TikTok and the privacy perils of China’s first international social media platform

An illustration of the Chinese government using TikTok to watch its users.

TikTok, the video-sharing platform owned by the Chinese social media giant ByteDance, is one of the most popular social media services in the world, with an estimated 800 million users. However, its zealous data collection, use of Chinese infrastructure, and its parent company’s close ties to the Chinese Communist Party make it a perfect tool for massive surveillance and data collection by the Chinese government. 

After reviewing TikTok’s data collection policies, lawsuits, cybersecurity white papers, past security vulnerabilities, and its privacy policy, we find TikTok to be a grave privacy threat that likely shares data with the Chinese government. We recommend everyone approach TikTok with great caution, especially if your threat model includes the questionable use of your personal data or Chinese government surveillance.

How much user data does TikTok collect?

As with just about every social media platform, the answer is: “a lot.” According to its privacy policy, even if you just download and open the app but never create an account, TikTok will collect your:

  • IP address
  • Browsing history (i.e., the content you viewed on TikTok)
  • Mobile carrier 
  • Location data if you are using a mobile device (including GPS coordinates and WiFi and mobile cell data)
  • Info on the device you used to access TikTok (for Android devices, this includes your IMEI number, which is essentially your device’s fingerprint so it can be identified, and potentially your IMSI number, which is used to track users from one phone to another)

To open an account, you must enter a phone number or email and your date of birth. Once you have created an account, TikTok asks your permission for access to your social media accounts (like Twitter, Instagram, Facebook, etc.), your phone’s contact list, and GPS data. 

Once you start using the app, TikTok logs details about:

  • Every video you upload
  • How long you watch videos
  • Which videos you like
  • Which videos you share 
  • Any messages you exchange in the app 

Finally, if you buy coins, the in-app currency you can use to support your favorite video creators, TikTok will store your payment information.

According to TikTok, if you delete your account, the company will delete your account data, videos, and information within 30 days. This claim is impossible to independently verify, as is the case with most social media companies. 

TikTok’s data collection is extreme, even for a social media platform that collects its users’ data to serve them with targeted ads. And TikTok explicitly states in its privacy policy that it shares your browsing data and email address with third parties so that it can serve you with targeted advertising. 

TikTok faces multiple class-action lawsuits in the US

On November 27, 2019, a group of TikTok users in California filed a class action lawsuit against TikTok and ByteDance, saying the TikTok app “includes Chinese surveillance software.” The lawsuit claims TikTok collects all videos shot on the app, even if the videos are not published or even saved. The lawsuit goes on to allege that TikTok uses the videos and photos users upload to collect biometric data (such as face scans) without user permission and that even after you close the app, TikTok continues to collect biometric data.

This lawsuit also alleges that TikTok surreptitiously sends user data to China, something we will address below. 

There is a similar class action lawsuit from users in Illinois. This suit also alleges that TikTok uses facial recognition technology and AI to collect users’ facial geometry without informing their users. Illinois has a strict law that requires companies to receive consent before they collect any biometric data.

Does TikTok share data with the Chinese government?

What distinguishes TikTok from other social media giants is that it is owned and operated by a Chinese company. ByteDance, the company that owns TikTok, is headquartered in Beijing and is worth over $100 billion. Chinese domestic laws and regulations, along with internal party politics, can make it hard to parse whether a company is independent or coordinating with the Chinese Communist Party.

Even if ByteDance wanted to resist Chinese Communist Party control, it would have little real prospect of doing so. China’s National Intelligence Law, passed in 2017, allows the government to compel any Chinese company to provide practically any information it requests, including data on foreign citizens. Furthermore, Chinese laws also can force these requests to be kept secret and not disclosed via transparency reports. The lack of an independent judiciary system makes it almost impossible for a company to appeal a request from the Chinese government. On top of that, Chinese companies of any real size are legally required to have Communist Party “cells” inside them to ensure adherence to the party line.

