The Privacy Risks of TikTok – Why This Invasive App is So Dangerous

TikTok is a Chinese app owned by tech company ByteDance. On TikTok, users can create and share short videos. The app is reminiscent of Vine, a similar video sharing platform that reached its peak a couple of years ago. TikTok is extremely popular. It’s also the first Chinese social media app to do this well in the rest of the world. However, recent research has shown that the app’s security leaves much to be desired.

Several agencies and news outlets are now sounding the alarm and reporting on the many problems that have surfaced. ByteDance claims to want to break away from its Chinese background in order to serve a global audience and says it will never share data with the Chinese government. This claim, however, seems impossible now that new security laws have been introduced in Hong Kong.

TikTok’s user base mostly consists of children and adolescents, which many consider to be vulnerable groups. This is a main reason for different authorities to express their worries. However, it isn’t just the youth that might be in danger from TikTok. From December 2019 onwards, U.S. military personnel were no longer allowed to use TikTok, as the app was considered a ‘cyber threat’. Privacy regulators from the EU also decided to study TikTok’s privacy policy, and even Reddit’s CEO harshly condemned TikTok’s practices.

VPNOverview took a close look at TikTok and included the most recent research in its analysis. The findings are disturbing. The privacy and security risks that come with TikTok are serious. So, what can you do to limit those risks as much as possible?

TikTok and the Influence of the Chinese Government

TikTok is owned by ByteDance, a Chinese developer. For this reason, many wonder about the role the Chinese government plays behind the scenes. Much like Huawei, which has come under close scrutiny in recent years, TikTok isn’t trusted because of its connections to China. In the Chinese political system, the government has more influence over companies than is the case in Western countries. This means that the Chinese government could (and most likely will) collect data from users.

The Chinese government isn’t the only one collecting data; Western governments are also trying to gain insight into and influence social media platforms. The US government, for example, regularly attempts to obtain data through tech companies. Since the US is a constitutional state, however, there are several safeguards and laws in place that somewhat limit the government’s influence. The Western world has countless independent privacy watchdogs, while there’s no such thing in China.

Hacker group Anonymous claims that TikTok was primarily developed as spyware for the Chinese government. See tweet below:

[Image: Anonymous tweet about TikTok]

Additionally, Anonymous has published a video listing the many dangers of TikTok. They quote a source that has done extensive research on TikTok: “Calling it an advertising platform is an understatement. TikTok is essentially malware that is targeting children. Don’t use TikTok. Don’t let your friends and family use it. Delete TikTok now […] If you know someone that is using it, explain to them that it is essentially malware operated by the Chinese government running a massive spying operation.”

These claims fit in with the recent developments surrounding TikTok. For example, Apple researchers announced that TikTok deliberately spies on users.

Claims keep piling up, showing that TikTok is a very invasive application that poses a substantial privacy risk. It seems that the data collection at TikTok goes much further than other social platforms such as Facebook or Instagram. This is surprising, since both of these companies have already faced backlash for the way they’ve dealt with user privacy. TikTok seems to collect data on a much larger scale than other social media platforms do. This, combined with TikTok’s origins, makes it quite plausible that the Chinese government has insight into all of this collected data.

Browser trackers and data collection

Research from a German data protection website has revealed that TikTok installs browser trackers on your device. These track all your activities on the internet. According to ByteDance, these trackers were put in place to recognize and prevent “malicious browser behavior”. However, they also enable TikTok to use fingerprinting techniques, which give users a unique ID. This enables TikTok to link data to user profiles in a very targeted way.

Unfortunately, this happens with a great disregard of privacy – perhaps intentionally so. The German researchers indicate, for example, that IP addresses aren’t anonymized when TikTok uses Google Analytics, meaning your online behavior is directly linked to your IP address. An IP address provides information about your location and, indirectly, about your identity.

In addition, TikTok’s reasoning for this kind of data collection only raises more questions. What does the company mean by “malicious browser behavior”? What happens to the data collected through the trackers? Why does the company collect your IP address? And what gives TikTok the right to search your browser in the first place?
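The Google Analytics point above can be checked against your own captured browser traffic. The following is an added example, not code from the German researchers or from TikTok: it assumes Universal Analytics "collect" hits, where the "aip" parameter asks Google to anonymize the sender's IP, and every URL in it is constructed sample data.

```javascript
// Added example. The URLs are constructed sample data, not captured TikTok traffic.
const SAMPLE_URLS = [
  'https://www.google-analytics.com/collect?v=1&tid=UA-000000-1&cid=555&t=pageview&dl=https%3A%2F%2Fexample.com%2Fa&aip=1',
  'https://www.google-analytics.com/j/collect?v=1&tid=UA-000000-1&cid=555&t=pageview&dl=https%3A%2F%2Fexample.com%2Fb',
  'http://www.google-analytics.com/collect?v=1&tid=UA-000000-1&cid=555&t=event&dl=https%3A%2F%2Fexample.com%2Fc',
  'https://www.google-analytics.com/r/collect?v=1&tid=UA-000000-1&cid=555&t=pageview&aip=',
  'https://cdn.example.com/app.js',
  'not a url',
];

const GA_HOST = 'www.google-analytics.com';
const GA_COLLECT_PATH = /^\/(?:[jr]\/)?collect$/; // /collect, /j/collect, /r/collect

function isAnalyticsHit(url) {
  return url.hostname === GA_HOST && GA_COLLECT_PATH.test(url.pathname);
}

// Classify each GET hit. POST hits carry the payload in the body and need
// the same check applied to the body string instead of the query string.
function auditHits(rawUrls) {
  const report = { total: 0, anonymized: [], exposed: [], insecure: [], skipped: [] };
  for (const raw of rawUrls) {
    let url;
    try {
      url = new URL(raw);
    } catch {
      report.skipped.push(raw); // unparseable capture line
      continue;
    }
    if (!isAnalyticsHit(url)) continue;
    report.total += 1;
    const q = url.searchParams;
    const hit = { property: q.get('tid'), type: q.get('t'), page: q.get('dl') };
    // Measurement Protocol: the mere presence of "aip" (even "aip=" or
    // "aip=0") requests anonymization, so test presence, not the value.
    (q.has('aip') ? report.anonymized : report.exposed).push(hit);
    if (url.protocol !== 'https:') report.insecure.push(hit);
  }
  return report;
}

const report = auditHits(SAMPLE_URLS);
console.log(`${report.exposed.length} of ${report.total} hits sent without IP anonymization`);
for (const hit of report.exposed) console.log('  exposed:', hit.type, hit.page);
```

Hits listed as exposed are the ones where the visitor's full IP address is processed together with the page they were viewing.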

Spyware disguised as a social app

The tracking activities mentioned above are questionable to say the least. Members of online tech communities on Reddit and other platforms believe that TikTok deliberately collects user data. It’s claimed that the app is essentially a way to steal data, disguised as a social medium.

A user on Reddit used reverse engineering to figure out more about TikTok. Anonymous quoted the results in the video we mentioned earlier. The Reddit user discovered that TikTok collects all kinds of information:

  • Your smartphone’s hardware (CPU type, hardware IDs, screen size, dpi, memory usage, storage space, etc.);
  • Other apps installed on your device;
  • Network information (IP, local IP, your router’s MAC address, your device’s MAC address, the name of your Wi-Fi network);
  • Whether your device was rooted/jailbroken;
  • Location data, through an option that’s turned on automatically when you give a post a location tag (only happens on some versions of TikTok).

Additionally, the app creates a local proxy server on your device, which is officially used for “transcoding media”. However, this is done without any form of authentication, making it susceptible to misuse. Moreover, the tracking of that information can be configured remotely. The app also didn’t start using the HTTPS protocol until recently, which meant user data wasn’t safe in the first place.

The fact that multiple sources have independently stated that TikTok is nothing more than spyware labelled as “social media” is reason for us to explicitly discourage the use of this app at this time. Official investigations into TikTok are ongoing, although these might take some time. In this case, we believe it’s better to be safe than sorry.

TikTok privacy policy facilitates massive data exchange with governments and other companies

In its privacy statement, TikTok indicates what information it collects about users. If you go to the privacy policy from your settings on the app, you’ll only see a summary of the complete information. Each section allows you to click through to more complete explanations in the same document.

Upon closer inspection of TikTok’s privacy policy, one can conclude that the company behind the app is allowed to hand over all user data to both commercial parties and governments. “We will share your information with law enforcement agencies, public authorities or other organizations if legally required to do so, or if such use is reasonably necessary to comply with legal obligation, process or request.”

This is where the difference between the Chinese regime and political systems in other countries becomes evident. In China, the phrase “If legally required to do so” could simply mean “as soon as the government asks for it”. In addition, setting up a business entity by means of a mock structure could be enough to get your hands on TikTok user data. After all, the privacy policy allows the company to share all user data with entities with which TikTok does business.

The excerpts from TikTok’s privacy policy below show that they can easily share your data with a third party.

[Image: TikTok Privacy Policy Law Enforcement Requests]

[Image: TikTok Privacy Policy Sale or Merger]

Critics rightly point out that even phrases such as “we will share your information (…) based on our legitimate business interests” offer too many opportunities for privacy infringement. This, among other worries about the app, has led several countries to consider banning it.

We asked investigative journalist and writer Maria Genova about her vision on TikTok. According to Genova, TikTok is a great tool for mass espionage. Genova says: “There’s a reason several countries have banned it. It’s unbelievable how much information an app like that pulls from your phone. (…) if it’s downloaded massively [in a country], you can observe the entire population and draw conclusions from that.”

Genova is well aware of the latest news surrounding such apps, and writes about them in her new book. “I’m writing [a book] which focuses on malicious apps and you don’t want to know how often an app changes its terms and conditions without anyone noticing. Google removes about 1 million malicious apps every year and those are all apps that were officially downloadable from the Google Play Store. An app can access your entire phone, including all your contacts, without you noticing,” said Genova.

TikTok Grows at an Alarming Rate

Despite the large number of claims made about the dangers of TikTok, the app is growing fast. In the US alone, the number of users is projected to reach 45.4 million by the end of 2020. Worldwide, the estimate is 800 million TikTok users by the end of this year. Expectations are that the number of users will continue to grow in the coming years.

Statista’s projections below show the projected growth of TikTok in the United States until 2024.

[Image: Graph showing the projected growth in the number of active TikTok users in the United States]

Source: Statista

Google users have also become increasingly interested in TikTok since its launch, as their search behavior shows. The image below shows the growing global interest in TikTok based on the number of Google searches, as illustrated by Google Trends. As you can see, there were some spikes in 2019, after which the number of searches grew steadily.

[Image: TikTok search volume on Google Trends]

The peak in search interest in September 2019 could be explained by the fact that, around that time, research showed there was widespread censorship on TikTok which worked in favor of the Chinese government. The platform heavily censored any images of protests in Hong Kong occurring at that time, likely in an attempt to silence the voices of the demonstrators. This was later confirmed by The Guardian.

Currently, established platforms such as Facebook and Instagram still have more search volume than TikTok. However, their search volumes are no longer increasing. They might even be decreasing. Meanwhile TikTok is growing rapidly. If TikTok really poses a substantial privacy risk, which certainly seems to be the case, the widespread use of the app is a major source of concern.

It’s important to note that TikTok’s currently banned in Russia. However, you can still access TikTok using a clever workaround.

TikTok’s Privacy Options

How do users experience TikTok and what information do they consciously share with the app? TikTok users need to create an account to unlock all of the app’s features. The default option is to use your phone number to register, although you can also use an email address. The latter is a slightly safer option when it comes to protecting your privacy, as long as you use an email address that doesn’t reveal your identity.

When TikTok asks whether you want personalized advertisements, your only option is clicking a large button with “accept”. If you don’t want personalized ads, you’ll have to go to your settings and change it there. In practice, many users won’t take the time to do this or even know it’s an option. To top it all off, this specific setting is disabled by default, tempting you to turn it on and making it seem as if you turned it off already. This way, many people will unknowingly allow for their data to be used for personalized ads.

You can’t change many privacy settings

Once you’ve created an account, you’re able to view your limited privacy settings. There are only two settings you can turn on or off. Firstly, there’s the setting described above regarding advertising preferences. Secondly, TikTok has a setting with which users can control their interaction with others.

When you download, install, and use TikTok, you automatically agree to their privacy policy. This policy states that TikTok is allowed to collect all kinds of information about its users without giving them a chance to opt-out. This information includes:

  • Any data users provide to create an account.
  • Information about your use of the app. This includes the videos you watch and which other users you interact with.
  • Data from Facebook, Google, or Twitter (if you create an account via one of those platforms).

It remains unclear where the collected data is saved, what it’s used for, and who does or doesn’t have access to that information. When talking about the purpose of collecting information, the privacy policy merely includes statements such as “improving the user experience” and more uninformative wording.

Access to your camera and microphone

TikTok needs access to your camera and microphone in order to work properly. This might sound logical, since we’re talking about a video app. However, there aren’t any specifications explaining how exactly these permissions are used. Therefore, TikTok could theoretically record conversations and sounds using your microphone, even when you aren’t filming a TikTok video.

Other tech companies have used this technique as well, often resulting in a lot of backlash. Apple’s Siri, for example, kept recording conversations even when it wasn’t supposed to. This speech assistant for the iPhone and iPad therefore listened to more than it was intended to. It interpreted words like “serious” or “series” as “Siri”, seeing those as a reason to wake up and start recording. A seemingly innocent mistake, but one that can lead to the spreading and leaking of extremely sensitive conversations and data.

Whether we’re talking about voice recordings, location data or identity data: the more ambiguities a privacy statement contains, the more possibilities the company has to twist those statements. This strongly increases the chance of privacy infringement.

The Dangers of the TikTok Community

Aside from the privacy concerns surrounding TikTok, there are other threats present on this platform as well. TikTok has hundreds of millions of users, and not all of them have good intentions. Since many of the people who are active on the app are children, this doesn’t bode well. Some of the dangers these young users might encounter are online bullying and harassment.

Justine Pardoen of Bureau Jeugd en Media, a Dutch organization focusing on internet safety for children, names grooming as another risk of TikTok. Online grooming happens when an adult makes contact with a child through digital means, with the intention of meeting that child. It often involves (a wish to engage in) sexual abuse or the production of child pornography.

Finally, there are countless crooks and attempts at fraud on TikTok. This comes with a risk of identity theft, among other things. If you’re a parent who worries about the online safety of their child, you can always consult our guide with tips for protecting your child on the internet.

What We at VPNOverview Think About TikTok

We at VPNOverview are curious to see the future conclusions of ongoing investigations and research about TikTok. Our editors regularly download and use popular applications to test their security and privacy options. We have, for example, also tested dating apps Grindr and Tinder. The current findings and concerns surrounding TikTok are reason enough for us to remove the app from our devices. Whether TikTok’s main target group – young people between 14 and 25 – is sensitive to the privacy concerns that have come to light, remains to be seen.

Cybersecurity analyst
David is a cybersecurity analyst and one of the founders of VPNoverview.com. Since 2014 he has been gaining international experience working with governments, NGOs, and the private sector as a cybersecurity and VPN expert and advisor.