University of Surrey’s Prof Alan Woodward discusses the ongoing concerns about TikTok’s use or misuse of users’ data, and considers whether all social media apps should be treated with the same suspicion.
The social media app TikTok has been the focus for concerns that the Chinese government could access data on individual users. Whether the app poses a security risk remains unclear, but TikTok has now been banned from government devices in several countries.
However, reports suggest that computer-based tools designed to collect data from publicly available sources can also collate extensive information on TikTok users – as well as those on other networking apps. These Open-Source Intelligence (OSINT) tools need no special access to apps. This raises questions that apply to all forms of social media.
In 2015, on a visit to the UK, President Xi Jinping of China said: “The Chinese government supports Chinese companies in going global. But we believe that this process should be market oriented, with companies being the main driver.”
The following year, the Beijing-based private company ByteDance launched a video sharing app called Douyin. For users outside China they created TikTok in 2017.
To ensure its place in global markets, ByteDance didn’t simply take the Douyin app and reconfigure it for the 40 languages it now supports. Instead, the company paid nearly US$1 billion for a business called Musical.ly, set up in 2014.
Although based in Shanghai, Musical.ly already had an office in California. By conducting the merger in late 2018, and retaining the TikTok name, ByteDance quickly increased the rate at which their app was downloaded. By the end of 2018, TikTok was one of the most downloaded apps in the world.
You might be forgiven for thinking this was yet another classic piece of corporate engineering resulting in an internet sensation. However, some governments in Europe and North America seem to think that TikTok is more than a simple commercial enterprise.
Shifting geopolitics
TikTok has been a lightning rod for a shift in sentiment that has seen the UK, EU, Canada and the US ban the app from government devices on grounds of security.
TikTok narrowly missed being banned completely from the US in 2020 by then president, Donald Trump. That threat has now been revived under the Biden administration.
Much of the worry about TikTok is fuelled by Chinese government legislation compelling companies based in the country to co-operate with state authorities as required.
It’s an open question whether TikTok is really a security risk; it could also be a company caught in the crossfire of tensions between countries.
Security concerns were supported by a report in 2022 from cyber security firm Internet 2.0. Their investigations appeared to show that TikTok was capturing data with the potential to be useful, should someone wish to build a profile of the user.
This would have remained a purely theoretical threat if the data were not being passed back to China. For a long time, TikTok insisted any data collected by their servers could not be accessed by anyone in China.
In November 2022, the company changed its privacy policy. It now said staff in China could access data. In fact, it went further, stating that European users’ data was accessible to TikTok staff in Brazil, Canada, Israel, the US and Singapore. This did little to help quell security concerns.
ByteDance has responded to recent bans by saying it has not provided user data to the Chinese government. It also claims that its data collection practices align with those of other social media companies.
Code analysis
Two further reports by highly respected research groups at Citizen Lab and the Georgia Institute of Technology set out to resolve whether TikTok was a threat to national security, or to users in general.
A detailed analysis of the code in the app found that TikTok was based on Douyin, the version for Chinese users, which has features that make it compliant with Chinese censorship regulations.
This common code appears to be customised to fit different global requirements. Citizen Lab reported: “The end result of customising the common code base seems to create a product that largely follows international industry norms, as we have not found any undesirable features like the ones in Douyin, nor strong deviations of privacy, security and censorship practices when compared to TikTok’s competitors, like Facebook.”
This suggests that TikTok, as supplied to global markets, is no worse in terms of harvesting user data than other social media platforms. The conclusions of the Georgia Tech report were similar, noting that China’s government didn’t need special legal powers over ByteDance to gain access to data, as so much is offered up freely.
Any OSINT tool could be used to gather user data, whether or not the service provider cooperates. These tools can be used, for example, to collate a list of followers for an individual user. In certain cases, they can access even more personal information, such as an email address for a given profile.
Purpose unclear
Companies like Facebook are generally clear as to why they gather your data: they use information to sell advertising. The question then is, what is the real intention behind TikTok gathering user data?
The Citizen Lab report noted a lingering doubt that dormant features written for Douyin but not used in TikTok could be enabled by TikTok’s computer servers. The facts suggest that TikTok could scoop up your data, but there’s no evidence they actively do so.
An equally pertinent concern is how social media companies filter information presented to you. So-called “shadow-banning” – excluding users from people’s feeds because the company dislikes what they say – is increasingly common.
As tensions between various countries rise, China, US and Europe included, it’s difficult not to conclude that the main drivers behind some TikTok bans relate to wider geopolitical concerns.
In many ways this is irrelevant when it comes to the security of government smartphones and other technology. Putting aside motivation for a moment, the fact that all platforms can potentially access information that should remain private suggests to me that every social media app should be banned from official devices.
Professor Alan Woodward works in the Department of Computer Science at the University of Surrey. He is an internationally renowned computer security expert with particular expertise and current research interests in cyber security, covert communications, forensic computing and image/signal processing.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.