Downloaded 1.6 million times in Australia, 2 billion worldwide, and having grown substantially since much of the world went into lockdown, TikTok lets users watch and share short, often musical clips that range from karaoke and impersonations to viral dances and political satire. But it has come under increased scrutiny from politicians and users over the data it collects, including when a recent iPhone update exposed it snooping on text that users had copied to their clipboards. The company has since promised to cease the practice.
The company says it leverages user data to improve and personalise the service as well as inform ads. On TikTok, ads appear as hashtags and challenges promoted by brands, or short-form videos that resemble user creations.
Haskell-Dowland also raised the possibility that the stacks of video selfies on the platform could be used to make “deepfakes” — where videos of real people are used to create convincing forgeries of them saying or doing anything — which could be used by cyber criminals to scam people with false campaigns from their favourite online celebrities, or to fabricate material for blackmail.
A government with access to the video data could also use it to build a facial identification database and produce a list of TikTok users and their real identity from footage of protests, he says, or a Hollywood studio that bought the data could use it to generate crowds of people that moved naturally for use as extras.
Hoovering data to feed the engine
TikTok collects data when you make an account, including your username, age, email, phone number, photo or any other biographical information you provide. If you log in with Google, Facebook or another service TikTok will receive profile information from them too.
By crunching all the data together, TikTok can infer a lot of information you haven’t volunteered, and could potentially track you across devices and multiple accounts, as well as when you’re not using the app. The collected data, as is the case with other social media platforms, is key to TikTok’s operation.
“When you think about an organisation the size of TikTok, you’re not talking about a benevolent company who is generating an app for the good of the world,” says Haskell-Dowland.
“They’re obviously a business, and they’re there to make money, and yet they’re not charging for the app and they’re not charging a subscription fee. So clearly there has to be a business model behind it, and the only other thing they’ve got is that data, in significant volumes.”
The China connection
The app began in China in 2016 as Douyin, and was replicated elsewhere as TikTok the year after. In 2017 the owner of both apps acquired Musical.ly, a Chinese app with a sizeable western following, and in 2018 merged TikTok and Musical.ly for an instant foothold in western markets.
Today the owner, ByteDance, operates both Douyin and TikTok but has appeared to take great care in keeping the operations separate.
Researchers posting their findings online have claimed TikTok collects an excessive amount of user data, while some politicians in the US and Australia have claimed that TikTok is sending user data to the Chinese government and should be banned, a charge that TikTok has repeatedly denied. Last week India included TikTok in a wide-ranging ban of Chinese apps and services.
The accusations and scrutiny come amid a notable rise in general anti-Chinese sentiment, including as part of the US-China trade war, in the Australian government’s recent cyber-security announcements and in the sanctioning of telecommunications company Huawei.
A TikTok spokesperson says the app does not operate in China and has not received any requests from the Chinese government for user information, while the company’s newly-minted head of Australian operations Lee Hunter says the company would refuse such a request.
“TikTok does not share information of our users in Australia with any foreign government,” he says, adding that local data is stored in Singapore and protected from any external intrusion.
“Similar to industry peers, we will continue to drive our goal of limiting the number of employees who have access to user data and the scenarios where data access is enabled,” he says.
The app was recently pulled out of Hong Kong, following new national security laws imposed by Beijing. TikTok has been asked to appear before an Australian Senate inquiry into foreign interference on social media sites, which Hunter indicated was welcomed by the company.
Security expert Troy Hunt says that TikTok was amassing quite an extensive collection of information that would be a real cause for concern in the event of a data breach, but no worse than other social media companies.
“Let’s face it, there’s concern [about TikTok] because it’s Chinese. Look at how invasive Facebook is. No one’s talking about banning that from app stores in the western parts of the world,” he says.
Hunt, who monitors data breaches through his website Have I Been Pwned, says that as of now the manipulation of video data was less of a threat.
“The concern is less about the usage of the video content itself, and more about the amount of other personal information and tracking related data … which is implicitly collected,” he says.
Time to come clean
In addition to profile and tracking information, TikTok gleans data about you by processing the content you share — not just photos and videos but comments, challenge and survey entries too — and takes note of what you read and watch. A “preload” service begins uploading your video and audio as you’re making it, though TikTok says it deletes this data if you end up not posting the content.
Haskell-Dowland says the app is “capturing video footage of people’s homes, in many cases, that may well be workplaces”, and that could be a concern for some if TikTok was analysing the visual and audio data combined with tracking and location. He says going forward the company needed to spell out what it does with user data in the simplest possible terms.
“What do they actually do with it? Who owns it? How is it used or sold? Clearly, they’re making money, and whilst advertising may be a part of that there’s probably more to it, related to the sale of information, or marketing, or intelligence purposes,” he says.
“And that may well be quite legitimate, and they may be covered off through their privacy policies, but it isn’t presented in a way that’s user friendly and understandable to the average user.”
Tim is the editor of The Age and Sydney Morning Herald technology sections.