Reports on Friday that Amazon had asked employees to delete TikTok from their phones spread like wildfire—TikTok’s security woes have been the viral story of the month. Amazon quickly retracted the news—an internal memo had been released in error—but the implication that TikTok, an app installed by hundreds of millions, might be tapping into emails had resonated. That’s where we now find ourselves.
And while Amazon walked back from any ban, Wells Fargo has asked some employees to delete the app, citing “concerns about TikTok’s privacy and security controls and practices.” You’ll remember that the U.S. military has already banned TikTok from government-issued phones—and there is pressure to widen that significantly, all of which pales compared to India’s blanket ban and threats that Australia and—devastatingly for TikTok—the U.S. might follow suit.
I have reported on TikTok security concerns for more than a year—but we are now in uncharted territory. Whereas we have seen regulatory concerns and fines for data privacy violations and security vulnerabilities in the past, we have now seen TikTok caught up in the much wider U.S.-led backlash against Chinese tech. The question I’m now asked more than any other, unsurprisingly, is whether TikTok is seriously that dangerous and whether users should seriously delete the app.
The answer is not as simple as you might expect.
In recent weeks, we have seen reports emerge suggesting that TikTok is “Chinese spyware,” alleging that the app steals data from users’ devices and sends it to China. This is certainly not proven and almost certainly not true on any level, at least not in the way it is presented. TikTok does have two serious failings, though, and both should give its hundreds of millions of users reason for concern.
First, as with all platforms of its kind, TikTok occasionally releases software with security vulnerabilities that need to be urgently fixed. Earlier this year, the cyber sleuths at market-leader Check Point issued a warning over a “severe” risk in the way TikTok messaged its users. TikTok patched the issue. And while that same issue would garner serious headlines now, it didn’t back then. That’s unsurprising. The same Check Point team has flagged issues with Microsoft, WhatsApp and even Philips Hue lightbulbs in recent months. It’s par for the course.
We did see headlines with the recent iOS 14 clipboard issue, where TikTok was seen to be still accessing user clipboards, having been criticised for doing the same before. TikTok told me the issue was down to an anti-spam filter, essentially looking to flag users copying the same comment to multiple different accounts on the same device. They have acknowledged the issue and removed the feature—kudos to Apple.
“I’m yet to see a documented, material threat,” security expert Mike Thompson tells me. “It’s no more than the usual bluster over a new app designed to help people connect. Yes, it comes with risk, but it’s no worse than any of the myriad other social networking communities. In this case, blame the players, rather than the game.”
Second, TikTok is a social media platform—you don’t need me to tell you that social media and data privacy are somewhat contradictory. TikTok captures data as you use the app, and it is brilliantly positioned to infer your likes and dislikes, friends, pastimes, consumer behavior, locations, even patterns of life. And while the data capture might seem intrusive, it’s the same with Facebook and Google and countless other apps that you give permission to tap the data on your device.
Does that mean TikTok is sending your data back to China—no. Does that mean you are being spied upon, that your data is being compromised, putting you at risk—no, at least not any more onerously than with U.S. social media giants doing the same. “It’s not any worse or any better than what Facebook, Google and thousands of apps are doing already,” Cyjax CISO Ian Thornton-Trump tells me. “Any free service is going to want to monetize the data it’s accumulating.”
But let’s not be naive—there is a difference here. TikTok is Chinese. It is the first and only Chinese social media app that has managed to compete head to head with the U.S. giants that lead the market. It is now more viral than Instagram and YouTube; its bitesize recipe, where users are essentially given a scripted 15 seconds to become stars, all set to music, has proven hard to beat. It became the star of lockdown, as millions of bored kids and thousands of bored influencers flocked to the platform.
The fact that TikTok is Chinese gives rise to the most serious issue with the platform. While the data being captured on those hundreds of millions of devices is not much use for compromising an individual (it would be a horribly complex way to spy on select targets), it does provide an aggregated dataset, country by country, city by city, demographic by demographic. Look at what Cambridge Analytica managed with Facebook data, or the power of location pings to track users en masse.
That dataset, in the hands of an adversarial foreign government, is a risk—a very serious risk, in a world where social media is used to push propaganda out to users who tap those platforms as a primary source of news. When TikTok is described as a national security risk, that is essentially what those governments mean.
“The more insidious view,” Thornton-Trump says, “is that TikTok and other apps present a danger of mass manipulation and social control and disinformation. The danger may be minimal to the individual but serious for society and democracy.”
TikTok is at pains to stress that it has not provided user data to Beijing, that it would not do so if asked. “TikTok is led by an American CEO, with hundreds of employees and key leaders across safety, security, product, and public policy here in the U.S.,” the company told me in response to talk of that U.S. ban. “We have no higher priority than promoting a safe and secure app experience for our users. We have never provided user data to the Chinese government, nor would we do so if asked.”
Politicians in the U.S. and elsewhere clearly take a sceptical view on this, and the question is whether China could strong-arm ByteDance—TikTok’s Chinese owner—into tailoring or restricting content, or could gather those aggregated data findings to better shape its attempts to influence all of those populations. If you want to be cynical, you might ask if there’s a difference between “user data,” as ByteDance puts it, and the broad anonymized datasets produced from its user base. If China knows what you all think, location by location, what’s the value of that data? Facebook has built an empire partly by mining its own superset of information.
As Check Point’s Oded Vanunu, the researcher behind their investigation into the platform, told me: “In 2016, social media was a major tool to distribute political messages using Cambridge Analytica’s illegitimate user data. There is a fear that with hundreds of millions of users, this non-U.S. application is hard to control. We see how hard it is for Facebook to control its data, so with TikTok the risk is high.”
That risk emanates from TikTok’s scale. The same issue throws up further risks. As with any hyper-scale app, hackers—whether criminal or nation-state—know that tapping a vulnerability likely gives access to target devices. “TikTok is a high-quality target for hacking groups,” Vanunu warns, “so whether the infrastructure is ready for such sophisticated malicious activities is the big question and the risk.”
We saw that same risk highlighted when the Twitter accounts associated with the hacktivist group Anonymous tagged TikTok as Chinese spyware. The implication was that the platform had become a legitimate target for hackers to act against. That appears to be the pattern by which the loose hacker collective now operates.
So, should you delete the app? The answer is not at all easy. Your risk as an individual is broadly the same as with the other social media apps that you use, although given the approach China takes to technology and media, you can be forgiven for taking a harder line over a Chinese platform. If you do stick with the app, then as with all social media, be careful what you share, and don’t assume any data security or privacy.
Your risk as a citizen, though, is different. With what you know about China’s approach to data security and privacy and individual freedoms, with what you’ve read about data manipulation east versus west, do you feel comfortable using a Chinese-owned social media app? This is an app, after all, whose Chinese-market twin—Douyin—is censored and restricted and likely monitors its users. Look at the situation in Hong Kong. Then you can make an informed choice.
In the meantime, the decision may be taken out of your hands. It will be a hugely unpopular move by western politicians to restrict our online freedoms by banning an app as popular as TikTok, but the complexity of this situation raises questions we have not faced before. Questions that have nothing to do with you as individual users and everything to do with the politics between your government and Beijing. Even plucky TikTok might struggle to overcome a challenge on that scale.