However, there is little evidence ByteDance wants to resist the Chinese government. In fact, there are numerous examples that it is complicit in the Chinese Communist Party’s authoritarian policies. In 2018, ByteDance shut down Neihan Duanzi, a Chinese social media platform that was primarily used to share jokes and comedy, after state censors accused it of hosting “vulgar” content. Afterward, ByteDance said that it would “deepen cooperation” with the Chinese communist party. It then hired 2,000 more “content reviewers” and stated that “strong political sensitivity” would be an asset for the position.

ByteDance has repeatedly made the case that TikTok is not available in China and that user data is not stored in China. This is misleading. In its privacy policy, TikTok explicitly reserves the right to share user information with other members of its “corporate group” (i.e., ByteDance). 

Additionally, a white paper by the cybersecurity firm Penetrum found that over one-third of the IP addresses the TikTok APK connects to are based in China. The majority of these IP addresses are hosted by Alibaba, another Chinese tech giant. These IP addresses are what led to the allegations in the California lawsuit that TikTok secretly sends data to China. According to the Penetrum report, “TikTok does an excessive amount of tracking on its users and that the data collected is partially if not fully stored on Chinese servers with the ISP Alibaba.

Alibaba works closely with the Chinese Communist Party and supports its invasive surveillance and censorship. It has a police post at its headquarters to facilitate data sharing with authorities and developed a popular Chinese propaganda app

The Chinese government has long used the data it collects from Chinese tech companies to monitor, censor, and control its citizens. The all-seeing surveillance system they have created to monitor Uyghurs in Xinjiang is just one example. It also maintains an Orwellian “blacklist” that the government uses to prevent over 13 million “untrustworthy” citizens from purchasing plane or train tickets. One can only imagine what the Chinese government would do if it were able to extend its data collection beyond its borders.

TikTok and censorship

There are also concerns that the Chinese government and ByteDance are using TikTok as a tool to extend China’s censorship. American employees reported to the Washington Post that they were pressured by administrators in Beijing to restrict any political content.

The Guardian reported on TikTok guidelines that require moderators to block videos that “distort” historic events, such as “Tiananmen Square incidents.” In one example, a teenage girl from Florida had her account shut down after she brought attention to the plight of the Uyghurs, a Muslim minority in China. (TikTok later reinstated her, claiming her ban was an error.)

Is TikTok secure?

In December 2019, the cybersecurity researchers at Check Point Research discovered multiple vulnerabilities, including ones that would allow attackers to delete user videos, make hidden videos public, or upload unauthorized videos. The researchers worked with the TikTok team, and they say that these vulnerabilities have now been resolved. 

In April 2020, security researchers discovered that some versions of the TikTok app for Android and iOS rely on HTTP connections. By not using HTTPS, TikTok makes it easy for attackers to monitor user activity and even alter the videos the user sees without their knowledge. 

TikTok says a fix is already underway, but this certainly isn’t a strong track record when it comes to security.

TikTok and children

Given the demographics of TikTok users and the amount of data TikTok collects, the company has faced criticism for collecting data from children. In February 2019, Musical.ly, the Chinese social media app that ByteDance bought and then merged with TikTok, paid a $5.7 million fine to the FTC to settle allegations that it violated the Children’s Online Privacy Protection Act (COPPA) by letting children under 13 sign up to its platform without their parents’ consent. 

In May 2020, 20 advocacy groups alleged that TikTok is still violating COPPA. They said the company never deleted the personal information it collected from children under 13 prior to the 2019 FTC settlement, is still not obtaining parents’ consent before collecting children’s personal info, and does not allow parents to review or delete the personal information it collects from their children.

Scrutiny of TikTok increases

Since February, politicians in Australia have been calling for greater scrutiny of the company’s data collection and possible censorship. On June 29, the Indian government banned TikTok, along with over 50 other Chinese apps. And now, the US government is also weighing whether they should impose a ban on the app.  

