TikTok is a popular short-form video app owned by the Chinese company ByteDance. Since launching internationally in 2017, TikTok has grown exponentially, with over 1 billion monthly active users as of September 2021. The app allows users to create, share, and discover short videos up to 3 minutes long on any topic. TikTok’s algorithm is known for quickly determining users’ interests and preferences to serve them personalized video feeds. This has contributed greatly to the app’s addictive nature and popularity among Gen Z users.
However, TikTok’s Chinese ownership and rapid growth have raised concerns, especially among governments worldwide, about how user data is collected, protected, and potentially accessed by the Chinese government. There are worries that TikTok could be compelled to censor content or be exploited for foreign influence or espionage. TikTok claims to store international user data securely outside China and not to remove content based on political sensitivities. But some cybersecurity experts say TikTok’s potential security vulnerabilities and privacy issues could make it a cyber risk.
TikTok’s Data Collection
TikTok collects a wide variety of data from its users. According to TikTok’s privacy policy, the app gathers information like:
- User content such as photos, videos, livestreams, comments, and messages
- Device and connection data like IP address, device ID, and network information
- Location data based on SIM card and IP address
- Cookies, pixel tags, and similar technologies that track user activity
- Metadata about content like hashtags, captions, and thumbnails
TikTok also admits to collecting some biometric data like faceprints and voiceprints. While the amount of data collection is extensive, research indicates it is comparable to platforms like Facebook and not necessarily illegal (1). The main concerns around TikTok’s data are how it could be aggregated and analyzed by its parent company ByteDance, and whether data practices fully comply with privacy regulations.
(1) https://www.cnn.com/2023/03/24/tech/tiktok-ban-national-security-hearing/index.html
TikTok’s Ties to China
TikTok is owned by the Chinese company ByteDance. While ByteDance was founded in China, it is registered in the Cayman Islands (Source: AP News). ByteDance owns 100% of TikTok through a complex corporate structure. While TikTok doesn’t operate in China, where its predecessor Douyin is available, ByteDance still exerts significant control over TikTok and its operations given its full ownership.
Some key facts about TikTok’s ownership (Source: Wikipedia):
- ByteDance is owned by founders and Chinese investors (20%), other global investors (60%), and employees (20%).
- While not directly owned by the Chinese government, ByteDance is still subject to Chinese internet censorship and surveillance laws.
- There are concerns around potential influence and control over TikTok by the Chinese government through ByteDance.
While TikTok downplays its Chinese ownership, it’s clear there are still strong ties to China through its parent company ByteDance, which has raised national security concerns in some countries.
Potential for Censorship
There have been numerous allegations that TikTok censors certain content on its platform. In 2020, TikTok was accused of censoring transgender users following reports that their videos were being removed or muted [1]. The BBC reported that hashtags supporting LGBT pride were hidden and videos discussing China’s treatment of Uighur Muslims were removed or suspended [2]. TikTok has also been accused of censoring content that is critical of the Chinese government and its policies [3]. While TikTok claims that most of these incidents were “mistakes” or “glitches”, critics argue they form part of a wider pattern of political censorship on the platform.
Vulnerabilities and Hacking
TikTok has faced some vulnerabilities and hacking incidents that raise concerns about its security. In May 2023, security researchers from Imperva discovered a vulnerability that could have allowed attackers to scrape information about users’ videos and gain access to personal data [1]. The researchers noted that fixing this vulnerability was important for preventing large-scale scraping of TikTok user data.
There have also been reported cases of TikTok accounts getting hacked or hijacked. According to cybersecurity firm Winsor Consulting, hackers have been known to break into TikTok accounts and then change the linked email address and password, locking out the original owner [2]. While TikTok has procedures to recover hijacked accounts, this still raises security fears for users.
Additionally, researchers from Check Point found multiple vulnerabilities in late 2021 that could have allowed hackers to manipulate user data and expose private information [3]. TikTok addressed many of these vulnerabilities after disclosure, but the findings demonstrate the app is not immune to hacking attempts.
