TikTok, the video-sharing platform owned by the Chinese social media giant ByteDance, is one of the most popular social media services in the world, with an estimated 800 million users. However, its zealous data collection, use of Chinese infrastructure, and its parent company’s close ties to the Chinese Communist Party make it a perfect tool for massive surveillance and data collection by the Chinese government.
How much user data does TikTok collect?
- IP address
- Browsing history (i.e., the content you viewed on TikTok)
- Mobile carrier
- Location data if you are using a mobile device (including GPS coordinates and WiFi and mobile cell data)
- Info on the device you used to access TikTok (for Android devices, this includes your IMEI number, which is essentially your device’s fingerprint so it can be identified, and potentially your IMSI number, which is used to track users from one phone to another)
To open an account, you must enter a phone number or email and your date of birth. Once you have created an account, TikTok asks your permission for access to your social media accounts (like Twitter, Instagram, Facebook, etc.), your phone’s contact list, and GPS data.
Once you start using the app, TikTok logs details about:
- Every video you upload
- How long you watch videos
- Which videos you like
- Which videos you share
- Any messages you exchange in the app
Finally, if you buy coins, the in-app currency you can use to support your favorite video creators, TikTok will store your payment information.
According to TikTok, if you delete your account, the company will delete your account data, videos, and information within 30 days. This claim is impossible to independently verify, as is the case with most social media companies.
TikTok faces multiple class-action lawsuits in the US
On November 27, 2019, a group of TikTok users in California filed a class action lawsuit against TikTok and ByteDance, saying the TikTok app “includes Chinese surveillance software.” The lawsuit claims TikTok collects all videos shot on the app, even if the videos are not published or even saved. The lawsuit goes on to allege that TikTok uses the videos and photos users upload to collect biometric data (such as face scans) without user permission and that even after you close the app, TikTok continues to collect biometric data.
This lawsuit also alleges that TikTok surreptitiously sends user data to China, something we will address below.
There is a similar class action lawsuit from users in Illinois. This suit also alleges that TikTok uses facial recognition technology and AI to collect users’ facial geometry without informing their users. Illinois has a strict law that requires companies to receive consent before they collect any biometric data.
Does TikTok share data with the Chinese government?
What distinguishes TikTok from other social media giants is that it is owned and operated by a Chinese company. ByteDance, the company that owns TikTok, is headquartered in Beijing and is worth over $100 billion. Chinese domestic laws and regulations, along with internal party politics, can make it hard to parse whether a company is independent or coordinating with the Chinese Communist Party.
Even if ByteDance wanted to resist Chinese Communist Party control, it would have little real prospect of doing so. China’s National Intelligence Law, passed in 2017, allows the government to compel any Chinese company to provide practically any information it requests, including data on foreign citizens. Furthermore, Chinese laws also can force these requests to be kept secret and not disclosed via transparency reports. The lack of an independent judiciary system makes it almost impossible for a company to appeal a request from the Chinese government. On top of that, Chinese companies of any real size are legally required to have Communist Party “cells” inside them to ensure adherence to the party line.
However, there is little evidence ByteDance wants to resist the Chinese government. In fact, there are numerous examples that it is complicit in the Chinese Communist Party’s authoritarian policies. In 2018, ByteDance shut down Neihan Duanzi, a Chinese social media platform that was primarily used to share jokes and comedy, after state censors accused it of hosting “vulgar” content. Afterward, ByteDance said that it would “deepen cooperation” with the Chinese communist party. It then hired 2,000 more “content reviewers” and stated that “strong political sensitivity” would be an asset for the position.
Additionally, a white paper by the cybersecurity firm Penetrum found that over one-third of the IP addresses the TikTok APK connects to are based in China. The majority of these IP addresses are hosted by Alibaba, another Chinese tech giant. These IP addresses are what led to the allegations in the California lawsuit that TikTok secretly sends data to China. According to the Penetrum report, “TikTok does an excessive amount of tracking on its users and that the data collected is partially if not fully stored on Chinese servers with the ISP Alibaba.”
Alibaba works closely with the Chinese Communist Party and supports its invasive surveillance and censorship. It has a police post at its headquarters to facilitate data sharing with authorities and developed a popular Chinese propaganda app.
