By Shelly Banjo, Kartikay Mehrotra and William Turton
TikTok has become one of the world’s most popular apps by serving up a steady beat of lip-syncing videos and viral memes. But behind the scenes the company, owned by one of China’s biggest tech firms, is also scooping up massive amounts of data on Americans and tracking users’ every move.
Security researchers say TikTok’s information-collection practices are consistent with Facebook Inc., Google and other U.S. tech companies looking to tailor ads and services to their users. The bigger issue lies in what TikTok does with the intel it gathers. Some groups, like the Democratic and Republican national committees and Wells Fargo & Co., have discouraged or banned people from using the app.
“The problem here is not the quantity of data that’s being collected, but rather who else can access it. And those problems exist on the end of data transmission that no one but TikTok can see,” said Oded Vanunu, head of products vulnerability research at Check Point Software Technologies Ltd., who discovered a security hole in the app last year that has since been resolved.
There’s little doubt the backlash against TikTok stems in part from the ongoing economic and political rivalry between Washington and Beijing. When U.S. President Donald Trump and Secretary of State Michael Pompeo said that they were considering banning the app last week, both indicated such a move would be one way to retaliate against China over its handling of the coronavirus.
The company, part of ByteDance Ltd. and incorporated in the Cayman Islands, has consistently denied that it hands over data to Beijing and has taken measures to try to distance itself from its Chinese roots. ByteDance is considering changing TikTok’s corporate structure to include a new management board and a separate global headquarters, people familiar with the plans said last week. In June, former Walt Disney Co. executive Kevin Mayer became TikTok’s first American chief executive officer.
US officials haven’t provided any proof publicly that TikTok is sharing information with the Chinese government. The company says American user data is stored in servers in the U.S. and Singapore, not China.
Another reason why TikTok prompts more concern than other social media sites is that the app, which counts more than 2 billion users worldwide including 165 million American users, has attracted a large proportion of young people.
TikTok starts collecting data the minute you download the app, according to researchers. It tracks the websites you’re browsing and how you type, down to keystroke rhythms and patterns, according to the company’s privacy policies and terms of service. The app warns users it has full access to photos, videos and contact information of friends stored in the device’s address book, unless you revoke those permissions.
Even when you’re not singing and dancing around your living room, the app tracks everywhere you go using your IP address and GPS coordinates, providing the app with your precise location while working, voting, attending protests, traveling, or simply picking up milk from the grocery store. You can disable all GPS collection on your devices, but, in some cases, that would shut off access to apps that need location data to function, like Google Maps.
Devices running Apple Inc.’s iOS block TikTok from tracking web browsing and keystrokes done on other apps. Although this monitoring still happens inside the TikTok app on iPhones. Apple’s operating system also requires apps to ask permission to access user photos, videos and contacts, and users can choose to share their location just once, only while using an app, or never.
Once you use TikTok for a few days, the app has a good idea of what you look like, how you hold your phone, who your friends are, what videos you like to watch, what topics you’re interested in and what websites you visit. It reads the messages you compose and exchange on the app. TikTok can then match this data to other information collected about users from third-party services and publicly available sources.
TikTok’s iPhone version verifies users and their devices using an authentication tool researchers have identified as vulnerable to a malicious cyber attack, according to a report by cybersecurity firm Zimperium Inc. TikTok hasn’t been used as a platform to launch such an attack, according to ZecOps, a sister company to Zimperium.
American tech companies have also been accused of bending data privacy rules to enhance information gathering. In June, Google was sued for illegally collecting users’ browser history even when set to ‘incognito mode,’ a claim it denies.
“We know that Google and Facebook collect a lot of the same data, but they use it to make more money,” said Kirsten Martin, professor of technology ethics at the University of Notre Dame’s Mendoza College of Business. “The problem lies in not knowing what TikTok is doing with the data, if they are manipulating it and whether the data is going into the hands of an adversary.
Most recently, researchers found that TikTok had access to the words and images users had cut and paste on their devices, whether it was an innocuous shopping list or sensitive passwords. Researchers identified 56 other apps doing the same thing, including AccuWeather and The New York Times. TikTok has said it has since disabled the function on iOS.
“TikTok collects much less U.S. user information than many of the companies in our space and stores it in the U.S. and Singapore,” a company spokesman said. “We have not, and would not, give it to the Chinese government.”
The ability to track a person’s every move and assemble a behavioral profile is a key reason the Pentagon warned U.S. military personnel in January to delete TikTok from their phones. That precise data could be deadly in the wrong hands, said Republican Senator Josh Hawley, who has introduced a bill to ban TikTok on all government-issued devices.
Amazon.com Inc. last week sent a notice to employees to delete TikTok, but later said the email was sent in error. TikTok was also among the dozens of apps from Chinese companies banned by India last month over security and privacy concerns.
ByteDance is already under a U.S. national security review for its 2017 acquisition of Musical.ly, a startup it later merged with TikTok. Critics say the app could be used for foreign influence campaigns and that it censors videos in line with Beijing’s priorities. TikTok’s data practices are also the subject of inquiries by the U.S. Federal Trade Commission, the U.S. Department of Justice and at least two class action suits.
Experts question why TikTok would be treated any differently than any other company expected to give Beijing whatever data it asks for, as required by China’s cybersecurity laws.
“At the end of the day TikTok is a Chinese company,” said Kiersten Todt, a former Obama administration official and resident scholar at the University of Pittsburgh Institute for Cyber Law, Policy and Security.
And in any case, TikTok doesn’t necessarily have to hand over data to Beijing for China to gain access to it, Todt said. U.S. intelligence officials have documented decades of Chinese espionage, including a massive 2017 hack of U.S. credit reporting agency Equifax and the personal data of about 145 million Americans, she said. “The prevalence and saturation of TikTok gives the Chinese government tremendous access.”