Social media app TikTok has been found to collect “excessive” amounts of user data, according to a new study of the app’s source code.
Canberra-based cybersecurity firm Internet 2.0 delivered a shocking white paper, which has been sent to Australian and US lawmakers. The study found that TikTok, which is owned by Chinese company ByteDance, is constantly tracking user location, accessing user contacts, maps all running and installed apps, calendars and external storage.
TikTok recently admitted that certain staffers in China can access all this data. While Australian staff at TikTok have vehemently denied they would ever hand over private data to Chinese authorities, workers in Mainland China may not have this luxury.
China’s National Intelligence Law of 2017 requires them to “support, assist and co-operate with the state intelligence work”.
The Internet 2.0. white paper outlines the dangers of this data collection, revealing the iOS version of the app “had a server connection to mainland China.”
“The TikTok mobile application has been built with a culture that does not place privacy as a principle as most of the permissions and device information being collected are above necessary for the application to function,” the report said.
“During analysis we could not determine with high confidence the purpose for the connection or where user data is stored. The China server connection is run by Guizhou Baishan Cloud Technology, a cloud and cybersecurity company. The subdomain connected to the China server connection resolved in multiple locations around the world including in China,” Internet 2.0 said.
“The IP address resolving to locations records in China regularly changed, however, connectivity to Guizhou was visible across a number different IP addresses. This was confirmed through the use of a number of security products and methods, including virus total, Metasploit, security trails and sandboxing.”
TikTok is also relentless with its access requests, to calendars, external storage, GPS locations, and other sensitive information.
“It is normal for an application to initially request access to contacts but TikTok’s persistent, endless harassment for user contacts access is abnormal,” the report said.
“It reflects a culture that does not prioritise privacy or a user’s preferences for privacy.”
The requests for external storage are standard, concedes the report, but “the aspect we list as excessive is TikTok doesn’t just retrieve the ability to see folders, it retrieves a list of everything available in the external storage folder.”
TikTok claims the data it collects is no more excessive than other social media platforms, and that this sensitive information is kept on servers outside of China.
“TikTok user data is stored in Singapore and the US, and we have been clear and vocal about employing access controls like encryption and security monitoring to secure user data, with the access approval process overseen by our US-based security team,” TikTok said.
”We continually encourage legitimate researchers to help validate our security standards.”
This paper comes as TikTok announced the replacement of its global head of security, Roland Cloutier, with Kim Albarella appointed to serve as interim head of TikTok’s Global Security Organisation.
“Part of our evolving approach has been to minimise concerns about the security of user data in the US, including the creation of a new department to manage US user data for TikTok,” Chief Executive Officer Shou Zi Chew and ByteDance Vice President of Technology Dingkun Hong said in a statement.
“This is an important investment in our data protection practices, and it also changes the scope of the Global CSO role.”
The focus on US security is a result of Republican senators claimed TikTok and ByteDance “are using their access to a treasure trove of US consumer data to surveil Americans”, practices which “unfortunately extend beyond consumer data into the national security space.”
“TikTok’s response confirms our fears about the CCP’s influence in the company were well founded,” Republican Senator Marsha Blackburn of Tennessee told Bloomberg.
“The Chinese-run company should have come clean from the start, but it attempted to shroud its work in secrecy. Americans need to know if they are on TikTok, Communist China has their information.”
Australian Senators are no less worried, calling for a crackdown.
“It was already worrying enough to recently learn user data is being accessed in mainland China,” Liberal Senator James Paterson said.
“It is frankly alarming to discover exactly what data is being collected from TikTok users, and how much of it is unnecessary.
“It’s hard to think of an innocent reason excessive data is being collected especially given it is obtainable by the Chinese government.
“The Albanese government must stop sitting on its hands and act to protect Australians cybersecurity and privacy.”
—
Ironically, TikTok is also being accused of destroying data that could prove vital in prosecuting war criminals.
Lawyers trying to gather evidence of war crimes in Ukraine have been hampered by TikTok’s practice of deleting “nearly 90 per cent” of videos deemed “inappropriate” before they hit the platform. This is effectively erasing evidence.
“How will investigators request information if they don’t know it ever existed?” international criminal lawyer Raquel Vázquez Llorente told the Financial Times.
“This can have a catastrophic effect for justice for human rights abuses.”
TikTok said it has preserved any Ukraine war posts, and will comply with law enforcement requests.
“We have data preservation policies in place relating to the war in Ukraine, and we stand ready to respond to requests from the International Criminal Court or other relevant law enforcement agencies, in line with our publicly available Law Enforcement Guidelines, which reflect international legal norms,” a TikTok spokesperson said.
The ICC’s data analysis chief David Hasman told the Financial Times that TikTok’s Chinese ownership is itself a roadblock.
“The way that TikTok stores data is much different, and where they store their data, in which countries, obviously is also a lot different,” Hasman said.
“I would say it’s probably one of the biggest challenges.”
