investigated. The presumption of innocence is a legal right in most Western countries.
TikTok bans
When we consider the extensive list of bans, we should keep in mind that none of these have been announced alongside public evidence of TikTok’s spying. While it may make sense to keep certain foreign-developed apps away from phones in sensitive scenarios, such as in the military and politics, this isn’t evidence of spying. It’s simply being prudent.
It’s also worth noting that the countries that have announced the most prominent bans against TikTok also have incredibly strained relationships with China. The US and China have been in a heated clash since the trade war. India and China are embroiled in a violent territorial dispute. Australia and China have also been in a trade skirmish following Australia’s prominent calls for an independent investigation into China’s handling of the COVID-19 pandemic.
It’s either an incredible coincidence that the countries with the most significant Chinese tensions are all pushing TikTok bans to some degree, or, these bans are at least partially politically motivated. If countries were banning TikTok based on evidence alone, perhaps we would see a more even spread.
Lawsuits surrounding the data collection of minors
When it comes to the lawsuits, it’s hard to dispute that TikTok did too little to protect children or to ask for parental consent. This was particularly true in the company’s early days. While TikTok has made some positive changes, protecting children online is still a big challenge for tech companies, parents and regulators. Facebook and other tech giants have faced similar problems.
Accusations of collecting biometric data
Taking people’s biometric identifiers without their consent is another huge issue. The lawsuit claiming that TikTok violated Illinois state law cites several of TikTok’s features, including a tool that scanned people’s faces to estimate their ages, one that “…permits users to superimpose facial features onto a subject’s moving face…”, and another that lets them face-swap with videos.
Although the case is still ongoing and none of the claims have been proven, let’s just stop for a moment and work under the presumption that TikTok is guilty of collecting this data without consent. Even so, the far bigger issue here is that this isn’t even illegal in most of the United States, or the rest of the world.
Europe’s GDPR is the main data law protecting biometrics on the international scene, and only a few US states have comparable protections. The gap in biometric laws across the country is so large that when Facebook was brought to a $550 million settlement for similar actions, it wasn’t through some federal action. It was under Illinois state law, the very same state that TikTok is being sued in.
Why? Because in much of the US, collecting biometric data without consent is completely legal. This is just one indicator that we need to focus more on regulating the industry in general, rather than on individual players like TikTok.
The California lawsuit
The November 27, 2019 lawsuit, launched in California, also made some serious allegations. While the case appears to be ongoing, let’s look at some of its major claims. One involves the company’s supposed ability to collect videos recorded through the app, even if the user declines to post them.
It’s hard to know how this will be seen in the eyes of the law, but given just how pervasive these apps are known to be, it’s hard to think that many in the general public would be surprised or worried to find that their activity within the app has been collected. That isn’t to say that this is a good practice, it’s just seen as normal. Tremendous amounts of our data are collected, and most of us are blasé about it.
Other major claims include that TikTok takes “…a broad array of other private user data, and develop[s] sophisticated user profiles of dossiers for tracking and targeted advertising, without notice or consent.” The suit then goes on to explain details of data collection that are hardly desirable, but again seem to be standard practice in the industry.
Another claim is that the app takes user data when the app is closed. Again, this is not exceptional. One of the final allegations is that the app is sending data to Chinese servers. We will discuss this later in the Where does TikTok’s data go? section.
It’s hard to know how this lawsuit will end. The point of defending TikTok has nothing to do with its practices being good, but the sad reality that this is standard for the industry. Chasing after one player just because it’s Chinese distracts from the main issue, that we need a serious regulatory overhaul for the entire industry, an overhaul that focuses on transparency and protecting individuals.
The potential risks of Chinese technology
It’s difficult to discuss TikTok and its possible links to the Chinese Government objectively because it’s a strongly politicized issue. In recent years, the relationship between China and many Western nations has become much more adversarial. We see examples of this in the Chinese-American trade war, in territorial disputes such as the South China Sea and in tensions over coronavirus.
Despite these issues, China and the West still rely on each other. One of the key areas in which they depend on one another is technology. Because of this, both parties need to be especially wary about what they use, how and where they use it, and what precautions are put in place.
This is because so much of our world relies on technology to keep it running, and if that technology is under the control of an adversary, it could be used for propaganda, censorship, spying or sabotage.
We can’t know for certain how relations will develop between any two nations in the future, so it makes sense to carefully analyze any foreign tech that is being considered, and only use it in ways that won’t harm citizens or national security, both now and in the future.
This is why it makes sense to take a deep look at what TikTok really is, who owns it, whether it is connected to the Chinese Government, and whether it could be used as a tool against the United States or any other country.
One of the major issues that separate Chinese companies from US ones is that the Chinese State holds a much tighter grip over its businesses, and it’s debatable how independent they can be.
There are also several laws that put businesses that operate in China in a tight position. These include China’s 2016 Internet Security Law, which contains clauses that companies fear could compel them to hand over data, source code or encryption keys to the authorities.
Another is the 2017 National Intelligence Law, which among its provisions, obliges citizens and organizations to support state intelligence work. One of the major concerns is that businesses may be forced to hand over data to the authorities.
The 2014 Counter-Espionage Law raised similar fears, with passages stating that organizations and individuals cannot refuse to hand over information when under investigation by Chinese state security.
One of the driving concerns in the debate over TikTok is that Chinese authorities could force it – through its parent company ByteDance – into acting as an agent for the Chinese Government, against the interests of other countries.
While US companies have collaborated extensively with the US Government in the past, they do appear to have more freedom, as exemplified by Apple’s refusal to cooperate in the San Bernardino shooting case.
Although not directly related to TikTok, the situation is also clouded by the Chinese Government’s long-standing support of cyberespionage and intellectual property theft. However, the US Government is also guilty of similar actions.
Politically motivated attacks
While the stakes make it important to be critical of Chinese technology, there’s also another side of the debate that’s often left out. If you really want to get as close as possible to the truth, you need to also recognize that because China is considered adversarial to countries like the US, many political, intelligence and military figures are actively trying to work against it.
We see hints of politics in the bans that we mentioned earlier, which line up quite neatly with the countries straining hardest against China. We also see political influence in the debate over Huawei, where political and intelligence figures make a whole lot of claims without much evidence to back them up.
Chinese tech companies aren’t the only ones that go through this – the Russian cybersecurity company Kaspersky also had similarly dubious claims made against it.
The media is also far from neutral, often highlighting certain ills of China while completely glossing over similar or worse actions by Western nations and companies.
The debate is also clouded by rampant Sinophobia. Negative views on the Chinese have become more prominent during the trade war and the Covid-19 pandemic.
This is an extremely complicated political issue. If we, as societies, want to make the best decisions on how to move forward with TikTok, we need to be aware of these biases from our political figures, the media and ourselves, and instead focus on the actual evidence.
What are the potential dangers of TikTok?
The potential dangers of TikTok can be broken down into two groups, personal and national security, although there is some overlap. On a personal level, the biggest issues surround what kind of personal data TikTok collects, where it could end up, and how it could affect users.
One aspect of TikTok’s possible national security complications involves whether it could be used to collect or steal data from high-level individuals, such as government and military officials, business executives and others. This includes data relating to their work, such as secret plans or intellectual property, as well as personal communications that could be tapped.
TikTok also has the potential to affect national security through censorship or propaganda. As we saw in the 2016 elections, adversarial countries like Russia are willing to manipulate social media for their own benefit. They could do this in the hopes that their ideal candidate wins, to improve perceptions abroad, and for other reasons.
Bear in mind that Russia made a significant impact on Facebook, a company that was far from the reaches of the Russian operatives that were manipulating it. Imagine the potential for disruption when one of these tools is actually owned by an adversarial nation, just as TikTok is. We will discuss this at greater length in a companion article.
TikTok & the threat of data collection
You’ve probably heard countless allegations of TikTok being spyware or some kind of apparatus that collects data on behalf of the Chinese state. But is it really?
To figure that out, we have to look at what data TikTok actually collects, where it gets sent, and also discuss the unknowns and worst-case scenarios. However, we also need to put it in its proper context.
If you look at TikTok’s data collection in a vacuum, then of course it looks awful. But when we contrast it against the Facebook collective, we get a very different picture.
What data do we know TikTok collects?
Websites and apps collect an ungodly amount of your data, and it would be tedious to go over every single aspect. But we’ll touch on the major ones that TikTok has access to:
- The private messages people send through TikTok.
- The videos they watch, and how long they watch them for.
- IP address.
- Country information.
If given permission, TikTok also collects:
- A phone’s contacts.
- A phone’s location.
- The phone number.
- The age of an individual.
- Details from other social network connections.
The Washington Post recruited the privacy company Disconnect’s CTO Patrick Jackson to trawl through the app and see what conclusions he came to. Ultimately, he stated:
“It doesn’t appear that TikTok takes more data than Facebook but they do take measures to hide what they are collecting”.
One of his more specific worries was the sheer volume of data the app sends from devices to company servers. In just the first nine seconds, Jackson counted 210 network requests, amounting to more than 500 kilobytes of data.
The Post stated that this was mostly information about the device, such as its Apple identifier and screen resolution, the kind of data generally used for fingerprinting. Fingerprinting is an unnerving practice: because many devices have a unique combination of attributes, the combination itself identifies you, so you can be tracked across the internet even when you aren’t logged into your account and even if you clear your cookies. Despite the creepiness, this is hardly a new or rare occurrence in the industry.
Jackson’s other major point of concern was that it isn’t possible to verify everything that TikTok does, because some of its traffic is encoded in a way that can’t be read in transit. In the Post article, a spokesperson for the company claimed that this was done “In order to disrupt hackers and those who wish to manipulate the app”. Obfuscating traffic is a common practice, but ultimately it means that we can’t know everything about the app for sure.
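The kind of inventory Jackson ran, as an added example that is not from the article or from TikTok: given a capture of an app’s outbound requests, count what leaves the device in the first nine seconds, list which fields identify the device, and check whether a stable identifier ties logged-out activity to logged-in activity. The capture is a constructed sample in the shape of a simplified proxy export; the hosts, paths and field names (`idfv`, `device_id`, `logged_in` and so on) are illustrative assumptions, not any real app’s endpoints.

```javascript
// Added example (not from the article or TikTok): inventory what an app sends
// during its first seconds and which fields identify the device.
// CAPTURE is a CONSTRUCTED sample shaped like a simplified proxy export
// (t = seconds after launch). Hosts, paths and field names are assumptions.

const IDENTIFYING_FIELDS = new Set([
  'idfa',       // advertising identifier (user-resettable)
  'idfv',       // vendor identifier (stable across that vendor's apps)
  'device_id',  // app-assigned stable identifier
  'screen',     // resolution: a classic fingerprinting input
  'model', 'os_version', 'carrier', 'timezone', 'language',
]);

const CAPTURE = [
  { t: 0.2,  host: 'log.example-cdn.net', path: '/device_register/', bytes: 2200,
    params: { idfv: 'ABC-123', device_id: '7788', screen: '1170x2532', model: 'iPhone13,2',
              os_version: '15.4', carrier: 'carrier-a', timezone: 'Europe/Berlin',
              language: 'de', logged_in: '0' } },
  { t: 0.5,  host: 'api.example-app.net', path: '/settings/', bytes: 600,
    params: { device_id: '7788', os_version: '15.4', language: 'de', logged_in: '0' } },
  { t: 1.1,  host: 'log.example-cdn.net', path: '/event_batch/', bytes: 3100,
    params: { idfv: 'ABC-123', screen: '1170x2532', model: 'iPhone13,2', os_version: '15.4',
              timezone: 'Europe/Berlin', event: 'app_launch', logged_in: '0' } },
  { t: 4.0,  host: 'api.example-app.net', path: '/feed/', bytes: 900,
    params: { device_id: '7788', idfv: 'ABC-123', region: 'DE', logged_in: '1' } },
  { t: 8.8,  host: 'log.example-cdn.net', path: '/ad_event/', bytes: 400,
    params: { idfa: 'DEAD-BEEF', screen: '1170x2532', model: 'iPhone13,2', logged_in: '1' } },
  { t: 12.0, host: 'api.example-app.net', path: '/video_view/', bytes: 1500,
    params: { device_id: '7788', idfv: 'ABC-123', watch_ms: '4200', logged_in: '1' } },
];

// How much leaves the device within the first `windowSeconds`, and to where?
function summarizeWindow(records, windowSeconds) {
  const inWindow = records.filter((r) => r.t <= windowSeconds);
  return {
    requests: inWindow.length,
    bytes: inWindow.reduce((n, r) => n + r.bytes, 0),
    hosts: [...new Set(inWindow.map((r) => r.host))].sort(),
  };
}

// Which identifying fields appear, how often, and how many requests carry
// identifiers while the user is not logged in (before any account exists)?
function identifierInventory(records) {
  const byField = {};
  let loggedOutWithIds = 0;
  for (const r of records) {
    const idFields = Object.keys(r.params).filter((k) => IDENTIFYING_FIELDS.has(k));
    for (const k of idFields) byField[k] = (byField[k] || 0) + 1;
    if (r.params.logged_in === '0' && idFields.length > 0) loggedOutWithIds += 1;
  }
  return { byField, loggedOutWithIds };
}

// Does a stable identifier carry the same value in logged-out and logged-in
// requests? If so, activity is tied to the device whether or not the user
// ever signs in. Returns the first such key, or null.
function linkedAcrossLogin(records, keys = ['idfv', 'device_id']) {
  for (const key of keys) {
    const seenLoggedOut = new Set(
      records.filter((r) => r.params.logged_in === '0' && r.params[key]).map((r) => r.params[key]));
    const reused = records.filter((r) => r.params.logged_in === '1' && seenLoggedOut.has(r.params[key]));
    if (reused.length > 0) return key;
  }
  return null;
}

console.log(summarizeWindow(CAPTURE, 9));
console.log(identifierInventory(CAPTURE));
console.log('linked across login via:', linkedAcrossLogin(CAPTURE));
```

Run it against a real export by replacing `CAPTURE` with the parsed proxy log; the interesting output is not the byte count but `loggedOutWithIds` and the key returned by `linkedAcrossLogin`, which is what turns "analytics" into cross-session tracking.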
Jackson’s conclusions were echoed by researchers from the cybersecurity firm Proofpoint. They stated, “All in all, TikTok should be treated like any social media app: one that can be used with relative safety if you’re aware of the information it gathers and what it does with the data.”
iOS security researcher Will Strafach’s inspection also backed up these claims in a Wired article.
“For the iOS app available to Western audiences, it appears to collect very standard analytics information,” he said, “Most data collection by apps concerns me, I don’t like any of it. However, in context, TikTok appears to be pretty tame compared to other apps.”
TikTok’s data collection may seem bad, but how does it compare to Facebook?
We will compare TikTok to Facebook, simply because it is the largest and most powerful social media platform. Other social networks collect similar amounts of data, as do many apps and tech companies. We will stick to Facebook’s practices, just to simplify the discussion.
As far as we can tell, the TikTok app takes a similar amount of data as Facebook. However, that’s only part of the equation. Facebook gathers data through its main website, as well as the Facebook and Facebook Messenger apps. There’s also its range of smart displays, Facebook Portal.
Then come all of the subsidiaries Facebook owns, such as Instagram, WhatsApp and the virtual reality company Oculus. It also seems likely that the recently acquired GIF search engine GIPHY is, or will soon be, sharing its data.
Facebook also tracks people everywhere they go across the internet. Many websites run the Facebook Pixel for their own data analytics purposes. Despite the name, it’s a small JavaScript snippet (with a 1×1 image as a fallback for browsers without JavaScript) that sets cookies in your browser and reports each page visit back to Facebook. This allows Facebook to track activity across the web, and link people’s Facebook accounts to their browser activity. Of course, this practice allows it to gobble up even more data.
Pixels are complemented by those Like and Share buttons you see on so many news and other websites. These aren’t there purely for your convenience. They also send data about your visit back to Facebook. According to research from the Electronic Frontier Foundation, Facebook has this and other cookie-sharing code on about 30 percent of the web’s top 10,000 websites.
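A quick way to see the Pixel and the social plugins on a page you control, as an added example that is not from the article or from Facebook: scan the HTML for script, image and iframe sources, separate third-party hosts from the site’s own, and match them against a short table of known tracker endpoints. The page below is a constructed sample; the first-party host `news-site.example` and the pixel id are made up. The endpoint paths in the table (`connect.facebook.net/.../fbevents.js`, `www.facebook.com/tr`, `www.facebook.com/plugins/`) are the Facebook Pixel script, its image beacon and the Like/Share plugin respectively.

```javascript
// Added example (not from the article or any vendor): a static check for
// third-party tracking resources in a page's HTML. SAMPLE_HTML is CONSTRUCTED;
// the first-party host and the pixel id are made up.

const FIRST_PARTY_HOST = 'news-site.example';

const SAMPLE_HTML = `
<html><head>
<script src="/assets/app.js"></script>
<script>
  /* loader snippet omitted; it injects fbevents.js */
  fbq('init', '1234567890');
  fbq('track', 'PageView');
</script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<img src="https://static.news-site.example/logo.png">
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=1234567890&ev=PageView&noscript=1"></noscript>
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fnews-site.example%2Fstory"></iframe>
</body></html>`;

// Known tracker endpoints: host plus path prefix -> label. Extend for other vendors.
const TRACKER_RULES = [
  { host: 'connect.facebook.net', pathPrefix: '/', label: 'Facebook Pixel script (fbevents.js)' },
  { host: 'www.facebook.com', pathPrefix: '/tr', label: 'Facebook Pixel beacon (noscript fallback)' },
  { host: 'www.facebook.com', pathPrefix: '/plugins/', label: 'Facebook social plugin (Like/Share)' },
];

const RESOURCE_RE = /<(script|img|iframe)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;

// Pull every script/img/iframe src out of the markup. A regex is fine for a
// one-off audit; use a real HTML parser in production tooling.
function extractResources(html, firstPartyHost) {
  const out = [];
  for (const m of html.matchAll(RESOURCE_RE)) {
    const url = new URL(m[2], `https://${firstPartyHost}/`); // resolves relative URLs
    out.push({ tag: m[1].toLowerCase(), host: url.hostname, path: url.pathname });
  }
  return out;
}

// Naive same-site test on the last two labels. Caveat: wrong for multi-label
// public suffixes such as co.uk; use a public-suffix list there.
function sameSite(hostA, hostB) {
  const site = (h) => h.split('.').slice(-2).join('.');
  return site(hostA) === site(hostB);
}

function auditPage(html, firstPartyHost) {
  const resources = extractResources(html, firstPartyHost);
  const thirdPartyHosts = [...new Set(
    resources.filter((r) => !sameSite(r.host, firstPartyHost)).map((r) => r.host))].sort();
  const trackers = [];
  for (const r of resources) {
    const rule = TRACKER_RULES.find((t) => t.host === r.host && r.path.startsWith(t.pathPrefix));
    if (rule) trackers.push(`${r.tag}: ${rule.label}`);
  }
  // The inline fbq('init', ...) call shows up even when the script tag is injected later.
  const pixelInit = /\bfbq\(\s*['"]init['"]/.test(html);
  return { thirdPartyHosts, trackers, pixelInit };
}

console.log(auditPage(SAMPLE_HTML, FIRST_PARTY_HOST));
```

The static scan is a lower bound: scripts loaded by other scripts, and beacons sent with `fetch` or `navigator.sendBeacon`, only show up in a network capture of the live page.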
There’s more. Many third party app developers rely on Facebook’s software development kit (SDK). This makes it easy for them to offer convenient services to users, like enabling them to log in to the app with their Facebook details.
Whether it’s Spotify, Airbnb, Tinder or any of the countless others, the Facebook SDK opens up the door for data sharing between the platforms. When Privacy International tested free apps from Google’s Play Store, they found that 61 percent were transferring data to Facebook.
When Gado Images CEO and blogger Thomas Smith peeked through his own data collected by Facebook, he found that more than 1,000 companies had shared data with the social media giant.
The point is that Facebook ends up with far more data than whatever is on your Facebook profile. Sure, there are some things that we don’t know about TikTok, but it’s still a relatively new company, and doesn’t have anywhere near Facebook’s sophistication of data collection infrastructure. Even if TikTok dreams of surpassing Facebook, it seems ludicrous to heap so much criticism on what’s essentially a data collection mouse while the elephant stands next to it.
Prominent claims against TikTok
If we want to clear up the debate, it’s important to analyze some of the most popular claims that TikTok’s detractors use against it.
Canvas & audio fingerprinting
A security researcher named Matthias Eberl discovered two less-common types of fingerprinting on TikTok’s website, which can be used to uniquely identify visitors. One is canvas fingerprinting, which draws text and shapes onto a hidden canvas with vector graphic commands and reads the resulting pixels back. Because the rendering depends on the GPU, drivers and installed fonts, the output is often unique to a machine, and a hash of it can be used to differentiate visitors.
The other is audio fingerprinting, where a sound is generated internally, run through the browser’s audio processing, and the resulting sample stream recorded and hashed. This creates another identifier, again with no cookie involved. Eberl wrote that ByteDance claims these fingerprinting techniques are for identifying malicious browsers. He found the assertions “…hard to believe, as the website still works as expected even when the corresponding script is blocked.”
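What these two techniques look like in code, as an added example that is not from the article, from ByteDance or from Eberl’s write-up: the canvas function draws mixed text and shapes and hashes the PNG that comes back, and the audio function renders a triangle wave through a compressor in an OfflineAudioContext and hashes a slice of the output samples. The browser objects are passed in as parameters rather than taken from the global scope, so the functions can be exercised offline with stand-ins; real fingerprints only appear in a browser. The FNV-1a hash is a stand-in for whatever hash a tracker would use.

```javascript
// Added example (not from the article, ByteDance or Matthias Eberl): minimal
// canvas and audio fingerprinting as a tracker would implement them, plus a
// small hash so results can be compared. Browser APIs are injected as
// parameters; with real objects this runs in a browser as-is.

// FNV-1a, 32-bit: short and dependency-free. Returns an unsigned integer.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Canvas: font rasterisation, anti-aliasing and colour blending differ
// between GPUs, drivers and font stacks, so the encoded PNG differs too.
function canvasFingerprint(canvas) {
  const ctx = canvas.getContext('2d');
  ctx.textBaseline = 'top';
  ctx.font = '14px "Arial"';
  ctx.fillStyle = '#f60';
  ctx.fillRect(125, 1, 62, 20);
  ctx.fillStyle = '#069';
  ctx.fillText('Cwm fjordbank glyphs vext quiz, \u{1F600}', 2, 15);
  ctx.fillStyle = 'rgba(102, 204, 0, 0.7)'; // overlapping translucent text
  ctx.fillText('Cwm fjordbank glyphs vext quiz, \u{1F600}', 4, 17);
  return fnv1a32(canvas.toDataURL()); // the PNG bytes encode every rendering quirk
}

// Audio: the dynamics compressor is a non-linear stage whose floating-point
// implementation varies by browser/OS/hardware, so the rendered samples vary.
async function audioFingerprint(OfflineAudioContextCtor) {
  const ctx = new OfflineAudioContextCtor(1, 44100, 44100); // 1 channel, 1 s at 44.1 kHz
  const osc = ctx.createOscillator();
  osc.type = 'triangle';
  osc.frequency.value = 10000;
  const comp = ctx.createDynamicsCompressor();
  osc.connect(comp);
  comp.connect(ctx.destination);
  osc.start(0);
  const rendered = await ctx.startRendering();
  return hashSamples(rendered.getChannelData(0));
}

// Hash a slice well after the attack phase; fixed precision keeps the string stable.
function hashSamples(samples, from = 4500, to = 5000) {
  let s = '';
  for (let i = from; i < to && i < samples.length; i++) s += samples[i].toFixed(6) + ',';
  return fnv1a32(s);
}

// In a browser, print both identifiers; in Node this block is skipped.
if (typeof document !== 'undefined') {
  const c = document.createElement('canvas');
  c.width = 220;
  c.height = 30;
  console.log('canvas:', canvasFingerprint(c).toString(16));
  audioFingerprint(window.OfflineAudioContext).then((h) => console.log('audio:', h.toString(16)));
}
```

Two checks are worth doing with this: open the page in a clean profile and confirm the two values are stable across cookie clearing (that is what makes them tracking identifiers rather than session analytics), and block the script that computes them to see whether anything actually breaks, which is the test Eberl applied to the "malicious browser" explanation.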
While these particular fingerprinting techniques may not be as widespread as others, fingerprinting is hardly the smoking gun we are looking for if we want a legitimate reason to ban TikTok. Sure, be skeptical, but banning something over this would be excessive, especially considering all of the other scandals that grip the industry.
ProtonMail
Another of the more reputable claims against TikTok comes from the secure email company ProtonMail, which is generally well-regarded. However, its article is just a summary of claims made elsewhere, similar to the one you are currently reading, although covering the topic in much less depth.
While ProtonMail’s blog is reasonable in questioning TikTok, much as we do, it puts far less effort into questioning the validity of the allegations against TikTok. This includes many of the lawsuits we have covered, as well as a Penetrum paper that we will discuss in a moment.
A Redditor’s reverse engineering
It’s worth mentioning a Reddit post made by a user named u/bangorlol, because it spread quite widely on social media and has also been covered by some publications. The user claimed to have reverse engineered the app and that “TikTok is a data collection service that is thinly-veiled as a social network.”
u/bangorlol followed this up by stating that they had also reverse-engineered many other popular social media apps, and concluded that TikTok was far worse when it comes to data collection. “It’s like comparing a cup of water to the ocean – they just don’t compare.”
Not only does this fly in the face of what other researchers have found, but the user never provided any evidence to back up these claims. This individual is either a super-genius able to find information that no one else has, or, as the lack of evidence implies, is making it up or exaggerating.
Penetrum’s report
Another piece that has featured prominently in the debate is Penetrum’s security analysis of TikTok. When it comes to the type of data collected, the paper doesn’t reveal anything revelatory, simply highlighting that it logs:
- Device information
- Geographic location
- User activity
While it delves into these in a bit more depth, these claims by themselves are nothing substantial or rare in the industry. It even goes on to say, “…we are not saying that TikTok is using these things for nefarious purposes in anyway [sic].”
The paper then goes on to discuss some security issues. The first is that TikTok executes OS commands from user input, which can leave apps open to compromise. However, in the very same paragraph, it goes on to state that, “More research will need to be done in order to make a concrete determination if TikTok executes from user input…”
It then claims that TikTok uses MD5 for hashing. MD5 is a weak algorithm that was deprecated in 2011, so this is certainly a security issue if true. Although it isn’t too uncommon to see MD5 these days, it’s hard to believe that a major tech company like TikTok would still be using it months after it had been pointed out, especially while it’s in the battle of its life to present itself as a secure and safe company. Note that no other security researchers seem to have commented on this.
Following this, the paper states that there is potential for user-defined SQL queries, which could leave it open to SQL injection attacks. Again, if this was part of the code, it’s hard to believe it is still there, considering that it has been made public.
The paper also states that TikTok hardcoded its API tokens as plaintext, uses TLS insecurely in webview, and also allows user-defined commands to be executed within webview.
If Penetrum’s claims are true, you could argue that TikTok was negligent, or was possibly even leaving these vulnerabilities open as backdoors. But given the poor quality of the report, and the fact that no respected security experts seem to be echoing these same assertions, it’s hard to take the whitepaper’s claims as fact.
The Penetrum paper has been widely shared and been a pivotal part of the debate over TikTok, so let’s take a quick dive into Penetrum itself.
Penetrum is relatively new and small, having only started posting on Twitter in late March, a couple of weeks before it posted this report. Its investigation into TikTok seems to be only the second piece of research it published.
There is limited information about the company on its website or its LinkedIn, although its director of cybersecurity does seem to have been involved in other cybersecurity roles prior to Penetrum.
The company was strangely evasive when confronted on Twitter. Ryan Merket, Head of Product and Engineering at Goodfair, posted a screenshot of a Reddit comment, which stated:
‘…And there is nothing on the internet on the Penetrum company. All of their “white papers” are generic java code. They have 114 followers on twitter. No CEO listed, no employees.’
It led to an exchange on Twitter (reproduced in the original as screenshots, which are not included here). It is one consecutive conversation, and Ransom the Ghost appears to be a Penetrum employee.
While this doesn’t completely invalidate any claims made in the Penetrum report, it does give reason to be skeptical. One of the fundamental aspects of cybersecurity is trust, and if a company is unwilling to hand over information about itself or those behind it, it becomes incredibly difficult to trust it.
The questionable nature of Penetrum is far from insignificant. Many conversations across social media about TikTok reference its report. It has also been quoted in many articles. The Penetrum paper and u/bangorlol’s Reddit comments have added significant weight to the allegations against TikTok, but they are hardly solid evidence.
Security issues in TikTok that have since been addressed
In January 2020, researchers from cybersecurity firm Check Point found two vulnerabilities in TikTok. One allowed attackers to send spoofed SMS messages that contained malicious links. If the user clicked on the link, an attacker could take hold of the account, upload unauthorized videos, make private videos public, or delete videos.
One of the platform’s subdomains was also vulnerable to XSS attacks, which enabled the researchers to retrieve personal information from user accounts. Check Point notified TikTok’s developers who then patched up the vulnerabilities so that these specific attacks were no longer possible.
In March, the developers behind Mysk discovered that TikTok was one of many apps that were accessing data stored in the clipboard of iPhones, and sending data back to company servers. Dozens of other popular apps, such as those from NPR and the New York Times, were found to be doing the same. However, TikTok was one of many that fixed the issue promptly.
Facebook has had many of its own security vulnerabilities over the years, some run-of-the-mill, some egregious. To a degree, vulnerabilities are expected in software, and thus far, the ones that have been found in TikTok aren’t particularly significant or worrisome.
Where does TikTok’s data go?
The main fear surrounding TikTok seems to be that its data could end up in the hands of the Chinese Government. But does it? We will discuss things in the US context, because this is where most of the current controversy is brewing. TikTok has different privacy policies and server arrangements for other parts of the world.
The Californian lawsuit from November 27, 2019, which we discussed at the start, alleged that data had been sent to China, at least in the past. It quotes a November 2018 Affinity article, which stated that TikTok’s privacy policy at that time said that it stored and processed data in the “United States of America, Singapore, Japan or to [sic] China.”
The suit also claims that an archived version of TikTok’s 2018 privacy policy stated that the company can transfer international user data to China. It alleges that user data was sent to two Chinese servers as recently as April 2019, and at least another four Chinese servers up until February 2019. However, it is not clear what evidence the plaintiff is basing this on.
The suit then asserts that Chinese tech companies work closely with the Chinese government; however, it does not make specific allegations of TikTok sharing data with the government.
In its defense, TikTok offered the findings of consultants, who concluded that there was “no indication” that the Chinese government accessed TikTok users’ data. The consultant’s team found no way that TikTok could send data to China. However, even the consultant admitted that the analysis only held true for the period from July to October 2019.
TikTok also issued a public statement:
“We store all TikTok U.S. user data in the United States, with backup redundancy in Singapore. Our data centers are located entirely outside of China, and none of our data is subject to Chinese law.”
Now, let’s unpack what all of this means. First of all, this is a lawsuit that has yet to have any public conclusion. At this stage, the allegations from the plaintiff are just that, allegations.
However, other sources back up claims that TikTok previously processed data in China. A Quartz article by privacy advocate David Carroll featured an email exchange with the company and a TikTok representative stated:
“Data from TikTok users who joined the service before February 2019 may have been processed in China. ByteDance has since reorganized its structure and operations to prevent user data from flowing into China.”
Earlier in the exchange the representative expressed the company’s policy after that date:
“TikTok user data is stored and processed in the U.S. and other markets where TikTok operates at industry-leading third-party data centers. It’s important to clarify that TikTok does not operate in China and that the government of the PRC has no access to TikTok users data.”
However, things become more complicated two sentences later when the TikTok representative states that, “Data may be shared with others in our corporate group…”. This presumably includes the Beijing-based parent company, ByteDance.
Confused?
Taken at face value, we can assume that TikTok used to process data in China, but no longer does so. But how could it share data with its corporate group if it doesn’t send it to China? This remains a mystery.
When Patrick Jackson investigated the app on behalf of the Washington Post, he did not discover any data being sent to China. However, he concluded, “it’s possible (and likely) that data transmitted to these servers are transferred to other locations but it’s not verifiable from our end.”
So we can’t know for sure that TikTok doesn’t send data back to Chinese servers, even though the company’s statements are adamant that this practice no longer continues.
The next question is: Does TikTok share user data with the Chinese Government, or has it done so in the past?
The company has made repeated statements that it does not, has not, and will not share user data with the Chinese Government. There isn’t any evidence that TikTok has ever done so, either. But we can’t know for sure that it hasn’t or won’t happen.
Evaluating what we know: Does it make sense for TikTok to spy?
We don’t have all of the information about the past, and no crystal ball that allows us to see into the future or deduce the true intentions of TikTok and the Chinese Government. But there are certain things we do know, and they can help us to evaluate the situation:
- TikTok’s parent company is based in China, whose government currently has strained relationships with many Western countries.
- China maintains tight control over many of its businesses, and has strict laws regarding data and national security.
- TikTok collects significant amounts of data on a large user base.
- It’s possible to modify apps for more intensive spying, both against general populations and individuals.
- This type of information could be used against other countries, organizations and individuals.
On the other hand:
- Even the CIA says that there is no evidence of past government spying.
- Any security weaknesses that have been found are pretty standard for the industry.
- TikTok is being watched closely by cybersecurity researchers, politicians, the media and intelligence services. Given this, it’s likely that any major spying would be caught relatively quickly.
- TikTok has been valued at $50 billion. If not for this debacle, it seems like it has plenty of room to grow.
When you consider each of these factors, put yourself in the shoes of a high-level official in the Chinese Communist Party. You could use TikTok to spy on people, and the data would come in handy, but how long until you got caught? When you did get caught, what would happen to the company?
It’s hard to know how long it could last, but such a big secret would probably get out sooner rather than later. Considering that TikTok is already on the cusp of being banned in the US, despite a lack of evidence, you have to imagine that being caught red-handed would result in the immediate loss of US revenue, and a considerable portion of international revenue as well.
This brings us down to the ultimate question: Would the information obtained from spying be worth sacrificing the tens or hundreds of billions that TikTok could bring in?
Probably not, especially when you consider all of the other ways that the Chinese Government can obtain this information.
How else can the Chinese Government get data?
It could try a similar tactic to the UK company Cambridge Analytica, and harvest data from another platform (Facebook has clamped down since then, but it’s not out of the question for similar data to be harvested through other methods or platforms).
The government could also steal the data, just as the US Justice Department alleges that members of China’s PLA were responsible for the Equifax breach that stole the data of more than 140 million Americans.
One of the popular solutions to this debacle is to just sell off TikTok to US investors. But even if TikTok became an American company, there aren’t strong enough laws to prevent its data from ending up in the hands of the Chinese Government. The complex world of data brokers isn’t regulated anywhere near tightly enough to prevent the Chinese Government from just buying the information at any time.
When it comes to data from specific government agencies, companies or individuals, there are other ways to get this information too. China already takes advantage of them. Here are just some examples:
- Chinese spies listen in on President Trump’s phone calls.
- European Union diplomatic cables presumed to have been hacked by Chinese operatives.
- Attacks on IBM, HP and their clients attributed to China.
Given all of these other ways to acquire data, and the billions of dollars at stake, does it really make sense for the Chinese Government to pressure TikTok into spying for it? Probably not.
Even if it may not make a lot of sense, we should still be prudent, take precautions and plan our usage around worst-case scenarios.
Should normal people use TikTok?
If you have any privacy concerns, you probably shouldn’t. But this goes for Facebook, Google, Amazon and countless other companies as well.
Let’s be realists. For many people, giving up these tools would uproot their work and personal lives too much for it to be a viable option. Yes, these platforms are awful in many ways, but they are also too convenient and pervasive for most of us to completely avoid them.
With that in mind, if you are just a normal person, with a normal job and a normal family life, you probably don’t have to worry any more about TikTok than you would about the others. It collects less data than Facebook does, and even if your data somehow ended up in the hands of the Chinese Government, what exactly is it going to do to you?
The Chinese Government doesn’t have jurisdiction in the US, so in some ways, it’s more worrisome for US citizens when American companies share their data with the likes of the NSA. US agencies have power over them, while Chinese ones do not.
We’re treading into conspiratorial territory, but about the only way that TikTok could blow up in your face worse than any other social media platform, is if it’s some elaborate blackmail scam.
Let’s say it’s all a ruse with the Chinese Government secretly at the helm, and the main goal is to collect messages, data and videos from all of the teenagers. Phase two comes ten years later, when they have risen up in the world. All of the juicy or scandalous information is then used to extort the victims into doing their bidding.
Of course, this is pretty far-fetched, so it’s not something that should weigh on your mind too heavily.
If you’re a normal person, and you like social media, then using TikTok isn’t really any more harmful than the other platforms. But be smart about it, and don’t post anything that will come back to bite you.
Should TikTok be restricted in certain scenarios?
Amid the calls for general bans on TikTok, the app has also been banned at other levels, such as in militaries, for government employees, and in some companies. While a general ban is far too extreme, these actually make a lot of sense.
Some organizations and individuals hold on to a lot of valuable information, and it is in both their interests and the wider society’s to keep it guarded. In these circumstances, they must take much more extreme precautions than your everyday grocery store clerks or digital marketers.
Politicians, executives, high-level government employees and others need to use secure communication tools, store their data with encryption and take many more extreme precautions to keep themselves and their information safe. This extends to the apps that they use in their free time.
Even though we have no evidence that TikTok has ever been used to spy on behalf of the Chinese Government, or that it ever intends to, it is technically feasible. The close ties between government and industry in China make the app a little more worrying.
Even if the chances are small, people in such positions should act cautiously and not use it in any sensitive scenarios. The amount of information that apps are capable of sucking up, and the potential negative effects, make it not worth the risk.
Is a TikTok ban even feasible?
Given President Trump’s August 6 executive order, there are strong chances that the app will either get bought out or banned. However, the second option may not be as easy as it sounds. Jennifer Golbeck, a professor of data privacy at the University of Maryland, told CNBC that she wasn’t aware of the Government ever having banned an app before.
“If they were to do this, I suspect it would be through new regulations that Apple and Google need to comply with in their app stores,” said Professor Golbeck.
Countless apps have been banned by Google’s Play Store and Apple’s App Store, but this has always been done at the companies’ discretion, not at the behest of the Government.
Professor Golbeck cited the US’ blacklisting of Huawei, which prevented US companies from providing technology to the telecommunications giant in many circumstances. She imagined the US Government taking similar steps to force companies like Google and Apple to stop offering TikTok for download from their platforms.
The executive order will prohibit businesses from making transactions with TikTok’s parent company ByteDance, starting 45 days after it was issued. While the order is light on the specifics, it will run into several stumbling blocks if the ban pushes ahead.
“The tech community will be very hesitant to go along with this app ban,” Wayne Lam, an independent technology analyst, told CNET, “It sets a precedent for the government to ban other apps or even for other global apps to be inaccessible to the US market.”
The ban also faces significant legal hurdles.
“There is absolutely no way the United States is going to ban TikTok because of the First Amendment,” Eva Galperin, the EFF’s director of cybersecurity, told Protocol, “Code is speech. TikTok is code.”
Galperin’s statement alludes to the conclusions of the 1995 Bernstein vs the US Department of Justice case. The Ninth Circuit Court of Appeals ruled that source code is speech, and therefore protected by the First Amendment. This made regulations preventing its publication unconstitutional.
There are also technical challenges. Even if the administration can get Apple and Google to back down and boot the app from their stores, it won’t make TikTok disappear completely. All it will do is prevent future downloads and updates through those platforms.
Existing users will still have the app on their devices, while Android users and those with jailbroken iPhones will still be able to download it from other sources. If anything, this could create a more dangerous situation, because users may no longer receive updates that patch the latest security vulnerabilities.
Another option for implementing the ban involves ordering all American ISPs to block the app. However, TikTok may find technical avenues to subvert these efforts. Arturo Filasto, the Open Observatory of Network Interference’s co-founder, told CNET that the US doesn’t have the capability to keep the app from working on the internet.
“There is no central place where you can go to and implement a unified filtering strategy, like there is in places like China and Iran,” he said.
The best way to move forward
Let’s run through a quick summary:
- TikTok is bad, but only really as bad as other social media platforms that we view as acceptable. Normal people should educate themselves on its data collection practices, but use it in whatever capacity they are comfortable using other social media platforms.
- Apps can be modified for more extreme spying. Given the links that TikTok has to China, it’s simply not worth the risk to use it in sensitive situations.
But while everyone is so busy talking about TikTok, we’re ignoring the much bigger problem
Countless articles and political point-scoring have been focused on singling out one company for spying on us, when in reality it’s an industry-wide problem.
TikTok isn’t even the most egregious offender. If we ban TikTok or sell it off to US buyers, it suddenly doesn’t get rid of these huge data profiles that have been built up on us. It won’t stop every moment of our digital lives from being tracked.
So what should we do?
We need wide-sweeping data regulations. The industry has moved ahead so rapidly, but the laws protecting us are stuck in the era of blacksmiths. It seems pretty clear that people don’t like companies spying on them, but they just grumble, then end up surrendering their data for the sake of convenience.
This TikTok debacle, countless Facebook controversies, Amazon’s many scandals and Google’s questionable actions against its own “don’t be evil” policy have all made big waves in the news, but we are yet to do enough to protect people’s privacy and data rights.
This isn’t the time or the website to lay out the particulars of the rules – that’s probably best left to regulators – but something like Europe’s General Data Protection Regulation wouldn’t go astray. We need legislation that puts the power back in the hands of users, that informs them and asks for their consent, that controls where the data goes, how it’s used, and how long it stays around for. But that’s only the tip of the iceberg.
Let’s not focus so much on banning TikTok, let’s protect people from every company that does the exact same thing.
But wait, there’s more. The issues surrounding TikTok are more complex than just its data practices. Platforms like it can also be used for censorship and propaganda. Stay tuned for our companion piece, where we analyze TikTok in these contexts, and reveal whether or not it’s anything to worry about.
good read!
-penetrum people!
I’m assuming this is really the director of cybersecurity for Penetrum, because it would be quite strange for someone to impersonate you. My article was quite hard on your company’s paper, but mainly because it was held up as a smoking gun and clear evidence of Chinese spying by so many other articles and internet users. While your paper certainly pointed out some flaws that needed to be looked into, do you think that it was misinterpreted by many, or at least taken out of context? While a lot of the vulnerabilities you guys pointed out were bad, it seems like people don’t realize just how bad the security of many apps is, and that it isn’t necessarily an indication of spying, often just incompetence.
While my article may come across as somewhat defensive of TikTok, it is not because I think that there is anything particularly good about the app. The app certainly has a range of issues, which you guys helped to point out, but I do not believe that there has really been enough public evidence to show that TikTok is significantly worse than any other social media app. Honestly, I think the attacks against the company were mainly political and part of a wave of sinophobia. I also feel that focusing on the one big bad Chinese app distracted from the real issue – that pretty much everyone is doing this kind of stuff to some degree, and we desperately need some kind of legislation to protect our data ASAP, rather than looking for foreign boogeymen. What are your thoughts?
Also, I hope that you didn’t take offense at my criticism of your company’s behavior surrounding the report. Obviously, it’s hard to have a trusted reputation when you are still a relatively young company. However, within the security niche I think it is very important for organizations to be clear, open and transparent in their communications, even on Twitter. Being evasive or mysterious only served to undermine the hard work you put into the report.