User Privacy Concerns
TikTok has faced criticism and lawsuits over its handling of user privacy. In 2019, TikTok paid a $5.7 million fine to the Federal Trade Commission over allegations it illegally collected personal information from children under age 13 without parental consent. In 2021, TikTok agreed to pay $92 million to settle a class action lawsuit alleging violations of Illinois’ biometric privacy law through its collection of users’ facial geometry without consent. Some critics argue TikTok’s privacy policy allows an excessive amount of data gathering, and its default high privacy settings for minors should be expanded to all users.
Government Warnings and Bans
Several governments have raised concerns about the security of TikTok and taken steps to restrict or ban the app entirely. In 2020, India banned TikTok along with 58 other Chinese apps due to data privacy concerns (NYTimes). The United States government under President Trump issued executive orders to ban TikTok unless it was sold to an American company. However, the ban was blocked in court (Wikipedia). More recently, governors in over 10 U.S. states have banned TikTok on government devices and networks.
In 2021, the Dutch privacy watchdog determined TikTok violated children’s privacy laws and instructed the app to make changes. In 2022, the European Union’s data protection watchdog launched an investigation into TikTok’s data collection practices (TechTarget). The Canadian privacy commissioner also found TikTok’s practices violated local laws in 2022. Overall, government scrutiny and warnings about TikTok continue to increase globally.
TikTok’s Security Measures
TikTok states that it takes various measures to protect user security and privacy. According to TikTok’s privacy policy, the platform uses encryption to transmit user data securely and has physical and digital security protections like firewalls and server authentication to prevent unauthorized access to networks or servers (Source: https://www.tiktok.com/safety/en-us/privacy-and-security-on-tiktok/). TikTok also encourages users to enable two-factor authentication, use strong passwords, and avoid sharing account details to boost account security.
Additionally, TikTok claims that user data is stored on servers in data centers that have controls like access approvals and logging. According to TikTok, the app was built with a secure software development lifecycle including threat modeling, static analysis, fuzz testing, and penetration testing to identify and resolve potential vulnerabilities (Source: https://www.tiktok.com/community-guidelines/en/privacy-security/?enter_method=left_navigation).
Expert Opinions
Cybersecurity experts have weighed in on the potential risks of using TikTok. Bruce Schneier, a cybersecurity expert, wrote in CNN that TikTok’s data collection poses more of a privacy risk than a security risk. He argues that while TikTok collects a huge amount of data on its users, there’s no evidence China is spying on TikTok users or censoring content. However, he cautions that China could potentially weaponize TikTok’s data in the future.
CrowdStrike’s vice president of intelligence, Adam Meyers, said in an interview with CBS News that concerns about TikTok are “absolutely valid.” He explained that the Chinese government has demonstrated a willingness to leverage technology for espionage, and the amount of data collected by TikTok could be used to build profiles on millions of users. However, he also noted there are ways to mitigate potential risks through regulating the app.
The FCC commissioner Brendan Carr stated in Malwarebytes that TikTok should be removed from app stores because it poses an “unacceptable security risk.” He argued that TikTok is not just a social media app but rather a sophisticated surveillance tool that harvests extensive data from user devices.
Conclusion
After reviewing the potential cybersecurity risks of using TikTok, the findings suggest there are legitimate concerns around data privacy, censorship, and foreign government influence. However, the severity of these risks is still up for debate.
On the one hand, TikTok collects large amounts of user data, including location, messages, browsing history, and more. They have also shown a willingness to censor or suppress content deemed objectionable by the Chinese government. Given that TikTok’s parent company ByteDance is based in China, this raises alarms about state-sponsored espionage and propaganda. Several governments have even banned TikTok over these fears.
On the other hand, TikTok claims they store American user data in the US and Singapore, not China. They also say they would not hand over data to the Chinese government if asked. TikTok has taken steps to better secure user data and address privacy issues raised in the past. There is no definitive evidence yet their platform has been used for large-scale censorship or surveillance by China.
In summary, while the direct risks are unproven, TikTok’s ties to an authoritarian regime justify caution. Users, especially government employees, activists, and companies, should be aware their data could be monitored or manipulated. More oversight and transparency from TikTok would help assess the true level of risk. Avoiding or limiting use of the platform is one way to mitigate potential cybersecurity dangers in the meantime.