
A deconstruction of the TikTok source code reveals that phones running the short video app are communicating with Chinese servers despite promises that user data is being stored only outside China, a report released by an Australian cybersecurity company shows.
Internet 2.0 published a technical analysis of the TikTok application on both Android and iOS devices, which breaks down what data the company has access to on users’ phones. It observed the Apple version of the application connecting to a server run by Chinese security company Guizhou BaishanCloud Technology Co Ltd, located in mainland China.
“We could not determine with high confidence the purpose for the connection,” the report says.
TikTok’s parent company, ByteDance, denies the connection. In a statement to Crikey it rubbished the report:
“The IP address is in Singapore, the network traffic does not leave the region, and it is categorically untrue to imply there is communication with China. The researchers’ conclusions reveal fundamental misunderstandings of how mobile apps work, and by their own admission, they do not have the correct testing environment to confirm their baseless claims.”
The app’s communication with a Chinese server is not proof that ByteDance is sending user data to China. Similar applications such as Facebook or Telegram send server requests all over the world for myriad reasons, including for operating advertising networks or, indeed, sending and receiving user data. How and where apps send data can be extremely convoluted and difficult to untangle — even for people with access to the full source code.
However, the uncertainty about the purpose of this connection, which ByteDance denies, will feed concerns about the Chinese-owned app and the lack of transparency. Internet 2.0’s co-CEO Robert Potter told Crikey its analysis found the app’s infrastructure appeared to be less separate from China than the company has said publicly.
“TikTok has a history of not being clear about what it does,” he said. “They have to give Australians assurances that their data is being respected and their privacy is protected.”
The report also details what it calls “excessive data harvesting” by the TikTok application. This includes hourly checking of the device’s location; the device’s unique identification details, calendar and contacts; a mapping of all the other applications on the phone; and more. These details are not required to run the app, but it does ask users for permission for this access.
The company defended its data collection as being in line with, or less than, that of its competitors: “We collect information that users choose to provide to use and information that helps the app function, operate securely and improve the user experience.”
Last week TikTok Australia confirmed that ByteDance employees — including those in China — can access Australians’ data despite it being stored in US and Singapore servers. As Fergus Ryan wrote in the Australian Strategic Policy Institute’s The Strategist, the server’s whereabouts are essentially irrelevant: “The location in which any data is stored is immaterial if it can be readily accessed from China.”
These new revelations prompted opposition spokesman on cybersecurity and countering foreign interference James Paterson to ask the federal government to “investigate all possible regulatory responses to protect Australians’ privacy and cybersecurity”.
Home Affairs Minister Clare O’Neil said the government has seen the report and urged individual caution.
“Australians need to be mindful of the fact that they are sharing a lot of detailed information about themselves with apps which aren’t properly protecting that information,” she said. “I hope it concerns Australians because it certainly concerns me.”
It’s Tik Tok the latest hysteria about China. We happily give away our lives to Google, FB, etc. Sure we’re not happy about it but there doesn’t seem to be the same level of concern as when dealing with anything Chinese.
What an absolute crock! Just the China Threat industry keeping the fear going to line their pockets.
All TikTok collects, at best, is your email, phone number, type of stupid videos you like and location IF you enable location services. Be far more concerned that the data is stored in US and Singapore servers. Anyone worried should create an account with a fake name, separate email address and get a prepaid SIM (do this for all Social Media etc). Google, FB etc have far more.
BTW. Any country where you actually apply for a Visa also has far more information than TikTok. The US also has your fingerprints if you have entered there and any country has a lot more information if you use a biometric passport.
With respect you wouldn’t be in a position to know what it collects – unless you have real skills and tools in this area and have put in real effort to analyse the app.
If you are so inclined to respond to this, perhaps what is your ICT security experience at a hands on technical level – tools, techniques, major achievements?
How about you tell everyone what it collects then? Do you have a TikTok account?
With the post 9/11 hysteria, our own Government has the right to pretty much raid our personal data whenever it feels like it. Perhaps some articles on that issue.
I am sure James Paterson is happy about the data being stored in Singapore and the U.S…they are our besties…right? Oh! wait a minute…
As soon as I read Fergus Ryan and ASPI mentioned I realised I wasted my time reading this.
I assume James Paterson is also concerned about our data being stored in Singapore and the U.S. We can trust them unequivocally can’t we? Oh…wait a minute…