As one US lawmaker said to the Wall Street Journal, “all it takes is one knock on the door of their parent company [ByteDance], based in China, from a Communist Party official for that data to be transferred [from TikTok] to the Chinese government’s hands, whenever they need it.

Recently, US politicians have floated the idea of ByteDance selling TikTok as one way for the social media company to avoid questions over what it does with its users’ data. However, Chinese infrastructure and control are clearly deeply integrated into TikTok’s system, and it would be extremely hard for any company that purchased it to undo. 

Our take on TikTok

We stand for freedom of expression, and we want everyone to be able to voice their opinion. However, social media giants from TikTok to Facebook demand troves of personal data in exchange for the use of their platform. Often this data collection verges into the extreme. Does TikTok need access to your device’s ID number to deliver its service?

The fact that TikTok is owned by a Chinese company, one that has explicitly said it would deepen its cooperation with the Chinese Communist Party, makes this excessive data collection even more concerning. The Chinese government has a history of strong-arming and co-opting Chinese tech companies into sharing their data and then using this data to intimidate, threaten, censor, or engage in human rights abuses.

For these reasons, it is our opinion that, from a security and privacy standpoint, TikTok is an extremely dangerous social media platform. Its potential for mass collection of data from hundreds of millions of adults, teenagers, and children poses a grave risk to privacy. We believe that TikTok should be viewed with great caution, and if this concerns you, you should strongly consider deleting TikTok and its associated data. 

You can get a free secure email account from ProtonMail here.

We also provide a free VPN service to protect your privacy.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan. Thank you for your support.

Feel free to share your feedback and questions with us via our official social media channels on Twitter and Reddit.

About the Author

Richie Koch

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.


Comments are closed.

27 comments on “TikTok and the privacy perils of China’s first international social media platform

  • This is a ridiculous article. I appreciate you’re just looking for clickbait in order to try and sell subscriptions to your software… but this is something where I’d be embarrassed if an eighth grader produced it.

    You literally did nothing except read / repeat the TikTok privacy policy? Let’s see your analysis of *any* other ad-driven social media network, and tell me the privacy policy is substantially different. And I guess your editor gave you a requirement on minimum number of words, but you had to fill the rest of the article with little more than mass-media reports filled entirely by politicians trying to stir up anti-China sentiment with innuendo and slander.

    Pathetic. Since you’re so dedicated to transparency and privacy, I expect you’ll be posting this comment in full.

    • Hi CT, we’re sorry you didn’t find this article useful, but we hope others do. We believe awareness about privacy issues is important, which is why we frequently address other ad-driven social media networks. You will find many examples of this if you scroll through our past articles.

  • I’m really afraid to use Protonmail after read this article. :)
    (Privacy issue is right but such article on protonmail blog with some sort of details)

  • Every piece of electronic infomation the CCP gains about your personal life will be used to destroy your life and can make you a prisoner in your own home, to scared to leave, if you get in the way of the CCP. A lifetime sentence of pyschological and physical threat risks await the brave whom choose CCP opposition.

  • What do you think the CIA is has been doing all these years with Instagram/FB etc??

    They can analyse my Cat videos all they want!!

  • hmm…. replace Tiktok by Facebook, China with “5 eyes countries” and you have a very similar situation.
    I am definitely not saying Tiktok should be used but I think the whole scare is a bit disingenuous. And I don’t really see what this compilation of press article is really pertinent to PM…
    BTW didn’t PM/PVPN receive substantial VC money ? Under what jurisdiction is your US office operating ?

    • No, we have not received substantial VC money. And we operate under Swiss jurisdiction; we do not directly employ anyone living in the US.

  • Good article, the trouble is that ALL Western governments have a hotline into ALL the important Western sites and probably the whole dame internet.

    So hard to criticise (creepy) China when the Western governments force Facebook/Amazon/Twitter/Google and so to pass all OUR data to them.

    Basically they’re all as bad as each other, governments and tech firms regardless of where they are in the world.

    Plus, one thing to consider, would one living in the West rather have the (creepy) Chinese government collecting data on them or their own government? Living in the West, I know the potential power that the governments have against me and the harm they can do to me – in effect they scare me. But the Chinese do not scare me because I’m not living their, and am unlikely to go there.

  • Facebook is guilty of all these offenses, but one thing is different, they share information with the US government, not the Chinese government.

    So, the question is, do you want the US government spying on you if you’re a US citizen, or the Chinese government? Preferably, I’d want the Russian government considering what kind of relationship Joe Biden has with the CCP, and Nancy Pelosi having a Chinese spy in her employment. Supposedly we’re in a new cold war, but considering how blatantly dishonest my government is, there’s no way to tell.

    It’s pretty clear that Silicon Valley has gotten into bed with a bunch of authoritarians in our government. This is precisely what we were working against when we started. No matter, it doesn’t take years of work and thousands of people to make a replacement with today’s technology and infrastructure.

  • Good to know
    * How would you qualify CRV (Charles River Ventures) ? Philanthropy ?
    * What’s the purpose of the US office then ?

  • Bueno, no olvidemos ese dicho que reza: “Cuando algo (en internet) es gratis, el producto eres tú”.
    No nos impresione que suceda en China, en EE.UU. o Rusia. Da igual.
    Todo tiene un costo y, en internet, si es gratis, de alguna manera deben sacar partido quiénes brindan ciertos servicios.
    En lo personal, me parece un buen articulo.
    Creo que todos somos (o deberíamos ser) conscientes de los riesgos, pero, sucede que nada cambiará, pues, las redes sociales, sean chinas, rusas, estadounidenses o, de donde sean, siempre son una tentación para las personas.
    Por ejemplo: No necesariamente tenemos que tener una cuenta en Facebook o en Tik Tok para ser rastreados en internet. ¿Metadatos?
    Por supuesto.
    ¿Puertas traseras? Siempre.
    Felicidades! Es un gran articulo.

  • I have never been a tiktok user (teenagers social media) but, is very scary that the most-known (as tutanota) private email provider tell of how insecure tiktok is right when DT start to say that China is spying us with tiktok, that tiktok is dangerous to the US national security and bla bla bla. If just decide that you want to write a blog about the insecurity in tiktok i have some obvious question:
    1.- Why do you talk specifically about tiktot? this (nasty) practices are common in social media, why did you talk about how insecure are your data in any social media in general?
    2.- Why now and without talking about the US president declarations about tiktot? I don’t think you want to look like if you were supporting some political party, but doing this right now makes you look like the news in countrys that have dictators and they say “there will be more taxes this year” and you look at the news and you see articles like “how the social inequality domines countrys with few taxes rate”.
    3.- Why so many emphasis in the fact that is China the country that is getting our data? No, im not from CCP, but if you want to write articles like a piece of journalism, you are supposed to be neutral. I have read some articles here in protonmail.com, and i don’t think that you only talk about “how bad is China”, i see that you also have articles about Google and other partys, but i still note a little bit of “why the US president is right and they should sell Tiktok to US” in this article.

    Have a good day and i hope you continue prividing useful information to us.

    • Hi Daniel, thanks for the questions. We write about many privacy-invasive technologies, from smart TVs to Facebook to Amazon Ring. We are aware of the politicization of TikTok, but we have purposely avoided mentioning these issues and focused solely on privacy and security concerns, which is our area of expertise and is apolitical. You also ask about why we focus on China’s surveillance and privacy abuses without mentioning those of the US and other Western countries. However, if you look through our past blog articles, including in the last few months, we have written extensively about laws and practices in the US, UK, and elsewhere that are harmful to human rights. In fact, mass surveillance in the US is what led us to create ProtonMail in the first place.

