What’s the problem with TikTok? It’s a harder question to answer than it seems. The social video app, which has joined Facebook/Instagram, YouTube and Twitter in the list of societally important social networks, is frequently spoken about with an air of suspicion, and it’s not hard to guess why: the app’s Chinese roots loom large in the conversation. (ByteDance, which owns TikTok, insists that it is headquartered in the Cayman Islands, one of the only instances I’ve seen of a company deciding that loudly proclaiming its paper HQ is located in a tax haven is preferable to the alternative). But sometimes, it can feel like the cart leading the horse. The app has Chinese roots, therefore it must be suspicious – right?
So I was interested to read a report that attempts to look at the general suspicion of the service. Published on Monday by the Australian-US cybersecurity firm Internet 2.0, it is based on a teardown of TikTok’s Android and iOS apps. The report’s author, Thomas Perkins, writes:
In our analysis, the TikTok mobile application does not prioritise privacy. Permissions and device information collection are overly intrusive and not necessary for the application to function.
Also of note is that TikTok IOS 25.1.1 has a server connection to mainland China which is run by a top 100 Chinese cyber security and data company Guizhou Baishan Cloud Technology Co Ltd.
Perkins’ report offers a dizzying list of data the TikTok app can access while it’s running, including the device location, calendar, contacts, other running applications, wi-fi networks, phone number and even the SIM card serial number. He concludes:
For the TikTok application to function properly, most of the access and device data collection is not required. This leads us to believe that the only reason this information has been gathered is for data harvesting. It is also notable that the device only needs to ask the user for permission to perform each of these actions once and then follow the user’s preferences. The application however has a culture of persistent access or continuously asking for a decision reversal by the user. The hourly checking of location is also unnecessary. Finally, device mapping, external storage access, contacts and third-party applications data collection allows TikTok the ability to reimage the phone in the likeness of the original device.
The most alarming finding in the report is that unexplained connection to a server that Perkins locates in mainland China, run by Guizhou BaishanCloud Technology Co Ltd.
When the Guardian asked TikTok about the findings, it dismissed the report. The server connection it specifically rejected, with a spokesman saying that the IP address listed “is in Singapore, the network traffic does not leave the region, and it is categorically untrue to imply there is communication with China.
“The researcher’s conclusions reveal fundamental misunderstandings of how mobile apps work and, by their own admission, they do not have the correct testing environment to confirm their baseless claims,” the spokesperson said.
On data collection, the company said: “The TikTok app is not unique in the amount of information it collects, which is less than many popular mobile apps. In line with industry practices, we collect information that users choose to provide to us and information that helps the app function, operate securely, and improve the user experience. Also, like our peers, we constantly update our app to keep up with evolving security challenges and encourage our users to download the most current version of TikTok.”
Here’s the thing: I believe them. The problem with TikTok is not its aggressive data collection – or, if it is, it’s not a problem unique to TikTok. Surveillance capitalism is almost a cliche at this point, but download any random game from the Android App Store and you’ll find a similar level of data being harvested in order to enable the targeted advertising that monetises the service.
A significant chunk of this data is collected to enable “fingerprinting” – the ability to track users from app to app. That’s what Apple tried to cut down on when it started offering users the ability to opt-out of being tracked across apps, by setting one specific tracking ID – the “IDFA” token – to zero for users who request it. But fingerprinting can get sneaky, fast: I’ve covered attempts to track devices using the fonts installed on a device, the remaining battery, and even how bright the room is.
All of this is to say that if you have a problem with TikTok’s ad and tracking tech, you probably have a problem with the wider software ecosystem in 2022. When the company does go further than its peers, it gets pushback: plans from earlier this year to target users with personalised adverts regardless of explicit consent were scrapped following outcry.
There are elements of TikTok’s tracking that are more unique to the service. Perkins’ report highlights the company’s insistence that users provide access to their contacts field, noting that “if the user denies access, it continuously requests for access until the user gives access.” This is part of TikTok’s “growth hacking” approach, a set of policies and approaches geared towards maximising user acquisition. By receiving your contacts list, TikTok can recommend you follow people you know; can kickstart its algorithmic personalisation by feeding in data about what your friends like; in turn, it can boost your friends’ use of the app by letting them know when a pal has signed up.
None of this is new, but TikTok’s approach to growth hacking is quite a bit more aggressive than its peers: no other major app, for instance, actively encourages users to follow the friend who sent them a link to a post, as TikTok does. Again, though, the persistent criticism of TikTok is rather stronger than “it practices growth hacking to an extent that is unseemly”.
I think the problem TikTok’s critics have is fundamentally one of trying to ram a square peg into a round hole. Even if you start from the assumption that a Chinese social media app becoming a major player in American culture is inherently problematic – which isn’t an unreasonable assumption – the problems with that power aren’t to do with the data the app has access to.
It’s possible to draw up totally wild, action movie-style plot where TikTok’s data could pose a geopolitical risk to the west. What if, say, the prime minister’s son takes to posting private videos of his parents’ movements that can then be analysed by the People’s Liberation Army to set up a perfect cyberattack? In practice, though, the value of data harvesting to TikTok is the same as the value to Facebook, Google and all the other tech giants that it sits alongside: it makes the company money.
I don’t mean to sound blase. I’ve covered TikTok closely for years, and broke the story three years ago that the company’s moderation guidelines, written in China, required western teams to censor stories about Tiananmen Square or Tibetan independence. (TikTok said at the time that those guidelines were already out of date, and in the years since, its approach to political topics has changed greatly.) But since then, I’ve become convinced that looking for the smoking gun that will prove the social video app is a danger to the west is a fool’s errand.
The problem with TikTok is no more and no less than the fact that it is a tremendously influential and important app, owned by a Chinese company. There is no technical data that will answer the question of whether that level of social and cultural power “should” be in the hands of a company with roots in a geopolitical opponent.
If you want to read the complete version of the newsletter please subscribe to receive TechScape in your inbox every Wednesday.