There is still no proof TikTok is spying on you for China
- The Trump administration is forcing TikTok to sell off its US business by September 15 or else face a ban, accusing it of posing a privacy and national security threat because it is owned by a Chinese company.
- The administration has explicitly claimed TikTok spies on people but has never offered public evidence.
- Experts diving through TikTok's code and policies say the app collects user data in a similar way to Facebook and other popular social apps.
- Google and Facebook by comparison almost certainly hoover up more user data than TikTok through their sprawling number of apps and services - but get less US political scrutiny on privacy.
- Visit Business Insider's homepage for more stories.
TikTok, the video-sharing app whose meteoric rise amongst teenage users has made it a challenger to the likes of Facebook, is under siege in the US thanks to its Chinese roots.
After months of sustained political pressure from lawmakers and US President Trump, TikTok's parent firm ByteDance is now in talks with Microsoft (and reportedly other US bidders) to sell its US business.
And in the background, the Trump administration has threatened to ban TikTok altogether, has run ads claiming it spies on people, and also demanded that the US Treasury get a big cut of any sale of the app.
The spying claims have hit home for some high-profile users, with online gaming megastar Tyler "Ninja" Blevins announcing he was deleting the app in July over privacy concerns.
But is TikTok actually any worse for snooping in your personal data than social media platforms like Facebook and Google?
According to the experts, evidence suggests the answer is no.
In terms of the data TikTok says it sucks up, it doesn't appear to be any worse than Facebook
"Basically they are saying that they are using your usage data, behavior data, preferences, friends, contacts, to provide you with their service, to customize the service, and of course to do targeted advertising [...] this is exactly what Facebook is doing and Instagram is doing too," said Vilain.
Vilain pointed out that the main difference between TikTok and Facebook or Instagram is in the kind of data users are routinely plugging into the app, as TikTok relies on video. "I think the main difference is that people are recording themselves and this is being recorded," she said.
There's also the fact TikTok is popular with younge rpeople.
"Also it's mainly used by teenagers, who are maybe less aware and less concerned about what they are sharing," Vilain said.
The FTC fined TikTok millions in February 2019 for inadequately protecting the privacy of its underage users, and on July 7 the agency announced it was looking into allegations that the company continues to violate children's privacy on the app.
In terms of how TikTok handles your data, it doesn't look any more suspicious than other social media
As the reports about the US forcing TikTok to hive off its American business began to swirl in early August, security researcher Baptiste Robert decided to do a deep-dive into what data TikTok sends back to its servers in an attempt to cut through the geopolitical rhetoric.
Reverse-engineering an app like TikTok's is not an easy task, and Robert is publishing a series of posts about his findings.
In his first post, Robert noted that a single report can't be expected to definitively prove whether or not TikTok poses a national security threat given it uses millions of lines of code.
But he also didn't find anything suspicious.
"As far as we can see, in its current state, TikTok doesn't have a suspicious behavior and is not exfiltrating unusual data. Getting data about the user device is quite common in the mobile world and we would obtain similar results with Facebook, Snapchat, Instagram and others," Robert's report concluded.
There are still 'legitimate concerns' around TikTok's lacklustre security
Business Insider spoke to iOS developer Talal Haj Bakry, who in March along with developer Tommy Mysk discovered a security flaw in TikTok which meant it was able to access iPhone users' clipboards without their permission, essentially meaning TikTok could read any text the user has copied.
The researchers noted that this could be as mundane as a shopping list or more serious data like passwords or financial information.
Subsequently LinkedIn and Reddit's apps were also discovered to be reading iOS users' clipboards, and all three companies have now altered their code after Apple started cracking down on the practice with its iOS 14 update.
A TikTok spokesperson said the reason the app was reading clipboards was to identify "repetitive, spammy behavior," and the company has submitted an update to the App Store getting rid of this feature.
In April Bakry and Mysk also discovered a vulnerability in TikTok which meant users' uploaded videos could be intercepted and even replaced.
This vulnerability was the result of TikTok using insecure HTTP connections to download videos from its servers. "All other social media apps have long made the switch to secure HTTPS for all network connections, in effort to protect user privacy and data integrity.
"Such a basic security failing does not inspire confidence in TikTok's ability in protecting their users' data, and exposes a lax attitude towards security," Bakry said.
A TikTok spokesperson told Business Insider: "TikTok prioritises user data security and already uses HTTPS across several regions, as we work to phase it in across all of the markets where we operate."
Bakry thinks TikTok's Chinese roots could be part of the reason it's playing catch-up on security.
"What makes TikTok stand out are the differing data privacy laws and security standards between China and other parts of the world. In the US and Europe, there are various laws and regulations in place to protect end-user privacy," Bakry said. "China is only recently catching up in creating data privacy laws, but it remains to be seen how effective these new laws will be when put in practice."
Bakry said there are "definitely legitimate concerns" around TikTok's security. "Whether it's intentional or merely the result of move-fast-and-break-things, the inadequate security of social media apps can pose a serious threat. These apps collect massive amounts of data from their users, and they become prime targets for bad actors seeking to steal information," he said.
Vilain agreed that regardless of whether the vulnerability was left open as a backdoor or the result of shoddy security. "Whatever the reason for this, if you're not securing the collection of data of course it's a threat and it's a violation of the GDPR for example in the European Union, and they should do something about this," she said.
TikTok has tried to distance itself from its Chinese roots
Regardless of whether TikTok's app is technically more invasive or insecure than any other social media app, the Trump administration's argument hinges on the idea that private companies in China can be turned into proxies for the Chinese government.
As scrutiny around the app has built up, TikTok has desperately tried to shake off the idea that it's a Chinese company.
"TikTok is led by an American CEO, with hundreds of employees and key leaders across safety, security, product, and public policy here in the US. We have no higher priority than promoting a safe and secure app experience for our users. We have never provided user data to the Chinese government, nor would we do so if asked," a TikTok spokesperson told Business Insider.
TikTok itself isn't present in China, but is the international twin of its sister app Douyin, which does operate in China.
TikTok has always maintained it doesn't store any user data on Chinese servers, although this was contested in a December 2019 lawsuit filed by a user. A TikTok spokesperson told Business Insider the app's data is stored on servers in the US with backups in Singapore.
In May 2020 the company also hired a new American CEO called Kevin Mayer, formerly a Disney streaming executive.
In July, TikTok announced it was withdrawing operations from Hong Kong alongside a slew of US tech companies following the implementation of China's sweeping new national security laws in the region.
Some critics said the withdrawal smacked of a PR move, given that sister app Douyin is more popular in Hong Kong than TikTok.
Nonetheless the Trump administration seems determined to make an example out of TikTok, and its parent company seems to be losing hope it can convince the US to leave it alone.
ByteDance's CEO Zhang Yiming told employees in an internal letter he believes Trump's "real objective" is to force a ban, rather than force a sale to Microsoft or any other American company.
US actions have also angered China's state media, who argue the US is trying to brazenly steal a successful Chinese company.
"China will by no means accept the 'theft' of a Chinese technology company, and it has plenty of ways to respond if the administration carries out its planned smash and grab," the state-owned China daily wrote in an editorial.
Receive a daily update on your cellphone with all our latest news: click here.
Get the best of our site emailed to you daily: click here.
Also from Business Insider South Africa: