TikTok is a popular short-form video app with over 1 billion monthly active users worldwide as of September 2022. Originally launched in China in 2016 as Douyin, TikTok exploded in popularity internationally when ByteDance acquired Musical.ly in 2017 and merged it into TikTok. The app allows users to create, share, and discover short videos ranging from 15 seconds to 3 minutes.
Despite its popularity, TikTok has faced scrutiny over potential security and privacy issues. The goal of this article is to examine some of the main security concerns surrounding TikTok and evaluate if they pose real threats to users.
Data Collection
TikTok collects extensive user data including location information, browsing and search history, messages sent within the app, and data on how users interact with content such as videos. According to a report by U.S. PIRG, TikTok tracks which videos users watch and how long they spend viewing them. The app’s privacy policy also allows it to collect precise location data based on users’ SIM card and IP address (TikTok Privacy Policy).
This broad data collection raises privacy concerns. Users have limited visibility into how their personal information is used by TikTok. There are also fears that the data could be accessed by the Chinese government given TikTok’s parent company ByteDance is based in China. Experts warn that the extensive data collection presents security risks and enables highly targeted advertising and manipulation.
Ties to China
TikTok is owned by the Chinese company ByteDance, which is headquartered in Beijing [1]. Since ByteDance is based in China, it is subject to Chinese laws and regulations, including censorship requirements. The Chinese government takes an active role in regulating and monitoring online content and activities. Companies like ByteDance are expected to comply with government directives on what is and is not acceptable to be published or promoted on platforms like TikTok [2].
This connection to China raises concerns that TikTok may censor content or share data with the Chinese government. TikTok has downplayed its ties to China, pointing out that its servers are based outside of China and not subject to Chinese law. However, given ByteDance’s location within China, the company and TikTok would face immense pressure to comply with Chinese authorities if requested [3].
Potential for Censorship
There have been numerous reports of TikTok censoring content deemed politically sensitive by the Chinese government. In September 2019, The Guardian reported that TikTok instructed moderators to censor videos that mentioned Tiananmen Square, Tibetan independence, or the banned religious group Falun Gong [1]. These leaked documents provide evidence that TikTok was following directives from its parent company ByteDance to censor certain topics in line with Chinese policy.
TikTok has also been accused of censoring content related to protests in Hong Kong. In 2019, TikTok suspended the account of an American teenager who posted a viral video criticizing China’s treatment of the Uyghur minority group [2]. These instances indicate TikTok may be restricting content that is critical of the Chinese government or promotes views contrary to Beijing’s political agenda.
While TikTok claims that it does not remove content based on “sensitivities related to China”, there are concerns that the platform’s politically-motivated censorship could spread as its popularity grows globally [3]. Some experts argue TikTok’s censorship practices are opaque and could potentially be leveraged for political ends in the future.
Vulnerabilities
TikTok has been found to contain a number of security vulnerabilities that could potentially be exploited by hackers. In May 2023, the Imperva Red Team discovered a vulnerability that allowed malicious actors to uncover user activity and personal information [1]. This vulnerability, known as a server-side template injection, allowed attackers to inject arbitrary code into TikTok’s back-end servers and extract sensitive data. Additionally, Microsoft researchers discovered vulnerabilities in late 2021 related to cross-site scripting and arbitrary code execution that could have enabled attackers to run malicious code on users’ devices [2]. These types of flaws, if exploited, could enable attackers to steal personal data, take control of accounts, or spread malware.
According to CVE Details, over 60 vulnerabilities have been reported in TikTok to date [3]. Many of the reported issues are related to improper access control, input validation errors, insecure data storage, and authentication weaknesses. While TikTok has worked to patch vulnerabilities that have been disclosed, the number of flaws uncovered indicates TikTok may have ongoing challenges securing its massive and complex technology infrastructure.
Third-Party Trackers
TikTok’s privacy policy states that it uses third-party trackers and partners to serve targeted ads, analyze usage, and improve services. Consumer Reports found that TikTok embeds tracking pixels in websites that pass browsing information back to TikTok, even for visitors who do not have TikTok accounts. This allows TikTok to build detailed profiles and track people across sites.
TikTok says it does not sell data, but it does share information with third parties for business purposes such as advertising. However, TikTok’s list of supported third parties shows that it shares extensive user data with many external companies. While some data sharing may be expected for service functionality, the scale of monitoring is concerning for user privacy.
Cryptographic Issues
TikTok has faced scrutiny over weaknesses in its encryption and cryptography practices. In 2020, researchers discovered flaws that allowed attackers to manipulate user data and inject malicious code (https://www.nytimes.com/2020/01/08/technology/tiktok-security-flaws.html). Specifically, TikTok failed to validate HTTPS certificates, making connections vulnerable to man-in-the-middle attacks. The app also did not properly isolate internal resources, enabling cross-site scripting and code injection if attackers gained access. More recently, in 2021, Check Point Software reported finding vulnerabilities that enabled attackers to retrieve personal information from TikTok user accounts, including names, birthdays and photos (https://fortune.com/2022/09/05/tiktok-security-more-scrutiny-microsoft-finds-high-severity-vulnerability-video-app/). These weaknesses stemmed from encryption flaws in how TikTok handles user authentication tokens and sensitive data. Experts note that TikTok’s cryptography practices lag behind industry standards, posing risks of data leaks, account takeovers, injection attacks and more.
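The certificate-validation failure described above is a general client-side mistake, not something specific to TikTok. The following Python example, written for this article rather than taken from TikTok or from any of the cited researchers, shows the weak client configuration (certificate and hostname checks switched off, which is what makes a man-in-the-middle attack possible) next to the corrected one, plus a small audit helper that flags the weak settings in any `ssl.SSLContext`. The function names and finding codes are this example’s own; `secure_connect` performs a real network connection and is only illustrative here.

```python
import socket
import ssl
from typing import List

# Finding codes returned by audit_context(); these names are this example's own.
NO_CERT_VERIFICATION = "no-cert-verification"
NO_HOSTNAME_CHECK = "no-hostname-check"
WEAK_MIN_TLS = "weak-min-tls"


def make_insecure_context() -> ssl.SSLContext:
    """The weak pattern: the client accepts any certificate, including one
    presented by an on-path attacker, so TLS no longer authenticates the server."""
    ctx = ssl.create_default_context()
    # check_hostname must be disabled before verify_mode can be relaxed.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_hardened_context() -> ssl.SSLContext:
    """The corrected configuration: chain validation against the system CA store,
    hostname matching, and a TLS 1.2 floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname already set
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses found in an SSLContext; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(NO_CERT_VERIFICATION)   # server certificate never validated
    if not ctx.check_hostname:
        findings.append(NO_HOSTNAME_CHECK)      # a valid cert for any host is accepted
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(WEAK_MIN_TLS)           # legacy protocol versions allowed
    return findings


def secure_connect(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a TLS connection that refuses unverified peers and return the
    validated peer certificate as a dict. Raises ssl.SSLCertVerificationError
    on an untrusted chain or a hostname mismatch. Needs network access, so it
    is not exercised by the offline checks."""
    ctx = make_hardened_context()
    bad = audit_context(ctx)
    if bad:
        raise ValueError(f"refusing to connect with weak TLS settings: {bad}")
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("insecure context findings:", audit_context(make_insecure_context()))
    print("hardened context findings:", audit_context(make_hardened_context()))
```

Running the audit over the two contexts shows the insecure one flagged for both missing certificate verification and missing hostname checking, while the hardened one returns no findings. In a code review or a mobile-app assessment, the same two properties (verification mode and hostname check) are what to look for, whatever TLS library the client uses.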
Government Concerns
Governments around the world have raised concerns about the security risks posed by TikTok. In the United States, FBI Director Christopher Wray warned that TikTok’s parent company ByteDance could control the app to access user data or manipulate content, posing national security risks (FBI Director Christopher Wray Raises National Security Concerns About TikTok – Associated Press, 2022).
The European Union has also warned about potential data transfers to China under the country’s national intelligence laws and has opened an investigation into TikTok. The UK government banned TikTok on government devices in early 2023 over security concerns (Why TikTok’s Security Risks Keep Raising Fears – Associated Press, 2023). India banned TikTok and dozens of other Chinese apps in 2020 over data privacy concerns.
These actions by governments worldwide underscore the data security issues posed by TikTok’s ties to China, its potential for censorship, and vulnerabilities in its code. While TikTok has claimed it keeps U.S. data secure and does not remove content due to Chinese influence, government agencies remain concerned about national security risks.
TikTok’s Response
TikTok says that the company has worked hard to improve its overall privacy and security practices. In a statement on its website, TikTok says that it will “store all TikTok US user data in Virginia with backups in Singapore. TikTok does not remove content due to sensitivities related to China. We have never been asked by the Chinese government to remove any content and we would not do so if asked.”
TikTok also says that “We are not influenced by any foreign government, including the Chinese government; TikTok does not operate in China, nor do we have any intention of doing so in the future.” In terms of data privacy, TikTok says they “have worked to develop stringent policies and protocols to manage user data security in collaboration with industry-leading experts like Oracle.”
According to TikTok, its “goal is to minimize data access across regions so that, for example, employees in Asia Pacific would not have access to European user data.” The company aims to provide transparency around its security practices and says it will continue working to “earn and build trust with users and key stakeholders.”
Conclusion
In summary, TikTok faces several key security issues related to data collection, ties to China, censorship, vulnerabilities, third-party trackers, and cryptography weaknesses. These concerns originate from TikTok’s parent company ByteDance being based in China and subject to Chinese laws requiring data sharing with the government. There are also technical issues like trackers collecting data without consent and potential vulnerabilities open to exploitation.
Experts have differing views on whether TikTok can sufficiently resolve these problems. Some believe the issues are fundamental to TikTok’s ownership and cannot be addressed without fully separating from ByteDance. Others think TikTok’s efforts like storing more data outside China have sufficiently isolated it from Chinese control. Much also depends on whether one trusts TikTok’s statements about not sharing data improperly or censoring politically sensitive content.
In the future, TikTok may need to make more structural changes to convince skeptics it can operate independently from China. But it’s unlikely concerns will be fully alleviated given the complexities involved. Overall, users, governments and experts will need to continually evaluate TikTok’s evolving security policies and actions.