TikTok is a popular video sharing app owned by the Chinese company ByteDance that has experienced explosive growth over the past few years. The app has over 1 billion monthly active users worldwide, including over 100 million in the US.[1] However, concerns over TikTok’s data collection and privacy practices have raised alarm bells, especially with regard to the Chinese government’s potential access to user data.
TikTok collects a wide range of user data including browsing history, search terms, location data, messaging content and other sensitive information. There are concerns that TikTok may share this data with the Chinese government or third parties without user consent. This has prompted investigations from US regulators and bans of the app in some government agencies over national security risks.
In this article, we will examine the evidence around TikTok’s data collection practices, information security vulnerabilities, and whether the app compromises user privacy or leaks data inappropriately. We will also look at TikTok’s response to the allegations and what users can do to enhance their privacy on the platform.
TikTok’s Data Collection
TikTok collects a significant amount of user data, including names, ages, email addresses, phone numbers, locations, user-generated content like photos and videos, and device information.[1] TikTok also obtains data on users’ interests and preferences through their interactions with content on the app. This allows TikTok to curate personalized feeds and serve targeted advertisements.[2]
Specifically, TikTok accesses users’:
- Profile information entered when creating an account
- Videos watched and engaged with
- Contacts and messages
- Information stored on mobile devices like photos and notes
- Location data
- Clipboard content
While TikTok claims not to collect more data than other social media platforms, experts argue the granular level of TikTok’s data collection is unparalleled and concerning.
TikTok’s Data Sharing
TikTok has faced scrutiny over its data sharing practices with its parent company ByteDance, which is headquartered in China. While TikTok stores American user data in the US and Singapore, the company has admitted that some data is accessible to employees in China.
According to Forbes [1], TikTok revealed in June 2022 court filings that internal engineers in China can access certain U.S. user data to troubleshoot technical issues. Specifically, “TikTok employees outside the U.S can access information about U.S. users’ video engagement, such as total number of video views and comments.”
TikTok claims China-based employees with data access cannot see personally identifiable information or video content. However, cybersecurity experts argue that even non-identifiable data like viewing patterns could provide insight about American users that would be valuable to the Chinese government.
Leaked Source Code
In January 2021, there was an incident where a portion of TikTok’s source code and some private database information was leaked publicly on GitHub by a hacker (https://www.digitalmusicnews.com/2021/01/18/tiktok-source-code-leak/). This exposed parts of the internal code that runs the TikTok app, providing visibility into how the app operates behind the scenes. According to reports, the leaked code revealed some of TikTok’s key algorithms, data tracking/collection methods, and content moderation tactics. The hacker claimed the leak showed TikTok was essentially “spyware”, invading user privacy and exposing sensitive data.
While concerning, TikTok downplayed the severity and scope of the code leak. TikTok claimed only “basic public-facing APIs and libraries” were exposed, insisting no sensitive user data was compromised. However, cybersecurity experts warned that access to core source code could aid hackers in finding vulnerabilities to exploit in the future. The leaked code provided valuable insight into TikTok’s inner workings and raised broader concerns around the app’s data practices and security standards.
Exposed User Data
There have been several incidents where TikTok user data has been exposed publicly. In September 2020, personal information of TikTok users was found available on the dark web and hacker forums. The exposed data included profile pictures, usernames, follower count, videos liked and other account details of users.
In January 2021, 2 billion TikTok user records were put up for sale on a hacker forum, according to CyberNews. The records included private email addresses and phone numbers of users. TikTok said the data was aggregated from multiple websites, not obtained via its systems.
In September 2021, TikTok influencers’ earnings were leaked online on hacker forums. The exposed data revealed how much money top TikTok creators were earning from branded content, LIVE streams and tips.
While TikTok has downplayed the incidents saying no private data was compromised, these exposures have raised concerns over TikTok’s ability to safeguard user data.
National Security Concerns
There have been growing worries that TikTok poses a threat to national security, especially due to its ties to China. In 2020, the Committee on Foreign Investment in the United States (CFIUS) determined that TikTok’s data collection and ties to its parent company ByteDance raise national security concerns.