The Chinese government has long used the data it collects from Chinese tech companies to monitor, censor, and control its citizens. The all-seeing surveillance system they have created to monitor Uyghurs in Xinjiang is just one example. It also maintains an Orwellian “blacklist” that the government uses to prevent over 13 million “untrustworthy” citizens from purchasing plane or train tickets. One can only imagine what the Chinese government would do if it were able to extend its data collection beyond its borders.
TikTok and censorship
There are also concerns that the Chinese government and ByteDance are using TikTok as a tool to extend China’s censorship. American employees reported to the Washington Post that they were pressured by administrators in Beijing to restrict any political content.
The Guardian reported on TikTok guidelines that require moderators to block videos that “distort” historic events, such as “Tiananmen Square incidents.” In one example, a teenage girl from Florida had her account shut down after she brought attention to the plight of the Uyghurs, a Muslim minority in China. (TikTok later reinstated her, claiming her ban was an error.)
Is TikTok secure?
In December 2019, the cybersecurity researchers at Check Point Research discovered multiple vulnerabilities, including ones that would allow attackers to delete user videos, make hidden videos public, or upload unauthorized videos. The researchers worked with the TikTok team, and they say that these vulnerabilities have now been resolved.
In April 2020, security researchers discovered that some versions of the TikTok app for Android and iOS rely on HTTP connections. By not using HTTPS, TikTok makes it easy for attackers to monitor user activity and even alter the videos the user sees without their knowledge.
TikTok says a fix is already underway, but this certainly isn’t a strong track record when it comes to security.
TikTok and children
Given the demographics of TikTok users and the amount of data TikTok collects, the company has faced criticism for collecting data from children. In February 2019, Musical.ly, the Chinese social media app that ByteDance bought and then merged with TikTok, paid a $5.7 million fine to the FTC to settle allegations that it violated the Children’s Online Privacy Protection Act (COPPA) by letting children under 13 sign up to its platform without their parents’ consent.
In May 2020, 20 advocacy groups alleged that TikTok is still violating COPPA. They said the company never deleted the personal information it collected from children under 13 prior to the 2019 FTC settlement, is still not obtaining parents’ consent before collecting children’s personal info, and does not allow parents to review or delete the personal information it collects from their children.
Scrutiny of TikTok increases
Since February, politicians in Australia have been calling for greater scrutiny of the company’s data collection and possible censorship. On June 29, the Indian government banned TikTok, along with over 50 other Chinese apps. And now, the US government is also weighing whether they should impose a ban on the app.
As one US lawmaker said to the Wall Street Journal, “all it takes is one knock on the door of their parent company [ByteDance], based in China, from a Communist Party official for that data to be transferred [from TikTok] to the Chinese government’s hands, whenever they need it.”
Recently, US politicians have floated the idea of ByteDance selling TikTok as one way for the social media company to avoid questions over what it does with its users’ data. However, Chinese infrastructure and control are clearly deeply integrated into TikTok’s system, and it would be extremely hard for any company that purchased it to undo.
Our take on TikTok
We stand for freedom of expression, and we want everyone to be able to voice their opinion. However, social media giants from TikTok to Facebook demand troves of personal data in exchange for the use of their platform. Often this data collection verges into the extreme. Does TikTok need access to your device’s ID number to deliver its service?
The fact that TikTok is owned by a Chinese company, one that has explicitly said it would deepen its cooperation with the Chinese Communist Party, makes this excessive data collection even more concerning. The Chinese government has a history of strong-arming and co-opting Chinese tech companies into sharing their data and then using this data to intimidate, threaten, censor, or engage in human rights abuses.
For these reasons, it is our opinion that, from a security and privacy standpoint, TikTok is an extremely dangerous social media platform. Its potential for mass collection of data from hundreds of millions of adults, teenagers, and children poses a grave risk to privacy. We believe that TikTok should be viewed with great caution, and if this concerns you, you should strongly consider deleting TikTok and its associated data.
You can get a free secure email account from ProtonMail here.
We also provide a free VPN service to protect your privacy.
ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan. Thank you for your support.
Feel free to share your feedback and questions with us via our official social media channels on Twitter and Reddit. Note that while blog comments also remain open, questions and feedback will not be responded to individually. Where relevant, we will incorporate the most frequently asked questions or comments into a blog update.