Following a damning new report from BuzzFeed News, Federal Communications Commission (FCC) Commissioner Brendan Carr called on Apple and Google to remove TikTok from their app stores. Carr posted about the app on Twitter and called it a “[wolf in] sheep’s clothing” because of its surreptitious data practices.
Based on this new report, along with TikTok’s past privacy infringement issues and several investigations into its practices, the FCC Commissioner may have a point.
Report Spurs FCC Commissioner Into Action
In his letter to Apple and Google, Carr pointed out that TikTok is owned by Beijing-based ByteDance, which is required by Chinese law to comply with the PRC’s surveillance demands. He also cited the BuzzFeed report which, if accurate, shows that TikTok has not only been mishandling US user data but has also been misrepresenting who can access it.
The report is based on leaked recordings of internal TikTok meetings in which employees discuss China-based ByteDance staff repeatedly accessing non-public US user data. One employee is heard saying “Everything is seen in China.” This comes despite TikTok making a big deal about its US user data being stored in the US. As Carr points out in his letter, where the data is stored doesn’t determine who can read it: storage in the US does nothing to stop access from Beijing.
In his letter, Carr also highlights some of the app’s worst privacy-invading tactics, as revealed by several reports over the last few years. His main argument for why app stores should remove TikTok is that it doesn’t comply with the terms set out in their store policies. He also maintains that the app poses a serious threat to national security.
TikTok Has a History of Ignoring Privacy Laws
As Commissioner Carr pointed out in his letter, TikTok has a public history of clandestine privacy violations. That includes circumventing a privacy safeguard in Google’s Android operating system to collect device MAC addresses without consent, a practice the Wall Street Journal reported in 2020. Yet the app was allowed to stay on the Google Play Store.
TikTok has had run-ins with Apple too. The clipboard-access notifications introduced in the iOS 14 beta showed the app repeatedly reading the device clipboard in the background, which exposes whatever the user last copied, including passwords, messages, and cryptocurrency wallet addresses, as well as any notes, photos, and recordings placed there. In 2021, TikTok also updated its privacy policy to permit collection of biometric identifiers, including faceprints and voiceprints.
TikTok’s parent company ByteDance has also had to settle several lawsuits for collecting US user data without consent. One case concerned Musical.ly (which ByteDance bought in 2017 and later merged into TikTok), where the company had allegedly collected the personal data of children under 13 without parental consent; it was settled with the US Federal Trade Commission in 2019.
These worrisome practices have led to security concerns among officials, resulting in TikTok being banned from government-issued devices by several US agencies and military branches. India banned the app outright in June 2020 and made the ban permanent in January 2021. A US ban ordered by executive order in 2020 was blocked in court and never took effect, and the order was revoked in 2021.
On top of that, TikTok has been involved in several data exposure incidents attributed to poorly secured data and to third parties it used to manage that data. The question remains why the app hasn’t been removed from popular app stores, given the weight of evidence about its privacy-invading tactics.
New investigations point to even worse data-mining practices, along with deliberate measures to conceal the app’s inner workings.
Reverse Engineering Reveals TikTok’s Seedy Underbelly
In 2020, a Reddit post by a user called bangorlol caught a lot of attention for its claims about TikTok’s behavior under reverse engineering. In their post, they described several measures TikTok takes to prevent analysts from seeing what the app does.
That includes hiding functions, encrypting all analytics requests with an algorithm that changes with every update, and preventing debuggers from attaching. They also said that, after it’s installed, TikTok downloads and unzips a remote zip file, then executes it. Bangorlol didn’t provide any details on what this executable does, but said there is no valid reason for an app to do this.
In an interview with DPL Surveillance Equipment, bangorlol identified themselves as a cybersecurity researcher. In their post, they also said TikTok didn’t use HTTPS for a long time. “They leaked users’ email addresses in their HTTP REST API, as well as their secondary emails used for password resets. Don’t forget about users’ real names and birthdays, too,” they added. Cleartext HTTP means anyone on the network path, such as the operator of a public Wi-Fi hotspot, an ISP, or an attacker on a compromised router, could read and modify that data in transit.
Other researchers have also looked into TikTok’s practices and found similarly troubling behavior, including IP addresses hard-coded in its Android APK that are linked to Alibaba infrastructure. Alibaba, as a Chinese company, is subject to the same PRC data-access laws as ByteDance, and it has had data exposure incidents of its own.
TikTok Isn’t Just Another App
Many people have dismissed TikTok’s privacy violations in the past, arguing that their phones and other apps track them anyway, and many will likely say the same after this news. That would be a mistake.
These aren’t run-of-the-mill data gathering practices. TikTok gathers extremely sensitive personal data at a staggering rate, and its developers made sure they could recognize a device even after the user deleted their account or created a second one, by collecting the device’s MAC address, a hardware identifier that doesn’t change when an account is deleted or the app is reinstalled. TikTok didn’t ask users’ consent to gather their MAC addresses, which openly flies in the face of app store rules and privacy laws.
On top of that, the local proxy server and the download-unzip-execute behavior bangorlol described, if accurate, are the same staging techniques used by malware droppers. Both leave a lot of room for abuse: code fetched after installation is never seen by app store review, so TikTok’s developers could change what the app does at any time without users’ knowledge.
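The behaviors described in the last two sections (cleartext HTTP endpoints, hard-coded IP addresses, downloading and executing code after install, blocking debuggers, and reading the MAC address) all leave traces that a reviewer can look for before trusting an app. The script below is an added example of such a static triage pass; it is not code from the original post, from bangorlol, or from any analysis of TikTok. It runs against a constructed, fake APK built inline, and the indicator patterns and labels are this example’s own choices rather than a published signature set.

```python
"""Static triage of an Android APK's dex string pools for the indicator classes
discussed above. Added example; the fake APK and all patterns are constructed."""
import io
import re
import zipfile

# Dex files store each string (class descriptors, method names, literals) as its
# own entry, so a byte-level grep finds descriptors and method names but not
# call sites. The patterns below are this example's own choices.
INDICATORS = {
    # cleartext transport: anything on this path is readable on the network
    "plain_http_endpoint": re.compile(
        rb"http://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[^\s\"'\x00]*)?"),
    # hard-coded IPv4 literal (dotted quad not embedded in a longer number)
    "hardcoded_ipv4": re.compile(
        rb"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
        rb"(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![\d.])"),
    # loading dex code at runtime: the app can run code fetched after install
    "dynamic_code_loading": re.compile(
        rb"Ldalvik/system/(?:DexClassLoader|InMemoryDexClassLoader|DexFile);"),
    # common anti-debugging checks (API call and /proc-based ptrace detection)
    "anti_debug": re.compile(rb"isDebuggerConnected|/proc/self/status|TracerPid"),
    # MAC address reads, including the sysfs path used to bypass API restrictions
    "mac_address_read": re.compile(
        rb"/sys/class/net/[A-Za-z0-9]+/address|getHardwareAddress|getMacAddress"),
}

# One-line reviewer note per indicator class; these are the example's own text.
RISK_NOTES = {
    "plain_http_endpoint": "cleartext HTTP endpoint: data on this path is readable by any on-path attacker",
    "hardcoded_ipv4": "hard-coded IP address: resolve/whois it to learn whose infrastructure the app contacts",
    "dynamic_code_loading": "dynamic dex loading: app can execute code fetched after install, outside store review",
    "anti_debug": "anti-analysis check: confirm behaviour under instrumentation, not static review alone",
    "mac_address_read": "MAC address read: persistent hardware identifier independent of account or install",
}


def scan_dex_bytes(data: bytes) -> dict[str, list[str]]:
    """Return every distinct match per indicator label (sorted, ASCII-decoded)."""
    findings = {}
    for label, pattern in INDICATORS.items():
        hits = {m.group(0).decode("ascii", "replace") for m in pattern.finditer(data)}
        findings[label] = sorted(hits)
    return findings


def scan_apk(apk_bytes: bytes) -> dict[str, list[str]]:
    """Scan every classes*.dex entry in an APK (a zip) and merge the findings."""
    merged = {label: set() for label in INDICATORS}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        dex_names = [n for n in zf.namelist() if re.fullmatch(r"classes\d*\.dex", n)]
        for name in dex_names:
            for label, hits in scan_dex_bytes(zf.read(name)).items():
                merged[label].update(hits)
    return {label: sorted(hits) for label, hits in merged.items()}


def summarize(findings: dict[str, list[str]]) -> list[str]:
    """Turn non-empty indicator classes into reviewer notes."""
    return [RISK_NOTES[label] for label, hits in findings.items() if hits]


def build_sample_apk() -> bytes:
    """Constructed sample, not a real app: a zip whose classes*.dex entries hold a
    fake, null-separated string pool. Enough to exercise the grep-based scan."""
    strings = [
        b"http://api.example.invalid/v1/user/profile",   # cleartext endpoint
        b"https://api.example.invalid/v2/login",         # TLS: must not be flagged
        b"203.0.113.42",                                  # documentation-range IP
        b"Ldalvik/system/DexClassLoader;",                # runtime dex loading
        b"isDebuggerConnected", b"/proc/self/status", b"TracerPid",
        b"/sys/class/net/wlan0/address", b"getHardwareAddress",
        b"Landroid/net/wifi/WifiInfo;",                   # descriptor alone: no hit
    ]
    fake_dex = b"dex\n035\x00" + b"\x00".join(strings) + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder/>")
        zf.writestr("classes.dex", fake_dex)
        # second dex exercises multidex handling; TLS URL must not be flagged
        zf.writestr("classes2.dex", b"dex\n035\x00https://cdn.example.invalid/assets.zip\x00")
    return buf.getvalue()


if __name__ == "__main__":
    results = scan_apk(build_sample_apk())
    for label, hits in results.items():
        print(f"{label}: {hits}")
    for note in summarize(results):
        print("-", note)
```

On a real APK you would pass the file’s bytes to scan_apk and treat the output as leads, not verdicts: a version string like 1.2.3.4 matches the IPv4 pattern, a hard-coded IP needs to be resolved and attributed before it means anything, and a dynamic-loading hit only tells you the capability exists. Confirming what actually gets loaded means disassembling the app (apktool or baksmali) to find the call sites, then watching the app under instrumentation, which is exactly what the anti-debugging checks are there to frustrate.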
In their Reddit post, bangorlol shared the same sentiment and told people to warn their friends and family off of the app. They also said people don’t see their privacy as valuable anymore but don’t understand how companies and governments can abuse that data.
That doesn’t mean you shouldn’t be concerned about how much data other platforms gather either. Digital privacy is at an all-time low, and even Apple CEO Tim Cook has said it is negatively affecting people’s lives. For that reason, being digitally literate is more important than ever.
Don’t Devalue Your Personal Data
If companies and governments feel your data is valuable, you shouldn’t just dismiss their intentions. You may not feel that your privacy is worth anything, but many other entities, including cybercriminals, will disagree. If the amount of data TikTok gathers doesn’t scare you, then you might not have thought it through.
Cybersecurity experts say privacy should be part of a platform’s design, not an afterthought, and recommend that you vet the platforms you use based on those principles. You should also make sure to avoid weak passwords, use a good password manager, and apply cyber hygiene to protect your privacy.
You could also improve your online privacy by using a private browser and encrypting your connection with CyberGhost VPN so that outsiders on the network can’t see your traffic. If you don’t want an app subject to Chinese data-access laws collecting data from your device, deleting your TikTok account and uninstalling the app removes the most direct channel for that collection.