TikTok: Friend or foe?

A damning report from TheWrap raises the question: can the Chinese-owned social media app be trusted?

Look, I’m gonna be honest: I’m not the biggest fan of TikTok. I get that it’s grown exponentially in popularity over the past few years and that it gets user attention unlike any other social media app, but the appeal of its content format is something I fail to grasp.

Enough people do grasp it, obviously, and the platform’s growth isn’t slowing down anytime soon. In September 2021, TikTok hit 1 billion monthly users after amassing 78.7 million registered users. Combined with its growing popularity in older demographics and expansion to more devices like TVs, there doesn’t seem to be anything that can stop TikTok in its tracks.

That is, unless security eventually becomes an indisputable roadblock for new signups.

Since TikTok (then called Musical.ly) was purchased by Chinese technology company ByteDance in 2017, the app has been under heavy scrutiny from lawmakers due to national security concerns. At the time, it was mainly public speculation, but evidently enough to get Washington’s attention.

In 2020, former President Donald Trump tried to ban the app from the United States, in line with what India did. The executive order that would have enacted the ban was eventually thrown out by President Joe Biden’s administration. However, the app remains under a microscope as Biden’s team actively discusses new regulations for foreign-owned apps which, if put in place, would force TikTok to change key aspects of its operation in the name of public security.

Until recently, there’s been no real evidence that TikTok is, in fact, playing dirty. A new report from TheWrap claims to change that.

According to the report, two separate studies have concluded that TikTok actively circumvents the security regulations of Apple’s App Store and the Google Play Store in order to mine granular user and device data, all while remaining incredibly discreet.

TikTok is essentially an elaborate web browser

The report cites researchers who were able to dig into how ByteDance could be getting away with this. Upon their examination, they found that TikTok is essentially an elaborate web browser. The main TikTok feed uses a JavaScript-based bridge to pull content from the app’s servers, eliminating the need for intricate system libraries to deliver content natively. This allows the app to slip through code audits from Apple or Google that look for malicious practices, and it makes the app much harder for developers or researchers to reverse engineer. Monitoring for future bad behavior is also apparently off the table.

This system also lets TikTok operate its feed however it wants to. The studies found that the app can change its behavior “as it pleases without users’ knowledge.” Since it’s strictly server-operated, the “For You” feed might not be for you at all – it could be videos TikTok thinks you’ll enjoy, but blended with videos it wants you to see.

Of course, TikTok is denying any sort of foul play here. The company told TheWrap that its app adheres to the information security standards and app store policies in the US, UK, India, Singapore, and Ireland. In addition, the company had the following to say on what kind of information it collects from its users.

“The TikTok app is not unique in the amount of information it collects, compared to other mobile apps. In line with industry standards, we collect information that users choose to provide to us in order to improve the experience people have on our app. Also like our peers, we constantly update our app to keep up with evolving security challenges.”

What TikTok refers to as “industry standards” is a unique ad tracking ID assigned to virtually every user of the internet. The ID allows companies to identify you and understand what you’re interested in. That’s how apps like Instagram can display ads for socks if you search for “socks” on Amazon. That ID is carried across the platforms you use to deliver targeted ads and further boost advertising sales for businesses like Facebook and Google.

TikTok uses the same ID to deliver relevant ads to your feed, but the app claims the buck stops there when it comes to tracking you and your data. What the company says isn’t true (and what it refuses to comment on) is the mining of extra data pertaining to your device, your personal information, and other details most users wouldn’t want social media apps peeping in on, like IP addresses and direct messages sent to other users.

The two studies, conducted by “white hat” cybersecurity experts, were verified by five independent experts before TheWrap published its findings. Frank Lockerman, a cyber threat engineer at cybersecurity firm Conquest Cyber, was one of the experts who reviewed the studies and was vocal about his findings.

“These dynamic properties allow TikTok carte blanche access to your device within the scope of what the application can see,” said Lockerman. “The TikTok browser not only has access to convert from web to device, but it also has the ability to query things on the device itself.

“This has great significance to the security of the app, because the state of it cannot be determined by static analysis of the app alone.”

Another expert who reviewed the studies, Russ Jowell of BestApp.com, noted how secretive TikTok seems to be when it comes to how it operates. “It seems to me that ByteDance has gone to monumental lengths — possibly more than Facebook, Twitter and other social networks — to conceal the inner workings of their app.”

Despite so much mystery behind the inner workings of TikTok, it still remains a question on many users’ minds as to whether the app poses any serious threat. After all, apps like Facebook have been gathering enormous amounts of our personal data for years, and we’re all still cool with using them.

Most of the distrust from users comes down to what each company does with our data. Facebook regularly sells it to advertisers which, while not ideal, is a reality many have come to live with. And fortunately, it seems like an easy problem to have: if you don’t want your data traded between companies, Apple lets you disable ad tracking on a per-app basis in iOS, while Google provides a similar tool in Android. The features are so effective, in fact, that Apple’s implementation alone was enough for Facebook to lose $10 billion in ad revenue.

TikTok might be China’s way of delivering propaganda to Americans

TikTok’s practices with our data, however, are speculated to be totally different. Since its acquisition by ByteDance, TikTok has been reported as a vehicle for the Chinese government to spy on Americans by mining their device data and regularly tracking it, even going so far as to deliver propaganda to certain users to influence decision-making and promote censorship. Former employees of TikTok have claimed that that’s indeed happening, and, driven by reports like that, there’s been no shortage of deep-dives into the types of personal data TikTok might have.

But by far the most jarring piece of evidence that users should feel wary about is the Chinese government’s stake in ByteDance. Back in August, WangTouZhongWen Technology, a fund created by the Chinese government, purchased a one percent stake in ByteDance after the company was re-evaluated to 200 million yuan from 10 million yuan. The stake not only made national headlines, but it raised serious red flags for users who were already concerned about their privacy.

As expected, TikTok refutes any influence the Chinese government has on its platform, and on its FAQ page it denies ever giving the government US citizens’ data. In addition, other studies have indicated that, at least as of now, TikTok doesn’t pose a serious security risk.

And so, TikTok continues to see incredible amounts of growth. Through its popular short-form content format, the app is able to latch on to the attention span of even the most hyperactive, all while managing to remain as a place for trends to take off and creators to become break-out superstars.

I’m not trying to spread some conspiracy regarding TikTok’s involvement in everyday American culture, nor am I claiming that China is actively spying on Americans. What I am saying, however, is that TheWrap’s report sheds an important light on a serious issue facing TikTok: whether a lot of people use the app or not, it seems that it’ll always remain a controversial platform. And eventually, I can’t help but think it’ll no longer be a personal opinion to believe TikTok is a serious threat to both personal and national security – it’ll be fact.

Until then, I suppose I’ll go back to watching virtually every account I follow make a “hilarious” video showcasing traits of different people with Louis Prima’s “Angelina/Zooma Zooma” playing in the background.

From the Wiretapped newsletter.