  • Ustedes como ProtonMail nos aseguran que no tienen acceso a ninguna pantalla ni claves o contraseñas de ningún dispositivo relacionado con el correo electrónico cifrado ProtonMail. Pueden aseverar que es así, que son fieles a sus divulgaciones de cifrado y de no vulnerar los derechos de privacidad de usuarios de ProtonMail?
    Gracias y saludos.

  • Excellent read..
    PM don’t be cowed by some of the negative feedback – some of us find the article very informative and useful.

  • I am deeply concerned with ProtonMail’s uncritical promotion of U.S. State Department talking points, such as propaganda about TikTok and Hong Kong protests. Recently, a prominent HK “protestor” was exposed as a U.S.-state linked operative [1], further shedding light on the network of covert U.S. State involvement in destabilizing HK (involving e.g. Hong Kong Free Press, National Endowment for Democracy).

    Consider the key concluding paragraph to this article (as of this comment):

    “For these reasons, it is our opinion that, from a security and privacy standpoint, TikTok is an extremely dangerous social media platform. Its potential for mass collection of data from hundreds of millions of adults, teenagers, and children poses a grave risk to privacy. We believe that TikTok should be viewed with great caution, and if this concerns you, you should strongly consider deleting TikTok and its associated data.”

    There is no mention that TikTok stands on the exact same ground as service conglomerates such as Google and Facebook, sans their relationship with the U.S. Federal government. Omitting this key fact suggests that Proton Technologies AG has differing relationships to these governments.

    ProtonMail’s willingness to push political disinformation is beyond unacceptable. I will be terminating my financial support of Proton Technologies AG effective immediately based on this severe violation of trust.

    [1] – https://www.scmp.com/news/hong-kong/society/article/3097523/hong-kong-activist-writer-kong-tsung-gan-confirms-thats-only

    • I’m sorry to hear this. Our analysis is purely based on the technical and privacy aspects of the company. As a Swiss company, we always take a neutral position on political issues, and if you’re familiar with our blog you’ll know we’re probably more critical of American policies and companies, which are often more consequential on the global stage.

  • Do you have a secure search engine? My laptop address is samfox13@protonmail.com This message is from my desktop at samfox4867@gmail.com

    I am not sure I trust DuckDuckGo. I most definitely do NOT trust Google & internet explorer.

    When I change from Windows 7 to Windows 10 I want to change my mailbox to Proton Mail from gmail. ()Any suggestions on how to get a clean version of Windows 10?)

    The pro I had that could give me a clean Win 10 has died. He was very good & became a good friend.

    Thank you!

    • Hi Sam,

      At the moment, the Proton suite of encrypted products doesn’t include a secure search engine. Thanks.

  • PM,

    Thank you for pledging support for Hong Kong. We are living in turbulent times in which totalitarianism is rising throughout the world, and the silence of Western liberal democracies is frightening — not to the mention the complicity, censorship and cooperation of Western corporations with regards to communist China.

  • Hi,
    I greatly appreciated this article when I first read it in the summer. I appreciated the obvious researched and factual information from a non-biased and security minded viewpoint. I work with a lot of kids who use TikTok, so the information was of particular interest to me.

    From my understanding, a deal was made between the United States and China in September that moved partial ownership to Oracle. I would love an update from your viewpoint as to the security of TikTok since this deal. Is it enough to make it safe for children (and adults) to use and maintain privacy?

    • Hi Lena,
      This is a good question. Hypothetically, the sale to Oracle and Walmart would eventually eliminate the Chinese government’s access to TikTok’s data and their ability to censor messages on the platform. However, unless Oracle and Walmart proactively address the app’s data collecting procedures, then that information would now be in the hands of two private corporations, which is far from ideal (but also not too different from using Facebook).
      I know this is a vague response, but so much about this is still up in the air. It’s unclear if the deal is even still going through https://qz.com/1931773/tiktok-deal-with-oracle-walmart-is-in-its-own-lame-duck-period/.
      If this deal is completed, we will consider revisiting this blog post with an updated evaluation.