Proton
An illustration of the Chinese government using TikTok to watch its users.

TikTok, the video-sharing platform owned by the Chinese social media giant ByteDance, is one of the most popular social media services in the world, with an estimated 800 million users. However, its zealous data collection, use of Chinese infrastructure, and its parent company’s close ties to the Chinese Communist Party make it a perfect tool for massive surveillance and data collection by the Chinese government. 

After reviewing TikTok’s data collection policies, lawsuits, cybersecurity white papers, past security vulnerabilities, and its privacy policy, we find TikTok to be a grave privacy threat that likely shares data with the Chinese government. We recommend everyone approach TikTok with great caution, especially if your threat model includes the questionable use of your personal data or Chinese government surveillance.

How much user data does TikTok collect?

As with just about every social media platform, the answer is: “a lot.” According to its privacy policy(nueva ventana), even if you just download and open the app but never create an account, TikTok will collect your:

  • IP address
  • Browsing history (i.e., the content you viewed on TikTok)
  • Mobile carrier
  • Location data if you are using a mobile device (including GPS coordinates and WiFi and mobile cell data)
  • Info on the device you used to access TikTok (for Android devices, this includes your IMEI number, which is essentially your device’s fingerprint so it can be identified, and potentially your IMSI number, which is used to track users from one phone to another)

To open an account, you must enter a phone number or email and your date of birth. Once you have created an account, TikTok asks your permission for access to your social media accounts (like Twitter, Instagram, Facebook, etc.), your phone’s contact list, and GPS data. 

Once you start using the app, TikTok logs details about:

  • Every video you upload
  • How long you watch videos
  • Which videos you like
  • Which videos you share
  • Any messages you exchange in the app

Finally, if you buy coins, the in-app currency you can use to support your favorite video creators, TikTok will store your payment information.

According to TikTok, if you delete your account, the company will delete your account data, videos, and information within 30 days. This claim is impossible to independently verify, as is the case with most social media companies. 

TikTok’s data collection is extreme, even for a social media platform that collects its users’ data to serve them with targeted ads. And TikTok explicitly states in its privacy policy that it shares your browsing data and email address with third parties so that it can serve you with targeted advertising. 

TikTok faces multiple class-action lawsuits in the US

On November 27, 2019, a group of TikTok users in California filed a class action lawsuit(nueva ventana) against TikTok and ByteDance, saying the TikTok app “includes Chinese surveillance software.” The lawsuit claims TikTok collects all videos shot on the app, even if the videos are not published or even saved. The lawsuit goes on to allege that TikTok uses the videos and photos users upload to collect biometric data (such as face scans) without user permission and that even after you close the app, TikTok continues to collect biometric data.

This lawsuit also alleges that TikTok surreptitiously sends user data to China, something we will address below. 

There is a similar class action lawsuit(nueva ventana) from users in Illinois. This suit also alleges that TikTok uses facial recognition technology and AI to collect users’ facial geometry without informing their users. Illinois has a strict law that requires companies to receive consent before they collect any biometric data.

Does TikTok share data with the Chinese government?

What distinguishes TikTok from other social media giants is that it is owned and operated by a Chinese company. ByteDance, the company that owns TikTok, is headquartered in Beijing and is worth over $100 billion. Chinese domestic laws and regulations, along with internal party politics, can make it hard to parse whether a company is independent or coordinating with the Chinese Communist Party.

Even if ByteDance wanted to resist Chinese Communist Party control, it would have little real prospect of doing so. China’s National Intelligence Law(nueva ventana), passed in 2017, allows the government to compel any Chinese company to provide practically any information it requests, including data on foreign citizens. Furthermore, Chinese laws also can force these requests to be kept secret and not disclosed via transparency reports. The lack of an independent judiciary system makes it almost impossible for a company to appeal a request from the Chinese government. On top of that, Chinese companies of any real size are legally required to have Communist Party “cells”(nueva ventana) inside them to ensure adherence to the party line.

However, there is little evidence ByteDance wants to resist the Chinese government. In fact, there are numerous examples that it is complicit in the Chinese Communist Party’s authoritarian policies. In 2018, ByteDance shut down Neihan Duanzi, a Chinese social media platform that was primarily used to share jokes and comedy, after state censors accused it of hosting “vulgar” content(nueva ventana). Afterward, ByteDance said that it would “deepen cooperation(nueva ventana)” with the Chinese communist party. It then hired 2,000 more “content reviewers(nueva ventana)” and stated that “strong political sensitivity” would be an asset for the position.

ByteDance has repeatedly made the case that TikTok is not available in China and that user data is not stored in China. This is misleading. In its privacy policy, TikTok explicitly reserves the right to share user information with other members of its “corporate group” (i.e., ByteDance). 

Additionally, a white paper(nueva ventana) by the cybersecurity firm Penetrum found that over one-third of the IP addresses the TikTok APK connects to are based in China. The majority of these IP addresses are hosted by Alibaba, another Chinese tech giant. These IP addresses are what led to the allegations in the California lawsuit that TikTok secretly sends data to China. According to the Penetrum report, “TikTok does an excessive amount of tracking on its users and that the data collected is partially if not fully stored on Chinese servers with the ISP Alibaba.

Alibaba works closely with the Chinese Communist Party and supports its invasive surveillance and censorship. It has a police post at its headquarters(nueva ventana) to facilitate data sharing with authorities and developed a popular Chinese propaganda app(nueva ventana)

The Chinese government has long used the data it collects from Chinese tech companies to monitor, censor, and control its citizens. The all-seeing surveillance system they have created to monitor Uyghurs in Xinjiang(nueva ventana) is just one example. It also maintains an Orwellian “blacklist”(nueva ventana) that the government uses to prevent over 13 million “untrustworthy” citizens from purchasing plane or train tickets. One can only imagine what the Chinese government would do if it were able to extend its data collection beyond its borders.

