TikTok has taken the world by storm in recent years, accumulating over 1 billion monthly active users globally as of September 2021 (Telegraph). Originally launched in China in 2016 under the name Douyin, TikTok exploded in popularity internationally after merging with Musical.ly in 2018. It is currently the fastest-growing social media platform in multiple markets, including the UK and Europe.
However, TikTok’s rapid expansion outside China has not been without controversy. There are growing concerns around TikTok’s data privacy protections, content moderation policies, and potential for censorship or surveillance on behalf of the Chinese government. These issues have resulted in bans or restrictions of TikTok in some countries, like India and the US military. Given TikTok’s massive userbase, primarily of younger users, its security practices have come under increasing scrutiny by researchers, regulators, and the public.
Data Privacy Concerns
TikTok has faced criticism over its data collection practices and privacy policies. As a social media platform, TikTok collects a significant amount of data from its users, including location information, browsing data, search history and more (https://www.tiktok.com/legal/privacy-policy-row). There are concerns that the extensive data gathered by TikTok could be accessed and misused by its parent company ByteDance, which is headquartered in China.
Some worry that the Chinese government could potentially access TikTok user data through ByteDance, although TikTok claims that its data is stored outside of China. According to TikTok, U.S. user data is stored in Virginia with Singapore serving as its backup (https://www.pirg.org/articles/demystifying-tiktok-data/). However, given China’s national intelligence laws that require companies to share data if requested, some distrust remains.
While TikTok gathers a large volume of user data, some analysis indicates it may not necessarily collect more data than platforms like Facebook (https://www.cnn.com/2023/03/24/tech/tiktok-ban-national-security-hearing/index.html). However, the China ties and potential for government coercion have made U.S. authorities wary. The debate continues around whether the privacy risks of TikTok’s data practices warrant restriction.
Potential for Censorship
There have been concerns that TikTok engages in censorship of certain content, especially content that the Chinese government deems objectionable. In China, where TikTok operates a similar but separate app called Douyin, the platform has been known to censor topics considered politically sensitive by the Chinese government, such as the Tiananmen Square protests, Tibetan independence, and the religious movement Falun Gong.[1]
This censorship within China has raised fears that TikTok could censor content in other markets outside of China if the Chinese government demanded it. So far, there is no evidence that TikTok censors content outside of China the way Douyin does within China. However, leaked audio from TikTok meetings revealed discussions about restricting content related to “political and social issues” to avoid trouble with moderation and negative public perception.
While TikTok claims it does not censor content beyond what is required by local laws, the potential remains concerning to free speech advocates. TikTok’s ownership by the Chinese company ByteDance has fueled suspicions that it could give in to Chinese government influence or pressure in the future. More transparency around TikTok’s censorship policies and operations could help alleviate these concerns.
Vulnerabilities and Hacks
TikTok has faced scrutiny over potential security vulnerabilities that could allow malicious actors to compromise user accounts. In 2020, researchers at Check Point discovered multiple vulnerabilities that could have allowed hackers to manipulate content and extract personal information from accounts (Check Point Research Reveals Multiple Vulnerabilities in TikTok). While TikTok fixed the reported issues, the findings highlighted the need for ongoing security reviews.
In August 2022, Microsoft security researchers revealed a vulnerability in TikTok for Android that enabled account takeovers with just one click, without needing passwords (A ‘high severity’ TikTok vulnerability allowed one-click account takeover on Android). TikTok has acknowledged the need to strengthen account security and prevent compromise.
There have also been reports of TikTok accounts being hacked or compromised. While the exact methods are unclear, weak passwords, reused credentials from breaches, and vulnerabilities have enabled attackers to break into accounts. Users have reported email addresses being changed and videos being posted without consent. TikTok advises users to strengthen passwords and enable two-factor authentication.
Transparency Issues
TikTok has faced criticism about a lack of transparency around some of its data practices and content moderation decisions. Many privacy advocates and policymakers have called on TikTok to be more transparent about how it collects, stores, secures and uses data from its users.
