Report on TikTok's 'excessive' harvesting of user data sparks security concerns

An analysis of the app's source code reveals that it checks users' location and insists on access to contacts.

A recent report detailing massive amounts of user data collected by TikTok has sparked privacy concerns around the hugely popular video app, which is owned by Chinese internet company ByteDance.

In a technical analysis of TikTok's source code, security research firm Internet 2-0 found the app, which is the sixth most-used globally with forecast advertising revenues of U.S. $12 billion in 2022, was "overly intrusive" and data collection was "excessive."

"In our analysis the TikTok mobile application does not prioritize privacy," the report said. "Permissions and device information collection are overly intrusive and not necessary for the application to function."

The app retrieves information on all other apps on a phone, potentially providing a realistic diagram of a person's device.

It checks the device location at least once an hour, and has ongoing access to the calendar and contacts.

"If the user denies access, it continuously requests for access until the user gives access," the report said.

The app also scoops up Wi-Fi SSID information, serial numbers of devices and SIM cards, IMEI numbers, MAC addresses and other unique identifying data.

It also reads the device clipboard along with all active subscriptions and accounts on the device, the report said.

"Also of note is that TikTok IOS 25.1.1 [the version that runs on iPhones] has a server connection to mainland China which is run by a top 100 Chinese cyber security and data company Guizhou Baishan Cloud Technology Co., Ltd," the report said.

While TikTok claims user data is stored in the U.S. and Singapore, the report found evidence of "many subdomains in the iOS app scattered around the world," including Baishan, China.

As of September 2021 TikTok had more than one billion active users globally, 142.2 million of whom are in North America.

The report found that TikTok makes use of a number of permissions considered "dangerous" by industry experts.

"Unfortunately, TikTok makes use of a lot of these dangerous permissions," it said, adding that the IOS justification, whereby developers can't gain access to data on a device without good reason, made iPhones less of an easy target for data harvesting than Android devices.

Privacy concerns

Caitlin Chin, a fellow at the U.S.-based Center for Strategic and International Studies (CSIS), said many security experts weren't surprised by the findings.

"It confirms what many of us were suspecting, which is that TikTok is indeed collecting a lot of information, and a lot of it," Chin told RFA. "It is very private information."

Chin said there are naturally concerns that user data will be acquired and used by the Chinese government.

"This information [harvested by TikTok] can immediately reveal or be used to infer a lot of information," she said. "For example, the data can show who you are in daily contact with, which political organizations you are associated with, and what you usually do."

Chin said TikTok is a potential backdoor for the Chinese government to gain access to highly sensitive personal information about users all over the world.

"It does raise questions about what types of data TikTok is collecting, especially if this is non-essential information that the Chinese government could potentially obtain, albeit stored outside of China," she said.

"It raises concerns about the privacy of private communications."

A spokesperson for TikTok denied the claims in the report that user data was sent to China.

"The IP address is in Singapore, and communications don't leave their region," the spokesperson said in comments emailed to RFA.

"It's absolutely untrue to suggest that there is a connection to China."

The spokesperson also denied that TikTok harvests as much data as the report said it did, and said it harvested less than many other popular apps.

The purpose of collecting data was to "improve the user experience," they said, adding that the access approval process is overseen by a security team in the United States.

‘Security threat to Western countries’

The Biden administration reversed a Trump-era ban on TikTok and WeChat, which hadn't been fully implemented due to legal challenges.

BuzzFeed reported on June 17 that the data of U.S.-based TikTok users had been repeatedly accessed by the employees of TikTok's Chinese parent company, ByteDance.

On the same day, Tiktok announced it had signed a deal with Oracle to store the private data of all U.S.-based users on its cloud servers, but experts said this didn't mean employees based in China couldn't access it.

On June 24, FCC Commissioner Brendan Carr wrote to Google and Apple, asking them to remove TikTok from their app stores, citing the amount of data collected from users' devices.

Carr cited Chinese laws requiring Chinese companies to comply with requests to hand over data, and potentially spy on users, by the authorities.

Zhang Xiaogang, a doctoral student in computer science at UNSW Sydney, said China is keen to export its model of high-tech authoritarianism overseas, to extend Beijing's influence around the world.

"It's inevitable that TikTok's parent company would take this approach," Zhang told RFA. "The CCP [Chinese Communist Party] wants to control everything and export totalitarian rule overseas through high-tech companies."

"It will be using its monitoring technology, collecting a large amount of intelligence, stealing technology and finding out useful information through big data analysis," he said.

"This will pose a security threat to Western countries."

He said overseas governments are gradually waking up to what is happening.

"Now the CCP has gone too far, and intelligence agencies and defense agencies in Western countries are gradually starting to pay attention to this issue," Zhang said.

"Many politicians haven't yet realized that the CCP is using its position in the market to steal technology and information," he said.

"Western countries should impose restrictions on social media apps exported by the CCP," Zhang said. "If the CCP bans overseas social media, Western countries have reason to ban TikTok."

More evidence needed

Liu Lipeng, a former Weibo censor now living in the United States, said more details are needed.

"I'm still hoping for more technical details, or for a whistleblower to leak some ... direct evidence telling us how they operate," Liu said.

But he said there is a lot of evidence to show that TikTok is fully cooperating with the Chinese authorities, including by not allowing users based in China to register.

Current affairs commentator Tang Jingyuan agreed with Zhang's assessment.

"The Chinese authorities use TikTok and other companies for intelligence-gathering, even infiltration and the expansion [of influence] and to export ideological weapons," Tang said.

Companies that are controlled by the CCP and operate with malicious intent should be completely banned outside of China, Tang said.

Translated and edited by Luisetta Mudie.