TikTok is the fastest growing social media app in the world. It's home to celebrities, influencers, trend-setting dance crazes, and, increasingly, activism. It is also a massive spying tool passing information to the Chinese Communist Party, if the latest fears raised by governments and corporations are to be believed.
The last few weeks have seen TikTok come under a considerable amount of scrutiny. Politicians in Australia have called on the app to be banned in the country over fears that it is providing data to the Chinese government. India's government did ban TikTok, along with 60 other Chinese apps, as part of an ongoing clash between the country and China. In the United States, Secretary of State Mike Pompeo raised the possibility that the app may be banned in the country, though provided little explanation as to how the government would go about achieving that goal. Apparently spooked by these concerns, a number of major American corporations also issued warnings to employees regarding TikTok. Amazon briefly told its staff to remove the app from their phones before backtracking and saying the message was sent on accident. Wells Fargo actually followed through with this request, insisting that employees remove TikTok from company-owned devices.
The hoopla is enough to make some wonder if it's time to delete TikTok. The app is no doubt invasive, collecting a significant amount of user data that it likely sells to third-party companies. But that doesn't necessarily differentiate it from other social media apps like Facebook and Instagram, which are notorious for collecting troves of user data. What has earned TikTok the increased level of scrutiny is the fact that its parent company is based in China, maintains a nebulous relationship with the country's oppressive government, and has been less than forthcoming about what kind of information it collects. So just how big of a threat to security is Tiktok compared to some of its competitors, and is a ban worth considering?
What data does TikTok collect?
It also includes things going on under the hood of your phone. An effort to reverse engineer the app in order to see what information it collects revealed that TikTok can obtain phone hardware information including CPU type, screen dimensions, memory usage, hardware ID, and other information. It can gather identifying information from a user's network connection, including IP address, MAC address, WiFi access point name, and router MAC address. That's on top of GPS location. The app may also collect information about other apps that are installed on a user's device.
While this type of data collection seems particularly invasive, it's not uncommon. Researchers have found thousands of apps that perform similar types of excessive data collection, typically with the express goal of selling that information to third parties and data brokers. However, TikTok has been caught at times going above and beyond this, collecting information that the average user would never even think they would need to protect. The app was identified as one of a number of major apps that regularly copied the content of a user's clipboard — a practice the company claims to have stopped doing.
”Protecting the privacy of our users’ data is a critical priority for TikTok,” a spokesperson for TikTok tells Mic. “Our security team is led out of the US by our Chief Information Security Officer, Roland Cloutier, who has decades of industry and US law enforcement experience. TikTok collects much less US user information than many of the companies in our space and stores it in the US and Singapore. We have not, and would not, give it to the Chinese government.”
Is TikTok more invasive than other social media apps?
TikTok is unquestionably a data vacuum. However, many of its users, especially its young base, often greet this revelation with: "So what?" A lot of apps that people willingly use collect untold amounts of data about them and their activities, interests, and actions. Facebook tracks user activity across the web, even on unsavory sites that most people wouldn't want to be associated with their public persona. Google has such detailed location data about millions of people that it has been turned into a massive digital dragnet used by law enforcement to place people at the scene of crimes — sometimes leading to wrongful arrests. Even some of the more surprising aspects of TikTok's data collection, like sucking up clipboard content, is done by others. LinkedIn, which is owned by Microsoft, did the exact same thing. What's so different about TikTok?
According to experts that have taken a close look at social networking apps, TikTik collects a lot of data other apps do, but it is considerably more thorough. Penetrum, a cybersecurity company, is one of a number of organizations that have attempted to crack open TikTok and see exactly what is going on inside it. A researcher at the firm, who chose to remain anonymous, tells Mic that what TikTok is doing goes beyond what other companies collect. "TikTok’s data collection is much more worrisome than Facebook and some other applications because they are collecting information that they should not be," the researcher explains, pointing to the collection of clipboard content and queries for SMS logs as prime examples of overreach. "Facebook and other applications grab the low hanging fruit from the tree of users. Tiktok takes the entire tree."
The researcher noted this is particularly troublesome given that TikTok's userbase is considerably younger than many other social networks and the company has already taken heat for its handling of data from underage users. Regulators in the United Kingdom have started to investigate the app for collecting data from teens, and the US Federal Trade Commission fined the company $5.7 million last year for violating the privacy of children. TikTok has promised to change its practices, but the fact remains that the company's userbase is exceedingly young and its business model is data collection.
