TikTok
(Image: Adobe)

A deconstruction of the TikTok source code reveals that phones running the short video app are communicating with Chinese servers despite promises that user data is being stored only outside China, a report released by an Australian cybersecurity company shows.

Internet 2.0 published a technical analysis of the TikTok application on both android and iOS devices, which breaks down what data the company has access to on users’ phones. It observed the Apple version of the application connecting to a server run by Chinese security company Guizhou BaishanCloud Technology Co Ltd, located in mainland China. 

“We could not determine with high confidence the purpose for the connection,” the report says.

TikTok’s parent company, ByteDance, denies the connection. In a statement to Crikey it rubbished the report:

The IP address is in Singapore, the network traffic does not leave the region, and it is categorically untrue to imply there is communication with China. The researchers’ conclusions reveal fundamental misunderstandings of how mobile apps work, and by their own admission, they do not have the correct testing environment to confirm their baseless claims.

The app’s communication with a Chinese server is not proof that ByteDance is sending user data to China. Similar applications such as Facebook or Telegram send server requests all over the world for myriad reasons, including for operating advertising networks or, indeed, sending and receiving user data. How and where apps send data can be extremely convoluted and difficult to entangle — even for people with access to the full source code.

However, the uncertainty about the purpose of this connection denied by ByteDance will feed concerns about the Chinese-owned app and the lack of transparency. Internet 2.0’s co-CEO Robert Potter told Crikey its analysis found the app’s infrastructure appeared to be less separate from China than it has said publicly.

“TikTok has a history of not being clear about what it does,” he said. “They have to give Australians assurances that their data is being respected and their privacy is protected.”

The report also details what it calls “excessive data harvesting” by the TikTok application. This includes hourly checking of the device’s location; the device’s unique identification details, calendar and contacts; a mapping of all the other applications on the phone; and more. These details are not required to run the app, but it does ask users for permission for this access.

The company defended its data collection as being in line or less than its competitors: “We collect information that users choose to provide to use and information that helps the app function, operate securely and improve the user experience.”

Last week TikTok Australia confirmed that ByteDance employees — including those in China — can access Australians’ data despite it being stored in US and Singapore servers. As Fergus Ryan wrote in Australian Strategic Policy Institute’s The Strategist, the server’s whereabouts are essentially irrelevant: “The location in which any data is stored is immaterial if it can be readily accessed from China.”

These new revelations prompted opposition spokesman on cybersecurity and countering foreign interference James Paterson to ask the federal government to “investigate all possible regulatory responses to protect Australians’ privacy and cybersecurity”.

Home Affairs Minister Clare O’Neil said the government has seen the report and urged individual caution.

“Australians need to be mindful of the fact that they are sharing a lot of detailed information about themselves with apps which aren’t properly protecting that information,” she said. “I hope it concerns Australians because it certainly concerns me.”