As the US gets ready to ban TikTok downloads, there is still no proof the app is spying on you for China

Advertisement
As the US gets ready to ban TikTok downloads, there is still no proof the app is spying on you for China
TikTok, the app beloved by Generation Z, might get booted out of the US.Jon Kopaloff/Getty Images
  • The Trump administration is forcing TikTok to sell off its US business by September 15 or else face a ban, accusing it of posing a privacy and national security threat because it is owned by a Chinese company.
  • The administration has explicitly claimed TikTok spies on people but has never offered public evidence.
  • Experts diving through TikTok's code and policies say the app collects user data in a similar way to Facebook and other popular social apps.
  • Google and Facebook by comparison almost certainly hoover up more user data than TikTok through their sprawling number of apps and services — but get less US political scrutiny on privacy.
Advertisement

TikTok, the video-sharing app whose meteoric rise amongst teenage users has made it a challenger to the likes of Facebook, is under siege in the US thanks to its Chinese roots.

On Friday the US Commerce Department announced it is banning all new downloads of the app starting from September 20. This followed the news on Monday that TikTok's parent firm ByteDance is set to sign a deal with US tech giant Oracle. Stopping short of an outright sale, the deal would make Oracle TikTok's "trusted technology provider" in the US, and give it a majority stake in the company.

The Trump administration maintains because TikTok is owned by a Chinese company it poses a security risk, and in July it ran ads claiming TikTok spies on people. Trump cited this in two August executive orders, in which he ordered the company sell off its US operations or else face a ban.

Complimentary Tech Event
Transform talent with learning that works
Capability development is critical for businesses who want to push the envelope of innovation.Discover how business leaders are strategizing around building talent capabilities and empowering employee transformation.Know More

The spying claims hit home for some high-profile users, including online gaming megastar Tyler "Ninja" Blevins who announced he was deleting the app in July over privacy concerns.

But is TikTok actually any worse for snooping in your personal data than social media platforms like Facebook and Google?

Advertisement

According to the experts, evidence suggests the answer is no.

In terms of the data TikTok says it sucks up, it doesn't appear to be any worse than Facebook

Zoé Vilain, chief privacy and strategy officer at privacy app Jumbo told Business Insider that looking at TikTok's privacy policy, it was no more intrusive than Facebook's.

"From what I see from the privacy policy, and in comparison with the privacy policies of Facebook and Instagram, I don't really see much difference.

"Basically they are saying that they are using your usage data, behavior data, preferences, friends, contacts, to provide you with their service, to customize the service, and of course to do targeted advertising [...] this is exactly what Facebook is doing and Instagram is doing too," said Vilain.

As the US gets ready to ban TikTok downloads, there is still no proof the app is spying on you for China
President Donald Trump signed two August executive orders targeting TikTok's parent company ByteDance.REUTERS/Yuri Gripas

Vilain pointed out that the main difference between TikTok and Facebook or Instagram is in the kind of data users are routinely plugging into the app, as TikTok relies on video. "I think the main difference is that people are recording themselves and this is being recorded," she said.

Advertisement

There's also the fact TikTok is popular with younger folks.

"Also it's mainly used by teenagers, who are maybe less aware and less concerned about what they are sharing," Vilain said.

The FTC fined TikTok $5.7 million in February 2019 for inadequately protecting the privacy of its underage users, and on July 7 the agency announced it was looking into allegations that the company continues to violate children's privacy on the app.

In terms of how TikTok handles your data, it doesn't look any more suspicious than other social media

As the reports about the US forcing TikTok to hive off its American business began to swirl in early August, security researcher Baptiste Robert decided to do a deep-dive into what data TikTok sends back to its servers in an attempt to cut through the geopolitical rhetoric.

Reverse-engineering an app like TikTok's is not an easy task, and Robert is publishing a series of posts about his findings.

Advertisement

In his first post, Robert noted that a single report can't be expected to definitively prove whether or not TikTok poses a national security threat given it uses millions of lines of code.

But he also didn't find anything suspicious.