TikTok and censorship

There are also concerns that the Chinese government and ByteDance are using TikTok as a tool to extend China’s censorship. American employees reported to the Washington Post(nueva ventana) that they were pressured by administrators in Beijing to restrict any political content.

The Guardian(nueva ventana) reported on TikTok guidelines that require moderators to block videos that “distort” historic events, such as “Tiananmen Square incidents.” In one example, a teenage girl from Florida had her account shut down(nueva ventana) after she brought attention to the plight of the Uyghurs, a Muslim minority in China. (TikTok later reinstated her, claiming her ban was an error.)

Is TikTok secure?

In December 2019, the cybersecurity researchers at Check Point Research(nueva ventana) discovered multiple vulnerabilities, including ones that would allow attackers to delete user videos, make hidden videos public, or upload unauthorized videos. The researchers worked with the TikTok team, and they say that these vulnerabilities have now been resolved. 

In April 2020, security researchers(nueva ventana) discovered that some versions of the TikTok app for Android and iOS rely on HTTP connections. By not using HTTPS, TikTok makes it easy for attackers to monitor user activity and even alter the videos the user sees without their knowledge. 

TikTok says a fix is already underway, but this certainly isn’t a strong track record when it comes to security.

TikTok and children

Given the demographics of TikTok users and the amount of data TikTok collects, the company has faced criticism for collecting data from children. In February 2019, Musical.ly, the Chinese social media app that ByteDance bought and then merged with TikTok, paid a $5.7 million fine to the FTC(nueva ventana) to settle allegations that it violated the Children’s Online Privacy Protection Act (COPPA) by letting children under 13 sign up to its platform without their parents’ consent. 

In May 2020, 20 advocacy groups(nueva ventana) alleged that TikTok is still violating COPPA. They said the company never deleted the personal information it collected from children under 13 prior to the 2019 FTC settlement, is still not obtaining parents’ consent before collecting children’s personal info, and does not allow parents to review or delete the personal information it collects from their children.

Scrutiny of TikTok increases

Since February, politicians in Australia have been calling for greater scrutiny(nueva ventana) of the company’s data collection and possible censorship. On June 29, the Indian government banned TikTok(nueva ventana), along with over 50 other Chinese apps. And now, the US government(nueva ventana) is also weighing whether they should impose a ban on the app.  

As one US lawmaker said to the Wall Street Journal(nueva ventana), “all it takes is one knock on the door of their parent company [ByteDance], based in China, from a Communist Party official for that data to be transferred [from TikTok] to the Chinese government’s hands, whenever they need it.

Recently, US politicians have floated the idea of ByteDance selling TikTok(nueva ventana) as one way for the social media company to avoid questions over what it does with its users’ data. However, Chinese infrastructure and control are clearly deeply integrated into TikTok’s system, and it would be extremely hard for any company that purchased it to undo. 

Our take on TikTok

We stand for freedom of expression, and we want everyone to be able to voice their opinion. However, social media giants from TikTok to Facebook demand troves of personal data in exchange for the use of their platform. Often this data collection verges into the extreme. Does TikTok need access to your device’s ID number to deliver its service?

The fact that TikTok is owned by a Chinese company, one that has explicitly said it would deepen its cooperation with the Chinese Communist Party, makes this excessive data collection even more concerning. The Chinese government has a history of strong-arming and co-opting Chinese tech companies into sharing their data and then using this data to intimidate, threaten, censor, or engage in human rights abuses.

For these reasons, it is our opinion that, from a security and privacy standpoint, TikTok is an extremely dangerous social media platform. Its potential for mass collection of data from hundreds of millions of adults, teenagers, and children poses a grave risk to privacy. We believe that TikTok should be viewed with great caution, and if this concerns you, you should strongly consider deleting TikTok(nueva ventana) and its associated data. 

You can get a free secure email account from Proton Mail here(nueva ventana).

We also provide a free VPN service(nueva ventana) to protect your privacy.

Proton Mail and Proton VPN(nueva ventana) are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan(nueva ventana). Thank you for your support.


Feel free to share your feedback and questions with us via our official social media channels on Twitter(nueva ventana) and Reddit(nueva ventana).

Artículos relacionados

The cover image for a Proton Pass blog comparing SAML and OAuth as protocols for business protection
en
SAML and OAuth help your workers access your network securely, but what's the difference? Here's what you need to know.
Proton Lifetime Fundraiser 7th edition
en
Learn how to join our 2024 Lifetime Account Charity Fundraiser, your chance to win our most exclusive plan and fight for a better internet.
The cover image for a Proton Pass blog about zero trust security showing a dial marked 'zero trust' turned all the way to the right
en
Cybersecurity for businesses is harder than ever: find out how zero trust security can prevent data breaches within your business.
How to protect your inbox from an email extractor
en
Learn how an email extractor works, why your email address is valuable, how to protect your inbox, and what to do if your email address is exposed.
How to whitelist an email address and keep important messages in your inbox
en
Find out what email whitelisting is, why it’s useful, how to whitelist email addresses on different platforms, and how Proton Mail can help.
The cover image for Proton blog about cyberthreats businesses will face in 2025, showing a webpage, a mask, and an error message hanging on a fishing hook
en
Thousands of businesses of all sizes were impacted by cybercrime in 2024. Here are the top cybersecurity threats we expect companies to face in 2025—and how Proton Pass can protect your business.