Penetrum is not the only company that found TikTok's reach to be concerning. Ken Lloyd, the Vice President of Risk for cybersecurity firm Zimperium, tells Mic, "There are very few apps that have the ability to extract data to the extent that TikTok does." While Lloyd says he won't speculate on what TikTok does with the data it collects, he notes that "TikTok does gather a lot of personal data and is not a U.S.-based corporation."
While TikTok's data collection may go farther than companies like Facebook or Google, it's also worth noting that much of that data is likely collected and sold by other apps. If someone, be it a government agency or an advertiser, wanted to, they could likely put together just as complete a profile of a person simply by buying the huge swaths of existing data collected and sold by other apps in bits and pieces. TikTok might have a more complete picture than others, but odds are the data it is collecting is being collected by someone else, too.
Justin Sherman, a fellow at the Atlantic Council's Cyber Statecraft Initiative, tells Mic that for the average user, "content censorship would be far more concerning a risk" than data collection. He also notes that part of the reason why TikTok is able to collect so much data is simply because it can. "There is also reason to wonder why an app like TikTok could collect so much information on American users in the first place," he says. "[It] comes back to a lack of strong US federal privacy rules to limit data collection, analysis, and sale by private companies, as TikTok is hardly the only app in the States collecting far more data than users might suspect."
Are TikTok's ties to China a legitimate concern?
There is one significant, undeniable difference between TikTok and competitors like Google and Facebook, and that is where the companies are headquartered. TikTok is owned by Bejing-based startup ByteDance. For some, this is enough to raise suspicion all on its own. It doesn't help that TikTok has been less than forthcoming about its ties to China. At one point, the company insisted that ByteDance is actually incorporated in the Cayman Islands so should not be considered a Chinese company. They have also named an American CEO to try to win over some good will from critics who insist TikTok is inextricably tied to the Chinese government.
That alleged connection raises concerns for those who fear that China's Community Party may be accessing information about Americans. This is why the US military has blocked access to TikTok, as have other intelligence agencies both in the US and overseas. Corporations fearful of international espionage have also started to try to cut off the app. "For some organizations, the risk associated with [TikTok] is not worth the reward," Lloyd says.
It's not clear what ties, if any, TikTok actually has with the Chinese government. It has been accused of sending data back to the country, and a national security investigation launched by the US federal government last year claims to have evidence to support that accusation. A lawsuit against TikTok makes similar claims. However, research into the app has not revealed any direct link showing user data flowing to China. TikTok claims that it does not store data on servers located in China, where the government would have much more of a case for accessing the information. Instead, the company says data is stored on servers in the United States and Singapore.
Sherman notes that the Trump administration in particular has tried to establish a posture as a China hawk, attempting to appear tough on the country that it constantly positions as a competitor. The same type of tactic was used in the administration's ongoing battle with Huawei, which eventually led to the Chinese technology company being banned from doing business in the US. However, Trump quickly created loopholes that allowed Huawei back in as the president partook in trade negotiations with China. "The Huawei saga is a prime example of this fact, where despite the presence of real security risks, and far clearer security risks than in the TikTok case), the Trump administration used its policy on Huawei as a bargaining chip in a trade war, all for political ends," Sherman says.
Sherman says that it is reasonable for the federal government and even corporations to prevent employees and contractors from using TikTok on their work devices. "That narrowly targets a risk of espionage through the app," he says. But he notes that the supposed ban of the app "immediately raises numerous questions about internet censorship, about affecting the many citizens using TikTok to share content and express themselves and politically organize.”
If TikTok's Chinese ties present any immediate, observable threat to American consumers, it is the importing of Chinese censorship to overseas markets. Reports indicate that moderators for TikTok have been informed to censor or throttle the spread of videos from users who are deemed too ugly, poor-looking, or disabled. Posts mentioning the repressive crackdown against the Muslim Uighur minority in China have also been removed from the platform, as have references to Tienanmen Square and Tibet. This sort of content crackdown is more likely to directly affect American consumers, who are used to having their data collected but less accustomed to having their voices silenced.