"As far as we can see, in its current state, TikTok doesn't have a suspicious behavior and is not exfiltrating unusual data. Getting data about the user device is quite common in the mobile world and we would obtain similar results with Facebook, Snapchat, Instagram and others," Robert's report concluded.

There are still 'legitimate concerns' around TikTok's lackluster security — but they're not unique

Business Insider spoke to iOS developer Talal Haj Bakry, who in March along with developer Tommy Mysk discovered a security flaw in TikTok which meant it was able to access iPhone users' clipboards without their permission, essentially meaning TikTok could read any text the user has copied.

The researchers noted that this could be as mundane as a shopping list or more serious data like passwords or financial information.

Advertisement

Subsequently, LinkedIn and Reddit's apps were also discovered to be reading iOS users' clipboards, and all three companies have now altered their code after Apple started cracking down on the practice with its iOS 14 update.

A TikTok spokesperson said the reason the app was reading clipboards was to identify "repetitive, spammy behavior," and the company has submitted an update to the App Store getting rid of this feature.

In April Bakry and Mysk also discovered a vulnerability in TikTok which meant users' uploaded videos could be intercepted and even replaced.

This vulnerability was the result of TikTok using insecure HTTP connections to download videos from its servers. "All other social media apps have long made the switch to secure HTTPS for all network connections, in effort to protect user privacy and data integrity.

"Such a basic security failing does not inspire confidence in TikTok's ability in protecting their users' data, and exposes a lax attitude towards security," Bakry said.

Advertisement

A TikTok spokesperson told Business Insider: "TikTok prioritizes user data security and already uses HTTPS across several regions, as we work to phase it in across all of the markets where we operate."

Bakry thinks TikTok's Chinese roots could be part of the reason it's playing catch-up on security.

"What makes TikTok stand out are the differing data privacy laws and security standards between China and other parts of the world. In the US and Europe, there are various laws and regulations in place to protect end-user privacy," Bakry said. "China is only recently catching up in creating data privacy laws, but it remains to be seen how effective these new laws will be when put in practice."

Bakry said there are "definitely legitimate concerns" around TikTok's security. "Whether it's intentional or merely the result of move-fast-and-break-things, the inadequate security of social media apps can pose a serious threat. These apps collect massive amounts of data from their users, and they become prime targets for bad actors seeking to steal information," he said.

Vilain agreed that regardless of whether the vulnerability was left open as a backdoor or the result of shoddy security. "Whatever the reason for this, if you're not securing the collection of data of course it's a threat and it's a violation of the GDPR for example in the European Union, and they should do something about this," she said.

Advertisement

TikTok has tried to distance itself from its Chinese roots

Regardless of whether TikTok's app is technically more invasive or insecure than any other social media app, the Trump administration's argument hinges on the idea that private companies in China can be turned into proxies for the Chinese government.

As scrutiny around the app built up earlier this year, TikTok desperately tried to shake off the idea that it's a Chinese company. In May 2020 the company hired an American CEO called Kevin Mayer, formerly a Disney streaming executive. Mayer left the role in August, citing a changing "political environment."

TikTok itself isn't present in China, but is the international twin of its sister app Douyin, which does operate in China.

TikTok has always maintained it doesn't store any user data on Chinese servers, although this was contested in a December 2019 lawsuit filed by a user. ByteDance's head of security said in an interview this means it would be impossible for China to compel the company to hand over user data because it falls under US jurisdiction.

In July, TikTok announced it was withdrawing operations from Hong Kong alongside a slew of US tech companies following the implementation of China's sweeping new national security laws in the region. Some critics said the withdrawal smacked of a PR move, given that sister app Douyin is more popular in Hong Kong than TikTok.

Advertisement

ByteDance has found itself caught between Washington and Beijing during its negotiations. China has decried the Trump administration's attempt to force a sale of TikTok's US operations, and in late August threw a spanner into negotiations by placing strict new export restrictions which affected TikTok's highly sought-after recommendation algorithm.

{{}}