The alarm even rang among TikTok’s target demographic: Gaming superstar Tyler “Ninja” Blevins tweeted on July 9 that he’s deleting the TikTok app.
Why the fuss? TikTok is owned by a Beijing-based company called ByteDance and has fallen in the crosshairs of a global technology battle. It’s not just playing out in the U.S.: Last month, India banned TikTok and several apps from China, citing security concerns. Personal technology and geopolitics are becoming increasingly intertwined: Last summer, there was a similar privacy freakout over the Russian-made FaceApp, a program that takes photos of people and “ages” them using artificial intelligence.
Advising everyone to just delete TikTok out of caution isn’t so simple — it has been downloaded more than 2 billion times, and millions of young Americans are relying on it for connection during the coronavirus pandemic. TikTok is the 2020 equivalent of “Star Search” crossed with “America’s Funniest Home Videos,” creating culture particularly through recorded dance moves. In other words: If you mess with Generation Z’s favorite app, be ready for a fight.
So let’s look at this decision beyond the geopolitical jousting. I recruited Patrick Jackson, chief technology officer of privacy company Disconnect, to help peer under the hood at what data the TikTok app actually gathers. (He’s helped me conduct past studies of snooping iPhone apps and websites.)
I also asked TikTok some pointed questions about its data practices.
“Protecting the privacy of our users’ data is of the utmost importance to TikTok,” said spokeswoman Ashley Nash-Hahn. “TikTok collects much less U.S. user information than many of the companies in our space and stores it in the U.S. and Singapore. We have not, and would not, give it to the Chinese government.”
My takeaway: TikTok doesn’t appear to grab any more personal information than Facebook. That’s still an appalling amount of data to mine about the lives of Americans. But there’s scant evidence that TikTok is sharing our data with China, and we should be wary of xenophobia dressed up as privacy concerns.
I don’t mean to excuse China’s record of online repression — it’s possible China will force TikTok to change its practices in the future. For now, it comes down to whether you inherently distrust data mining from Chinese-owned companies more than data mining from U.S.-owned ones. Just remember: companies in China probably make your phone, laptop and TV, too.
Let’s dive into the specifics.
What data does TikTok gather?
Aside from every TikTok video you watch — and how long you watch it for — TikTok has the full contents of private messages you can also send through its app.
That all adds up to a profile of you useful not only to target ads, but also to understand who you are, who your friends and family are, what you like, what you find funny and what you say to your friends.
Jackson, from Disconnect, said the app sends an “abnormal” amount of information from devices to its computers. When he opened TikTok, he found approximately 210 network requests in the first nine seconds, totaling over 500 kilobytes of data sent from the app to the Internet. (That’s equivalent to half a megabyte, or 125 pages of typed data.) Much of it was information about the phone (like screen resolution and the Apple advertising identifier) that could be used to “fingerprint” your device even when you’re not logged in.
And there is a hole in our ability to verify all of what TikTok does. Jackson said the app uses some technical measures to encode its activity, meaning some of it is hidden from independent researchers looking under the covers. “In order to disrupt hackers and those who wish to manipulate the app, we use obfuscation to help reduce automated attacks, like bots,” Nash-Hahn said.
Does the TikTok app do anything shady?
In March, app developers at a company called Mysk discovered TikTok was accessing the contents of people’s iPhone clipboards every few seconds, even when the app was running in the background. TikTok said it was an anti-spam measure, and has updated the app to stop it.
In December, researchers at Israeli security firm Check Point said they found bugs in the app that could have let attackers access personal data, which the company also says it fixed.
Last but not least: In 2019, TikTok paid $5.7 million to the Federal Trade Commission for violations of America’s children’s privacy law by its predecessor Musical.ly, which it acquired in 2017. It has since increased parental controls, though some children’s advocacy groups say it is not sufficient.
What are the U.S. government’s concerns about TikTok?
First, TikTok is under national security review by the Committee on Foreign Investment in the U.S. (CFIUS) after lawmakers accused it of censoring some videos to satisfy the Chinese government. TikTok denies that. My colleagues Drew Harwell and Tony Romm reported last year that former U.S. employees bristled at commands to restrict videos that Beijing-based teams had deemed subversive or controversial. When your ultimate bosses are in China, it’s hard to resist China’s restrictive view of acceptable speech.
The broader concern is that China could collect personal data about millions of Americans — one reason TikTok is banned for use on official devices by the U.S. Army. China’s government has a lot of power over its technology companies, and generally expects them to comply with censorship demands or efforts to track down suspected spies or dissidents.
CFIUS could force a sale of the company or take steps to prohibit its operations in the U.S. The government did that in 2019 with dating app Grindr, which had been purchased by a firm in China.
Does TikTok data get stored in China?
TikTok says user data is stored only in the U.S. and Singapore.
Trust but verify: Jackson and I watched data flow out of the app, and did not see any headed to addresses that were clearly based in China. Most went to cloud services such as Amazon Web Services. But “it’s possible (and likely) that data transmitted to these servers are transferred to other locations but it’s not verifiable from our end,” Jackson said. He also found several references in the app to Internet addresses based in China or registered there, though saw no traffic going to them.
It’s possible TikTok has changed some of its data practices for the better recently. A lawsuit filed in California claimed as recently as 2019 that TikTok was sending data to several Internet addresses in China, without citing sources for the claim. It also claimed the app contained source code from China’s Internet giant Baidu, as well as advertising software called Igexin that security researchers have said has the capability to spy on people.
Nash-Hahn declined to comment on the case, but said, “We neither use code of, nor send any data to, Baidu or Igexin.” Lawyers for the case did not respond to a request for comment.
Can the Chinese government force TikTok to hand over your data?
TikTok said the Chinese government has never asked it for user data, and it would refuse such a request. TikTok also said its security team is led out of the U.S. by an executive who has decades of industry and U.S. law enforcement experience.
How well it could actually resist an order is a separate question.
TikTok is trying to thread a difficult needle as a China-owned app that doesn’t have to play by China’s rules. In early July, it pulled out of the Google and Apple app stores in Hong Kong, following the implementation of a new sedition law in the Chinese special administrative region. The law could force companies that do business in Hong Kong to hand over data to China.
But TikTok is hardly the Chinese government’s only way to gather information about Americans. The U.S. has repeatedly accused it of espionage, including the 2017 hack of the Equifax credit reporting agency. Americans’ personal data is put at risk every day by American corporations that collect, sell and store it in insecure ways.
Is TikTok better or worse than Facebook?
In some ways, TikTok gathers less data. In addition to most of the types of personal information we saw TikTok gathering, Facebook also tracks users across devices, and inside other apps and websites. As I’ve written, it even tracks you when you’re not using Facebook and your phone is off. We didn’t see any behavior close to that in the TikTok app.
“It doesn’t appear that TikTok takes more data than Facebook but they do take measures to hide what they are collecting,” Jackson said.
Facebook has also run afoul of the FTC, including a $5 billion settlement over privacy invasions — the largest fine in the FTC’s history.
Is there anything you can do to reduce your privacy risk and keep using TikTok?
A TikTok privacy setting called “personalized ads” will let you stop the app from using your information to target you with ads, but it won’t stop TikTok from collecting the data in the first place.
My general privacy rule is: When in doubt, fib. There’s no reason to give TikTok your real name or access to your contacts or other social media connections. Pick a fake name and a throwaway email address.
You can also use TikTok without giving it your phone number or email by never logging in — you can still watch videos in the app and on the open Web, though you won’t be able to follow specific accounts or upload videos of your own. And this still won’t stop TikTok from gathering other information about your device.