What’s the problem with TikTok? It’s a harder question to answer than it seems. The social video app, which has made the list of socially important social networks alongside Facebook/Instagram, YouTube and Twitter, is often viewed with suspicion, and it’s not hard to see why: the app’s Chinese roots run deep and are the subject of widespread conversation. (ByteDance, which owns TikTok, insists it is headquartered in the Cayman Islands, one of the few instances I’ve seen of a company deciding that loudly announcing that its headquarters are in a tax haven is preferable to the alternative.) But sometimes it can feel like the cart is leading the horse. The app has Chinese roots, hence it has to be suspicious – right?
So I was interested to read a report that tries to investigate the general suspicion of the service. It was released by Australian-American cybersecurity firm Internet 2.0 on Monday and is based on a teardown of TikTok’s Android and iOS apps. The author of the report, Thomas Perkins, writes:
In our analysis, the TikTok mobile application does not prioritize privacy. Collecting permissions and device information is too intrusive and not necessary for the application to work.
It is also worth noting that TikTok IOS 25.1.1 has a server connection to mainland China operated by one of the top 100 Chinese cybersecurity and data companies, Guizhou Baishan Cloud Technology Co GmbH.
Perkins’ report provides a staggering list of data that the TikTok app can access while it’s running, including device location, calendar, contacts, other running apps, Wi-Fi networks, phone number, and even SIM card serial number. He concludes:
For the TikTok application to work properly, most of the access and device data collection is not required. This leads us to believe that the only reason this information was collected is for data collection. It is also worth noting that the device only needs to ask the user for permission to perform each of these actions once and then follow the user’s preferences. However, the application has a culture of constant access or constant requests for a reversal of the user’s decision. The hourly location check is also no longer necessary. Finally, device mapping, access to external storage, data collection from contacts and third-party applications allow TikTok to remap the phone like the original device.
The report’s most alarming finding is this unexplained connection to a server that Perkins locates in mainland China and that is operated by Guizhou BaishanCloud Technology Co Ltd.
When the Guardian asked TikTok about the results, it dismissed the report. It specifically denied the server connection, with a spokesman saying that the IP address listed “is in Singapore, network traffic does not leave the region and implying there is communication with China is categorically wrong.”
“The researcher’s conclusions reveal fundamental misconceptions about how mobile apps work, and by their own admission they do not have the proper testing environment to validate their unsubstantiated claims,” the spokesperson said.
Regarding data collection, the company said: “The TikTok app is not unique in the amount of information it collects, which is less than many popular mobile apps. In accordance with industry practices, we collect information that users voluntarily provide to us and information that helps the app work, work securely, and improve user experience. Also, like our colleagues, we are constantly updating our app to keep up with evolving security challenges and encourage our users to download the latest version of TikTok.”
Here’s the thing: I believe them. The problem with TikTok isn’t its aggressive data collection — or, if it is, it’s not a problem unique to TikTok. Surveillance capitalism is almost a cliché at this point, but download any game from the Android App Store and you’ll find that a similar level of data is collected to power the targeted advertising that monetizes the service.
A significant portion of this data is collected to enable “fingerprinting” – the ability to track users from app to app. That’s what Apple tried to limit when it first started offering users the ability to opt out of tracking across apps by nulling a specific tracking ID — the “IDFA” token — for users who choose to do so. But fingerprinting can quickly get sneaky: I’ve covered attempts to track devices based on the fonts installed on a device, how much battery is left, and even the brightness of the room.
All of this means that if you have an issue with TikTok’s ads and tracking technology, you likely have an issue with the broader software ecosystem in 2022. If the company goes further than its competitors, it gets pushed back: plans earlier this year to target users with personalized ads regardless of their explicit consent were scrapped following an outcry.
There are elements of TikTok tracking that are more unique to the service. Perkins’ report highlights the company’s insistence that users grant access to their contact panel, noting that “if the user denies access, it continually asks for access until the user grants access.” This is part of TikTok’s “growth hacking” approach, a set of policies and approaches aimed at maximizing user acquisition. By getting your contact list, TikTok can recommend that you follow people you know; it can boost its algorithmic personalization by feeding in data about what your friends like; and, in turn, it can increase your friends’ usage of the app by letting them know when a friend has signed up.
None of this is new, but TikTok’s approach to growth hacking is a lot more aggressive than its competitors: no other major app, for example, actively encourages users to follow the friend who sent them a link to a post like TikTok does. But again, the persistent criticism of TikTok is stronger than “it practices growth hacking to an unseemly extent.”
I think the problem TikTok’s critics have is basically that they’re trying to ram a square peg into a round hole. Even if you start from the assumption that a Chinese social media app that’s becoming a major player in American culture is inherently problematic (which isn’t an unreasonable assumption), the problems with that power have nothing to do with the data to which the app has access.
It’s possible to craft a completely wild action movie-style storyline where TikTok’s data could pose a geopolitical hazard to the West. What if, for example, the prime minister’s son posts private videos of his parents’ movements, which can then be analyzed by the People’s Liberation Army to plan a perfect cyberattack? In practice, however, the value of data collection for TikTok is the same as the value for Facebook, Google, and all the other tech giants it faces: It makes the company money.
I don’t want to sound smug. I’ve followed TikTok closely for years, and three years ago shared the story that the company’s moderation policies, written in China, required western teams to censor stories about Tiananmen Square or Tibetan independence. (TikTok said those guidelines were already outdated at the time, and in the years since its approach to political issues has changed a lot.) But since then, I’ve been convinced that finding the hard evidence that will prove that the social video app is a Danger to the West is child’s play.
The problem with TikTok is nothing more and nothing less than the fact that it is a hugely influential and important app owned by a Chinese company. There is no technical data to answer the question of whether this level of social and cultural power “should” reside in the hands of a corporation rooted in a geopolitical adversary.
If you would like to read the full version of the newsletter, please subscribe to TechScape in your inbox every Wednesday.