Recent polling indicates many Americans share these concerns, with 52% believing TikTok is a national security threat. Lawmakers have highlighted how the risk from TikTok has only increased over time, especially as the amount of user data collected has grown. There are worries that the Chinese government could access TikTok user data or influence content, using the platform for espionage, censorship or propaganda.
Some analysts argue that a ban may not be the best solution, and that more focused data security requirements could help address risks. However, there is bipartisan agreement that steps need to be taken to mitigate TikTok’s national security threats.
TikTok’s Response
TikTok has tried to ease growing privacy concerns and suspicions that the app shares data with the Chinese government. In response to allegations of data theft and security flaws, TikTok published a blog post outlining their approach to data privacy and security.
They stated that TikTok user data is stored in the US and Singapore, not China. TikTok also claimed they operate separately from their China-based parent company ByteDance. Additionally, they emphasized that employees outside of China do not have access to TikTok user data.
To address concerns over source code leaks, TikTok acknowledged there were “misconfigured storage settings” that exposed some user data in late 2021. They stated this issue was quickly fixed. TikTok maintained that there is no evidence data was actually accessed or misused.
Overall, TikTok aims to reassure users and regulators that privacy protections are a top priority. However, some experts argue their statements do not provide enough transparency into data practices. Concerns persist over potential access to data by Chinese authorities.
Legislative Action
There have been growing concerns from US lawmakers about TikTok and its handling of user data. In 2020, Secretary of State Mike Pompeo said the Trump administration was “certainly looking at” banning TikTok over national security concerns. In 2021, a group of Republican senators introduced a bill aimed at blocking TikTok from operating in the US over data security worries [1].
In 2022, FCC Commissioner Brendan Carr called on Apple and Google to remove TikTok from their app stores, citing “its pattern of surreptitious data practices.” TikTok CEO Shou Zi Chew testified before Congress in September 2022, where he reaffirmed that TikTok does not share US user data with China. However, lawmakers remained skeptical and questioned TikTok’s ties to its parent company ByteDance, which is headquartered in China.
Most recently, in December 2022, a bipartisan group of senators introduced a bill that would ban TikTok from operating in the US unless the company meets certain criteria, including being audited to ensure their data practices do not threaten national security. The fate of this and other proposed bills remains uncertain, but reflects ongoing scrutiny of TikTok by US officials.
Expert Perspectives
Cybersecurity experts have weighed in on the potential risks of TikTok’s data collection practices. Brian Haugli, CEO of SideChannel and a cyber security expert, said “TikTok is taking more data than any other social platform out there by magnitudes”. He explained that TikTok’s aggressive data collection allows it to build detailed profiles on users for ad targeting or other purposes.
Privacy researchers have also raised concerns. Serge Egelman, research director of the Usable Security & Privacy Group at UC Berkeley, said of TikTok: “There’s no smoking gun…But at the same time, there’s a lot of smoke”. He pointed to obfuscated code and other techniques that seem intentionally designed to evade analysis. While no specific data leaks have been confirmed, the opacity around TikTok’s practices fuels suspicion.
Experts urge caution in dealing with TikTok until its data handling practices are more transparent. But they also acknowledge the app doesn’t seem markedly worse than competitors in data collection. The core concern remains the potential for TikTok’s parent company ByteDance to share data with the Chinese government, which it denies.
Conclusion
While there have been concerning revelations about TikTok’s data collection and security practices, there is no clear evidence to suggest the platform has experienced large-scale leaks of private user information. The app certainly gathers an extensive amount of user data, and its handling of that data raises important questions. However, fears of major personal data leaks appear largely speculative at this point.
Some experts argue TikTok’s ties to China and past security flaws open the door to potential data leaks. But concrete examples have yet to emerge. The main verified incidents involve exposed public data, source code leaks, or suspected flows of aggregated analytics. There are no proven cases of mass leaks exposing private user info.
In summary, TikTok likely stores significant sensitive user data. But major leaks have not been substantiated. While vigilance is warranted, claims of actual mass private data leaks seem premature given current evidence. Moving forward, TikTok must continue strengthening its security to match its sweeping data collection.