In particular, there have been concerns around TikTok’s data sharing with its parent company ByteDance, which is based in China. TikTok has asserted that U.S. user data is stored separately from the rest of ByteDance, but some experts have questioned if there are adequate safeguards. TikTok published its first transparency report in 2021, but some say it lacks sufficient detail around government requests for user data and content takedowns.
TikTok has stated that it is committed to being transparent and accountable [1]. It has a Transparency Center on its website with information on its policies, programs, and data practices. However, critics argue TikTok needs to do more to open itself up to independent audits and oversight around issues like algorithmic transparency and content moderation [2]. The ongoing debate indicates there are still transparency concerns TikTok must address.
Actions by Governments
In June 2020, India banned TikTok along with over 200 other Chinese apps, after tensions escalated between the two countries following border clashes. With over 200 million Indian users, it was TikTok’s largest market at the time.
In a statement, India’s Ministry of Electronics and Information Technology said the apps were “prejudicial to sovereignty and integrity of India, defence of India, security of state and public order”.
The ban cut TikTok off from a massive userbase and forced it to miss out on significant advertising revenue in one of the world’s fastest-growing internet markets. Following the ban, most Indian TikTok users migrated to other platforms like Instagram Reels and YouTube Shorts.
In the United States, policymakers have also voiced concerns over TikTok’s data practices and ties to China. Calls to ban or restrict TikTok escalated under the Trump administration, but no nationwide ban has been implemented so far.
However, some US government agencies including the military have prohibited personnel from using the app on government devices. Several US states have also barred the use of TikTok on state-owned devices.
TikTok’s Responses
TikTok has responded to security concerns and claims of data privacy risks on several occasions. In a press release, TikTok stated it offers the “highest standard of transparency” and emphasized that U.S. user data is stored on servers in the U.S. and Singapore, not China.
TikTok has also made changes to address security issues, including partnering with Oracle to host U.S. users’ data to alleviate data privacy concerns. TikTok claims it has made strides in transparency through a Transparency Center and report about government requests for user data and content removal.
Independent Security Reviews
TikTok has undergone independent third-party security reviews and audits in an effort to assure users and regulators that their data is secure. In 2021, TikTok engaged a leading cybersecurity firm to conduct an audit of its platform and data security controls, which resulted in TikTok receiving ISO 27001 and 27701 certifications for its privacy and data security practices (TikTok Newsroom). The ISO certifications require ongoing independent audits to maintain compliance.
In September 2022, TikTok hired the British cybersecurity firm NCC Group to regularly audit TikTok’s data security practices, source code, and software development lifecycle (Reuters). NCC will make recommendations for improvements and provide verification reports to regulators. While these independent reviews aim to assure regulators and users, some critics argue they do not provide full transparency into TikTok’s algorithms and data practices.
Ongoing Debate
Debate continues over the security risks posed by TikTok. Some lawmakers and analysts argue that the risks are too high given TikTok’s ownership by the Chinese company ByteDance. They point to potential issues around data privacy, censorship, and Chinese government influence over the app’s operations [1].
However, TikTok has pushed back against claims that it represents a security threat. The company highlights that U.S. user data is stored on servers in the United States and Singapore, not China. TikTok also says its moderation policies prohibit manipulating content for any government. Furthermore, independent security reviews have not revealed any intentional backdoors for the Chinese government [2].
While risks may exist, some argue they can be properly managed through ongoing oversight and transparency from TikTok. But others maintain that any Chinese ownership of TikTok inevitably opens up unacceptable vulnerabilities [3].
Conclusion
In summary, TikTok faces ongoing scrutiny over several key security issues. These include concerns around data privacy, censorship, vulnerabilities, transparency, and actions by various governments. While TikTok has responded by highlighting its security features and commissioning independent reviews, questions remain about whether sufficient safeguards are in place.
Going forward, TikTok will need to continue improving its security and privacy protections to maintain user trust. Key priorities include strengthening encryption, enabling two-factor authentication, addressing any identified vulnerabilities, increasing transparency around data practices and content moderation, and complying with evolving government security requirements globally. TikTok faces challenges balancing user growth with privacy protections. Overall, the public debate highlights a need for greater oversight and assurances when it comes to securing user data.